Example: Configuring Source NAT with Address Shifting

This example describes how to configure a source NAT mapping of a private address range to public addresses, with optional address shifting. This mapping is one-to-one between the original source IP addresses and translated IP addresses and no port translation is performed.

Note: The match conditions for a source NAT rule set do not allow you to specify an address range; only address prefixes may be specified in a rule. When configuring a source NAT pool, you can specify the host-base-address option; this option specifies the IP address where the original source IP address range begins.

The range of original source IP addresses that are translated is determined by the number of addresses in the source NAT pool. For example, if the source NAT pool contains a range of ten IP addresses, then up to ten original source IP addresses can be translated, starting with a specified base address.

The match condition in a source NAT rule may define a larger address range than that specified in the source NAT pool. For example, a match condition might specify an address prefix that contains 256 addresses, but the source NAT pool contains a range of only ten IP addresses. A packet’s source IP address can match a source NAT rule, but if the source IP address is not within the address range specified in the source NAT pool, the source IP address is not translated.

Requirements

Before you begin:

Configure network interfaces on the device. See the Junos OS Interfaces Configuration Guide for Security Devices.
Create security zones and assign interfaces to them. See Understanding Security Zones.

Overview

This example uses the trust security zone for the private address space and the untrust security zone for the public address space. In Figure 118, a range of private addresses in the trust zone is mapped to a range of public addresses in the untrust zone. For packets sent from the trust zone to the untrust zone, a source IP address in the range of 192.168.1.10/32 through 192.168.1.20/32 is translated to a public address in the range of 1.1.1.30/32 through 1.1.1.40/32.

Figure 118: Source NAT with Address Shifting

Image g030672.gif

This example describes the following configurations:

Source NAT pool src-nat-pool-1 that contains the IP address range 1.1.1.30/32 through 1.1.1.40/32. For this pool, the beginning of the original source IP address range is 192.168.1.10/32 and is specified with the host-address-base option.
Source NAT rule set rs1 with rule r1 to match packets from the trust zone to the untrust zone with a source IP address in the 192.168.1.0/24 subnet. For matching packets that fall within the source IP address range specified by the src-nat-pool-1 configuration, the source address is translated to the IP address in src-nat-pool-1 pool.
Proxy ARP for the addresses 1.1.1.30/32 through 1.1.1.40/32 on interface ge-0/0/0.0. This allows the Juniper Networks security device to respond to ARP requests received on the interface for that address.
Security policies to permit traffic from the trust zone to the untrust zone.

Configuration

CLI Quick Configuration

To quickly configure a source NAT mapping with address shifting, copy the following commands and paste them into the CLI.

[edit]set security nat source pool src-nat-pool-1 address 1.1.1.30/32 to 1.1.1.40/32 set security nat source pool src-nat-pool-1 host-address-base 192.168.1.10/32 set security nat source rule-set rs1 from zone trust set security nat source rule-set rs1 to zone untrust set security nat source rule-set rs1 rule r1 match source-address 192.168.1.0/24 set security nat source rule-set rs1 rule r1 then source-nat pool src-nat-pool-1 set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.30/32 to 1.1.1.40/32 set security policies from-zone trust to-zone untrust policy internet-access match source-address any set security policies from-zone trust to-zone untrust policy internet-access match destination-address any set security policies from-zone trust to-zone untrust policy internet-access match application any set security policies from-zone trust to-zone untrust policy internet-access then permit

Step-by-Step Procedure

The following example requires you to navigate throughout various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure a source NAT mapping with address shifting:

Create a source NAT pool.
[edit security nat source]user@host# set pool src-nat-pool-1 address 1.1.1.30/32 to 1.1.1.40/32
Specify the beginning of the original source IP address range.
[edit security nat source]user@host# set pool src-nat-pool-1 host-address-base 192.168.1.10/32
Create a source NAT rule set.
[edit security nat source]user@host# set rule-set rs1 from zone trustuser@host# set rule-set rs1 to zone untrust
Configure a rule that matches packets and translates the source address to an address in the pool.
[edit security nat source]user@host# set rule-set rs1 rule r1 match source-address 192.168.1.0/24user@host# set rule-set rs1 rule r1 then source-nat pool src-nat-pool-1
Configure proxy ARP.
[edit security nat]user@host# set proxy-arp interface ge-0/0/0.0 address 1.1.1.30/32 to 1.1.1.40/32
Configure a security policy that allows traffic from the trust zone to the untrust zone.
[edit security policies from-zone trust to-zone untrust]user@host# set policy internet-access match source-address any destination-address any application anyuser@host# set policy internet-access then permit

Results

From configuration mode, confirm your configuration by entering the show security nat and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]user@host# show security natsource {pool src-nat-pool-1 {address {1.1.1.30/32 to 1.1.1.40/32;}host-address-base 192.168.1.10/32;}rule-set rs1 {from zone trust;to zone untrust;rule r1 {match {source-address 192.168.1.0/24;}then {source-nat {pool {src-nat-pool-1;}}}}}}proxy-arp {interface ge-0/0/0.0 {address {1.1.1.30/32 to 1.1.1.40/32;}}}user@host# show security policiesfrom-zone trust to-zone untrust {policy internet-access {match {source-address any;destination-address any;application any;}then {permit;}}}

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Source NAT Pool Usage

Purpose

Verify that there is traffic using IP addresses from the source NAT pool.

Action

From operational mode, enter the show security nat source pool all command. View the Translation hits field to check for traffic using IP addresses from the pool.

Verifying Source NAT Rule Usage

Purpose

Verify that there is traffic matching the source NAT rule.

Action

From operational mode, enter the show security nat source rule all command. View the Translation hits field to check for traffic that matches the rule.

Example: Configuring Source NAT with Address Shifting

Requirements

Overview

Configuration

CLI Quick Configuration

Step-by-Step Procedure

Results

Verification

Verifying Source NAT Pool Usage

Purpose

Action

Verifying Source NAT Rule Usage

Purpose

Action

Verifying NAT Application to Traffic

Purpose

Action

Related Topics