Example: Configuring Source NAT with Multiple Rules

This example describes how to configure source NAT mappings with multiple rules.

Requirements

Before you begin:

  1. Configure network interfaces on the device. See the Junos OS Interfaces Configuration Guide for Security Devices.
  2. Create security zones and assign interfaces to them. See Understanding Security Zones.

Overview

This example uses the trust security zone for the private address space and the untrust security zone for the public address space. In Figure 119, the following translations are performed on the Juniper Networks security device for the source NAT mapping for traffic from the trust zone to the untrust zone:

Figure 119: Source NAT with Multiple Translation Rules


This example describes the following configurations:

Configuration

CLI Quick Configuration

To quickly configure a source NAT mapping with multiple rules, copy the following commands and paste them into the CLI.

[edit]
set security nat source pool src-nat-pool-1 address 192.0.0.1/32 to 192.0.0.24/32
set security nat source pool src-nat-pool-2 address 192.0.0.100/32 to 192.0.0.249/32
set security nat source pool src-nat-pool-2 port no-translation
set security nat source rule-set rs1 from zone trust
set security nat source rule-set rs1 to zone untrust
set security nat source rule-set rs1 rule r1 match source-address 10.1.1.0/24
set security nat source rule-set rs1 rule r1 match source-address 10.1.2.0/24
set security nat source rule-set rs1 rule r1 match destination-address 0.0.0.0/0
set security nat source rule-set rs1 rule r1 then source-nat pool src-nat-pool-1
set security nat source rule-set rs1 rule r2 match source-address 192.168.1.250/32
set security nat source rule-set rs1 rule r2 match destination-address 0.0.0.0/0
set security nat source rule-set rs1 rule r2 then source-nat off
set security nat source rule-set rs1 rule r3 match source-address 192.168.1.0/24
set security nat source rule-set rs1 rule r3 match destination-address 0.0.0.0/0
set security nat source rule-set rs1 rule r3 then source-nat pool src-nat-pool-2
set security nat proxy-arp interface ge-0/0/0.0 address 192.0.0.1/32 to 192.0.0.24/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.0.0.100/32 to 192.0.0.249/32
set security policies from-zone trust to-zone untrust policy internet-access match source-address any
set security policies from-zone trust to-zone untrust policy internet-access match destination-address any
set security policies from-zone trust to-zone untrust policy internet-access match application any
set security policies from-zone trust to-zone untrust policy internet-access then permit

Step-by-Step Procedure

The following example requires you to navigate throughout various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure multiple source NAT rules in a rule set:

  1. Create a source NAT pool.

    [edit security nat source]
    user@host# set pool src-nat-pool-1 address 192.0.0.1 to 192.0.0.24

  2. Create a source NAT pool with no port translation.

    [edit security nat source]
    user@host# set pool src-nat-pool-2 address 192.0.0.100 to 192.0.0.249
    user@host# set pool src-nat-pool-2 port no-translation

    Note: To configure an overflow pool for src-nat-pool-2 using the egress interface:

    [edit security nat source]
    user@host# set pool src-nat-pool-2 overflow-pool interface

  3. Create a source NAT rule set.

    [edit security nat source]
    user@host# set rule-set rs1 from zone trust
    user@host# set rule-set rs1 to zone untrust

  4. Configure a rule that matches packets and translates the source address to an address in the pool.

    [edit security nat source]
    user@host# set rule-set rs1 rule r1 match source-address [10.1.1.0/24 10.1.2.0/24]
    user@host# set rule-set rs1 rule r1 match destination-address 0.0.0.0/0
    user@host# set rule-set rs1 rule r1 then source-nat pool src-nat-pool-1

  5. Configure a rule to match packets for which the source address is not translated.

    [edit security nat source]
    user@host# set rule-set rs1 rule r2 match source-address 192.168.1.250/32
    user@host# set rule-set rs1 rule r2 match destination-address 0.0.0.0/0
    user@host# set rule-set rs1 rule r2 then source-nat off

  6. Configure a rule to match packets and translate the source address to an address in the pool with no port translation.

    [edit security nat source]
    user@host# set rule-set rs1 rule r3 match source-address 192.168.1.0/24
    user@host# set rule-set rs1 rule r3 match destination-address 0.0.0.0/0
    user@host# set rule-set rs1 rule r3 then source-nat pool src-nat-pool-2

  7. Configure proxy ARP.

    [edit security nat]
    user@host# set proxy-arp interface ge-0/0/0.0 address 192.0.0.1 to 192.0.0.24
    user@host# set proxy-arp interface ge-0/0/0.0 address 192.0.0.100 to 192.0.0.249

  8. Configure a security policy that allows traffic from the trust zone to the untrust zone.

    [edit security policies from-zone trust to-zone untrust]
    user@host# set policy internet-access match source-address any destination-address any application any
    user@host# set policy internet-access then permit
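Rules in a source NAT rule set are evaluated in configured order and the first match wins, which is why the host-specific rule r2 (source-nat off) must precede the /24 rule r3. The following Python model of rs1 and its two pools is an added example, not Juniper code; it shows which rule and pool a packet would hit and flags rules that an earlier rule shadows (the rule names, prefixes and pools are taken from this example, the packet addresses are constructed).

```python
import ipaddress

# Constructed model of rule set rs1 and its pools, as configured in this example.
# Rules are (name, source prefixes, destination prefixes, action); evaluated in
# order, first match wins, which mirrors how Junos walks a source NAT rule set.
RULES_RS1 = [
    ("r1", ["10.1.1.0/24", "10.1.2.0/24"], ["0.0.0.0/0"], ("pool", "src-nat-pool-1")),
    ("r2", ["192.168.1.250/32"],           ["0.0.0.0/0"], ("off", None)),
    ("r3", ["192.168.1.0/24"],             ["0.0.0.0/0"], ("pool", "src-nat-pool-2")),
]
POOLS = {
    "src-nat-pool-1": {"addresses": ("192.0.0.1", "192.0.0.24"), "port_translation": True},
    "src-nat-pool-2": {"addresses": ("192.0.0.100", "192.0.0.249"), "port_translation": False},
}


def _covered(addr, prefixes):
    """True if addr falls inside any of the given prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


def first_match(rules, src, dst):
    """Return the first rule tuple whose match conditions cover src/dst, or None."""
    for rule in rules:
        _, src_pfx, dst_pfx, _ = rule
        if _covered(src, src_pfx) and _covered(dst, dst_pfx):
            return rule
    return None


def translation_for(rules, pools, src, dst):
    """(rule name, pool, port translated?); pool is None when NAT is off or no rule matches."""
    rule = first_match(rules, src, dst)
    if rule is None:
        return (None, None, False)
    name, _, _, (kind, pool) = rule
    if kind == "off":
        return (name, None, False)
    return (name, pool, pools[pool]["port_translation"])


def shadowed_rules(rules):
    """Names of rules that can never match because an earlier rule covers all their prefixes."""
    shadowed = []
    for i, (name, src_pfx, dst_pfx, _) in enumerate(rules):
        for _, e_src, e_dst, _ in rules[:i]:
            e_src_nets = [ipaddress.ip_network(p) for p in e_src]
            e_dst_nets = [ipaddress.ip_network(p) for p in e_dst]
            src_ok = all(any(ipaddress.ip_network(s).subnet_of(e) for e in e_src_nets) for s in src_pfx)
            dst_ok = all(any(ipaddress.ip_network(d).subnet_of(e) for e in e_dst_nets) for d in dst_pfx)
            if src_ok and dst_ok:
                shadowed.append(name)
                break
    return shadowed
```

Running shadowed_rules on rs1 with r2 and r3 swapped reports r2 as unreachable, the misordering that would silently translate the 192.168.1.250 host.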

Results

From configuration mode, confirm your configuration by entering the show security nat and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show security nat
source {
    pool src-nat-pool-1 {
        address {
            192.0.0.1/32 to 192.0.0.24/32;
        }
    }
    pool src-nat-pool-2 {
        address {
            192.0.0.100/32 to 192.0.0.249/32;
        }
        port no-translation;
    }
    rule-set rs1 {
        from zone trust;
        to zone untrust;
        rule r1 {
            match {
                source-address [ 10.1.1.0/24 10.1.2.0/24 ];
                destination-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    pool {
                        src-nat-pool-1;
                    }
                }
            }
        }
        rule r2 {
            match {
                source-address 192.168.1.250/32;
                destination-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    off;
                }
            }
        }
        rule r3 {
            match {
                source-address 192.168.1.0/24;
                destination-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    pool {
                        src-nat-pool-2;
                    }
                }
            }
        }
    }
}
proxy-arp {
    interface ge-0/0/0.0 {
        address {
            192.0.0.1/32 to 192.0.0.24/32;
            192.0.0.100/32 to 192.0.0.249/32;
        }
    }
}

user@host# show security policies
from-zone trust to-zone untrust {
    policy internet-access {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Source NAT Pool Usage

Purpose

Verify that there is traffic using IP addresses from the source NAT pool.

Action

From operational mode, enter the show security nat source pool all command. View the Translation hits field to check for traffic using IP addresses from the pool.

Verifying Source NAT Rule Usage

Purpose

Verify that there is traffic matching the source NAT rule.

Action

From operational mode, enter the show security nat source rule all command. View the Translation hits field to check for traffic that matches the rule.

Verifying NAT Application to Traffic

Purpose

Verify that NAT is being applied to the specified traffic.

Action

From operational mode, enter the show security flow session command.
