Example: Configuring Source and Destination NAT Translations

This example describes how to configure both source and destination NAT mappings.

Requirements

Before you begin:

  1. Configure network interfaces on the device. See the Junos OS Interfaces Configuration Guide for Security Devices.
  2. Create security zones and assign interfaces to them. See Understanding Security Zones.

Overview

This example uses the trust security zone for the private address space and the untrust security zone for the public address space. In Figure 120, the following translations are performed on the Juniper Networks security device:

Figure 120: Source and Destination NAT Translations

Image g030674.gif

This example describes the following configurations:

Configuration

CLI Quick Configuration

To quickly configure source and destination NAT mappings, copy the following commands and paste them into the CLI.

[edit]set security nat source pool src-nat-pool-1 address 1.1.1.10/32 to 1.1.1.14/32 set security nat source rule-set rs1 from zone trust set security nat source rule-set rs1 to zone untrust set security nat source rule-set rs1 rule r1 match source-address 0.0.0.0/0 set security nat source rule-set rs1 rule r1 match destination-address 0.0.0.0/0 set security nat source rule-set rs1 rule r1 then source-nat pool src-nat-pool-1 set security nat destination pool dst-nat-pool-1 address 10.1.1.200/32 set security nat destination rule-set rs1 from zone untrust set security nat destination rule-set rs1 rule r1 match destination-address 1.1.1.100/32 set security nat destination rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1 set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.10/32 to 1.1.1.24/32 set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.100/32 set security policies from-zone trust to-zone untrust policy internet-access match source-address any set security policies from-zone trust to-zone untrust policy internet-access match destination-address any set security policies from-zone trust to-zone untrust policy internet-access match application any set security policies from-zone trust to-zone untrust policy internet-access then permitset security zones security-zone trust address-book address dst-nat-pool-1 10.1.1.200/32 set security policies from-zone untrust to-zone trust policy dst-nat-pool-1-access match source-address any set security policies from-zone untrust to-zone trust policy dst-nat-pool-1-access match destination-address dst-nat-pool-1 set security policies from-zone untrust to-zone trust policy dst-nat-pool-1-access match application any set security policies from-zone untrust to-zone trust policy dst-nat-pool-1-access then permit

Step-by-Step Procedure

The following example requires you to navigate throughout various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure the source and destination NAT translations:

  1. Create a source NAT pool.
    [edit security nat source]user@host# set pool src-nat-pool-1 address 1.1.1.10 to 1.1.1.14
  2. Create a source NAT rule set.
    [edit security nat source]user@host# set rule-set rs1 from zone trustuser@host# set rule-set rs1 to zone untrust
  3. Configure a rule that matches packets and translates the source address to an address in the source NAT pool.
    [edit security nat source]user@host# set rule-set rs1 rule r1 match source-address 0.0.0.0/0user@host# set rule-set rs1 rule r1 match destination-address 0.0.0.0/0user@host# set rule-set rs1 rule r1 then source-nat pool src-nat-pool-1
  4. Create a destination NAT pool.
    [edit security nat destination]user@host# set pool dst-nat-pool-1 address 10.1.1.200/32
  5. Create a destination NAT rule set.
    [edit security nat destination]user@host# set rule-set rs1 from zone untrust
  6. Configure a rule that matches packets and translates the destination address to the address in the destination NAT pool.
    [edit security nat destination]user@host# set rule-set rs1 rule r1 match destination-address 1.1.1.100/32user@host# set rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1
  7. Configure proxy ARP.
    [edit security nat]user@host# set proxy-arp interface ge-0/0/0.0 address 1.1.1.10 to 1.1.1.14user@host# set proxy-arp interface ge-0/0/0.0 address 1.1.1.100
  8. Configure a security policy that allows traffic from the trust zone to the untrust zone.
    [edit security policies from-zone trust to-zone untrust]user@host# set policy internet-access match source-address any destination-address any application anyuser@host# set policy internet-access then permit
  9. Configure an address book entry in the trust zone for the translated destination IP address.
    [edit security]user@host# set zones security-zone trust address-book address dst-nat-pool-1 10.1.1.200/32
  10. Configure a security policy that allows traffic from the untrust zone to the trust zone.
    [edit security policies from-zone untrust to-zone trust]user@host# set policy dst-nat-pool-1-access match source-address any destination-address dst-nat-pool-1 application anyuser@host# set policy dst-nat-pool-1-access then permit

Results

From configuration mode, confirm your configuration by entering the show security nat and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]user@host# show security natsource {pool src-nat-pool-1 {address {1.1.1.10/32 to 1.1.1.14/32;}}rule-set rs1 {to zone untrust;rule r1 {match {source-address 0.0.0.0/0;destination-address 0.0.0.0/0;}then {source-nat {pool {src-nat-pool-1;}}}}}}destination {pool dst-nat-pool-1 {address 10.1.1.200/32;}rule-set rs1 {from zone untrust;rule r1 {match {destination-address 1.1.1.100/32;}then {destination-nat pool dst-nat-pool-1;}}}}proxy-arp {interface ge-0/0/0.0 {address {1.1.1.10/32 to 1.1.1.24/32;1.1.1.100/32;}}}user@host# show security policiesfrom-zone trust to-zone untrust {policy internet-access {match {source-address any;destination-address any;application any;}}policy internet-access {then {permit;}}}from-zone untrust to-zone trust {policy dst-nat-pool-1-access {match {source-address any;destination-address dst-nat-pool-1;application any;}then {permit;}}}

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Source NAT Pool Usage

Purpose

Verify that there is traffic using IP addresses from the source NAT pool.

Action

From operational mode, enter the show security nat source pool all command. View the Translation hits field to check for traffic using IP addresses from the pool.

Verifying Source NAT Rule Usage

Purpose

Verify that there is traffic matching the source NAT rule.

Action

From operational mode, enter the show security nat source rule all command. View the Translation hits field to check for traffic that matches the rule.

Verifying Destination NAT Pool Usage

Purpose

Verify that there is traffic using IP addresses from the destination NAT pool.

Action

From operational mode, enter the show security nat destination pool all command. View the Translation hits field to check for traffic using IP addresses from the pool.

Verifying Destination NAT Rule Usage

Purpose

Verify that there is traffic matching the destination NAT rule.

Action

From operational mode, enter the show security nat destination rule all command. View the Translation hits field to check for traffic that matches the rule.

Verifying NAT Application to Traffic

Purpose

Verify that NAT is being applied to the specified traffic.

Action

From operational mode, enter the show security flow session command.

Related Topics