
Destination NAT

Destination NAT changes the destination address of packets passing through the router. It can also translate the port in the TCP/UDP header. Destination NAT is mainly used to redirect incoming packets addressed to an external address or port to an internal IP address or port inside the network.

Understanding Destination NAT

Destination NAT is the translation of the destination IP address of a packet entering the Juniper Networks device. Destination NAT is used to redirect traffic destined to a virtual host (identified by the original destination IP address) to the real host (identified by the translated destination IP address).

Note:

When destination NAT is performed, the destination IP address is translated according to configured destination NAT rules and then security policies are applied.

Destination NAT allows connections to be initiated only for incoming network connections—for example, from the Internet to a private network. Destination NAT is commonly used to perform the following actions:

  • Translate a single IP address to another address (for example, to allow a device on the Internet to connect to a host on a private network).

  • Translate a contiguous block of addresses to another block of addresses of the same size (for example, to allow access to a group of servers).

  • Translate a destination IP address and port to another destination IP address and port (for example, to allow access to multiple services using the same IP address but different ports).

The following types of destination NAT are supported:

  • Translation of the original destination IP address to an IP address from a user-defined pool. This type of translation does not include Port Address Translation (PAT). If the original destination IP address range is larger than the address range in the user-defined address pool, any untranslated packets are dropped.

  • Translation of the original destination IP address (and optional port number) to one specific IP address (and port number) from a user-defined pool.

Understanding Destination NAT Address Pools

A NAT pool is a user-defined set of IP addresses that are used for translation. Unlike static NAT, where there is a one-to-one mapping that includes destination IP address translation in one direction and source IP address translation in the reverse direction, with destination NAT, you translate the original destination address to an IP address in the address pool.

For destination NAT address pools, specify the following:

  • Name of the destination NAT address pool

  • Destination address or address range

    Note:

    Do not overlap NAT addresses for source NAT, destination NAT, and static NAT within one routing instance.

  • Destination port that is used for port forwarding

  • Routing instance to which the pool belongs—A destination NAT pool that does not specify a specific routing instance will default to the routing instance of the ingress zone.

    Note:

    A configuration option lets you specify that a NAT pool exists in the default routing instance. As a result, the NAT pool is reachable from zones in the default routing instance and from zones in other routing instances.

Understanding Destination NAT Rules

Destination NAT rules specify two layers of match conditions:

  • Traffic direction—Allows you to specify from interface, from zone, or from routing-instance.

  • Packet information—Can be source IP addresses, destination IP address or subnet, destination port numbers or port ranges, protocols, or applications.

For ALG traffic, we recommend that you not use the destination-port option or the application option as matching conditions. If these options are used, translation may fail because the port value in the application payload might not match the port value in the IP header.

If multiple destination NAT rules overlap in the match conditions, the most specific rule is chosen. For example, if rules A and B specify the same source and destination IP addresses, but rule A specifies traffic from zone 1 and rule B specifies traffic from interface ge-0/0/0, rule B is used to perform destination NAT. An interface match is considered to be more specific than a zone match, which is more specific than a routing instance match.

The actions you can specify for a destination NAT rule are:

  • off—Do not perform destination NAT.

  • pool—Use the specified user-defined address pool to perform destination NAT.

Destination NAT rules are applied to traffic in the first packet that is processed for the flow or in the fast path for the ALG. Destination NAT rules are processed after static NAT rules but before source NAT rules.

Destination NAT Configuration Overview

The main configuration tasks for destination NAT are as follows:

  1. Configure a destination NAT address pool that aligns with your network and security requirements.
  2. Configure destination NAT rules that align with your network and security requirements.
  3. Configure NAT proxy ARP entries for IP addresses in the same subnet as the ingress interface.

Example: Configuring Destination NAT for Single Address Translation

This example describes how to configure a destination NAT mapping of a single public address to a private address.

Note:

Mapping one destination IP address to another can also be accomplished with static NAT. Static NAT mapping allows connections to be established from either side of the gateway device, whereas destination NAT only allows connections to be established from one side. However, static NAT only allows translations from one address to another or between blocks of addresses of the same size.

Requirements

This example uses the following hardware and software components:

  • SRX Series device

  • Server

Before you begin:

Overview

Destination NAT is commonly used to expose a service located in a private network through a publicly accessible IP address. This allows users to reach the private service by using the public IP address. The destination NAT address pool and destination NAT rules are configured to meet your network and security requirements.

In this example, first you configure the trust security zone for the private address space and then you configure the untrust security zone for the public address space. In Figure 1, devices in the untrust zone access a server in the trust zone by way of public address 203.0.113.200/32. For packets that enter the Juniper Networks security device from the untrust zone with the destination IP address 203.0.113.200/32, the destination IP address is translated to the private address 192.168.1.200/32.

Topology

Figure 1: Destination NAT Single Address Translation

Table 1 shows the parameters configured in this example.

Table 1: Interfaces, Zones, Server, and IP Address Information

Parameter                Description
Trust Zone               Security zone for the private address space.
Untrust Zone             Security zone for the public address space.
192.168.1.200/32         Translated destination NAT IP address.
192.168.1.0/24           Private subnet in the private zone.
203.0.113.200/32         Public address of the server.
Server                   Server address in the private address space.
ge-0/0/0 and ge-1/0/0    NAT interfaces for traffic direction.

This example describes the following configurations:

  • Destination NAT pool dst-nat-pool-1 that contains the IP address 192.168.1.200/32.

  • Destination NAT rule set rs1 with rule r1 to match packets received from the ge-0/0/0.0 interface with the destination IP address 203.0.113.200/32. For matching packets, the destination address is translated to the address in the dst-nat-pool-1 pool.

  • Proxy ARP for the address 203.0.113.200/32 on interface ge-0/0/0.0. This allows the Juniper Networks security device to respond to ARP requests received on the interface for that address.

  • Security policies to permit traffic from the untrust zone to the translated destination IP address in the trust zone.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure a destination NAT mapping from a public address to a private address:

  1. Create the destination NAT pool.

  2. Create a destination NAT rule set.

  3. Configure a rule that matches packets and translates the destination address to the address in the pool.

  4. Configure proxy ARP.

  5. Configure an address in the global address book.

  6. Configure a security policy that allows traffic from the untrust zone to the server in the trust zone.
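The six steps above written out as Junos set commands, anchored to the names and addresses the example uses (pool dst-nat-pool-1, rule set rs1, rule r1, interface ge-0/0/0.0, policy server-access). This is an added example, not the page's own CLI Quick Configuration, which is absent from this copy; the address-book entry name server-1 is an assumption. Because destination NAT runs before the policy lookup, the policy matches the translated private address, not the public one.

```junos
# Step 1: destination NAT pool holding the private server address.
# No routing-instance is given, so the pool defaults to the routing
# instance of the ingress zone.
set security nat destination pool dst-nat-pool-1 address 192.168.1.200/32

# Steps 2-3: rule set rs1 matches on the ingress interface; rule r1 matches
# the public address and translates it to the pool address.
set security nat destination rule-set rs1 from interface ge-0/0/0.0
set security nat destination rule-set rs1 rule r1 match destination-address 203.0.113.200/32
set security nat destination rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1

# Step 4: answer ARP for the public address on the ingress interface, since
# it is not configured on the interface itself.
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.200/32

# Step 5: global address-book entry for the translated (private) address.
# The entry name server-1 is an assumption.
set security address-book global address server-1 192.168.1.200/32

# Step 6: policy from untrust to trust. The destination is the private
# address because NAT is applied before the policy is evaluated.
# "application any" follows the page; restricting it to the service the
# server actually offers (for example junos-http) narrows the exposure.
set security policies from-zone untrust to-zone trust policy server-access match source-address any
set security policies from-zone untrust to-zone trust policy server-access match destination-address server-1
set security policies from-zone untrust to-zone trust policy server-access match application any
set security policies from-zone untrust to-zone trust policy server-access then permit
```

Paste the commands at the [edit] hierarchy in configuration mode and commit; lines beginning with # are ignored by the CLI. After traffic has flowed, show security nat destination rule all should show the Translation hits counter for r1 increasing, and show security flow session should list sessions whose In flow targets 203.0.113.200 and whose Out flow originates from 192.168.1.200.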

Results

From configuration mode, confirm your configuration by entering the show interfaces, show security zones, and show bridge-domains commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying Destination NAT Pool Usage

Purpose

Verify that there is traffic using IP addresses from the destination NAT pool.

Action

From operational mode, enter the show security nat destination pool all command. View the Translation hits field to check for traffic using IP addresses from the pool.

Meaning

The show security nat destination pool all command displays the pool of translated addresses. View the Translation hits field to check for traffic using IP addresses from the pool.

Verifying Destination NAT Rule Usage

Purpose

Verify that there is traffic matching the destination NAT rule.

Action

From operational mode, enter the show security nat destination rule all command.

Meaning

The show security nat destination rule all command displays the destination NAT rule. View the Translation hits field to check for traffic that matches the destination rule.

Verifying Destination NAT for a Single Address Translation

Purpose

Verify the configuration of destination NAT for a single address translation.

Action

From operational mode, enter the show security nat destination summary command.

Meaning

The show security nat destination summary command displays information about destination NAT configuration. You can verify the following information:

  • Rule sets

  • Rules

  • Address range

  • NAT pool

  • Port details

Verifying NAT Application to Traffic

Purpose

Verify that NAT is being applied to the specified traffic.

Action

From operational mode, enter the show security flow session command.

Meaning

The show security flow session command displays active sessions on the device and each session’s associated security policy. The output shows traffic entering the device using the private source address 203.0.113.219/30 destined to a public host at 203.0.113.200. The return traffic from this flow travels to the translated public address 203.0.113.219.

  • Session ID—Number that identifies the session. Use this ID to get more information about the session such as policy name or number of packets in and out.

  • server-access—Policy name that permitted the traffic from the untrust zone to the translated destination IP address in the trust zone.

  • In—Incoming flow (source and destination IP addresses with their respective source and destination port numbers, the session is ICMP, and the source interface for this session is ge-0/0/0.0).

  • Out—Reverse flow (source and destination IP addresses with their respective source and destination port numbers, the session is ICMP, and the destination interface for this session is ge-0/0/1.0).

Example: Configuring Destination NAT for IP Address and Port Translation

This example describes how to configure destination NAT mappings of a public address to private addresses, depending on the port number.

Requirements

Before you begin:

  1. Configure network interfaces on the device. See Interfaces User Guide for Security Devices.

  2. Create security zones and assign interfaces to them. See Understanding Security Zones.

Overview

This example uses the trust security zone for the private address space and the untrust security zone for the public address space. In Figure 17, devices in the untrust zone access servers in the trust zone by way of public address 203.0.113.200 on port 80 or 8000. Packets entering the Juniper Networks security device from the untrust zone are mapped to the private addresses of the servers as follows:

  • The destination IP address 203.0.113.200 and port 80 is translated to the private address 192.168.1.200 and port 80.

  • The destination IP address 203.0.113.200 and port 8000 is translated to the private address 192.168.1.220 and port 8000.

Figure 17: Destination NAT Address and Port Translation

This example describes the following configurations:

  • Destination NAT pool dst-nat-pool-1 that contains the IP address 192.168.1.200 port 80.

  • Destination NAT pool dst-nat-pool-2 that contains the IP address 192.168.1.220 and port 8000.

  • Destination NAT rule set rs1 with rule r1 to match packets received from the untrust zone with the destination IP address 203.0.113.200 and destination port 80. For matching packets, the destination address is translated to the address in the dst-nat-pool-1 pool.

  • Destination NAT rule set rs1 with rule r2 to match packets received from the untrust zone with the destination IP address 203.0.113.200 and destination port 8000. For matching packets, the destination IP address and port are translated to the address and port in the dst-nat-pool-2 pool.

  • Proxy ARP for the address 203.0.113.200/32. This allows the Juniper Networks security device to respond to ARP requests received on the interface for that address.

  • Security policies to permit traffic from the untrust zone to the translated destination IP addresses in the trust zone.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate through various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure a destination NAT mapping from a public address to a private address:

  1. Create destination NAT pools.

  2. Create a destination NAT rule set.

  3. Configure the first rule, which matches packets on the first destination port and translates the destination address and port to those in its pool.

  4. Configure the second rule, which matches packets on the other destination port and translates the destination address and port to those in its pool.

  5. Configure proxy ARP.

  6. Configure addresses in the global address book.

  7. Configure a security policy that allows traffic from the untrust zone to the servers in the trust zone.
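The seven steps above as Junos set commands, using the names and addresses this example gives (pools dst-nat-pool-1 and dst-nat-pool-2, rule set rs1 matching from zone untrust, rules r1 and r2). This is an added example rather than the page's own CLI Quick Configuration, which is absent from this copy. Assumptions are labelled in the comments: the proxy-ARP interface ge-0/0/0.0, the address-book names server-1 and server-2, the policy name server-access, and the custom application tcp-8000. The page's caveat about matching on destination-port applies: do not use this pattern for ALG-inspected traffic.

```junos
# Step 1: one pool per service. Each pool carries the private address and
# the port to translate to, so the port is rewritten along with the address.
set security nat destination pool dst-nat-pool-1 address 192.168.1.200/32 port 80
set security nat destination pool dst-nat-pool-2 address 192.168.1.220/32 port 8000

# Steps 2-4: rule set rs1 is selected by ingress zone. r1 and r2 match the
# same public address and differ only in destination port, so the port is
# what steers a packet to one backend or the other.
set security nat destination rule-set rs1 from zone untrust
set security nat destination rule-set rs1 rule r1 match destination-address 203.0.113.200/32
set security nat destination rule-set rs1 rule r1 match destination-port 80
set security nat destination rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1
set security nat destination rule-set rs1 rule r2 match destination-address 203.0.113.200/32
set security nat destination rule-set rs1 rule r2 match destination-port 8000
set security nat destination rule-set rs1 rule r2 then destination-nat pool dst-nat-pool-2

# Step 5: proxy ARP for the shared public address. The page does not name
# the interface; ge-0/0/0.0 is an assumption.
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.200/32

# Step 6: address-book entries for both translated addresses (names assumed).
set security address-book global address server-1 192.168.1.200/32
set security address-book global address server-2 192.168.1.220/32

# Step 7: policy scoped to the two services rather than "any". junos-http
# is a predefined application; tcp-8000 is a custom application defined
# here (an assumption, since the page does not name one).
set applications application tcp-8000 protocol tcp destination-port 8000
set security policies from-zone untrust to-zone trust policy server-access match source-address any
set security policies from-zone untrust to-zone trust policy server-access match destination-address server-1
set security policies from-zone untrust to-zone trust policy server-access match destination-address server-2
set security policies from-zone untrust to-zone trust policy server-access match application junos-http
set security policies from-zone untrust to-zone trust policy server-access match application tcp-8000
set security policies from-zone untrust to-zone trust policy server-access then permit
```

A packet to 203.0.113.200 on any port other than 80 or 8000 matches neither rule, is not translated, and is then dropped by the policy lookup unless some other policy permits it, which is the behaviour you want for a host that should expose exactly two services. show security nat destination rule all shows separate Translation hits counters for r1 and r2, which makes it easy to confirm that each port is being steered to the intended pool.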

Results

From configuration mode, confirm your configuration by entering the show security nat and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Destination NAT Pool Usage

Purpose

Verify that there is traffic using IP addresses from the destination NAT pool.

Action

From operational mode, enter the show security nat destination pool all command. View the Translation hits field to check for traffic using IP addresses from the pool.

Verifying Destination NAT Rule Usage

Purpose

Verify that there is traffic matching the destination NAT rule.

Action

From operational mode, enter the show security nat destination rule all command. View the Translation hits field to check for traffic that matches the rule.

Verifying NAT Application to Traffic

Purpose

Verify that NAT is being applied to the specified traffic.

Action

From operational mode, enter the show security flow session command.

Example: Configuring Destination NAT for Subnet Translation

This example describes how to configure a destination NAT mapping of a public subnet address to a private subnet address.

Note:

Mapping addresses from one subnet to another can also be accomplished with static NAT. Static NAT mapping allows connections to be established from either side of the gateway device, whereas destination NAT allows connections to be established from only one side. However, static NAT only allows translations between blocks of addresses of the same size.

Requirements

Before you begin:

  1. Configure network interfaces on the device. See Interfaces User Guide for Security Devices.

  2. Create security zones and assign interfaces to them. See Understanding Security Zones.

Overview

This example uses the trust security zone for the private address space and the untrust security zone for the public address space. In Figure 27, devices in the untrust zone access devices in the trust zone by way of public subnet address 203.0.113.0/24. For packets that enter the Juniper Networks security device from the untrust zone with a destination IP address in the 203.0.113.0/24 subnet, the destination IP address is translated to a private address on the 192.168.1.0/24 subnet.

Figure 27: Destination NAT Subnet Translation

This example describes the following configurations:

  • Destination NAT pool dst-nat-pool-1 that contains the IP address 192.168.1.0/24.

  • Destination NAT rule set rs1 with rule r1 to match packets received from the ge-0/0/0.0 interface with the destination IP address on the 203.0.113.0/24 subnet. For matching packets, the destination address is translated to the address in the dst-nat-pool-1 pool.

  • Proxy ARP for the addresses 203.0.113.1/32 through 203.0.113.62/32 on the interface ge-0/0/0.0; these are the IP addresses of the hosts that should be translated from the 203.0.113.0/24 subnet. This allows the Juniper Networks security device to respond to ARP requests received on the interface for those addresses. The address 203.0.113.0/24 is assigned to the interface itself, so this address is not included in the proxy ARP configuration. The addresses that are not in the 203.0.113.1/32 through 203.0.113.62/32 range are not expected to be present on the network and would not be translated.

  • Security policies to permit traffic from the untrust zone to the translated destination IP addresses in the trust zone.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate through various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure a destination NAT mapping from a public subnet address to a private subnet address:

  1. Create the destination NAT pool.

  2. Create a destination NAT rule set.

  3. Configure a rule that matches packets and translates the destination address to an address in the pool.

  4. Configure proxy ARP.

  5. Configure an address in the global address book.

  6. Configure a security policy that allows traffic from the untrust zone to the devices in the trust zone.
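The six steps above as Junos set commands for the subnet case, using the page's pool dst-nat-pool-1 (192.168.1.0/24), rule set rs1 from interface ge-0/0/0.0, rule r1 matching 203.0.113.0/24, and the proxy-ARP range 203.0.113.1/32 to 203.0.113.62/32. This is an added example, not the page's own CLI Quick Configuration, which is absent from this copy; the address-book name private-subnet and the policy name subnet-access are assumptions.

```junos
# Step 1: the pool is a whole /24, the same size as the public range that
# rule r1 matches. If the matched range were larger than the pool, the
# page notes that untranslated packets would be dropped, so keep the two
# prefix lengths equal.
set security nat destination pool dst-nat-pool-1 address 192.168.1.0/24

# Steps 2-3: select by ingress interface, match the public subnet, and
# translate into the pool.
set security nat destination rule-set rs1 from interface ge-0/0/0.0
set security nat destination rule-set rs1 rule r1 match destination-address 203.0.113.0/24
set security nat destination rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1

# Step 4: proxy ARP only for the public addresses that hosts actually use
# (.1 through .62). Addresses outside this range are not answered on the
# wire, so they are never delivered to the device for translation.
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.1/32 to 203.0.113.62/32

# Step 5: address-book entry for the translated private subnet (name assumed).
set security address-book global address private-subnet 192.168.1.0/24

# Step 6: policy permitting untrust to the translated private addresses.
set security policies from-zone untrust to-zone trust policy subnet-access match source-address any
set security policies from-zone untrust to-zone trust policy subnet-access match destination-address private-subnet
set security policies from-zone untrust to-zone trust policy subnet-access match application any
set security policies from-zone untrust to-zone trust policy subnet-access then permit
```

The proxy-ARP range is the effective exposure boundary here: only the 62 addresses it covers are reachable from the untrust side even though the NAT rule matches the whole /24. If you know which private hosts back those addresses, the address-book entry can be tightened to a matching range-address instead of the full /24 so the policy is no wider than the ARP scope.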

Results

From configuration mode, confirm your configuration by entering the show security nat and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Destination NAT Pool Usage

Purpose

Verify that there is traffic using IP addresses from the destination NAT pool.

Action

From operational mode, enter the show security nat destination pool all command. View the Translation hits field to check for traffic using IP addresses from the pool.

Verifying Destination NAT Rule Usage

Purpose

Verify that there is traffic matching the destination NAT rule.

Action

From operational mode, enter the show security nat destination rule all command. View the Translation hits field to check for traffic that matches the rule.

Verifying NAT Application to Traffic

Purpose

Verify that NAT is being applied to the specified traffic.

Action

From operational mode, enter the show security flow session command.

Monitoring Destination NAT Information

Purpose

View the destination Network Address Translation (NAT) summary table and the details of the specified destination NAT address pool.

Action

Select Monitor > NAT > Destination NAT in the J-Web user interface, or enter the following CLI commands:

  • show security nat destination summary

  • show security nat destination pool pool-name

Table 2 summarizes key output fields in the destination NAT display.

Table 2: Summary of Key Destination NAT Output Fields

Field                           Values                                                                  Action

Rules
  Rule-set Name                 Name of the rule set.                                                   Select all rule sets or a specific rule set to display from the list.
  Total rules                   Number of rules configured.
  ID                            Rule ID number.
  Name                          Name of the rule.
  Ruleset Name                  Name of the rule set.
  From                          Name of the routing instance/zone/interface from which the packet flows.
  Source address range          Source IP address range in the source pool.
  Destination address range     Destination IP address range in the source pool.
  Destination port              Destination port in the destination pool.
  IP protocol                   IP protocol.
  Action                        Action taken for a packet that matches a rule.
  Alarm threshold               Utilization alarm threshold.
  Sessions (Succ/Failed/Current)
                                Successful, failed, and current sessions.
                                  • Succ–Number of successful session installations after the NAT rule is matched.
                                  • Failed–Number of unsuccessful session installations after the NAT rule is matched.
                                  • Current–Number of sessions that reference the specified rule.
  Translation hits              Number of times a translation in the translation table is used for a destination NAT rule.

Pools
  Pool Name                     The names of the pools.                                                 Select all pools or a specific pool to display from the list.
  Total Pools                   Total pools added.
  ID                            ID of the pool.
  Name                          Name of the destination pool.
  Address range                 IP address range in the destination pool.
  Port                          Destination port number in the pool.
  Routing instance              Name of the routing instance.
  Total addresses               Total IP address, IP address set, or address book entry.
  Translation hits              Number of times a translation in the translation table is used for destination NAT.

Top 10 Translation Hits
  Graph                         Displays the graph of top 10 translation hits.