
Example: Configuring Destination NAT for SRX Series

To allow hosts on the outside to reach your internal network, you configure destination NAT. In this example, you apply destination NAT to allow connections from the Internet to a private network (in the DMZ zone) by translating the public IP address to the private address.

Requirements

Before you begin, create security zones and assign interfaces to them. See Example: Configuring Security Zones and Policies for SRX Series.

This example uses the following hardware and software components:

  • An SRX210
  • Junos OS Release 12.1X44-D10

Overview

Using the topology shown in Figure 1, you are applying destination NAT to the traffic destined to 1.1.1.3 coming from the untrust zone. This traffic should be translated into the private IP address of 192.168.2.2 as shown in Table 1.

Figure 1: Destination NAT Single Address Translation (figure not reproduced here)

Table 1: Destination NAT Mapping

  Before Translation                              After Translation
  Source IP Address    Destination IP Address     Source IP Address    Translated Destination IP Address
  20.20.20.20          1.1.1.3                    1.1.1.3              192.168.2.2

In this topology, you provide access to the server (Server-HTTP-1) in the DMZ zone from the Internet by translating the public IP address 1.1.1.3 to the private address 192.168.2.2, and you forward the traffic to the internal network only when the request arrives on ge-0/0/0.0.

In this example, you perform the following tasks:

  • Create a destination NAT pool called dst-nat-pool-1 to include the IP address 192.168.2.2.
  • Create a destination NAT rule set rs1, where rule r1 matches the packets received from the ge-0/0/0.0 interface with the destination IP address 1.1.1.3. For matching packets, the destination address is translated to the address in the dst-nat-pool-1 pool.
  • Use an existing address book (as applicable) or create a new address book for Server-HTTP-1.
  • Configure traffic from the untrust zone with a destination address of 1.1.1.3 to be translated to the private address 192.168.2.2 in the DMZ zone.
  • Configure the device to respond to proxy ARP for the addresses in the IP pool.
  • Create a security policy to permit HTTP traffic from the untrust zone to the DMZ zone.

    Note: Because the destination NAT rule-sets are evaluated before a security policy, the address referred to in the security policy must be the real IP address of the end host.
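The order described in the note above (destination NAT rule set first, security policy second) is what decides whether the policy matches. The following is an added illustration, not Junos code and not part of the original example: a small Python model of the flow lookup using the values configured on this page. Two assumptions are labelled in the code: the rule's destination-address 1.1.1.3/29 is modelled as the whole 1.1.1.0/29 prefix (so 1.1.1.1 through 1.1.1.7 would also be translated to 192.168.2.2, which is worth confirming is intended before committing), and the address-book entry Public-HTTP and the policy that uses it are constructed here only to show what happens when a policy is written against the public address instead of the real one. The model also makes explicit that destination NAT rewrites only the destination address; the source address 20.20.20.20 is carried through unchanged.

```python
"""Model of the SRX lookup order in this example: destination NAT, then policy.
Added illustration only; values come from the configuration on the page."""
import ipaddress
from dataclasses import dataclass, replace

# Page values.  Assumption: Junos treats the match address as a prefix, so
# 1.1.1.3/29 is modelled as the whole 1.1.1.0/29 block.
DST_NAT_POOLS = {"dst-nat-pool-1": ipaddress.ip_address("192.168.2.2")}
DST_NAT_RULE_SET = {
    "name": "rs1",
    "from_interface": "ge-0/0/0.0",
    "rules": [{"name": "r1",
               "match_dst": ipaddress.ip_network("1.1.1.3/29", strict=False),
               "pool": "dst-nat-pool-1"}],
}
ADDRESS_BOOK = {
    "Server-HTTP-1": ipaddress.ip_network("192.168.2.2/32"),   # page value
    "Public-HTTP": ipaddress.ip_network("1.1.1.3/32"),         # constructed
}
APPLICATIONS = {"junos-http": ("tcp", 80)}
POLICIES = [{"from_zone": "untrust", "to_zone": "DMZ", "name": "server-access",
             "src": "any", "dst": "Server-HTTP-1", "app": "junos-http",
             "action": "permit"}]
# Constructed counter-example: same policy, but pointing at the public address.
POLICIES_ON_PUBLIC_ADDRESS = [dict(POLICIES[0], dst="Public-HTTP")]


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int
    in_interface: str
    from_zone: str
    to_zone: str


def make_packet(src, dst, proto, dport, in_interface,
                from_zone="untrust", to_zone="DMZ"):
    """Build a Packet from plain strings (convenience for callers and tests)."""
    return Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                  proto, dport, in_interface, from_zone, to_zone)


def apply_destination_nat(pkt, rule_set=DST_NAT_RULE_SET, pools=DST_NAT_POOLS):
    """Return (possibly translated packet, name of the rule that fired or None)."""
    if pkt.in_interface != rule_set["from_interface"]:
        return pkt, None
    for rule in rule_set["rules"]:
        if pkt.dst in rule["match_dst"]:
            # Only the destination is rewritten; the source address is untouched.
            return replace(pkt, dst=pools[rule["pool"]]), rule["name"]
    return pkt, None


def policy_lookup(pkt, policies=POLICIES):
    """Return the action of the first matching policy; 'deny' if none matches."""
    for p in policies:
        if (p["from_zone"], p["to_zone"]) != (pkt.from_zone, pkt.to_zone):
            continue
        if p["src"] != "any" and pkt.src not in ADDRESS_BOOK[p["src"]]:
            continue
        if p["dst"] != "any" and pkt.dst not in ADDRESS_BOOK[p["dst"]]:
            continue
        if APPLICATIONS[p["app"]] != (pkt.proto, pkt.dport):
            continue
        return p["action"]
    return "deny"


def process(pkt, policies=POLICIES):
    """NAT first, then policy.  Returns (final destination, NAT rule, action)."""
    translated, rule = apply_destination_nat(pkt)
    return str(translated.dst), rule, policy_lookup(translated, policies)


# Constructed sample: the HTTP request from Table 1, arriving on ge-0/0/0.0.
INBOUND_HTTP = make_packet("20.20.20.20", "1.1.1.3", "tcp", 80, "ge-0/0/0.0")

if __name__ == "__main__":
    print("policy on real address:  ", process(INBOUND_HTTP))
    print("policy on public address:", process(INBOUND_HTTP, POLICIES_ON_PUBLIC_ADDRESS))
    print("same /29, other address: ", process(make_packet("20.20.20.20", "1.1.1.5", "tcp", 80, "ge-0/0/0.0")))
```

Running the block shows the first packet translated by r1 and permitted, the same packet denied when the policy names the public address (because the policy is evaluated after the destination has already become 192.168.2.2), and a packet to 1.1.1.5 translated to the same server because of the /29 match.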

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

set security nat destination pool dst-nat-pool-1 address 192.168.2.2/32
set security nat destination rule-set rs1 from interface ge-0/0/0.0
set security nat destination rule-set rs1 rule r1 match destination-address 1.1.1.3/29
set security nat destination rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1
set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.3/29
set security zones security-zone DMZ address-book address Server-HTTP-1 192.168.2.2/32
set security policies from-zone untrust to-zone DMZ policy server-access match source-address any
set security policies from-zone untrust to-zone DMZ policy server-access match destination-address Server-HTTP-1
set security policies from-zone untrust to-zone DMZ policy server-access match application junos-http
set security policies from-zone untrust to-zone DMZ policy server-access then permit

To configure a destination NAT rule:

  1. Create the destination NAT pool to include the IP address of the server (Server-HTTP-1).
    [edit]
    user@srx210-host# set security nat destination pool dst-nat-pool-1 address 192.168.2.2/32
  2. Create a destination NAT rule set.
    [edit]
    user@srx210-host# set security nat destination rule-set rs1 from interface ge-0/0/0.0
  3. Configure a rule that matches packets and translates the destination address (1.1.1.3/29) to the address in the pool (dst-nat-pool-1, which includes IP address 192.168.2.2/32).
    [edit]
    user@srx210-host# set security nat destination rule-set rs1 rule r1 match destination-address 1.1.1.3/29
    user@srx210-host# set security nat destination rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1
  4. Configure proxy ARP for the address 1.1.1.3/29 on interface ge-0/0/0.0.
    [edit]
    user@srx210-host# set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.3/29
  5. Configure an address in the address book for Server-HTTP-1.
    [edit]
    user@srx210-host# set security zones security-zone DMZ address-book address Server-HTTP-1 192.168.2.2/32
  6. Configure a security policy to allow traffic from the untrust zone to the server (Server-HTTP-1) in the DMZ zone.
    [edit]
    user@srx210-host# set security policies from-zone untrust to-zone DMZ policy server-access match source-address any
    user@srx210-host# set security policies from-zone untrust to-zone DMZ policy server-access match destination-address Server-HTTP-1
    user@srx210-host# set security policies from-zone untrust to-zone DMZ policy server-access match application junos-http
    user@srx210-host# set security policies from-zone untrust to-zone DMZ policy server-access then permit

Results

From configuration mode [edit], confirm your configuration by entering the show security nat destination and show security policies from-zone untrust to-zone DMZ commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@srx210-host# show security nat destination
pool dst-nat-pool-1 {
    address 192.168.2.2/32;
}
rule-set rs1 {
    from interface ge-0/0/0.0;
    rule r1 {
        match {
            destination-address 1.1.1.3/29;
        }
        then {
            destination-nat {
                pool {
                    dst-nat-pool-1;
                }
            }
        }
    }
}

[edit]
user@srx210-host# show security policies from-zone untrust to-zone DMZ
policy server-access {
    match {
        source-address any;
        destination-address Server-HTTP-1;
        application junos-http;
    }
    then {
        permit;
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verify the Destination NAT Rule

Purpose

Verify that there is traffic using IP addresses from the destination NAT pool.

Action

From operational mode, enter the show security nat destination summary command. View the translation hits field to check for traffic using IP addresses from the pool.

Total pools: 1
Pool name            Address                           Routing        Port  Total 
                     Range                             Instance             Address
dst-nat-pool-1       192.168.2.2    - 192.168.2.2      default        0     1   

Total rules: 1
Rule name            Rule set       From                               Action
r1                   rs1            ge-0/0/0.0                         dst-nat-pool-1
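When this check is repeated across many devices, the summary output above is usually collected and compared against the intended configuration. The following is an added example, not Junos code or part of the original page: a Python parser for the two tables in the show security nat destination summary output, with a verify() function that compares the parsed pool range and rule against the values configured in this example. The sample text is a constructed copy of the output shown above; the column layout and field names are assumed to match that sample, so the regular expressions should be adjusted if a different Junos release formats the table differently.

```python
"""Parse 'show security nat destination summary' output and check it against
the expected pool and rule from this example.  Added example, not Junos code."""
import re

# Constructed copy of the summary output shown on the page.
SAMPLE_SUMMARY = """\
Total pools: 1
Pool name            Address                           Routing        Port  Total
                     Range                             Instance             Address
dst-nat-pool-1       192.168.2.2    - 192.168.2.2      default        0     1

Total rules: 1
Rule name            Rule set       From                               Action
r1                   rs1            ge-0/0/0.0                         dst-nat-pool-1
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# name  low-address - high-address  routing-instance  port  total-address
POOL_RE = re.compile(r"^(\S+)\s+" + IP + r"\s+-\s+" + IP + r"\s+(\S+)\s+(\d+)\s+(\d+)\s*$")
# rule-name  rule-set  from  action
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

# Expected values from the configuration in this example.
EXPECTED = {
    "pool": ("dst-nat-pool-1", "192.168.2.2", "192.168.2.2"),
    "rule": ("r1", "rs1", "ge-0/0/0.0", "dst-nat-pool-1"),
}


def parse_summary(text):
    """Return ({pool name: fields}, {rule name: fields}) from the summary text.

    Header lines never match: the pool regex needs an address range and the
    rule header has more than four columns, so both are skipped naturally."""
    pools, rules, section = {}, {}, None
    for line in text.splitlines():
        if line.startswith("Total pools:"):
            section = "pools"
            continue
        if line.startswith("Total rules:"):
            section = "rules"
            continue
        if section == "pools":
            m = POOL_RE.match(line)
            if m:
                pools[m.group(1)] = {"low": m.group(2), "high": m.group(3),
                                     "instance": m.group(4), "port": int(m.group(5)),
                                     "total": int(m.group(6))}
        elif section == "rules":
            m = RULE_RE.match(line)
            if m and m.group(1) != "Rule":
                rules[m.group(1)] = {"rule_set": m.group(2), "from": m.group(3),
                                     "action": m.group(4)}
    return pools, rules


def verify(text, expected=EXPECTED):
    """Return a list of discrepancies; an empty list means the device matches."""
    pools, rules = parse_summary(text)
    problems = []
    name, low, high = expected["pool"]
    pool = pools.get(name)
    if pool is None:
        problems.append(f"pool {name} missing")
    elif (pool["low"], pool["high"]) != (low, high):
        problems.append(f"pool {name} range is {pool['low']}-{pool['high']}, expected {low}-{high}")
    rname, rset, iface, action = expected["rule"]
    rule = rules.get(rname)
    if rule is None:
        problems.append(f"rule {rname} missing")
    elif (rule["rule_set"], rule["from"], rule["action"]) != (rset, iface, action):
        problems.append(f"rule {rname} is {rule}, expected {(rset, iface, action)}")
    return problems


if __name__ == "__main__":
    print(parse_summary(SAMPLE_SUMMARY))
    print("problems:", verify(SAMPLE_SUMMARY))
```

On the sample above verify() returns an empty list; feeding it output in which the pool points at a different address, or in which rule r1 is bound to another interface, returns a readable description of each mismatch.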

Meaning

The output displays a summary of the destination NAT pools and the rules that reference them.

Verifying NAT Application to Traffic

Purpose

Verify that NAT is being applied to the specified traffic.

Action

From operational mode, enter the show security flow session command to display information about all currently active security sessions on the device.

Published: 2014-04-24