Juniper SRX Destination NAT allows services with private IP addresses to be published over the Internet.

In other words, servers with private IP address can be reachable from the internet with the help of destination NAT.

It is also known as pre-routing NAT because the destination NAT occurs before routing.

Juniper SRX Destination NAT Fundamental

As I have defined different types of NAT in the previous sections, with destination NAT it becomes possible to publish services over the internet even though servers have real private IP addresses.

Juniper SRX Destination NAT
Juniper SRX Destination NAT

With this solution we can publish many services with just one or a few public IP addresses.

For example, in this figure you can see that the public IP address 12.1.1.1 is used to publish two services with private IP addresses over the Internet.

When users connect to the public IP address, 12.1.1.1 and with destination port 22, it will be translated to the server with IP address 192.168.10.118 and with the same port.

However, when users connect to this IP address with destination port 2323, they are redirected to the server with IP address 192.168.10.121 and with port 23.

As you can see especially in the second example, destination NAT can be used as a port-forwarding solution. Since the port 2323 is translated to 23. It can be used to hide the real port that the server is listening on.

Destination NAT in Flow Diagram

If you remember, this is the Juniper SRX flow diagram that we discussed in the second lesson of this course called Juniper SRX Traffic Flow.

Destination NAT in Juniper SRX Fow Diagram
Destination NAT in Juniper SRX Fow Diagram (taken from juniper website)

It shows that destination NAT occurs before routing decision. This is because, routing is based on destination IP address and destination IP address is changed in destination NAT.

Theredore first, Destination-NAT changes the destination IP address of the packet and then routing decides on which outgoing interface the packet should be forwarded.

It also means that at the time of destination NAT processing, the router does not know the packet’s outgoing interface and zone.

Therefore, unlike source NAT policies that are configured between two specific interfaces or zones, in destination NAT, only incoming interface or zone must to be configured.

Juniper SRX Destination NAT Configuration

This is the topology that we will use to configure destination NAT, and this is the same topology that we used in the previous sections.

Juniper SRX Destination NAT Topology
Juniper SRX Destination NAT Topology

As you can see in the topology, users inside the network with IP address subnet 192.168.10.0/24 are connected to the internet through two intervening devices.

The first device juniper SRX translate the IP address of users in the subnet 192.168.10.0/24 to the IP addresses in the subnet 192.168.1.0/24. This is implemented using the source NAT and in the previous section.

The second device, WAN router, which is not under my control, translates the IP addresses in the 192.168.1.0/24 subnet to a specific public IP address.

What we will implement in this section is to publish servers in the inside zone with IP address subnet 192.168.10.0/24 to be available with IP address subnet 192.168.1.0/24 in the outside zone.

When clients connect to the outside IP, 192.168.1.118 and port 22, then they will be redirected to the IP address, 192.168.10.118 in inside zone and with port 22.

Also when clients connect to the outside IP, 192.168.1.121 and port 2323, then they will be redirected to the IP address, 192.168.10.121 and port 23 in inside zone.

Only one pubic IP address was enough to redirect users to both servers. Just for the sake of simplicity, I used two IP addresses. So that the last octet of outside IP address and inside IP address are the same.

security policies in Juniper SRX Destination NAT

Before I start the destination NAT configuration, I will permit everything from outside to the inside zone so that we don’t get involved in the concept and configuration of security policies as we learned how to configure them in the previous sections.

This is the configuration to permit everything from outside zone to the inside zone.

set security policies from-zone outside to-zone inside policy PERMIT-ALL match source-address any
set security policies from-zone outside to-zone inside policy PERMIT-ALL match destination-address NET_192_168_10_0__24
set security policies from-zone outside to-zone inside policy PERMIT-ALL match application any
set security policies from-zone outside to-zone inside policy PERMIT-ALL then permit
set security policies from-zone outside to-zone inside policy PERMIT-ALL then log session-init

There is just one another important point to note here.

If you remember, and also what we discussed a few minutes ago, security policies occur in traffic flow after both destination NAT and routing.

Therefore, in the security policy, we use the actual IP address of internal servers as the destination IP address and not the IP addresses seen from the outside.

In our example, destination IP address 192.168.10.0/24 is used in the security policy and not the IP addresses visible from the outside.

Now we can copy and commit, this part of the configuration.

Juniper SRX Destination NAT Configuration Example

This is the configuration of the destination NAT.

set security nat destination pool SSH address 192.168.10.118/32
set security nat destination pool SSH address port 22

set security nat destination pool TENET address 192.168.10.121/32
set security nat destination pool TENET address port 23

set security nat destination rule-set DNAT from zone outside

set security nat destination rule-set DNAT rule SSH match destination-address 192.168.1.118/32
set security nat destination rule-set DNAT rule SSH match destination-port 22
set security nat destination rule-set DNAT rule SSH then destination-nat pool SSH

set security nat destination rule-set DNAT rule TELNET match destination-address 192.168.1.121/32
set security nat destination rule-set DNAT rule TELNET match destination-port 2323
set security nat destination rule-set DNAT rule TELNET then destination-nat pool TENET
         
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.1.118/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.1.121/32

The first four lines are the pool of internal servers which will be published in the outside zone.

The first two lines create a pool with the name of SSH, include the IP address 192.168.10.118 with port 22, pointing to the SSH server.

The port number is optional and it is configured when it is required.

The second two lines create another pool with the name of TELNET containing the IP address 192.168.10.121 with port 23.

Configuring the pool for the internal IP addresses, published in the destination NAT is always required.

Then we configure a rule-set with the name of DNAT which match with traffic coming from outside zone.

Unlike source NAT rule-set, which we configure between two zones or interfaces, in destination NAT, we only configure incoming zone or incoming interface. This is because, destination NAT occurs before routing in the traffic flow and at the time of destination NAT processing, outgoing interface is not still determined.

Then we configure two rules, with the name of SSH and TENET.

Rule SSH, matches traffic with destination address 192.168.1.118 and destination port 22. It translate destination IP address and port to what is configured in SSH pool, which is 192.168.10.118 and port 22.

Rule TELNET, matches traffic with destination address 192.168.1.121 and destination port 2323. It translate destination IP address and port to what is configured in TELNET pool, which is 192.168.10.121 and port 23.

And finally, proxy ARP must be enabled for the IP addresses 192.168.1.118 and 192.168.1.121 in the Juniper SRX since by default Juniper SRX does not respond to the ARP request for these IP addresses and traffic to these IP addresses never reach to the juniper SRX.

Now we can copy and commit the configuration

Juniper SRX Destination NAT Monitoring and Troubleshooting

To monitor and troubleshoot destination NAT, we first try to connect to the servers through their outside IP address and ports.

We create a SSH connection to 192.168.1.118 over default port and a also a telnet connection to 192.168.1.121 over port 2323.

Then we monitor session table with the command “show security flow session”.

rayka# run show security flow session | grep /22  
  In: 192.168.1.88/46547 --> 192.168.10.118/22;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 42, Bytes: 4654, 
  Out: 192.168.10.118/22 --> 192.168.1.88/46547;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 62, Bytes: 10701, 
  
  
[edit]
rayka# run show security flow session | grep /23      
  In: 192.168.1.88/46624 --> 192.168.1.121/2323;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 11, Bytes: 503, 
  Out: 192.168.10.121/23 --> 192.168.1.88/46624;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 8, Bytes: 444, 

As you can see in the output of both connections, destination IP address of incoming connection is the outside IP address but the source IP address of reverse outgoing connection is real inside IP address.

We can also monitor the live output of log file with “monitor start” command.

rayka# run monitor start FIREWALL | grep 23    

[edit]
rayka# Aug 29 20:26:36   RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.1.88/46665->192.168.1.121/2323 0x0 junos-telnet 192.168.1.88/46665->192.168.10.121/23 0x0 N/A N/A destination rule TELNET 6 PERMIT-ALL outside inside 12884966498 N/A(N/A) ge-0/0/0.0 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A N/A N/A Off root N/A N/A

[edit]
rayka# run monitor stop    

The same IP and port translation can be seen also in the output of log file.

You can also see which NAT and policy rules traffic is matched against.

With the command “show security nat destination rule all”, you can see the details of the configuration and also if there is any “Translation hits” and “Successful sessions”.

rayka# run show security nat destination rule all    
Total destination-nat rules: 2
Total referenced IPv4/IPv6 ip-prefixes: 2/0
Destination NAT rule: SSH
  Rule set                   : DNAT
  Rule Id                    : 1
  Rule position              : 1
  From zone                  : outside
    Destination addresses    : 192.168.1.118   - 192.168.1.118
    Destination port         : 22              - 22
  Action                     : SSH
  Translation hits           : 0
    Successful sessions      : 0
  Number of sessions         : 0
Destination NAT rule: TELNET
  Rule set                   : DNAT
  Rule Id                    : 2
  Rule position              : 2
  From zone                  : outside
    Destination addresses    : 192.168.1.121   - 192.168.1.121
    Destination port         : 2323            - 2323
  Action                     : TENET
  Translation hits           : 1
    Successful sessions      : 1
  Number of sessions         : 0
Back to: Juniper Security Associate (JNCIA-SEC) based on vSRX version 22.1R1.10 > Network Address Translation (NAT)

Leave a Reply

Your email address will not be published. Required fields are marked *


Post comment