Junos OS

  • 1.  1 TO 1 NAT (Junos) (MIP in Screen OS)

    Posted 09-01-2015 03:47

     

    Hello guys, following the example from this link:

     

    http://www.juniper.net/documentation/en_US/junos12.2/topics/example/nat-security-static-single-address-translation-configuring.html

     

    It has this config:

     

    set security nat static rule-set rs1 from zone untrust
    set security nat static rule-set rs1 rule r1 match destination-address 1.1.1.200/32
    set security nat static rule-set rs1 rule r1 then static-nat prefix 192.168.1.200/32
    set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.200/32
    set security address-book global address server-1 192.168.1.200/32
    set security policies from-zone trust to-zone untrust policy permit-all match source-address server-1
    set security policies from-zone trust to-zone untrust policy permit-all match destination-address any
    set security policies from-zone trust to-zone untrust policy permit-all match application any
    set security policies from-zone trust to-zone untrust policy permit-all then permit
    set security policies from-zone untrust to-zone trust policy server-access match source-address any
    set security policies from-zone untrust to-zone trust policy server-access match destination-address server-1
    set security policies from-zone untrust to-zone trust policy server-access match application any
    set security policies from-zone untrust to-zone trust policy server-access then permit

     

    But it also shows this one:

    set rule-set rs1 from zone untrust
    set rule-set rs1 rule r1 match destination-address 1.1.1.200/32
    set rule-set rs1 rule r1 then static-nat prefix 192.168.1.200/32
    set proxy-arp interface ge-0/0/0.0 address 1.1.1.200
    set address server-1 192.168.1.200/32
    set policy server-access match source-address any destination-address server-1 application any
    set policy server-access then permit
    set policy permit-all match source-address server-1 destination-address any application any
    set policy permit-all then permit

     

    So what's the difference between the two?

     

    Which one should be used on the production?

     

    Thank you.

     

     



  • 2.  RE: 1 TO 1 NAT (Junos) (MIP in Screen OS)

    Posted 09-01-2015 03:58

    The first example is better and more complete, but likely neither would be used in production.  You would create much more specific security policy for what is needed on the server, especially inbound.

     

    Differences:

     

    The first has proxy ARP, so it assumes the server address is in the same subnet as the inbound interface.  The second does not, so it assumes this is a routed subnet.

     

    The first has more specific security policies with the zones explicitly mentioned, the second just allows the addresses from any configured zone.  In production you would create these policies to be as explicit as possible for both addresses and applications to reduce the surface area of attack on your server.  Ideally both inbound and outbound.



  • 3.  RE: 1 TO 1 NAT (Junos) (MIP in Screen OS)

    Posted 09-01-2015 04:15

    Hi, if the server address is not in the same subnet as the inbound interface, can the proxy-arp be omitted?

     

    Thank you.



  • 4.  RE: 1 TO 1 NAT (Junos) (MIP in Screen OS)

    Posted 09-01-2015 18:04

    Hi Steve, just for other beginners like me: thanks for pointing out the need to apply specific filtering for inbound.

    Because the example accepts "any", those lines have to be changed to specific services or ports such as POP3, port 21 and 22, or whatever is necessary, but not "any".

     

    Thank you Steve, hope this will help others as well.

     

    But I think the example on the Juniper website should have a disclaimer that "any" is not recommended, as it gives a larger attack surface.

     

     
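A tightened version of the thread's first configuration, added here as an example (it is not from the Juniper documentation page or from any of the posters): the 1:1 static NAT stays as in the example, but the inbound and outbound policies name explicit zones and specific predefined applications instead of "any", as posts 2 and 4 recommend. It assumes 1.1.1.200 lies in the untrust interface's subnet (so proxy ARP is kept), and admin-net 203.0.113.0/24 is a constructed placeholder for the management network.

```junos
# Static NAT (1:1) for server-1, unchanged from the thread's example
set security nat static rule-set rs1 from zone untrust
set security nat static rule-set rs1 rule r1 match destination-address 1.1.1.200/32
set security nat static rule-set rs1 rule r1 then static-nat prefix 192.168.1.200/32
# Proxy ARP only because 1.1.1.200 is assumed to sit in ge-0/0/0.0's subnet
set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.200/32

# Address book: the server plus a constructed admin network (placeholder value)
set security address-book global address server-1 192.168.1.200/32
set security address-book global address admin-net 203.0.113.0/24

# Inbound: explicit zones, explicit applications, no "any" in a permit rule
# POP3 (the mail service mentioned in the thread) from anywhere, logged
set security policies from-zone untrust to-zone trust policy server-mail match source-address any
set security policies from-zone untrust to-zone trust policy server-mail match destination-address server-1
set security policies from-zone untrust to-zone trust policy server-mail match application junos-pop3
set security policies from-zone untrust to-zone trust policy server-mail then permit
set security policies from-zone untrust to-zone trust policy server-mail then log session-init
set security policies from-zone untrust to-zone trust policy server-mail then log session-close
# FTP and SSH (ports 21 and 22) only from the admin network
set security policies from-zone untrust to-zone trust policy server-admin match source-address admin-net
set security policies from-zone untrust to-zone trust policy server-admin match destination-address server-1
set security policies from-zone untrust to-zone trust policy server-admin match application [ junos-ftp junos-ssh ]
set security policies from-zone untrust to-zone trust policy server-admin then permit
set security policies from-zone untrust to-zone trust policy server-admin then log session-init
# Anything else aimed at the server is dropped and logged (explicit, so it shows up in logs)
set security policies from-zone untrust to-zone trust policy server-deny match source-address any
set security policies from-zone untrust to-zone trust policy server-deny match destination-address server-1
set security policies from-zone untrust to-zone trust policy server-deny match application any
set security policies from-zone untrust to-zone trust policy server-deny then deny
set security policies from-zone untrust to-zone trust policy server-deny then log session-init

# Outbound: the server only needs DNS and NTP, not "application any"
set security policies from-zone trust to-zone untrust policy server-out match source-address server-1
set security policies from-zone trust to-zone untrust policy server-out match destination-address any
set security policies from-zone trust to-zone untrust policy server-out match application [ junos-dns-udp junos-ntp ]
set security policies from-zone trust to-zone untrust policy server-out then permit
```

Policies are evaluated in the order they are entered within a zone pair, so the two permit rules must be entered before server-deny; the lines starting with # are explanatory and should be dropped before pasting into the CLI.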



  • 5.  RE: 1 TO 1 NAT (Junos) (MIP in Screen OS)

    Posted 09-01-2015 04:07

    Hello,

     

    The first configuration block is the 'CLI quick configuration'.

    The second block appears to be the step-by-step configuration. For clarity, you can use the 'step by step' configuration.

     

    Regards,

     

    Rushi



  • 6.  RE: 1 TO 1 NAT (Junos) (MIP in Screen OS)

    Posted 09-01-2015 04:14

    Hi All,

     

    Yes, I know it's not a complete config, as a complete config will take more than those lines.

    Let's say I have a complete config, or I have other configs.

    Can I then use either one of them for 1-to-1 NATing?

     

    Thanks.

     



  • 7.  RE: 1 TO 1 NAT (Junos) (MIP in Screen OS)
    Best Answer

    Posted 09-01-2015 04:15

    Hello,

     

    Yes, you can.

    The quick CLI includes all the configuration, and so does the step-by-step procedure.

    The only difference is that the step-by-step procedure explains the meaning of each section.

     

    If Mapped IP & interface IP are not in the same subnet, proxy-arp can be omitted.

     

    Regards,

     

    Rushi



  • 8.  RE: 1 TO 1 NAT (Junos) (MIP in Screen OS)

    Posted 09-01-2015 18:00

    Hi Steve and Rushi, thank you so much for your help.