Junos OS

Ask questions and share experiences about Junos OS.
  • 1.  NAT Example

    Posted 09-02-2015 01:46

    hello guys,

    http://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf

     

    link above shows how to NAT using interface IP.

     

    The config shows permit any application, question is: Is it safe to have this kind of configuration? Or need to have an outbound filter?

     

    Thank you.

     

    Here's the config from the above example:

     

    [edit security nat source]
    set rule-set rs1 from zone trust
    set rule-set rs1 to zone untrust
    set rule-set rs1 rule r1 match source-address 0.0.0.0/0
    set rule-set rs1 rule r1 match destination-address 0.0.0.0/0
    set rule-set rs1 rule r1 then source-nat interface
    [edit security policies from-zone trust to-zone untrust]
    set policy internet-access match source-address any destination-address any application any
    set policy internet-access then permit



  • 2.  RE: NAT Example

     
    Posted 09-02-2015 02:09

    Hello,

     

    What the mentioned configuration does is this: any traffic coming from any source in the Trust zone and going to any destination in the Untrust zone will be subjected to interface PAT.

     

    By default, security policies from zone Trust to zone Untrust on the box will filter the traffic.

     

    But if you have certain IPs in the Trust zone that should never go across to Untrust, you can put a firewall filter in the inbound direction on the interface(s) in the Trust zone, so the traffic is dropped even before the firewall is required to do a session lookup or install a session, thus saving the firewall's resources.

     

    Otherwise this configuration is ok.

     

    Regards,

     

    Rushi

     

     



  • 3.  RE: NAT Example

    Posted 09-02-2015 02:28

    Hi Rushi,

     

    This line:

    set policy internet-access match source-address any destination-address any application any
    set policy internet-access then permit

     

    It permits any application, so even though it shows permit any, is there still a default security policy to filter this traffic from the trust zone?

     

    Thanks.



  • 4.  RE: NAT Example
    Best Answer

     
    Posted 09-02-2015 02:56

    Hello,

     

    There is no default policy that specifically filters traffic.

     

    So what you can do is:

     

    1) The admin configures a specific Trust to Untrust policy allowing only legitimate traffic to pass. Only that traffic will then undergo interface NAT (PAT).

     

    OR

     

    2) Keep the 'internet-access' policy you mentioned before as it is, and configure a firewall filter in the inbound direction on the interface(s) of the Trust zone to block specific traffic that you are sure should never be given internet access.

     

    Regards,

     

    Rushi



  • 5.  RE: NAT Example

    Posted 09-02-2015 03:04

    This example is way too broad

     

    set policy internet-access match source-address any destination-address any application any
    set policy internet-access then permit

    At minimum you would want to specify from-zone and to-zone so that it truly is an internet-access-only policy. This policy is plain wide open from all zones to all zones.

     

    Why have a firewall if you use this?
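    Putting the two suggestions above (a narrow trust-to-untrust policy, plus an inbound filter on the trust interface) next to the wide-open policy from the KB example. This is an added example, not configuration from the Juniper KB document or from any poster in this thread; it assumes ge-0/0/0.0 is the trust-zone interface, 10.10.0.0/16 is the LAN, 10.10.5.0/24 is a block that must never reach the internet, and 10.0.0.0/8 covers all internal destinations.

    ```junos
    ## Added example; interface, zone names and prefixes are assumptions.

    ## 1. Source NAT exactly as the KB example: all trust -> untrust traffic gets interface PAT.
    set security nat source rule-set rs1 from zone trust
    set security nat source rule-set rs1 to zone untrust
    set security nat source rule-set rs1 rule r1 match source-address 0.0.0.0/0
    set security nat source rule-set rs1 rule r1 match destination-address 0.0.0.0/0
    set security nat source rule-set rs1 rule r1 then source-nat interface

    ## 2a. The KB policy written with its full path, so from-zone/to-zone are explicit.
    ##     Weak part: source any, destination any, application any.
    set security policies from-zone trust to-zone untrust policy internet-access match source-address any destination-address any application any
    set security policies from-zone trust to-zone untrust policy internet-access then permit

    ## 2b. Narrower replacement: defined source hosts, only web and DNS, sessions logged.
    delete security policies from-zone trust to-zone untrust policy internet-access
    set security zones security-zone trust address-book address lan-hosts 10.10.0.0/16
    set security policies from-zone trust to-zone untrust policy internet-access match source-address lan-hosts
    set security policies from-zone trust to-zone untrust policy internet-access match destination-address any
    set security policies from-zone trust to-zone untrust policy internet-access match application junos-http
    set security policies from-zone trust to-zone untrust policy internet-access match application junos-https
    set security policies from-zone trust to-zone untrust policy internet-access match application junos-dns-udp
    set security policies from-zone trust to-zone untrust policy internet-access then permit
    set security policies from-zone trust to-zone untrust policy internet-access then log session-close

    ## 3. Stateless filter applied inbound on the trust interface: the never-internet block is
    ##    discarded before any session lookup. The first term keeps its internal traffic working.
    set firewall family inet filter trust-in term keep-internal from source-address 10.10.5.0/24
    set firewall family inet filter trust-in term keep-internal from destination-address 10.0.0.0/8
    set firewall family inet filter trust-in term keep-internal then accept
    set firewall family inet filter trust-in term no-internet from source-address 10.10.5.0/24
    set firewall family inet filter trust-in term no-internet then count no-internet-drops
    set firewall family inet filter trust-in term no-internet then discard
    set firewall family inet filter trust-in term allow-rest then accept
    set interfaces ge-0/0/0 unit 0 family inet filter input trust-in
    ```

    The interface filter drops matching packets before the security policy is consulted, so check `show firewall filter trust-in` for the drop counter and `show security policies` to confirm the application list took effect.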

     



  • 6.  RE: NAT Example

    Posted 09-02-2015 18:05

    Hello Steve,

     

    The two lines I actually copied from the example on the Juniper website.

     

    Completely agree with you, it doesn't make sense to have those lines because it will defeat the purpose of having a firewall.

     

    Anyway, of course the best way is to filter outbound traffic and just troubleshoot any applications that may fail if outbound traffic is limited to specific ports.

     

    Any good links or examples showing the best way to handle NAT traffic with outbound filtering?

     

    Thanks,