SRX Services Gateway
Contributor
jeniferdcosta
Posts: 92
Registered: 07-25-2010
Accepted Solution

Source Natting & Destination NAT

Friends,

I have a strange question here, please bear with me if it is funny, but it is working live with a third-party firewall which is going to be replaced by the SRX.

The third-party firewall is working with the below policy and I want to do it in the SRX:

I have a server in my internal network, 192.168.1.1, which accepts only specific IPs as source addresses (192.168.10.1 to 192.168.10.100) on port 2445. The connection is initiated from the extranet with source IP address 172.16.10.0/24 to the destination virtual IP 192.168.100.1 on port 2445, which is then directed to the inside server 192.168.1.1 with a source IP address from the pool mentioned above.

This means the third-party firewall is doing the destination NAT and the source NAT, which are both merged together into one flow to achieve the customer requirement.

How to achieve this in Juniper SRX?

Tx

Distinguished Expert
MMcD
Posts: 635
Registered: 07-20-2010

Re: Source Natting & Destination NAT

Hi,

I think you could accomplish this with some Double NAT.

1. Source NAT from 172.16.10.0/24 ---> translate to the 192.168.10.0/26 range or something in this range.
2. Destination NAT from 192.168.10.0/26 ---> translate to 192.168.100.1
3. Proxy ARP on the interface exiting to the 192.168.100.1 server for the 172.16.10.0/24 range

See the below for an example on Page 11:

http://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
Contributor
jeniferdcosta
Posts: 92
Registered: 07-25-2010

Re: Source Natting & Destination NAT

Hello Dear,

The example shown in the above link I didn't understand; can you explain more on that example? The only thing I understood is the below source NAT, and I didn't understand the destination NAT!!!!

From source NAT:

Any source going to any destination from trust to untrust should go via the pool specified.

But I have found something on the internet which matches my scenario. Just confirm to me that I am on the right path and my below configs are correct according to the details provided.

EXTRANET SUBNETS (THE IPS WHICH ARE GOING TO ACCESS THE INSIDE SERVERS)
172.16.10.0/24

INSIDE SERVER REAL IP
192.168.1.1/32

SERVER ACCEPTS ONLY THIS SOURCE POOL BECAUSE OF A CONSTRAINT BY THE APPLICATION
192.168.2.1 TO 192.168.2.254

DESTINATION NAT VIRTUAL IP
192.168.100.1

source {
    pool intermediate-net {
        address {
            192.168.2.0/24;
        }
        port no-translation;
    }
    rule-set nat-example {
        from zone extranet;
        to zone internal;
        rule double-nat-source {
            match {
                source-address 172.16.10.0/24;
            }
            then {
                source-nat pool intermediate-net;
            }
        }
    }
}
destination {
    pool trust-net {
        address 192.168.1.1/32;
    }
    rule-set nat-example {
        from zone extranet;
        rule double-nat-dest {
            match {
                destination-address 192.168.100.1/32;
            }
            then {
                destination-nat pool trust-net;
            }
        }
    }
}

If the configs are not correct, please write a config for me according to the above details of the servers' IPs.

THANKS

Distinguished Expert
MMcD
Posts: 635
Registered: 07-20-2010

Re: Source Natting & Destination NAT

Hopefully something like this below will work:

EXTRANET SUBNETS (THE IPS WHICH ARE GOING TO ACCESS THE INSIDE SERVERS)
172.16.10.0/24

INSIDE SERVER REAL IP
192.168.1.1/32

SERVER ACCEPTS ONLY THIS SOURCE POOL BECAUSE OF A CONSTRAINT BY THE APPLICATION
192.168.2.1 TO 192.168.2.254

DESTINATION NAT VIRTUAL IP
192.168.100.1

source {
    pool intermediate-net {
        address {
            192.168.2.0/24;
        }
        port no-translation;
    }
    rule-set nat-example {
        from zone extranet;
        to zone internal;
        rule double-nat-source {
            match {
                source-address 172.16.10.0/24;
            }
            then {
                source-nat pool intermediate-net;
            }
        }
    }
}
destination {
    pool trust-net {
        address 192.168.1.1/32;
    }
    rule-set nat-example {
        from zone extranet;
        rule double-nat-dest {
            match {
                destination-address 192.168.100.1/32;
            }
            then {
                destination-nat pool trust-net;
            }
        }
    }
}

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
Contributor
jeniferdcosta
Posts: 92
Registered: 07-25-2010

Re: Source Natting & Destination NAT

Thanks Dear,

I will sure do the below, and update the thread.

  • But I have a question: there is no such matching keyword that is calling the destination NAT from the source NAT. For example, in Cisco routers the route map is calling access-list 110, so I am assuming the same with Juniper.

access-list 110 permit ip any any

route-map external permit 10
 match ip address 110
 set ip next-hop 192.168.X.X

  • How is the evaluation of the NATting in the SRX? With Cisco it checks static first and then etc. etc., so what is the procedure for evaluating NATting in the SRX when a packet arrives on the interface?
  • In Cisco I have a packet-tracer command to troubleshoot a packet which is failing to get into the firewall or to exit the firewall; it shows me the steps where the packet is failing, for example in an access-list or in NATting, or because of routing. Is there any such command in Juniper, the same as Cisco packet-tracer?

Thanks for your replies.

Contributor
jeniferdcosta
Posts: 92
Registered: 07-25-2010

Re: Source Natting & Destination NAT

The upper solution, double NAT, doesn't work. How can I trace the packet, on which step is it dropped????

Can anybody answer the above questions for me?

Distinguished Expert
MMcD
Posts: 635
Registered: 07-20-2010

Re: Source Natting & Destination NAT

Hi,

I have modified the config above as I feel it was slightly wrong; Destination and Static NAT happen before Source.

All the monitoring and translation monitoring you can find here:

"show security flow session match <network-prefix>" is best for viewing NAT, and also

"show security nat <source/destination> all" (this will show you the translation hits)

http://www.juniper.net/us/en/local/pdf/app-notes/3500151-en.pdf

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
Contributor
jeniferdcosta
Posts: 92
Registered: 07-25-2010

Re: Source Natting & Destination NAT

Thanks dear,

I will apply the configs and update the thread.

But these are the same according to what I have written in my previous mail. And also I wrote them with the help of the attached document before.

Tx

Contributor
jeniferdcosta
Posts: 92
Registered: 07-25-2010

Re: Source Natting & Destination NAT

Hello,

The above config worked properly, and here is the session info:

Session ID: 152506, Policy name: ABCD-NAT/6, State: Active, Timeout: 1788, Valid
In: 172.16.10.14/18498 --> 192.168.100.1/2445;tcp, If: reth2.254, Pkts: 4, Bytes: 164
Out: 192.168.1.1/2445 --> 192.168.2.253/59488;tcp, If: reth0.0, Pkts: 2, Bytes: 84

But can you explain to me the steps the SRX is doing to reach the inside server? The above config you wrote for me is strange to me, because how are destination NAT and source NAT communicating with each other without any matching call between them?

Can you explain to me step by step what happens when the packet enters and exits the SRX for the above NAT????

Distinguished Expert
MMcD
Posts: 635
Registered: 07-20-2010

Re: Source Natting & Destination NAT

The order of NAT processing: Static NAT --> Destination NAT --> Reverse Static NAT --> Source NAT

  • 172.16.10.0/24 attempts a connection to 192.168.100.1
  • We are matching on the destination address, so traffic is translated toward 192.168.1.1 by Destination NAT
  • Next is Source NAT, so we are matching on the source address, which is 172.16.10.0/24, and translating this source address to 192.168.2.0/24

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
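The processing order MMcD gives above (and the double-NAT idea from his first reply) can be walked through on the thread's own addresses. The script below is an added illustration written for this page, not code from the thread or from Juniper: it models the stage order static NAT -> destination NAT -> route lookup -> reverse static NAT -> source NAT for one packet and prints a trace showing that the destination-NAT rule and the source-NAT rule never reference each other; they are linked only by the order in which they run and by the fact that each later stage sees the addresses the earlier stage already rewrote. The rule tables are transcribed from the posted config; the names `Packet`, `translate`, `session_wings` and `route_zone` are hypothetical, `route_zone` stands in for the routing table (assumed: the server's subnet is behind zone internal), and the pool address selection is a toy rule, not the SRX's allocator (the real session in the thread got .253 for the .14 client).

```python
"""Toy model of the SRX NAT processing order described in the thread:
static NAT -> destination NAT -> route lookup -> reverse static NAT -> source NAT.
Constructed example: the rule tables are transcribed from the posted config,
the zone lookup and pool allocation are assumptions, not Junos internals."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    zone: str = "extranet"   # ingress zone before NAT, egress zone after


# Rule tables transcribed from the thread's "security nat" stanzas (constructed data).
STATIC_RULES = []            # the posted config has no static NAT
DEST_RULES = [{"from": "extranet", "match_dst": "192.168.100.1/32",
               "pool_addr": "192.168.1.1"}]
SRC_POOLS = {"intermediate-net": {"prefix": "192.168.2.0/24",
                                  "port_translation": False}}  # "port no-translation"
SRC_RULES = [{"from": "extranet", "to": "internal",
              "match_src": "172.16.10.0/24", "pool": "intermediate-net"}]


def in_prefix(addr, prefix):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


def route_zone(dst):
    # Assumed routing table: the server subnet is reachable via zone "internal".
    return "internal" if in_prefix(dst, "192.168.1.0/24") else "extranet"


def pick_pool_address(src, match_prefix, pool):
    # Toy allocation: reuse the client's host offset inside the pool's .1-.254 range.
    # A real SRX picks from the pool itself (the thread's session shows .253 for .14).
    hosts = list(ipaddress.ip_network(pool["prefix"]).hosts())
    base = ipaddress.ip_network(match_prefix, strict=False).network_address
    offset = int(ipaddress.ip_address(src)) - int(base)
    return str(hosts[offset % len(hosts)])


def translate(pkt):
    """Run one packet through the NAT stages in SRX order; returns (packet, trace)."""
    trace = []
    src, sport, dst, dport = pkt.src, pkt.sport, pkt.dst, pkt.dport

    # 1. Static NAT would be checked first; nothing is configured here.
    trace.append("static-nat: no rule")

    # 2. Destination NAT matches the ORIGINAL destination; only a from-zone is known.
    for r in DEST_RULES:
        if r["from"] == pkt.zone and in_prefix(dst, r["match_dst"]):
            trace.append(f"destination-nat: {dst} -> {r['pool_addr']}")
            dst = r["pool_addr"]
            break
    else:
        trace.append("destination-nat: no rule")

    # 3. Route lookup uses the TRANSLATED destination to find the egress zone.
    out_zone = route_zone(dst)
    trace.append(f"route-lookup: {dst} -> zone {out_zone}")

    # 4. Reverse static NAT; nothing configured.
    trace.append("reverse-static-nat: no rule")

    # 5. Source NAT matches the from/to zone pair and the source address. It never
    #    references the destination rule: the two stages are linked only by order.
    for r in SRC_RULES:
        if (r["from"] == pkt.zone and r["to"] == out_zone
                and in_prefix(src, r["match_src"])):
            pool = SRC_POOLS[r["pool"]]
            new_src = pick_pool_address(src, r["match_src"], pool)
            new_sport = 1024 + sport % 64512 if pool["port_translation"] else sport
            trace.append(f"source-nat: {src}/{sport} -> {new_src}/{new_sport} "
                         f"(pool {r['pool']})")
            src, sport = new_src, new_sport
            break
    else:
        trace.append("source-nat: no rule, source left untranslated")

    return Packet(src, sport, dst, dport, pkt.proto, out_zone), trace


def session_wings(pkt):
    """Format the result the way 'show security flow session' prints a session:
    the In wing is the untranslated client side, the Out wing the reverse direction."""
    t, _ = translate(pkt)
    in_wing = f"In: {pkt.src}/{pkt.sport} --> {pkt.dst}/{pkt.dport};{pkt.proto}"
    out_wing = f"Out: {t.dst}/{t.dport} --> {t.src}/{t.sport};{t.proto}"
    return in_wing, out_wing


if __name__ == "__main__":
    client = Packet("172.16.10.14", 18498, "192.168.100.1", 2445)
    for line in translate(client)[1]:
        print(line)
    print(*session_wings(client), sep="\n")
    # A host outside 172.16.10.0/24 still hits destination NAT but not source NAT,
    # so the server would see its real address and the application would refuse it.
    print(translate(Packet("10.0.0.5", 40000, "192.168.100.1", 2445))[1][-1])
```

Running it with the thread's client address reproduces the shape of the posted session (In wing untranslated, Out wing showing the server replying to a 192.168.2.0/24 address), and the second packet shows the failure mode worth checking when a double NAT "doesn't work": a client outside the source-NAT match still reaches the server through destination NAT, but with its real address, which the application then rejects.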