SRX Services Gateway
Contributor
Posts: 95
Registered: ‎07-25-2010
0 Kudos
Accepted Solution

Source Natting & Destination NAT

[ Edited ]

Friends,

 

I have a strange question here, please bear with me if it is funny, but it is working live with a third-party firewall which is going to be replaced by the SRX.

 

The third-party firewall is working with the below policy and I want to do it in SRX:

 

I have a server in my internal network, 192.168.1.1, which accepts only specific IPs as source addresses (192.168.10.1 to 192.168.10.100) on port 2445. The connection is initiated from the extranet with source IP address 172.16.10.0/24 to the destination virtual IP 192.168.100.1 on port 2445, which is then directing traffic to the inside server 192.168.1.1 with a source IP address from the pool mentioned above.

 

This means the third-party firewall is doing the destination NAT and the source NAT, which are both merged together into one flow to achieve the customer requirement.

 

How to achieve this in Juniper SRX?

 

Tx

Distinguished Expert
Posts: 675
Registered: ‎07-20-2010

Re: Source Natting & Destination NAT

Hi,

 

I think you could accomplish this with some Double NAT. 

 

1. Source NAT From 172.16.10.0/24 ---> Translate to 192.168.10.0/26 range or something in this range.

2. Destination NAT from 192.168.10.0/26 ---> Translate to 192.168.100.1

3. Proxy ARP on the interface exiting to the 192.168.100.1 server for 172.16.10.0/24 range

 

See the below for example on Page 11:

 

http://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
Contributor
Posts: 95
Registered: ‎07-25-2010
0 Kudos

Re: Source Natting & Destination NAT

[ Edited ]

Hello Dear,

 

The example shown in the above link I didn't understand; can you explore more on that example? Only what I understood is the below source NAT, and I didn't understand the destination NAT!!!!

from source NAT:

any source that comes to go to any destination from trust to untrust should go by the pool specified.

 

But I have found something on the internet which matches my scenario; just confirm to me that I am on the right path and my below configs are correct according to the details provided.

 

EXTRANET SUBNETS (THE IPs WHICH ARE GOING TO ACCESS THE INSIDE SERVERS)
172.16.10.0/24

INSIDE SERVER REAL IP
192.168.1.1/32

SERVER ACCEPTS ONLY THIS SOURCE POOL BECAUSE OF A CONSTRAINT BY THE APPLICATION
192.168.2.1 TO 192.168.2.254

DESTINATION NAT VIRTUAL IP
192.168.100.1

 

source {
    pool intermediate-net {
        address {
            192.168.2.0/24;
        }
        port no-translation;
    }
    rule-set nat-example {
        from zone extranet;
        to zone internal;
        rule double-nat-source {
            match {
                source-address 172.16.10.0/24;
            }
            then {
                source-nat pool intermediate-net;
            }
        }
    }
}
destination {
    pool trust-net {
        address 192.168.1.1/32;
    }
    rule-set nat-example {
        from zone extranet;
        rule double-nat-dest {
            match {
                destination-address 192.168.100.1/32;
            }
            then {
                destination-nat pool trust-net;
            }
        }
    }
}

 

 

 

If the configs are not correct, please write a config for me according to the above details of the servers' IPs.

 



 

THANKS

Distinguished Expert
Posts: 675
Registered: ‎07-20-2010

Re: Source Natting & Destination NAT

[ Edited ]

Hopefully something like this below will work:

 

EXTRANET SUBNETS (THE IPs WHICH ARE GOING TO ACCESS THE INSIDE SERVERS)
172.16.10.0/24

INSIDE SERVER REAL IP
192.168.1.1/32

SERVER ACCEPTS ONLY THIS SOURCE POOL BECAUSE OF A CONSTRAINT BY THE APPLICATION
192.168.2.1 TO 192.168.2.254

DESTINATION NAT VIRTUAL IP
192.168.100.1

 

source {
    pool intermediate-net {
        address {
            192.168.2.0/24;
        }
        port no-translation;
    }
    rule-set nat-example {
        from zone extranet;
        to zone internal;
        rule double-nat-source {
            match {
                source-address 172.16.10.0/24;
            }
            then {
                source-nat pool intermediate-net;
            }
        }
    }
}
destination {
    pool trust-net {
        address 192.168.1.1/32;
    }
    rule-set nat-example {
        from zone extranet;
        rule double-nat-dest {
            match {
                destination-address 192.168.100.1/32;
            }
            then {
                destination-nat pool trust-net;
            }
        }
    }
}
MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
Contributor
Posts: 95
Registered: ‎07-25-2010
0 Kudos

Re: Source Natting & Destination NAT

[ Edited ]

Thanks Dear,

 

I will sure do the below, and update the thread.

 

  • But I have a question: there is no such matching keyword that is calling the destination NAT from the source NAT. For example, in Cisco routers the route map is calling access-list 110, so I am assuming the same with Juniper.

 

access-list 110 permit ip any any

route-map external permit 10
 match ip address 110
 set ip next-hop 192.168.X.X

 

  • How is the evaluation of NATting done in the SRX? With Cisco it checks static first and then etc. etc., so what is the procedure for evaluating NATting in the SRX when a packet arrives at the interface?
  • In Cisco I have a packet-tracer command to troubleshoot a packet which is failing to get into the firewall or exit the firewall; it shows me the steps where the packet is failing, for example in the access-list or in NATting, or because of routing. So is there any such command in Juniper, the same as the Cisco packet tracer?

 

Thanks for your replies.

Contributor
Posts: 95
Registered: ‎07-25-2010
0 Kudos

Re: Source Natting & Destination NAT

 

 

The upper solution (double NAT) doesn't work. How can I trace the packet, on which step is it dropped????

 

Can anybody answer the above questions for me.

Distinguished Expert
Posts: 675
Registered: ‎07-20-2010

Re: Source Natting & Destination NAT

Hi,

 

I have modified the config above as I feel it was slightly wrong; Destination and Static NAT happen before Source.

 

All the monitoring and translation monitoring you can find here:

 

"show security flow session match <network-prefix>" is best for viewing NAT, and also

 

"show security nat <source/destination> all" (this will show you the translation hits)

 

http://www.juniper.net/us/en/local/pdf/app-notes/3500151-en.pdf

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
Contributor
Posts: 95
Registered: ‎07-25-2010
0 Kudos

Re: Source Natting & Destination NAT

[ Edited ]

Thanks dear,

 

I will apply the configs and update the thread,

 

But these are the same as what I have written in my previous mail. And also I wrote it with the help of the attached document before.

 

Tx

Contributor
Posts: 95
Registered: ‎07-25-2010
0 Kudos

Re: Source Natting & Destination NAT

Hello,

 

The above config worked properly, and here is the session info,

 

Session ID: 152506, Policy name: ABCD-NAT/6, State: Active, Timeout: 1788, Valid

In: 172.16.10.14/18498 --> 192.168.100.1/2445;tcp, If: reth2.254, Pkts: 4, Bytes: 164

Out: 192.168.1.1/2445 --> 192.168.2.253/59488;tcp, If: reth0.0, Pkts: 2, Bytes: 84

 

But can you explain to me the steps the SRX is doing to reach the inside server? The above config which you wrote for me is strange to me, because how are the destination NAT and source NAT communicating with each other without any matching call between them?

 

Can you explain to me step by step what happens when the packet enters and exits the SRX for the above NAT????

Distinguished Expert
Posts: 675
Registered: ‎07-20-2010

Re: Source Natting & Destination NAT

[ Edited ]

The order of NAT Processing: Static NAT --> Destination NAT --> Reverse Static NAT --> Source NAT


  • 172.16.10.0/24 attempts connection to 192.168.100.1

 

  • We are matching on the Destination Address so traffic is translated toward 192.168.1.1 by Destination NAT

 

  • Next is Source NAT so we are matching on the Source address which is 172.16.10.0/24 and translating this source address to 192.168.2.0/24

 

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
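To make concrete how the two rule-sets end up acting on the same flow with nothing linking them but the packet, here is an added Python model (not Junos code and not from this thread) that walks a packet through the order listed above using the thread's rule-sets; the routing table, the permit policy and the pool-selection hash are constructed assumptions:

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str; sport: int; dst: str; dport: int

# Constructed mirror of the thread's two rule-sets and a made-up routing table; not SRX code.
DNAT_RULES = [{"from_zone": "extranet", "match_dst": "192.168.100.1/32", "to": "192.168.1.1"}]
SNAT_RULES = [{"from_zone": "extranet", "to_zone": "internal",
               "match_src": "172.16.10.0/24", "pool": ["192.168.2.0/24"]}]
ROUTES = {"192.168.1.0/24": "internal", "172.16.10.0/24": "extranet"}

def in_net(ip, prefix):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix)

def route_zone(ip):
    # Longest-prefix match; the lookup sees the address as it is *after* destination NAT.
    hits = [n for n in ROUTES if in_net(ip, n)]
    return ROUTES[max(hits, key=lambda n: ipaddress.ip_network(n).prefixlen)] if hits else None

def pick_from_pool(pool, key_ip):
    # Spread flows over every range listed in the pool (constructed deterministic choice).
    hosts = [str(h) for p in pool for h in ipaddress.ip_network(p).hosts()]
    return hosts[int(ipaddress.ip_address(key_ip)) % len(hosts)]

def srx_nat(pkt, in_zone):
    # Order from the thread: static -> destination -> route -> policy -> reverse static -> source.
    steps = []
    # Static NAT: none configured here. Destination NAT rewrites the destination first.
    for r in DNAT_RULES:
        if r["from_zone"] == in_zone and in_net(pkt.dst, r["match_dst"]):
            pkt = replace(pkt, dst=r["to"])
            steps.append("dnat")
            break
    out_zone = route_zone(pkt.dst)
    steps.append(f"route->{out_zone}")
    # Constructed policy: permit extranet -> internal on tcp/2445 from any source.
    if not (in_zone == "extranet" and out_zone == "internal" and pkt.dport == 2445):
        return None, steps + ["policy-deny"]
    steps.append("policy-permit")
    # Reverse static NAT: none. Source NAT matches the zone pair and the untouched source;
    # nothing ties it to the destination rule except the packet itself.
    for r in SNAT_RULES:
        if r["from_zone"] == in_zone and r["to_zone"] == out_zone and in_net(pkt.src, r["match_src"]):
            pkt = replace(pkt, src=pick_from_pool(r["pool"], pkt.src))  # port kept (no-translation)
            steps.append("snat")
            break
    return pkt, steps
```

A source outside 172.16.10.0/24 still reaches 192.168.1.1 through the destination rule but arrives untranslated, so the policy, not the NAT rules, is what keeps unapproved sources off the server.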
Contributor
Posts: 95
Registered: ‎07-25-2010
0 Kudos

Re: Source Natting & Destination NAT

Dear

 

In the mail which you have written above, on the 2nd step the process completes because it matched the condition, so then why is it jumping to the 3rd step, i.e. source NAT??????

 

I have configured many destination NATs for many servers; does this mean that after matching the condition of each destination NAT it also looks for the source NAT?????

 

Tx

Distinguished Expert
Posts: 675
Registered: ‎07-20-2010

Re: Source Natting & Destination NAT

[ Edited ]

After Destination NAT, Source NAT will happen before a packet is permitted.

 

This document, in figure 13 on page 18, shows you the NAT processing and what happens before a packet is permitted:

 

http://www.juniper.net/us/en/local/pdf/app-notes/3500151-en.pdf

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
Contributor
Posts: 95
Registered: ‎07-25-2010
0 Kudos

Re: Source Natting & Destination NAT

[ Edited ]

Hello Dear,

 

I hope I am coming to the final point by this mail; just confirm or correct me on these answers.

 

Static NAT:

Packets enter from the external network to access the inside server:

 

  1. Static NAT available: YES, translate the destination address
  2. Check the inside server route
  3. Check the policy to permit or deny
  4. Check the reverse static NAT --------> what does this actually mean??????
  5. If YES, reverse static NAT
  6. Permit the packet

 

  • IF reverse static NAT ----> NO
  • Source NAT ---- YES: this source NAT means the actual source address which is hitting the inside server (NATTED IP) is then translated from the pool IP addresses
  • Permit the packet

 


 

Destination NAT:

Packets enter from the external network to access the inside server:


  1. Destination NAT available: YES, translate the destination address
  2. Check the inside server route
  3. Check the policy to permit or deny
  4. Check the reverse static NAT --------> what does this actually mean??????
  5. If YES, reverse static NAT
  6. Permit the packet
  • IF reverse static NAT ----> NO
  • Source NAT ---- YES: this source NAT means the actual source address which is hitting the inside server (NATTED IP) is then translated from the pool IP addresses. If, suppose, I create two different pools with the same matching source addresses, then from which pool will the source take an IP address..???
  • Permit the packet.

 

TX

 

 

Distinguished Expert
Posts: 675
Registered: ‎07-20-2010

Re: Source Natting & Destination NAT

[ Edited ]

Reverse Static NAT would be the return traffic originating from trust to untrust zone for example.  It takes precedence over source NAT rules during reverse mapping.

 

You cannot configure 2 pools (in the same rule), so to speak, but if you add multiple IP ranges to a pool it will spread it out over both ranges.

 

pool Pool1 {
    address {
        1.1.1.0/24;
        2.1.1.0/24;
    }
}
MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
Contributor
Posts: 95
Registered: ‎07-25-2010
0 Kudos

Re: Source Natting & Destination NAT

Hello Dear,

 

So according to your mail, what I understand is, suppose traffic is coming from outside to internal:

 

destination NAT

route lookup

policy lookup

no reverse NAT for the internal IP of the server --> this means no NATting for the server's private IP

do source translation for the real IP which is hitting the destination IP from outside.

 

If the above explanation is wrong, please give 1 best scenario to understand.

 

SRX gateways are stateful, so why do they need reverse NAT unless the traffic is initiating from outside?

 

Thanks

 

Distinguished Expert
Posts: 675
Registered: ‎07-20-2010
0 Kudos

Re: Source Natting & Destination NAT

With Static NAT, traffic would be originating from outside and inside. An example of such would be a mail server. It is a direct one-to-one mapping between the Mail Server and the SRX. Both the internal and remote host can initiate a connection.

 

In your case you require /24 subnets to be translated, so Static NAT is not an option. Static NAT will always take precedence over other NAT.

 

 

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
Contributor
Posts: 95
Registered: ‎07-25-2010
0 Kudos

Re: Source Natting & Destination NAT

Hello Dear,

 

Thanks for your patience and for bearing with me to make me understand, and also I appreciate your replies.

 

I am aware that static NATs are bidirectional but destination NAT is not, so for destination NAT the reverse static NAT doesn't apply. So when traffic is hitting a destination-NATted IP with a source IP which matches the source NAT, then the source NAT will do its action; otherwise the destination NAT will act as normal by matching its own condition.

 

If the above is not correct, please help me to understand, by explanation of a simple example, why in my scenario source NAT is coming into the flow.

 

Tx

Distinguished Expert
Posts: 675
Registered: ‎07-20-2010
0 Kudos

Re: Source Natting & Destination NAT

[ Edited ]

You are correct; with Destination NAT there needs to be a Source NAT rule for traffic initiating from inside (provided you wish the internal server/servers to be able to initiate traffic). Static NAT does not require this as it creates both Source and Destination NAT.

 

This could be an interface based source NAT rule such as below:

 

Here the return traffic would go out on the IP of the External Interface you have configured on the SRX.  You could also configure a NAT pool if you have a Range of External Addressing.

 

rule Current_LAN {
    match {
        source-address 192.168.1.0/24;
    }
    then {
        source-nat {
            interface;
        }
    }
}

 

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
Contributor
Posts: 95
Registered: ‎07-25-2010
0 Kudos

Re: Source Natting & Destination NAT

Hello,

 

What I have explained above is for the traffic going from outside to inside, because in my scenario the traffic is hitting from outside to inside, and while entering inside the source IPs are changing to the POOL specified.

 

But you are giving me the explanation of source NAT for the return packet. As I know the SRX is a stateful firewall, when a packet comes in it will definitely go out without any source NAT from inside if the traffic is initiated from the outside.

 

BUT

if the server is configured for destination NAT and the server itself wants to initiate a connection, then the server requires the source NAT from inside to outside to reach the destination outside.

 

Tx

Distinguished Expert
Posts: 675
Registered: ‎07-20-2010

Re: Source Natting & Destination NAT

Sorry. If you only want traffic initiated from outside, destination NAT alone is fine. I was trying to give you the reverse of static NAT using source and destination NAT.

What you said above is correct.
MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]