Junos OS

  • 1.  NAT on JunOS ES

    Posted 06-24-2009 01:43

    Hi All,

    I'm a newbie on JunOS ES, and I have tried to build some JunOS ES NAT policies based on a ScreenOS policy. On ScreenOS the traffic passes, but on JunOS ES the traffic is blocked...

    This is the ScreenOS policy:

    This is the JunOS ES policy (from the Juniper conversion tool):

    security {
        nat {
            interface ge-0/0/0.0 {
                static-nat 192.168.0.170 host 10.121.2.10/32;
            }
        }
        zones {
            security-zone Trust {
                tcp-rst;
                host-inbound-traffic {
                    system-services {
                        http;
                        https;
                        ping;
                        ssh;
                        telnet;
                    }
                }
                interfaces {
                    ge-0/0/0.0;
                }
            }
            security-zone Untrust {
                interfaces {
                    ge-0/0/1.0 {
                        host-inbound-traffic {
                            /* Conversion from set interface...ip manageable */
                            system-services {
                                http;
                                ping;
                            }
                        }
                    }
                }
            }
            security-zone DMZ {
                tcp-rst;
                address-book {
                    address Address_192_168_0_170_32  192.168.0.170/32;
                }
                interfaces {
                    ge-0/0/2.0;
                }
            }
        }
        policies {
            from-zone Trust to-zone junos-global {
                policy 1 {
                    match {
                        source-address any;
                        destination-address static_nat_192.168.0.170_32;
                        application any;
                    }
                    then {
                        permit {
                            source-nat {
                                interface;
                            }
                        }
                        log {
                            session-close;
                        }
                    }
                }
            }
            from-zone Untrust to-zone junos-global {
                policy 2 {
                    match {
                        source-address any;
                        destination-address static_nat_192.168.0.170_32;
                        application any;
                    }
                    then {
                        permit {
                            source-nat {
                                interface;
                            }
                        }
                        log {
                            session-close;
                        }
                    }
                }
            }
            from-zone Untrust to-zone Trust {
                policy 4 {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-close;
                        }
                    }
                }
            }
        }
    }
    But traffic from Untrust to the MIP (192.168.0.170) still cannot pass....

    Is there anything missing from this configuration?

    Running on JunOS 9.1 ES and 9.2 ES.



  • 2.  RE: NAT on JunOS ES
    Best Answer

    Posted 06-27-2009 23:36
    Does traffic from Trust to DMZ pass through correctly? I would expect it to since your static nat is configured on ge-0/0/0.0 in trust zone. However from Untrust to DMZ will NOT work because you do not have a static nat object on ge-0/0/1.0 in Untrust zone. Also you will not be able to create same static nat object on ge-0/0/1 if you already have same nat IP on ge-0/0/0. This is a limitation in JUNOS with enhanced services up until 9.4.

    I would recommend upgrading to 9.5. With 9.5 and later, J-series uses SRX NAT. With 9.5, NAT is not bound to any interface. Instead NAT is rule based and independent of security policies. So with 9.5 you can basically create a static NAT rule with both Trust and Untrust as your "from zone". That should support what you are trying to do. But with 9.4 and earlier releases, your scenario will not work.

    -Richard

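    The rule-based layout Richard describes, as an added example that is not part of the original thread: a static NAT rule-set on Junos 9.5 or later (J-Series/SRX syntax) that maps 192.168.0.170 to 10.121.2.10 from both the Trust and Untrust zones in one place. It assumes the real host 10.121.2.10 sits in the DMZ zone behind ge-0/0/2.0, that 192.168.0.170 lies inside the subnet of ge-0/0/1.0 (hence the proxy-arp entry), and that only HTTP is meant to be reachable from Untrust; the rule-set, rule, policy and address-book names are made up. Two things the example shows that the post does not: on this NAT model static NAT is applied before policy lookup, so the inbound policy has to match the translated address 10.121.2.10 rather than 192.168.0.170; and where the original policy 4 permits any-to-any from Untrust to Trust, the inbound rule here is scoped to the one host and one application that actually need exposure.

```junos
security {
    nat {
        static {
            /* One rule-set matched from both zones replaces the
               per-interface static-nat of 9.4 and earlier (assumed names). */
            rule-set mip-192-168-0-170 {
                from zone [ Trust Untrust ];
                rule mip-host {
                    match {
                        destination-address 192.168.0.170/32;
                    }
                    then {
                        static-nat {
                            prefix 10.121.2.10/32;
                        }
                    }
                }
            }
        }
        /* Only needed if 192.168.0.170 is inside the ge-0/0/1.0 subnet
           (assumed here); otherwise a route toward the device is enough. */
        proxy-arp {
            interface ge-0/0/1.0 {
                address {
                    192.168.0.170/32;
                }
            }
        }
    }
    zones {
        security-zone DMZ {
            address-book {
                /* the real (post-NAT) host, assumed to live in DMZ */
                address Host_10_121_2_10 10.121.2.10/32;
            }
            interfaces {
                ge-0/0/2.0;
            }
        }
    }
    policies {
        /* Policy lookup sees the translated destination, so match the
           real host, scoped to the one service it exposes (junos-http is
           an assumption; the original post used "any"). */
        from-zone Untrust to-zone DMZ {
            policy untrust-to-mip {
                match {
                    source-address any;
                    destination-address Host_10_121_2_10;
                    application junos-http;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
        from-zone Trust to-zone DMZ {
            policy trust-to-mip {
                match {
                    source-address any;
                    destination-address Host_10_121_2_10;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

    After commit, `show security nat static rule all` shows per-rule translation hits, and `show security flow session destination-prefix 10.121.2.10/32` lists the sessions once a client on Untrust connects to 192.168.0.170; if the rule hit counter climbs but no session appears, the policy is what is dropping the flow, which is the symptom of matching the pre-NAT address.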

  • 3.  RE: NAT on JunOS ES

    Posted 06-29-2009 22:14

    Hi Richard,

    Thanks for replying to my message.

    Yes, I have done it on 9.5, and NAT works. I must upgrade the Junos on my customer's router to make it run.

    Regards,

    ND



  • 4.  RE: NAT on JunOS ES

    Posted 11-04-2009 08:11

    Hello, I think I'm in the same situation: with static-nat, I would like to have the same mapped IP address (172.17.0.140) on two different interfaces; these interfaces are defined in different VRs (VR-XXX and VR-YYY).

     

    security {
        nat {
            interface ge-0/0/0.0 {
    ...
            }
            interface ge-0/0/1.0 {
                static-nat 172.17.0.140/32 host 192.168.1.7/32 virtual-router VR-ZZZ; 
            }
            interface ge-0/0/1.1 {
                static-nat 172.17.0.140/32 host 192.168.1.7/32 virtual-router VR-ZZZ;
            }
        }

    ...

    routing-instances {
        VR-ZZZ {
            instance-type virtual-router;
            interface ge-0/0/0.0;
            routing-options {
                static {
                    ...
                }
            }
        }
        VR-YYY {
            instance-type virtual-router;
            interface ge-0/0/1.1;
            routing-options {
                static {
                    ...
                }
            }
            protocols {
                ospf {
                    ...
                }
            }
        }
        VR-XXX {
            instance-type virtual-router;
            interface ge-0/0/1.0;
            routing-options {
                static {
                    ...
                }
            }
            protocols {
                ospf {
                    ...
                }
            }
        }
    }

    Unfortunately, I've got an error on the interface ge-0/0/1.1:

        '172.17.0.140' Static NAT overlaps with static NAT [172.17.0.140 172.17.0.140] defined on interface ge-0/0/1.0
        error: configuration check-out failed.

    I'm on a J6350 with 9.2R1.10 ES.

    Can you confirm that when I upgrade to 9.5 ES, my configuration will be accepted and functional?

    Thanks for your answers.



  • 5.  RE: NAT on JunOS ES

    Posted 11-05-2009 21:55

    Beginning in JUNOS 9.5, NAT is decoupled from security policies and defined in NAT rules. So your NAT config in its current state will not convert properly when you upgrade to 9.5 and later releases. You will need to remove NAT from your policies and add NAT rules instead. Refer to the Next-Generation NAT app note for J-Series and SRX.

     

    http://kb.juniper.net/index?page=content&id=TN8&actp=LIST

     

    -Richard
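
    The conversion Richard points to, as an added example and not the thread's own configuration: the two per-interface static-nat entries from the post above rewritten as a single 9.5+ rule-set keyed on routing instance, so the mapped address 172.17.0.140 is declared once, matched in both VR-XXX and VR-YYY, and translated to 192.168.1.7 reachable via VR-ZZZ (the role the old `virtual-router VR-ZZZ` keyword played). The rule-set and rule names are made up. Two knobs are assumptions to confirm on the target release before relying on them: that `from routing-instance` accepts a list, and the `routing-instance` qualifier under the translated prefix; if the list form is rejected, one rule-set per VR with the same rule body is the fallback.

```junos
security {
    nat {
        static {
            /* Both VRs share one rule-set, so the mapped address is not
               defined twice and there is nothing to "overlap" (assumed names;
               the list form of "from routing-instance" is an assumption). */
            rule-set mip-172-17-0-140 {
                from routing-instance [ VR-XXX VR-YYY ];
                rule mip-host {
                    match {
                        destination-address 172.17.0.140/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.1.7/32;
                                /* the real host is reached through VR-ZZZ,
                                   as the old "virtual-router VR-ZZZ" expressed
                                   (qualifier syntax assumed, see lead-in) */
                                routing-instance VR-ZZZ;
                            }
                        }
                    }
                }
            }
        }
    }
}
```

    Unlike the interface-bound form, this does not by itself answer ARP for 172.17.0.140 on ge-0/0/1.0 or ge-0/0/1.1; if the address is inside either interface's subnet, a matching `security nat proxy-arp` entry for that interface is still required, and the security policies between the VRs' zones and the zone holding 192.168.1.7 must match the translated address 192.168.1.7, not 172.17.0.140.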