
NAT on JunOS ES

‎06-24-2009 01:42 AM

Hi All,

I'm a newbie on Junos ES, and I have tried to make some Junos ES NAT policies based on a ScreenOS policy. On ScreenOS the traffic passes, but on Junos ES the traffic is blocked...

This is the ScreenOS policy:

This is the Junos ES policy (from the Juniper conversion tool):

security {
    nat {
        interface ge-0/0/0.0 {
            static-nat 192.168.0.170 host 10.121.2.10/32;
        }
    }
    zones {
        security-zone Trust {
            tcp-rst;
            host-inbound-traffic {
                system-services {
                    http;
                    https;
                    ping;
                    ssh;
                    telnet;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone Untrust {
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        /* Conversion from set interface...ip manageable */
                        system-services {
                            http;
                            ping;
                        }
                    }
                }
            }
        }
        security-zone DMZ {
            tcp-rst;
            address-book {
                address Address_192_168_0_170_32  192.168.0.170/32;
            }
            interfaces {
                ge-0/0/2.0;
            }
        }
    }
    policies {
        from-zone Trust to-zone junos-global {
            policy 1 {
                match {
                    source-address any;
                    destination-address static_nat_192.168.0.170_32;
                    application any;
                }
                then {
                    permit {
                        source-nat {
                            interface;
                        }
                    }
                    log {
                        session-close;
                    }
                }
            }
        }
        from-zone Untrust to-zone junos-global {
            policy 2 {
                match {
                    source-address any;
                    destination-address static_nat_192.168.0.170_32;
                    application any;
                }
                then {
                    permit {
                        source-nat {
                            interface;
                        }
                    }
                    log {
                        session-close;
                    }
                }
            }
        }
        from-zone Untrust to-zone Trust {
            policy 4 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
    }
}

But traffic from Untrust to the MIP (192.168.0.170) still cannot pass...

Is there anything missing from this configuration?

Running on Junos 9.1 ES and 9.2 ES.

Regards,

ND
Solution
Accepted by topic author NDCool
‎08-26-2015 01:27 AM

Re: NAT on JunOS ES

‎06-27-2009 11:35 PM
Does traffic from Trust to DMZ pass through correctly? I would expect it to, since your static NAT is configured on ge-0/0/0.0 in the Trust zone. However, Untrust to DMZ will NOT work, because you do not have a static NAT object on ge-0/0/1.0 in the Untrust zone. Also, you will not be able to create the same static NAT object on ge-0/0/1 if you already have the same NAT IP on ge-0/0/0. This is a limitation in JUNOS with enhanced services up until 9.4.

I would recommend upgrading to 9.5. With 9.5 and later, J-series uses SRX NAT. With 9.5, NAT is not bound to any interface; instead, NAT is rule-based and independent of security policies. So with 9.5 you can basically create a static NAT rule with both Trust and Untrust as your "from zone". That should support what you are trying to do. But with 9.4 and earlier releases, your scenario will not work.

-Richard

Re: NAT on JunOS ES

‎06-29-2009 10:13 PM

Hi Richard,

Thanks for replying to my message.

Yes, I have done it on 9.5, and NAT works. I must upgrade the Junos on my customer's router to make it run.

Regards,

ND

Re: NAT on JunOS ES

‎11-04-2009 08:11 AM

Hello, I think I'm in the same situation: with static-nat, I would like to have the same mapped IP address (172.17.0.140) on two different interfaces; these interfaces are defined in different VRs (VR-XXX and VR-YYY).

security {
    nat {
        interface ge-0/0/0.0 {
...
        }
        interface ge-0/0/1.0 {
            static-nat 172.17.0.140/32 host 192.168.1.7/32 virtual-router VR-ZZZ; 
        }
        interface ge-0/0/1.1 {
            static-nat 172.17.0.140/32 host 192.168.1.7/32 virtual-router VR-ZZZ;
        }
    }

...

routing-instances {
    VR-ZZZ {
        instance-type virtual-router;
        interface ge-0/0/0.0;
        routing-options {
            static {
                ...
            }
        }
    }
    VR-YYY {
        instance-type virtual-router;
        interface ge-0/0/1.1;
        routing-options {
            static {
                ...
            }
        }
        protocols {
            ospf {
            ...
                }
            }
        }
    }
    VR-XXX {
        instance-type virtual-router;
        interface ge-0/0/1.0;
        routing-options {
            static {
          ...
            }
        }
        protocols {
            ospf {
                ...
                }
            }
        }
    }
}

Unfortunately, I've got an error on the interface ge-0/0/1.1:
" '172.17.0.140' Static NAT overlaps with static NAT [172.17.0.140 172.17.0.140] defined on interface ge-0/0/1.0
error : configuration check-out failed.

I'm on a J6350 9.2R1.10 ES.

Can you confirm that when I upgrade to 9.5 ES, my configuration will be accepted and functional?

Thanks for your answers.


Re: NAT on JunOS ES

‎11-05-2009 09:55 PM

Beginning in JUNOS 9.5, NAT is decoupled from security policies and defined in NAT rules. So your NAT config in its current state will not convert properly when you upgrade to 9.5 and later releases. You will need to remove NAT from your policies and add NAT rules instead. Refer to the Next-Generation NAT app note for J-Series and SRX.

http://kb.juniper.net/index?page=content&id=TN8&actp=LIST

-Richard
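What Richard describes in both of his replies (rule-based static NAT with several "from" zones, policies written against the real host instead of the interface-bound NAT) looks like this in Junos 9.5+ syntax. This is an added illustration, not a configuration from the thread or from Juniper; it reuses the first post's mapped address 192.168.0.170 and host 10.121.2.10, assumes (as Richard's reading of the original config does) that the host sits in the DMZ zone, and the rule-set, rule, policy and address-book names are hypothetical.

```junos
security {
    nat {
        static {
            /* One rule-set may list several from-zones, so a single mapped address serves both Trust and Untrust. */
            rule-set mip-170 {
                from zone [ Trust Untrust ];
                rule host-10-121-2-10 {
                    match {
                        destination-address 192.168.0.170/32;
                    }
                    then {
                        static-nat prefix 10.121.2.10/32;
                    }
                }
            }
        }
        /* Needed only when 192.168.0.170 lies in the connected subnet of ge-0/0/1.0 and is not the interface's own address. */
        proxy-arp {
            interface ge-0/0/1.0 {
                address {
                    192.168.0.170/32;
                }
            }
        }
    }
    zones {
        security-zone DMZ {
            address-book {
                address Host_10_121_2_10 10.121.2.10/32;
            }
        }
    }
    policies {
        /* Static NAT is applied before policy lookup, so the policy names the real DMZ host, not the mapped address. */
        from-zone Untrust to-zone DMZ {
            policy 5 {
                match {
                    source-address any;
                    destination-address Host_10_121_2_10;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

The interface-bound static-nat statements under security nat interface and the Trust/Untrust to junos-global policies from the first post are replaced by this, rather than kept alongside it.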