

There are 3 kinds of NAT for the JunOS SRX devices: source NAT, destination NAT, and static NAT. This post will only cover the basic and most common concepts and usage of NAT in SRX, but with this knowledge you should be able to do NAT for almost any occasion. This post assumes you know the basic concept of NAT: what it is, why we use it, and why we need it.

Consider the image below of how a packet flows through an SRX in regards to NAT.

[Image: JunOS NAT packet processing]

In order for the SRX to process the policies, it first needs to know what zone the packet is trying to get to. That is why the destination part of a static NAT, and destination NAT, take place first. After the policy is evaluated, the source part of the static NAT or the source NAT gets translated.

As you might have guessed from looking at the diagram, static NAT takes precedence over any other kind of NAT. If there are overlapping NAT rules, the most specific (longest prefix length) is used.

Source NAT

This generally refers to outgoing NAT only. Traffic from within your company that has private IPs and needs to get out to the internet is source NAT’d to a public IP. Meaning, traffic will be NAT’d one way and be able to reply back, but it will not be NAT’d going the other direction.

The config to conduct source NAT would look something like this:

set security nat source rule-set NAT-DMZ-TO-UNTRUST from zone DMZ
set security nat source rule-set NAT-DMZ-TO-UNTRUST to zone UNTRUST
set security nat source rule-set NAT-DMZ-TO-UNTRUST rule PAT-INTERFACE match source-address 192.168.0.0/16
set security nat source rule-set NAT-DMZ-TO-UNTRUST rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set NAT-DMZ-TO-UNTRUST rule PAT-INTERFACE then source-nat interface

To create a NAT you must create a rule-set and a rule within that rule-set. Only one rule-set can be applied to a zone pair; multiple rules can then be applied in that rule-set. In the example above, traffic coming from 192.168.0.0/16 that is destined for anywhere and is traveling from the DMZ zone to the UNTRUST zone will be source NAT’d to the IP address of the UNTRUST interface. In this particular case we are PAT’ing the traffic, also known as NAT overload. This is where many IPs can use the same single source IP as they are NAT’d through the firewall.

In the NAT config above you see the then source-nat portion last. There are three options that can be added here. In the case above we use the option interface.

Suppose you don’t want to NAT to the interface but instead you want to use another IP. To do that you must first define that IP in a pool.

set security nat source pool POOL-PAT address 199.199.199.199/32
set security nat source rule-set NAT-DMZ-TO-UNTRUST rule PAT-INTERFACE then source-nat pool POOL-PAT

Even if you only have 1 IP you still make a pool. Take note that a pool is defined as either a source pool or a destination pool. If you have over 64,000 connections going through the firewall into a single IP, you can have multiple IP addresses in the pool and the SRX will alternate between the IP addresses defined in the pool.

It is possible to identify traffic that you specifically don’t want to NAT. This would be useful if you are NAT’ing everything coming from DMZ going to UNTRUST, but you didn’t want to NAT a specific flow that is supposed to go over a VPN tunnel. To conduct something like that you would use the off option.

set security nat source rule-set NAT-DMZ-TO-UNTRUST rule NAT-OFF match source-address 192.168.0.0/16
set security nat source rule-set NAT-DMZ-TO-UNTRUST rule NAT-OFF match destination-address 172.16.57.0/24
set security nat source rule-set NAT-DMZ-TO-UNTRUST rule NAT-OFF then source-nat off

The first rule, NAT-OFF (the no-NAT rule), specifically says source-nat off if the traffic matches the criteria. That is because this traffic is going over a VPN and we don’t want it to be NAT’d, but everything else must be source NAT’d to the interface IP. This is the Cisco equivalent of doing a NAT Zero, NAT 0, No NAT, or Identity NAT.

Destination NAT

Destination NAT usually refers to incoming NAT. Specifically, when someone on the internet needs to access a device inside the network, that device can be destination NAT’d to be reachable from the outside.
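The NAT-OFF rule only does its job if the SRX reaches it before the catch-all PAT-INTERFACE rule: within one rule-set, Junos evaluates rules in the order they were configured and the first match wins, so a rule added later to an existing rule-set lands at the bottom (insert security nat source rule-set NAT-DMZ-TO-UNTRUST rule NAT-OFF before rule PAT-INTERFACE moves it). The script below is an added example, not code from the post or from Juniper. It parses set-style commands like the ones above and walks them the way the box does, showing the VPN flow leaving untranslated when NAT-OFF comes first and being PAT'd to the interface address when it does not, and it flags any rule that an earlier rule in the same rule-set fully shadows. Zone names, prefixes, pool and rule names are the post's own; the egress address 203.0.113.1, the test flows and the helper names are constructed for the example, and the model ignores port/protocol matching and interface or routing-instance rule-sets.

```python
"""Model of how an SRX walks a source-NAT rule-set (added example, not the post's code)."""
import ipaddress
from dataclasses import dataclass, field

# Constructed config: the post's NAT-OFF and PAT-INTERFACE rules in one rule-set,
# NAT-OFF listed first so the VPN flow is excluded before the catch-all sees it.
CONFIG = """
set security nat source pool POOL-PAT address 199.199.199.199/32
set security nat source rule-set NAT-DMZ-TO-UNTRUST from zone DMZ
set security nat source rule-set NAT-DMZ-TO-UNTRUST to zone UNTRUST
set security nat source rule-set NAT-DMZ-TO-UNTRUST rule NAT-OFF match source-address 192.168.0.0/16
set security nat source rule-set NAT-DMZ-TO-UNTRUST rule NAT-OFF match destination-address 172.16.57.0/24
set security nat source rule-set NAT-DMZ-TO-UNTRUST rule NAT-OFF then source-nat off
set security nat source rule-set NAT-DMZ-TO-UNTRUST rule PAT-INTERFACE match source-address 192.168.0.0/16
set security nat source rule-set NAT-DMZ-TO-UNTRUST rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set NAT-DMZ-TO-UNTRUST rule PAT-INTERFACE then source-nat interface
"""
# Same rules entered with PAT-INTERFACE first: the catch-all now shadows NAT-OFF.
MISORDERED = "\n".join([l for l in CONFIG.splitlines() if "rule NAT-OFF" not in l]
                       + [l for l in CONFIG.splitlines() if "rule NAT-OFF" in l])
# The post's pool variant: PAT to 199.199.199.199 instead of the interface.
POOL_CONFIG = CONFIG.replace("then source-nat interface", "then source-nat pool POOL-PAT")
EGRESS_IP = "203.0.113.1"  # stands in for the UNTRUST interface address (constructed)


@dataclass
class Rule:
    name: str
    src: list = field(default_factory=list)   # ip_network objects from match source-address
    dst: list = field(default_factory=list)   # ip_network objects from match destination-address
    action: str = ""                          # "interface", "off" or "pool NAME"


@dataclass
class RuleSet:
    name: str
    from_zone: str = ""
    to_zone: str = ""
    rules: dict = field(default_factory=dict)  # dict keeps insertion order = evaluation order


def parse(config):
    """Turn set-style lines into ({pool: [addresses]}, {name: RuleSet})."""
    pools, rulesets = {}, {}
    for line in config.strip().splitlines():
        t = line.split()
        if t[:4] != ["set", "security", "nat", "source"]:
            continue
        if t[4] == "pool" and t[6] == "address":
            pools.setdefault(t[5], []).append(t[7].split("/")[0])
        elif t[4] == "rule-set":
            rs = rulesets.setdefault(t[5], RuleSet(t[5]))
            if t[6] == "from":
                rs.from_zone = t[8]
            elif t[6] == "to":
                rs.to_zone = t[8]
            elif t[6] == "rule":
                rule = rs.rules.setdefault(t[7], Rule(t[7]))
                if t[8:10] == ["match", "source-address"]:
                    rule.src.append(ipaddress.ip_network(t[10]))
                elif t[8:10] == ["match", "destination-address"]:
                    rule.dst.append(ipaddress.ip_network(t[10]))
                elif t[8:10] == ["then", "source-nat"]:
                    rule.action = " ".join(t[10:])
    return pools, rulesets


def translate(config, from_zone, to_zone, src_ip, dst_ip):
    """Return (matching rule name, source address the flow leaves with).

    (None, src_ip) means no rule-set or rule applied, so the packet goes out
    untranslated.  A pool is modelled as its first address; the real box
    spreads sessions across all addresses in the pool.
    """
    pools, rulesets = parse(config)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rs in rulesets.values():
        if (rs.from_zone, rs.to_zone) != (from_zone, to_zone):
            continue  # only the rule-set for this zone pair is consulted
        for rule in rs.rules.values():  # configured order, first match wins
            if any(src in n for n in rule.src) and any(dst in n for n in rule.dst):
                if rule.action == "off":
                    return rule.name, src_ip
                if rule.action == "interface":
                    return rule.name, EGRESS_IP
                if rule.action.startswith("pool "):
                    return rule.name, pools[rule.action.split()[1]][0]
    return None, src_ip


def _covers(outer, inner):
    """True if every prefix in inner sits inside some prefix in outer."""
    return all(any(i.subnet_of(o) for o in outer) for i in inner)


def shadowed_rules(config):
    """List (rule-set, rule, earlier rule) for rules an earlier rule fully covers:
    such a rule can never match, which is exactly how a misplaced NAT-OFF fails."""
    found = []
    for rs in parse(config)[1].values():
        seen = []
        for rule in rs.rules.values():
            for earlier in seen:
                if _covers(earlier.src, rule.src) and _covers(earlier.dst, rule.dst):
                    found.append((rs.name, rule.name, earlier.name))
                    break
            seen.append(rule)
    return found


if __name__ == "__main__":
    vpn = ("DMZ", "UNTRUST", "192.168.1.10", "172.16.57.5")   # constructed VPN flow
    print("ordered:   ", translate(CONFIG, *vpn))
    print("misordered:", translate(MISORDERED, *vpn))
    print("shadowed:  ", shadowed_rules(MISORDERED))
```

Run the shadow check against a rule-set before committing a new exemption rule; on the device itself, show security nat source rule all lists the rules in evaluation order so the same thing can be eyeballed after a commit.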
