
Can I use the interface IP address as part of a destination NAT?


Article ID: KB12330 | Last Updated: 04 Mar 2017 | Version: 4.0
Summary:

Destination NAT using the same IP address and the ISP provided address.

Symptoms:

Can I use the ISP-provided IP address in a destination-NAT?

Solution:

Destination NAT to the same IP address as the interface is supported in JUNOS with Enhanced Services, but there are a few things to remember.

First, you will need to create an address book entry for the interface address in the outside zone. Second, your policy will need to be from and to the same external zone. Remember that the policy lookup happens after the route lookup: the device first determines that the destination address (the interface IP address) is located in the outside zone, and then performs an outside-to-outside policy lookup.

You can repeat this for several services by using different destination ports. In the example below we can see an address book entry (host_public) that is located in the outside zone and uses the same IP address as the ge-0/0/1.0 interface. The policy is outside-to-outside since the 10.1.1.2 address is located in the outside zone. The policy specifies a destination-NAT to an address of 192.168.100.3 and port 23.

So, in short, when a user attempts to connect to 10.1.1.2 on port 5000, the connection is destination-NATed to 192.168.100.3 port 23.

version 9.2R1.10;

interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.1.1.2/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 192.168.100.2/24;
            }
        }
    }
}

security {
    nat {
        destination-nat host-100 address 192.168.100.3 port 23;
    }
    zones {
        security-zone inside {
            interfaces {
                ge-0/0/2.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone outside {
            address-book {
                address host_public 10.1.1.2/32;
            }
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone outside to-zone outside {
            policy telnet_100 {
                match {
                    source-address any;
                    destination-address host_public;
                    application tcp_port_5000;
                }
                then {
                    permit {
                        destination-nat {
                            host-100;
                        }
                    }
                }
            }
        }
    }
}
applications {
    application tcp_port_5000 {
        protocol tcp;
        destination-port 5000;
    }
}
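As an added check, not part of this KB or of any Juniper tooling: a small Python lint that reads a Junos configuration in the curly-brace format shown above and verifies the two requirements stated in this article, namely that the address-book entry matching an interface address is defined in the zone that holds that interface, and that any policy applying destination NAT to it is from and to that same zone. The condensed configuration it parses is constructed from the example above; `flatten` and `lint` are hypothetical names.

```python
import re
# Constructed, condensed copy of the KB's configuration (not Juniper's own code).
CONFIG = """
interfaces { ge-0/0/1 { unit 0 { family inet { address 10.1.1.2/24; } } } }
security {
  nat { destination-nat host-100 address 192.168.100.3 port 23; }
  zones { security-zone outside { address-book { address host_public 10.1.1.2/32; }
                                  interfaces { ge-0/0/1.0; } } }
  policies { from-zone outside to-zone outside { policy telnet_100 {
    match { source-address any; destination-address host_public; application tcp_port_5000; }
    then { permit { destination-nat { host-100; } } } } } }
}
"""
def flatten(text):
    """Each leaf statement of a Junos curly-brace config as (block names top-down..., statement)."""
    stack, words, leaves = [], [], []
    for tok in re.findall(r"\{|\}|;|[^\s{};]+", text):
        if tok == "{":
            stack.append(" ".join(words)); words = []
        elif tok == ";":
            leaves.append((*stack, " ".join(words))); words = []
        elif tok == "}":
            stack.pop()
        else:
            words.append(tok)
    return leaves
def lint(text):
    """Findings (empty list = OK) for the KB's rules on destination NAT to an interface IP."""
    leaves, findings = flatten(text), []
    ip_of = {f"{p[1]}.{p[2].split()[1]}": p[4].split()[1].split("/")[0] for p in leaves   # ge-0/0/1.0 -> 10.1.1.2
             if p[0] == "interfaces" and p[3:4] == ("family inet",) and p[4].startswith("address ")}
    zones = [p for p in leaves if p[:2] == ("security", "zones")]
    zone_of_ip = {ip_of[p[4]]: p[2].split()[1] for p in zones if p[3:4] == ("interfaces",) and p[4] in ip_of}
    book = {p[4].split()[1]: (p[4].split()[2].split("/")[0], p[2].split()[1])   # name -> (address, zone)
            for p in zones if p[3:4] == ("address-book",) and p[4].startswith("address ")}
    policies = [p for p in leaves if p[:2] == ("security", "policies")]
    for p in policies:
        if p[4:7] != ("then", "permit", "destination-nat"): continue   # only policies applying destination NAT
        ctx, pname = p[2], p[3]
        dst = next(q[5].split()[1] for q in policies
                   if q[2:5] == (ctx, pname, "match") and q[5].startswith("destination-address "))
        ip, book_zone = book.get(dst, (None, None))
        if ip not in zone_of_ip: continue                  # not an interface address: the KB's rules do not apply
        want = zone_of_ip[ip]                              # the route lookup places this address in its own zone
        if book_zone != want:
            findings.append(f"{pname}: {dst} must be defined in the {want} zone's address book")
        if ctx != f"from-zone {want} to-zone {want}":
            findings.append(f"{pname}: must be from-zone {want} to-zone {want}, not '{ctx}'")
    return findings
```

Running `lint(CONFIG)` on the configuration above returns no findings; declaring the policy outside-to-inside, or defining host_public in a different zone, each produces one finding.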
