
ScreenOS Cookbook Recipe 8.6 - Configure Destination NAT

Article ID: KB12631
Last Updated: 24 May 2019
Version: 7.0
Summary:
ScreenOS Cookbook Recipe 8.6, copied from the ScreenOS Cookbook, documents how to configure Destination NAT (Network Address Translation).  It has been modified slightly for the NAT Resolution Guide.
Symptoms:
  • I want to configure a destination NAT for an internal server.
  • Users on the Internet will use the Server Public IP address 1.1.1.100 to access the internal server 192.168.1.100.

Recipe 8.6 addresses how to configure Destination NAT (without port mapping): a destination Public IP address is translated to a Private IP address.  Refer to ScreenOS Recipe 8.7 for how to configure Destination PAT (port mapping), in which a destination Public IP address and predetermined port are translated to a Private IP address and another predetermined port.

Solution:
This solution shows how to configure destination NAT (Policy NAT-Dst). 
 
  • Is your Server Public IP address on a different network than the firewall's external/public interface?   For example, in the network diagram above, the Server Public IP, 1.1.1.100, is on a different network than the firewall's Untrust interface IP, 2.2.2.2.
    If so, follow the 'Server Public IP address is on a different network than the Untrust interface IP address' section in the Discussion below.

  • Is your Server Public IP address on the same network as the firewall's external/public interface?  For example, if the Server Public IP address is 2.2.2.3/24, and the firewall's Untrust interface IP is 2.2.2.2/24, then they are on the same network.
    If so, follow the 'Server Public IP address is on the same network as the Untrust interface IP address' section in the Discussion below.

  • Is the Server Public IP address the same IP as the firewall's external/public interface? 
    If so, policy NAT-Dst, which is documented in this recipe, cannot be used.   Instead, configure destination NAT with a VIP.  Go to ScreenOS Cookbook Recipe 8.7 - KB12608.
 

Solution Summary


Configure the address object for the public address:

set address trust server-pub 1.1.1.100/32

Configure a route for the public address to point in the direction of the private address:

set interface ethernet0/0 zone trust
set route 1.1.1.100/32 int e0/0

Configure the destination translation within a policy:

set policy from untrust to trust any server-pub any nat dst ip 192.168.1.100 permit

 


Discussion

Policy NAT-DST was introduced with ScreenOS 5.0. It was designed to replace MIP and VIP. A very common reason why policy NAT-DST is preferred over a MIP is because a MIP supports a public address in a different network than that of the ingress interface only if the ingress interface is in the Untrust zone. On all other zones, MIPs must be in the same network with the IP address of the interface on which they live. This limitation was lifted in ScreenOS 6.1. NAT-DST is not tied to an interface, and therefore, there is no such limitation. However, because MIP is so easy to understand and configure, NAT-DST is most often used for VIP-style configurations (see ScreenOS Recipe 8.7) or very controlled translations such as conditional translation. A policy NAT-DST is a static destination translation. The IP address, or the port, or both, can be translated.

Table 8-7 shows the destination NAT translation configuration.

Table 8-7. Destination NAT translation

Private or local portion                 | Public or global portion
src-ip | dst-ip    | src-port | dst-port | x-src-ip | x-dst-ip      | x-src-port | x-dst-port
Any    | 1.1.1.100 | Any      | Any      | Original | 192.168.1.100 | Original   | Original



Server Public IP address is on a different network than the Untrust interface IP address
First, you need to configure an address object for the public portion of the translation:
set address trust server-pub 1.1.1.100/32
Then, you need to route the public IP address toward the private IP, typically toward the Trust interface. This is important because NAT happens only after the policy check passes, and first the incoming packet needs to match a policy. Once this happens, the destination address of the packet is translated, and another route lookup for the private address follows. This is why the route for the public address does not have a gateway configured.
set interface ethernet0/0 zone trust
set route 192.168.1.0/24 int e0/0
set route 1.1.1.100/32 int e0/0

Unlike with all the other NAT elements, there is no configuration on the interface. The configuration happens within the policy only. The client connects from the source zone; the server is located in the destination zone.
set policy from untrust to trust any server-pub any nat dst ip 192.168.1.100 permit
 
The preceding code will translate the server from its public IP address of 1.1.1.100 to the private IP address of 192.168.1.100.

In short, the policy goes from the zone where the client is located to the zone where the server is located, and a route for the server's public address must point into the zone where the server is located.


Server Public IP address is on the same network as the Untrust interface IP address
There is one exception to this rule. When the public address of the server is in the same network with the IP of the ingress interface, you can optionally install an intra-zone policy. This policy would go from the zone where the public address is located to the same zone. In this case, no route for the public address of the server is necessary because it automatically matches the network of the ingress interface. Here is a sample configuration in which the public address of the server is in the same network as the IP of the ingress interface:
set interface ethernet0/0 zone trust
set interface ethernet0/1 zone untrust
set interface ethernet0/1 ip 1.1.1.2/24
set arp nat-dst
set address untrust server-pub 1.1.1.100/32

set policy from untrust to untrust any server-pub any nat dst ip 192.168.1.100 permit

Note that it is configured with an intra-zone policy (untrust to untrust); a policy from untrust to trust is not needed.
In the preceding configuration, the client is sitting behind the Untrust zone, but the server sits behind the Trust zone. The public IP address of 1.1.1.100 is in the same network as the IP of 1.1.1.2/24 on ingress interface e0/1. A route lookup of 1.1.1.100 naturally would point back to the Untrust zone. Notice the use of an additional command, set arp nat-dst. This command turns on ARP replies for 1.1.1.100.

Unlike with DIPs, MIPs, and VIPs, the firewall does not answer ARP requests for policy NAT-DST by default. In many cases, policy NAT-DST is used with public IP addresses that are not in the same network as the ingress interface. In that case, the neighboring router does not need ARP, but does need a route to the ingress interface.
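A small model of the processing order described above (route lookup on the original destination, policy match on that zone pair, destination rewrite, second route lookup), written for this article as an added example; it is not ScreenOS code or part of the Cookbook. Interface names, zones and the addresses 1.1.1.100, 1.1.1.2/24 and 192.168.1.100 come from the recipe; the default route out of e0/1 is an assumption.

```python
import ipaddress

# Interface -> zone, as in 'set interface ethernet0/x zone <zone>' on the page
IFACE_ZONE = {"e0/0": "trust", "e0/1": "untrust"}

def lookup_route(routes, ip):
    """Longest-prefix match over (prefix, interface) pairs ('set route <prefix> int <if>')."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in routes if addr in ipaddress.ip_network(r[0])]
    if not hits:
        return None
    return max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)[1]

def process(routes, policies, ingress_iface, dst_ip):
    """Model the order ScreenOS applies: route lookup on the ORIGINAL destination picks
    the to-zone, the policy is matched on that zone pair, and only then is the
    destination rewritten and looked up again. Returns (policy index, final dst, egress
    interface) or None when no policy permits the packet."""
    from_zone = IFACE_ZONE[ingress_iface]
    first_hop = lookup_route(routes, dst_ip)
    if first_hop is None:
        return None
    to_zone = IFACE_ZONE[first_hop]
    for idx, pol in enumerate(policies):
        if pol["from"] == from_zone and pol["to"] == to_zone and pol["dst"] in ("any", dst_ip):
            new_dst = pol.get("nat_dst", dst_ip)   # 'nat dst ip <private>' in the policy
            return idx, new_dst, lookup_route(routes, new_dst)  # second lookup, post-NAT
    return None

def needs_arp_nat_dst(iface_ip_cidr, public_ip):
    """True when the public IP lies in the ingress interface's own subnet: the upstream
    router will ARP for it, so 'set arp nat-dst' is required. Otherwise the router needs
    a route toward the firewall instead, and no proxy ARP is involved."""
    return ipaddress.ip_address(public_ip) in ipaddress.ip_interface(iface_ip_cidr).network

# Case 1 (page): public 1.1.1.100 is NOT in the untrust interface's network (2.2.2.2/24).
# The default route via e0/1 is an assumption added for this example.
ROUTES_DIFF = [("0.0.0.0/0", "e0/1"), ("192.168.1.0/24", "e0/0"), ("1.1.1.100/32", "e0/0")]
POLICIES_DIFF = [{"from": "untrust", "to": "trust", "dst": "1.1.1.100", "nat_dst": "192.168.1.100"}]

# Case 2 (page): e0/1 is 1.1.1.2/24, so 1.1.1.100 is connected; intra-zone policy, no host route.
ROUTES_SAME = [("0.0.0.0/0", "e0/1"), ("1.1.1.0/24", "e0/1"), ("192.168.1.0/24", "e0/0")]
POLICIES_SAME = [{"from": "untrust", "to": "untrust", "dst": "1.1.1.100", "nat_dst": "192.168.1.100"}]
```

Dropping the 1.1.1.100/32 host route in case 1 makes the first lookup resolve to the Untrust zone, so the untrust-to-trust policy no longer matches and the packet is not translated; that is the failure the interface route exists to prevent.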

Note: "This recipe/excerpt is used by permission of the publisher, O'Reilly Media, ©2008. All rights reserved. Excerpted from ScreenOS Cookbook, by Stefan Brunner, Ken Draper, David Delcourt, Joe Kelley, Vik Drakar, & Sunil Wadhwa.  ISBN: 0596510039."
Modification History:
2019-05-22: Content reviewed for accuracy.
