
[SRX] How to set up NAT hairpinning


Article ID: KB24639 | KB Last Updated: 23 Jul 2020 | Version: 5.0
Summary:

This article provides instructions on how to set up NAT hairpinning on any SRX series device (supported as of Junos OS 11.2).

Symptoms:

When a client on the internal network uses the server's public IP to reach a server that sits on the same private, internal network, the traffic is sent toward the internet rather than to the server. To reach the server, the SRX has to redirect that traffic to the correct internal location, and the server's replies have to come back the same way. NAT hairpinning is the technique for accessing an internal server through its public IP in this situation.

Cause:

The cause is illustrated by the following scenario, in which only a Destination NAT rule is configured (the client and the server are both in the 10.0.0.0/24 network, and the server is 10.0.0.15):

  • The client sends a request to 155.100.1.1.
  • The SRX uses the Destination NAT rule to translate the destination to 10.0.0.15 and sends the packet back into the internal network.
  • The server replies directly to the client with 10.0.0.15 as the source address; because the client is on the same subnet, the reply does not pass back through the SRX.
  • The client drops the reply because it does not realize that 10.0.0.15 is the same server as 155.100.1.1: it sent the request to 155.100.1.1 and has no session matching a reply from 10.0.0.15.

Solution:

NAT hairpinning is a useful technique for accessing an internal server using a public IP.

In order to ensure that the flow occurs properly:
  • Both the source and destination IP addresses need to be modified, so that each device sees the traffic flowing to and from the addresses it expects. Translating the destination sends the request to the internal server; translating the source (to the SRX interface address) forces the server's reply back through the SRX, where it is un-translated so the client receives it from 155.100.1.1, the IP it originally contacted.

  • Make sure a security policy is configured which allows intra-zone communication in the zone the client and server share (the default zone in this example); without it the hairpinned flow is dropped by the policy lookup.


Configuration Example

set security nat source rule-set hairpin from zone default
set security nat source rule-set hairpin to zone default
set security nat source rule-set hairpin rule hairpin-source match source-address 10.0.0.0/24
set security nat source rule-set hairpin rule hairpin-source then source-nat interface

set security nat destination pool server address 10.0.0.15/32
set security nat destination rule-set hairpin from zone default
set security nat destination rule-set hairpin rule hairpin-destination match destination-address 155.100.1.1/32
set security nat destination rule-set hairpin rule hairpin-destination then destination-nat pool server

set security policies from-zone default to-zone default policy INTRA-default match source-address any
set security policies from-zone default to-zone default policy INTRA-default match destination-address any
set security policies from-zone default to-zone default policy INTRA-default match application any
set security policies from-zone default to-zone default policy INTRA-default then permit
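The flow model below is an added example and is not Juniper's code or part of the original article. It simulates the scenario from the Cause section and the two requirements from the Solution section (source plus destination translation, and an intra-zone permit policy) on the addresses from the configuration example above. The SRX interface address 10.0.0.1, the client address 10.0.0.50 and the port numbers are constructed assumptions; the article does not give them. Running it with hairpin source NAT disabled reproduces the dropped reply from 10.0.0.15; with it enabled, the reply returns through the SRX and reaches the client from 155.100.1.1.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Addresses taken from the article's configuration example
SERVER_PRIVATE = "10.0.0.15"          # destination pool "server"
SERVER_PUBLIC = "155.100.1.1"         # address the client uses
INTERNAL_NET = ip_network("10.0.0.0/24")
# Assumed (not in the article): the SRX's interface address in the default zone;
# "then source-nat interface" rewrites internal sources to this address.
SRX_INTERFACE_IP = "10.0.0.1"
CLIENT_IP = "10.0.0.50"               # constructed client on the same subnet as the server


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class Srx:
    """Toy stateful NAT device: destination NAT, optional hairpin source NAT, intra-zone policy."""

    def __init__(self, hairpin_source_nat: bool, intra_zone_policy: bool = True):
        self.hairpin_source_nat = hairpin_source_nat
        self.intra_zone_policy = intra_zone_policy
        self.sessions: dict = {}      # reverse-flow 4-tuple -> original packet
        self.next_port = 1024         # constructed port allocator for source NAT

    def forward(self, pkt: Packet) -> Optional[Packet]:
        """First packet of a flow: destination NAT, policy lookup, then source NAT."""
        # rule hairpin-destination: 155.100.1.1/32 -> pool server (10.0.0.15)
        dst = SERVER_PRIVATE if pkt.dst == SERVER_PUBLIC else pkt.dst
        # policy INTRA-default (default -> default) must permit, or the flow is dropped
        if not self.intra_zone_policy:
            return None
        src, sport = pkt.src, pkt.sport
        # rule hairpin-source: sources in 10.0.0.0/24 are rewritten to the SRX interface address
        if self.hairpin_source_nat and ip_address(pkt.src) in INTERNAL_NET:
            src, sport = SRX_INTERFACE_IP, self.next_port
            self.next_port += 1
        out = Packet(src, dst, sport, pkt.dport)
        # record the reverse 4-tuple so the reply can be un-translated later
        self.sessions[(out.dst, out.src, out.dport, out.sport)] = pkt
        return out

    def reverse(self, reply: Packet) -> Optional[Packet]:
        """Reply arriving at the SRX: undo both translations using the session entry."""
        orig = self.sessions.get((reply.src, reply.dst, reply.sport, reply.dport))
        if orig is None:
            return None
        return Packet(orig.dst, orig.src, orig.dport, orig.sport)


def simulate(hairpin_source_nat: bool, intra_zone_policy: bool = True):
    """Return (packet the client finally receives, whether the client accepts it)."""
    srx = Srx(hairpin_source_nat, intra_zone_policy)
    request = Packet(CLIENT_IP, SERVER_PUBLIC, 40000, 80)
    inbound = srx.forward(request)
    if inbound is None:
        return None, False                    # dropped by the security policy
    # the server answers whatever source address it saw on the request
    reply = Packet(inbound.dst, inbound.src, inbound.dport, inbound.sport)
    if reply.dst == SRX_INTERFACE_IP:
        delivered = srx.reverse(reply)        # reply goes back through the SRX
    else:
        delivered = reply                     # same subnet: server sends straight to the client
    # the client only accepts a reply that matches the session it opened
    accepted = delivered is not None and (
        delivered.src == request.dst and delivered.dst == request.src
        and delivered.sport == request.dport and delivered.dport == request.sport)
    return delivered, accepted


if __name__ == "__main__":
    for snat in (False, True):
        pkt, ok = simulate(snat)
        print(f"hairpin source NAT {'on ' if snat else 'off'}: client receives {pkt}, accepted={ok}")
```

The `accepted` check is the client's point of view from the Cause section: the reply must come from the address and port the request was sent to. Without the source NAT rule the server's reply bypasses the SRX and arrives from 10.0.0.15, so it fails; with it, the session entry lets the SRX restore 155.100.1.1 as the source before delivery. Disabling `intra_zone_policy` shows the second requirement: the flow never gets as far as source NAT.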

Notes:
Modification History:
2020-07-18: Article reviewed for accuracy; made minor non-technical edits.
