[SRX/J Series] How to set up NAT hairpinning

  [KB24639]


Summary:

This article provides instructions on how to set up NAT hairpinning on any J or SRX series device (supported as of Junos OS 11.2).

Symptoms:

When an internal client connects to an internal server by the server's public IP address, the client sends the traffic to its default gateway (the SRX) as if the destination were on the Internet. For the connection to work, the SRX has to redirect the traffic back into the internal network, and it has to do so in a way that keeps both directions of the flow passing through the SRX. The technique that does this is NAT hairpinning: destination NAT to reach the server, combined with source NAT so that the server's reply returns via the SRX.

Cause:

The cause is shown in the scenario below, which uses the addresses from the configuration example: client 10.0.0.15 and server 10.0.0.5 are in the same zone (default) on 10.0.0.0/24, and the server is published to the Internet as 155.100.1.1.



If only destination NAT is configured in this scenario:

  • The client (10.0.0.15) sends a request to 155.100.1.1. Because that address is not on the local subnet, the packet goes to the SRX as the default gateway.

  • The SRX matches a destination NAT rule and rewrites the destination to 10.0.0.5, sending the packet back out the same internal interface. The source address is still 10.0.0.15.

  • The server sees a request from 10.0.0.15, an address on its own subnet, so it replies directly to 10.0.0.15 without passing through the SRX.

  • The client drops the reply: it opened a connection to 155.100.1.1, not to 10.0.0.5, so a reply from 10.0.0.5 does not match any connection it has. The SRX session never sees the return traffic and eventually times out.
Solution:

NAT hairpinning solves this by translating the source address as well as the destination, so the server's reply is addressed to the SRX rather than to the client, and the SRX can reverse both translations on the way back.

In order to ensure that the flow occurs properly:

  • Both the source and destination IP addresses need to be translated. Destination NAT turns 155.100.1.1 into 10.0.0.5 so the request reaches the server; source NAT replaces the client's address with an address owned by the SRX (in the example below, the internal interface address, via source-nat interface), so the server's reply is sent to the SRX. The SRX then reverses both translations and delivers the reply to the client with a source of 155.100.1.1, the address the client expects. Caveat: with interface-based source NAT the server sees every hairpinned client as the SRX's interface address, so server-side logs and any source-based access controls on the server no longer see the real client IP.

  • Make sure a security policy exists that permits intra-zone traffic in the default zone (from-zone default to-zone default). Junos evaluates security policies after destination NAT, so a destination-address match in that policy must use the server's real address (10.0.0.5), not the public address 155.100.1.1.

Configuration Example


Source NAT. Source NAT rules are evaluated after destination NAT, so the destination-address match uses the server's real address 10.0.0.5. Without that match, every intra-zone flow from 10.0.0.0/24 would be source-translated, not just traffic to the hairpinned server.

set security nat source rule-set hairpin from zone default
set security nat source rule-set hairpin to zone default
set security nat source rule-set hairpin rule hairpin-source match source-address 10.0.0.0/24
set security nat source rule-set hairpin rule hairpin-source match destination-address 10.0.0.5/32
set security nat source rule-set hairpin rule hairpin-source then source-nat interface

Destination NAT. Maps the public address to the server for traffic arriving from the default zone.

set security nat destination pool server address 10.0.0.5/32
set security nat destination rule-set hairpin from zone default
set security nat destination rule-set hairpin rule hairpin-destination match destination-address 155.100.1.1/32
set security nat destination rule-set hairpin rule hairpin-destination then destination-nat pool server

Security policy. Permits intra-zone traffic in the default zone. Once the hairpin is confirmed working, tighten source-address, destination-address (10.0.0.5, the post-NAT address) and application to what the server actually needs.

set security policies from-zone default to-zone default policy INTRA-default match source-address any
set security policies from-zone default to-zone default policy INTRA-default match destination-address any
set security policies from-zone default to-zone default policy INTRA-default match application any
set security policies from-zone default to-zone default policy INTRA-default then permit
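Verification. The following operational-mode commands are an added check, not part of the original article. They confirm that both NAT rules are being hit and that a single session carries both translations; the client address 10.0.0.15 and the hostname in the prompt are assumptions taken from the scenario above.

```junos
user@srx> show security nat destination rule hairpin-destination
user@srx> show security nat source rule hairpin-source
user@srx> show security flow session source-prefix 10.0.0.15
user@srx> show security nat destination summary
user@srx> show security nat source summary
```

Run a connection from the client to 155.100.1.1 first, then check. The "Translation hits" counter in each rule's output should increase by one per new connection. In the flow session output, the In wing should show the original packet (10.0.0.15 to 155.100.1.1) and the Out wing the translated packet (10.0.0.5 to the SRX's internal interface address), with the session matched against policy INTRA-default. If the destination rule shows hits but the source rule does not, the source NAT rule-set is not matching (check the from/to zone and the destination-address match against the post-NAT address); if neither shows hits, the traffic is not reaching the SRX or is not arriving in zone default.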
