
[SRX] Configuration Example: Destination NAT two destinations to same IP address and distinguish based on source address

Article ID: KB27819    Last Updated: 15 Jul 2013    Version: 1.0
Summary:
In the Junos flow, destination NAT is performed before source NAT, so a source NAT rule only ever sees the translated destination address. When two destination NAT rules translate different original destinations to the same address, two source NAT rules that match on that translated destination in the same rule-set are indistinguishable, and only the first one is ever hit. This article shows how to use filter-based forwarding into separate routing instances to give each flow its own source NAT rule-set context, while keeping the translated destination as the match condition for source NAT.
Symptoms:
Two IP addresses are destination NATed to the same IP address: 192.168.69.2 and 192.168.69.3 are both translated to 192.168.70.2. When a user accesses 192.168.69.2, the source address of the traffic should be translated to 192.168.71.1; when a user accesses 192.168.69.3, the source address should be translated to 192.168.72.1.

To summarize the requirement:
When accessing 192.168.69.2:
Change the destination IP to 192.168.70.2 and source IP to 192.168.71.1

When accessing 192.168.69.3:
Change the destination IP to 192.168.70.2 and source IP to 192.168.72.1

Cause:

Assume the packets enter the device through the Untrust zone and, after NAT, leave through the Trust zone. The destination NAT part is straightforward; both rules point at the same pool:

security {
    nat {
        destination {
            pool poolA {
                address 192.168.70.2/32;
            }
            rule-set from-Untrust {
                from zone Untrust;
                rule r1 {
                    match {
                        destination-address 192.168.69.2/32;
                    }
                    then {
                        destination-nat pool poolA;
                    }
                }
                rule r2 {
                    match {
                        destination-address 192.168.69.3/32;
                    }
                    then {
                        destination-nat pool poolA;
                    }
                }
            }
        }
    }
}

Now define the source NAT rules as the requirement suggests, one rule per translated source:

security {
    nat {
        source {
            pool poolA {
                address {
                    192.168.71.1/32;
                }
            }
            pool poolB {
                address {
                    192.168.72.1/32;
                }
            }
            rule-set Untrust-to-Trust {
                from zone Untrust;
                to zone Trust;
                rule r1 {
                    match {
                        destination-address 192.168.70.2/32;
                    }
                    then {
                        source-nat {
                            pool {
                                poolA;
                            }
                        }
                    }
                }
                rule r2 {
                    match {
                        destination-address 192.168.70.2/32;
                    }
                    then {
                        source-nat {
                            pool {
                                poolB;
                            }
                        }
                    }
                }
            }
        }
    }
}


Only rule r1 is ever hit. Both rules belong to the same rule-set (the same from-zone/to-zone context) and have identical match conditions, so the first match wins and r2 is unreachable. Matching on the original destination instead does not help: by the time source NAT runs, destination NAT has already rewritten 192.168.69.2 and 192.168.69.3 to 192.168.70.2, so a source NAT rule has no way to tell the two flows apart on address alone.

Solution:

Topology

(Diagram not reproduced.) Clients reach the SRX on ge-0/0/5.0 (192.168.69.4/28, zone Untrust). The server 192.168.70.2 is reachable from the SRX through two interfaces: ge-0/0/4.0 (192.168.70.1/24, zone Trust, routing instance RI69-2) and ge-0/0/6.0 (192.168.70.3/24, zone Trust-1, routing instance RI69-3).

Configuration

  1. Create a firewall filter that redirects traffic for the two original destinations (which are later translated to the same address) into different routing instances. An input filter is evaluated before flow processing and NAT, so it still sees the original destination addresses 192.168.69.2 and 192.168.69.3. The final term (then accept) is required: a firewall filter ends with an implicit discard, so without it all other traffic arriving on the interface would be dropped.

    root@SRX240HM-15# show firewall
    filter nat-workaround {
        term 1 {
            from {
                destination-address {
                    192.168.69.2/32;
                }
            }
            then {
                routing-instance RI69-2;
            }
        }
        term 2 {
            from {
                destination-address {
                    192.168.69.3/32;
                }
            }
            then {
                routing-instance RI69-3;
            }
        }
        term 3 {
            then accept;
        }
    }


  2. Configure one routing instance per original destination. Each instance contains only the interface through which 192.168.70.2 is reached; the default route with next-table inet.0 hands any other lookup back to the main routing table:

    root@SRX240HM-15# show routing-instances
    RI69-2 {
        instance-type virtual-router;
        interface ge-0/0/4.0;
        routing-options {
            static {
                route 0.0.0.0/0 next-table inet.0;
            }
        }
    }
    RI69-3 {
        instance-type virtual-router;
        interface ge-0/0/6.0;
        routing-options {
            static {
                route 0.0.0.0/0 next-table inet.0;
            }
        }
    }

    Note: 192.168.70.2 must be reachable through both ge-0/0/4.0 and ge-0/0/6.0. The server's replies are addressed to the translated source, so the router/host connected to these interfaces needs routes that send each translated source back through the interface belonging to the matching routing instance:

    For 192.168.71.1 next-hop 192.168.70.1 (ge-0/0/4.0, RI69-2)
    For 192.168.72.1 next-hop 192.168.70.3 (ge-0/0/6.0, RI69-3)


  3. Configure the destination NAT rule:

    root@SRX240HM-15# show security nat destination
    pool 192-168-70-2 {
        address 192.168.70.2/32;
    }
    rule-set 1 {
        from zone Untrust;
        rule 1 {
            match {
                destination-address 192.168.69.3/32;
            }
            then {
                destination-nat pool 192-168-70-2;
            }
        }
        rule 2 {
            match {
                destination-address 192.168.69.2/32;
            }
            then {
                destination-nat pool 192-168-70-2;
            }
        }
    }


  4. Configure the source NAT rule:

    root@SRX240HM-15# show security nat source
    pool 192-168-71-1 {
        address {
            192.168.71.1/32;
        }
    }
    pool 192-168-72-1 {
        address {
            192.168.72.1/32;
        }
    }
    rule-set 71-1 {
        from routing-instance default;
        to routing-instance RI69-2;
        rule 1 {
            match {
                destination-address 192.168.70.2/32;
            }
            then {
                source-nat {
                    pool {
                        192-168-71-1;
                    }
                }
            }
        }
    }

    rule-set 72-1 {
        from routing-instance default;
        to routing-instance RI69-3;
        rule 2 {
            match {
                destination-address 192.168.70.2/32;
            }
            then {
                source-nat {
                    pool {
                        192-168-72-1;
                    }
                }
            }
        }
    }

    Here we have two rules with identical match conditions but in different contexts (rule-sets): the rule-set is selected by the routing instance the packet is routed into, which the firewall filter chose from the original destination. To confirm which rules are hit, check the translation hit counters with show security nat destination rule all and show security nat source rule all, and use show security flow session destination-prefix 192.168.70.2 to see the resulting sessions with their translated addresses.


  5. Complete the rest of the configuration: proxy-arp, interfaces, zones, policies and so on. The SRX must answer ARP for 192.168.69.2 and 192.168.69.3 on ge-0/0/5.0 because both lie in that interface's own subnet, hence the proxy-arp statement. Note that host-inbound-traffic system-services all on the Untrust zone is a lab convenience only; in production, restrict the system services reachable from the untrusted zone to what is actually needed.

    root@SRX240HM-15# show interfaces
    ge-0/0/4 {
        unit 0 {
            family inet {
                address 192.168.70.1/24;
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family inet {
                filter {
                    input nat-workaround;
                }
                address 192.168.69.4/28;
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family inet {
                address 192.168.70.3/24;
            }
        }
    }

    root@SRX240HM-15# show security nat proxy-arp
    interface ge-0/0/5.0 {
        address {
            192.168.69.2/32;
            192.168.69.3/32;
        }
    }

    root@SRX240HM-15# show security zones
    security-zone Untrust {
        host-inbound-traffic {
            system-services {
                all;
            }
        }
        interfaces {
            ge-0/0/5.0;
        }
    }
    security-zone Trust {
        address-book {
            address 192.168.70.2/32 192.168.70.2/32;
        }
        host-inbound-traffic {
            system-services {
                all;
            }
        }
        interfaces {
            ge-0/0/4.0;
        }
    }
    security-zone Trust-1 {
        address-book {
            address 192.168.70.2/32 192.168.70.2/32;
        }
        host-inbound-traffic {
            system-services {
                all;
            }
        }
        interfaces {
            ge-0/0/6.0;
        }
    }

    root@SRX240HM-15# show security policies
    from-zone Untrust to-zone Trust {
        policy Pol1 {
            match {
                source-address any;
                destination-address 192.168.70.2/32;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone Untrust to-zone Trust-1 {
        policy Pol1 {
            match {
                source-address any;
                destination-address 192.168.70.2/32;
                application any;
            }
            then {
                permit;
            }
        }
    }
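
To make the ordering concrete, the following Python model (an added example, not Junos code and not part of the original article) walks a packet through the steps in the order the flow applies them: input filter, destination NAT, then source NAT rule-set selection by context. Run against the "Cause" configuration it shows that r2 is never hit; run against the routing-instance rule-sets from the Solution it shows each original destination reaching its own source pool. The client address 10.0.0.5 is constructed, the routing-instance-to-zone table is derived from the interface placement above, and the model ignores policy lookup, sessions and ports.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Zone reached from each routing instance, taken from the article's interface
# placement: ge-0/0/4.0 (RI69-2) is in Trust, ge-0/0/6.0 (RI69-3) in Trust-1.
# "default" stands for inet.0, which in the "Cause" setup egresses to Trust.
EGRESS_ZONE_BY_RI = {"default": "Trust", "RI69-2": "Trust", "RI69-3": "Trust-1"}

# Destination NAT: both original destinations translate to the same address.
DNAT_RULES = [("192.168.69.2/32", "192.168.70.2"),
              ("192.168.69.3/32", "192.168.70.2")]

# "Cause": one rule-set (zone Untrust -> zone Trust), two rules, same match.
NAIVE_SNAT = {
    ("zone", "Untrust", "zone", "Trust"): [
        ("r1", "192.168.70.2/32", "192.168.71.1"),
        ("r2", "192.168.70.2/32", "192.168.72.1"),
    ],
}

# "Solution": the input filter picks a routing instance from the original
# destination; each source NAT rule-set is bound to one destination instance.
FBF_FILTER = {"192.168.69.2/32": "RI69-2", "192.168.69.3/32": "RI69-3"}
RI_SNAT = {
    ("routing-instance", "default", "routing-instance", "RI69-2"):
        [("1", "192.168.70.2/32", "192.168.71.1")],
    ("routing-instance", "default", "routing-instance", "RI69-3"):
        [("2", "192.168.70.2/32", "192.168.72.1")],
}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    from_zone: str = "Untrust"
    from_ri: str = "default"  # instance of the ingress interface
    to_ri: str = "default"    # instance the route lookup runs in

def in_prefix(addr, prefix):
    return ip_address(addr) in ip_network(prefix)

def apply_fbf(pkt, fbf):
    """Stateless input filter: evaluated before flow/NAT, so it sees the
    original destination. Unmatched traffic stays in inet.0 ('then accept')."""
    for prefix, ri in fbf.items():
        if in_prefix(pkt.dst, prefix):
            return replace(pkt, to_ri=ri)
    return pkt

def apply_dnat(pkt, rules):
    """Destination NAT: the first matching rule rewrites the destination."""
    for prefix, translated in rules:
        if in_prefix(pkt.dst, prefix):
            return replace(pkt, dst=translated)
    return pkt

def context_matches(ctx, pkt):
    """A rule-set context is from/to zone or from/to routing-instance."""
    kind_from, val_from, kind_to, val_to = ctx
    from_ok = pkt.from_zone == val_from if kind_from == "zone" else pkt.from_ri == val_from
    to_ok = EGRESS_ZONE_BY_RI[pkt.to_ri] == val_to if kind_to == "zone" else pkt.to_ri == val_to
    return from_ok and to_ok

def apply_snat(pkt, rulesets):
    """Source NAT: select the rule-set by context, then the first rule whose
    match fits. The destination compared here is already the translated one."""
    for ctx, rules in rulesets.items():
        if context_matches(ctx, pkt):
            for name, prefix, pool in rules:
                if in_prefix(pkt.dst, prefix):
                    return name, replace(pkt, src=pool)
    return None, pkt

def process(pkt, snat_rulesets, fbf=None):
    """Flow order modelled: input filter -> destination NAT -> route lookup in
    the chosen instance -> source NAT. Returns (rule hit, final src, final dst)."""
    if fbf:
        pkt = apply_fbf(pkt, fbf)
    pkt = apply_dnat(pkt, DNAT_RULES)
    rule, pkt = apply_snat(pkt, snat_rulesets)
    return rule, pkt.src, pkt.dst

def shadowed_rules(rules):
    """Rules whose match prefix lies within an earlier rule's prefix in the same
    rule-set can never be hit; worth checking before committing."""
    seen, shadowed = [], []
    for name, prefix, _ in rules:
        net = ip_network(prefix)
        if any(net.subnet_of(earlier) for earlier in seen):
            shadowed.append(name)
        seen.append(net)
    return shadowed

if __name__ == "__main__":
    client = "10.0.0.5"  # constructed client address, not from the article
    for dst in ("192.168.69.2", "192.168.69.3"):
        print("naive    ", dst, process(Packet(client, dst), NAIVE_SNAT))
        print("with FBF ", dst, process(Packet(client, dst), RI_SNAT, FBF_FILTER))
    print("shadowed in naive rule-set:",
          shadowed_rules(NAIVE_SNAT[("zone", "Untrust", "zone", "Trust")]))
```

The shadowed_rules check is the part worth carrying over to real configurations: two rules in one rule-set whose match is the same post-translation prefix are exactly the condition that made the "Cause" configuration fail, and it is easier to spot in a review than from hit counters after the fact.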
