Juniper SRX NAT configuration Example

In this blog post, we will go through the Juniper SRX NAT configuration examples. We will mainly be focusing on four scenarios that are Source NAT, Destination NAT, Static NAT and Port Forwarding.

This blog post assumes prior knowledge of Junos OS and NAT fundamentals. The example is based on vSRX running Junos 21.3R1.9.

Junos Flow Module

Junos order-of-operation is very important when working with NAT. As you can see on the flow module, Static NAT and Destination NAT happen before the Security Policy so, we need to specify the 'real-IP' on our policies. More on this later.

Diagram

The examples are based on the following diagram.

Source NAT

Junos Source NAT or Dynamic PAT (Dynamic Port Adress Translation) is the most commonly used NAT type where multiple internal hosts share the same public IP.

Almost all devices on internal networks don't get public IPs assigned to them (globally routable addresses). One of the main reasons is that there are only a very limited number of public IPs available for us to consume so, devices on internal networks usually have private IP addresses assigned to them (RFC-1918).

Method - 1 Source NAT to Interface IP

In our diagram, we want to translate the source IP address of the users subnet (10.16.1.0/24) to the wan interface IP address (116.85.10.1) of the SRX. For example, when 10.16.1.10 goes out to the Internet, its IP address gets translated to SRX's wan Interface IP 116.85.10.1

Please remember to configure appropriate security policies as well. I did create a wide-open outbound policy for the sake of this example.

set security policies from-zone users to-zone wan policy user_to_wan match destination-address any
set security policies from-zone users to-zone wan policy user_to_wan match application junos-icmp-ping
set security policies from-zone users to-zone wan policy user_to_wan then permit
set security nat source rule-set users_to_wan from zone users
set security nat source rule-set users_to_wan to zone wan
set security nat source rule-set users_to_wan rule snat_pat match source-address 10.16.1.0/24
set security nat source rule-set users_to_wan rule snat_pat match destination-address 0.0.0.0/0
set security nat source rule-set users_to_wan rule snat_pat then source-nat interface
admin@branch_srx# show security nat 
source {
    rule-set users_to_wan {
        from zone users;
        to zone wan;
        rule snat_pat {
            match {
                source-address 10.16.1.0/24;
                destination-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }
}

Now that we've configured the NAT, 10.16.1.10 should be able to ping 8.8.8.8. Let's test it out.

10_16_1_10_pc> ping 8.8.8.8   

84 bytes from 8.8.8.8 icmp_seq=1 ttl=53 time=29.665 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=53 time=33.538 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=53 time=25.339 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=53 time=29.825 ms
84 bytes from 8.8.8.8 icmp_seq=5 ttl=53 time=28.356 ms

You can also use a couple of show commands to verify the status of the NAT.

admin@branch_srx> show security nat source rule snat_pat 
source NAT rule: snat_pat               Rule-set: users_to_wan
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : users
  To zone                    : wan
  Match
    Source addresses         : 10.16.1.0       - 10.16.1.255
    Destination addresses    : 0.0.0.0         - 255.255.255.255
  Action                        : interface
    Persistent NAT type         : N/A 
    Persistent NAT mapping type : address-port-mapping 
    Inactivity timeout          : 0
    Max session number          : 0
  Translation hits           : 135
    Successful sessions      : 135
  Number of sessions         : 4
admin@branch_srx> show security flow session    
Session ID: 286, Policy name: user_to_wan/6, State: Stand-alone, Timeout: 2, Valid
  In: 10.16.1.10/26726 --> 8.8.8.8/1;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84, 
  Out: 8.8.8.8/1 --> 116.85.10.1/17322;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,

Method - 2 Source NAT to IP Pool

Instead of using the SRX's interface IP, you can also use another IP within the same subnet. Let's say we want to translate the source IP to 116.85.10.4 for this example.

💡
Please note that the Proxy ARP must be configured for the Source NAT to work properly when using IP Pools.

Without Proxy ARP, the SRX will not respond to any ARP requests for 116.85.10.4 as shown below in the Wireshark captures. By default, the firewall will respond to the ARP only if the specific IP is configured on one of its interfaces.

I'm going to amend the configuration to use the IP Pool instead of the Interface IP.

set security nat proxy-arp interface ge-0/0/0.0 address 116.85.10.4
set security nat source pool source_nat address 116.85.10.4/32
set security nat source rule-set users_to_wan from zone users
set security nat source rule-set users_to_wan to zone wan
set security nat source rule-set users_to_wan rule snat_pat match source-address 10.16.1.0/24
set security nat source rule-set users_to_wan rule snat_pat match destination-address 0.0.0.0/0
set security nat source rule-set users_to_wan rule snat_pat then source-nat pool source_nat
source {
    pool source_nat {
        address {
            116.85.10.4/32;
        }
    }
    rule-set users_to_wan {
        from zone users;
        to zone wan;
        rule snat_pat {
            match {
                source-address 10.16.1.0/24;
                destination-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    pool {
                        source_nat;
                    }
                }
            }
        }
    }
}

proxy-arp {
    interface ge-0/0/0.0 {
        address {
            116.85.10.3/32;
            116.85.10.4/32;
        }
    }
}

Destination NAT

Junos Destination NAT is generally used where the traffic destined for a public address is sent to a private address. For example, let's say we have a public-facing web server in our company which is accessible from the Internet and we want to translate the public IP address to the real private IP of the server.

Let's say a user from the Internet initiates a connection to 116.85.10.3 and when the connection arrives at the SRX's wan interface, we want to translate the IP address from 116.85.10.3 to 10.16.9.10 and forward it to the webserver.

💡
Please note that the Proxy ARP must be configured for the destination NAT to work properly. 

Without Proxy ARP, the SRX will not respond to any ARP requests for 116.85.10.3 as shown below in the Wireshark captures.

As I mentioned at the beginning of the post, you need to use the real-address on the Security Policies (10.16.9.10) because the NAT translation happens before the security policies.

Please keep in mind that you also need to configure appropriate security policies to allow connections originating from the Internet to your web-server. I allowed any IP address on any application to talk to the web-server.

set security zones security-zone dmz address-book address web_server_ip 10.16.9.10/32

set security policies from-zone wan to-zone dmz policy to_web_server match source-address any
set security policies from-zone wan to-zone dmz policy to_web_server match destination-address web_server_ip
set security policies from-zone wan to-zone dmz policy to_web_server match application any
set security policies from-zone wan to-zone dmz policy to_web_server then permit
set security nat proxy-arp interface ge-0/0/0.0 address 116.85.10.3/32
set security nat destination pool web_server address 10.16.9.10/32
set security nat destination rule-set to_web_server from zone wan
set security nat destination rule-set to_web_server rule web_server_incoming match destination-address 116.85.10.3/32
set security nat destination rule-set to_web_server rule web_server_incoming then destination-nat pool web_server
destination {
    pool web_server {
        address 10.16.9.10/32;
    }
    rule-set to_web_server {
        from zone wan;
        rule web_server_incoming {
            match {
                destination-address 116.85.10.3/32;
            }
            then {
                destination-nat {
                    pool {
                        web_server;
                    }
                }
            }
        }
    }
}
proxy-arp {
    interface ge-0/0/0.0 {
        address {
            116.85.10.3/32;
        }
    }
}
admin@branch_srx> show security nat destination rule all   
Total destination-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 1/0
Destination NAT rule: web_server_incoming    Rule-set: to_web_server
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : wan
    Destination addresses    : 116.85.10.3     - 116.85.10.3
  Action                     : web_server
  Translation hits           : 447
    Successful sessions      : 440
  Number of sessions         : 5

Please note that both Source and Destination NAT are unidirectional meaning the traffic is NATed only in one way. (Due to the Stateful nature of the NAT, the reply traffic is always NATed)

Static NAT

Junos Static NAT is used to create a one-to-one mapping from one IP address to another IP address. The mapping includes destination IP address translation in one direction and source IP address translation in the reverse direction.

Static NAT allows connections to be originated from either side of the network (bidirectional), but translation is limited to one-to-one or between blocks of addresses of the same size. For each private address, a public address must be allocated. To demonstrate static NAT, let's create a static NAT between 10.16.9.20 and 116.85.10.5

As usual, let's configure security policies, Proxy ARP and finally NAT.

set security zones security-zone dmz address-book address auth_server_ip 10.16.9.20/32

set security policies from-zone wan to-zone dmz policy to_web_server match source-address any
set security policies from-zone wan to-zone dmz policy to_web_server match destination-address auth_server_ip
set security policies from-zone wan to-zone dmz policy to_web_server match application any
set security policies from-zone wan to-zone dmz policy to_web_server then permit
set security nat proxy-arp interface ge-0/0/0.0 address 116.85.10.5/32

set security nat static rule-set static_nat_auth_server from zone wan
set security nat static rule-set static_nat_auth_server rule auth_server match destination-address 116.85.10.5/32
set security nat static rule-set static_nat_auth_server rule auth_server then static-nat prefix 10.16.9.20/32
static {
    rule-set static_nat_auth_server {
        from zone wan;
        rule auth_server {
            match {
                destination-address 116.85.10.5/32;
            }
            then {
                static-nat {
                    prefix {
                        10.16.9.20/32;
                    }
                }
            }
        }                               
    }
}

proxy-arp {
    interface ge-0/0/0.0 {
        address {
            116.85.10.3/32;
            116.85.10.4/32;
            116.85.10.5/32;
        }
    }
}
admin@branch_srx> show security nat static rule all 
Total static-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0
Static NAT rule: auth_server            Rule-set: static_nat_auth_server
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : wan
  Destination addresses      : 116.85.10.5
  Host addresses             : 10.16.9.20
  Netmask                    : 32
  Host routing-instance      : N/A
  Translation hits           : 18
    Successful sessions      : 8
  Number of sessions         : 0

Port Forwarding

Junos Port-forwarding falls under the Destination NAT hierarchy whereas you can not only translate the destination IP but also the port number. To demonstrate this, let's assume a client on the Internet initiates the connection to 116.85.10.2 on port 8000 and we want to send the traffic to our DMZ server 10.16.9.15 on port 80.

set security nat proxy-arp interface ge-0/0/0.0 address 116.85.10.2/32

set security zones security-zone dmz address-book address port_foward_server_ip 10.16.9.15/32

set security policies from-zone wan to-zone dmz policy port_forward match source-address any
set security policies from-zone wan to-zone dmz policy port_forward match destination-address port_foward_server_ip
set security policies from-zone wan to-zone dmz policy port_forward match application any
set security policies from-zone wan to-zone dmz policy port_forward then permit

set security nat destination pool port_foward_server address 10.16.9.15/32
set security nat destination pool port_foward_server address port 80

set security nat destination rule-set to_web_server rule port_forwarding match destination-address 116.85.10.2/32
set security nat destination rule-set to_web_server rule port_forwarding match destination-port 8000
set security nat destination rule-set to_web_server rule port_forwarding then destination-nat pool port_foward_server
admin@branch_srx# show | compare 
[edit security nat destination]
      pool web_server { ... }
+     pool port_foward_server {
+         address 10.16.9.15/32 port 80;
+     }
[edit security nat destination rule-set to_web_server]
       rule web_server_incoming { ... }
+      rule port_forwarding {
+          match {
+              destination-address 116.85.10.2/32;
+              destination-port {
+                  8000;
+              }
+          }
+          then {
+              destination-nat {
+                  pool {
+                      port_foward_server;
+                  }
+              }
+          }
+      }
[edit security nat proxy-arp interface ge-0/0/0.0 address]
       116.85.10.5/32 { ... }
+      116.85.10.2/32;
[edit security policies from-zone wan to-zone dmz]
      policy to_web_server { ... }
+     policy port_forward {
+         match {
+             source-address any;
+             destination-address port_foward_server_ip;
+             application any;
+         }
+         then {
+             permit;
+         }
+     }
[edit security zones security-zone dmz address-book]
       address auth_server_ip { ... }
+      address port_foward_server_ip 10.16.9.15/32;

Closing Thoughts

I have to admit that I got caught up by the Proxy ARP when I started working with SRX firewalls. I spent hours trying to figure out why my NAT wasn't working.

I hope you like my blog post. If you have any thoughts or questions about Junos NAT, please feel free to leave a comment or send me a message. I would love to continue the discussion and hear your perspective. Again, thank you for taking the time to read my post and for supporting my writing.