SRX


STATIC NAT and Security Policy on SRX

  • 1.  STATIC NAT and Security Policy on SRX

    Posted 09-08-2017 08:39

    Hi everyone,

     

    I apologize for the long-winded email but I want to provide as much info as possible to get this concept straight.

     

    Please consider following cases:

     

    CASE1: STATIC NAT (Only Changing destination IP)

     

    H1 199.199.199.1/24--------199.199.199.10/24 -F1 SRX F2 -10.10.10.1-------10.10.10.2 SERVER

     

    F1 in Zone A

    F2 in Zone B

     

    All traffic from H1 destined to Server enters F1 on SRX with destination IP 200.200.200.2

    SRX has a Static NAT where we change destination 200.200.200.2 to 10.10.10.2 and route it to Server.

     

    Traffic from H1 to Server:

    1. Traffic enters F1 with destination IP 200.200.200.2 and SRC IP 199.199.199.1
    2. SRX has a static NAT rule which says all traffic with destination IP 200.200.200.2 and from Zone A must have destination IP NATted to 10.10.10.2
    3. We configure our Security Policy on POST NAT IP which says all traffic from ZONE1 to ZONE2 is allowed; note that the reference of Zones is determined after the NAT is already performed, and using route lookup we determine “from ZONE to Zone”
    4. Note above order of operation i.e. NAT then Security policy evaluation

     

    Return traffic:

    From Server to H1

    1. Traffic enters F2 on SRX with SRC IP 10.10.10.2 and destination IP 199.199.199.1

    What will happen next NAT or Security Policy evaluation?

    If NAT occurs first, i.e. SRC IP 10.10.10.2 replaced by 200.200.200.2 then Security Policy evaluation, then we have an issue:

     

    200.200.200.2 Is not configured on any interface on SRX so we cannot determine Zone for Security policy.

     

    If Security Policy occurs first, will the Zones for Security Policy be determined based on PRE NAT IP, i.e. SRC IP 10.10.10.2, destination IP 199.199.199.1?

     

    ################

     

    Case2: (Only Changing SRC IP)

     

    H1 199.199.199.1/24--------199.199.199.10/24 F1 SRX F2 10.10.10.1-------10.10.10.2 SERVER

    F1 in Zone A

    F2 in Zone B

    GOAL:

    All traffic from H1 must reach Server with SRC IP 10.10.10.10

    Traffic from H1 to Server:

    Traffic with SRC IP 199.199.199.1, destination IP 10.10.10.2 enters F1 on SRX.

     

    Based on Order of operation diagram shown below, NAT occurs first

    [Image: Capture.PNG]

    On SRX we have NAT rule that says all traffic from ZONE A must have SRC NATTED to 10.10.10.10

    Based on the Diagram above, Zones for Security Policies are determined on POST NAT IP i.e. SRC IP 10.10.10.10 Right?

     

    Return traffic:

     

    Traffic with SRC IP 10.10.10.2 destination IP 10.10.10.10 enters F2 on SRX.

    What will happen next?

    Will SRX first perform NAT, i.e. destination IP 10.10.10.10 is replaced by 199.199.199.1, then Security Policy evaluation? If yes, are Security Zones determined based on POST NAT IP?

     

    OR

     

     

    Security Policy evaluation first, then NAT? If yes, are Security Zones determined based on PRE NAT IP?

     

    #####################

     

    Thanks and have a nice weekend!!



  • 2.  RE: STATIC NAT and Security Policy on SRX
    Best Answer

     
    Posted 09-09-2017 05:53

    When doing destination nat this is evaluated before security policy check.

     

    When doing source nat security policy check is before nat address change.

     

    Security policy is only needed in the direction zone to zone of the initiator of that traffic.  Return packets will match this existing flow and will not be evaluated against new policies but the existing flow match.

     

    Static nat is slightly different: it applies source translation from the device out when a match occurs inside to outside, and will apply destination nat to the flow when the traffic direction is outside to inside on the same rule.  Static nat is a convenience to prevent having to create two nat rules, one for source out and another for destination in.  This creates a static mapping for an internal address to an external one.  This also means you cannot then share this external address across multiple internal servers splitting out the ports.
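
A simplified model of the order of operations described in the answer above, added here as an example; it is not part of the original thread and is not Junos code. The `Firewall` class, its policy tuples and the prefix-to-zone table are assumptions built from the CASE 1 addresses in the question.

```python
from dataclasses import dataclass

# Constructed values from CASE 1 of the question; zones A/B as in the thread.
ROUTES = {"199.199.199.": "A", "10.10.10.": "B"}   # prefix -> egress zone
STATIC_NAT = {"200.200.200.2": "10.10.10.2"}       # public -> real address
REVERSE_NAT = {real: pub for pub, real in STATIC_NAT.items()}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def egress_zone(ip):
    """Route lookup stand-in: map a destination address to its zone."""
    return next((z for p, z in ROUTES.items() if ip.startswith(p)), None)

class Firewall:
    def __init__(self, policies):
        self.policies = policies   # permit tuples: (from_zone, to_zone, src, dst)
        self.sessions = {}         # packet as received -> packet as forwarded

    def permitted(self, from_zone, to_zone, src, dst):
        return any(p[:2] == (from_zone, to_zone) and p[2] in ("any", src)
                   and p[3] in ("any", dst) for p in self.policies)

    def process(self, pkt, ingress_zone):
        # Fast path: a packet of an existing session skips the policy lookup.
        if pkt in self.sessions:
            return "session", self.sessions[pkt]
        # First path, step 1: destination side of static NAT, then route lookup.
        real_dst = STATIC_NAT.get(pkt.dst, pkt.dst)
        to_zone = egress_zone(real_dst)
        # Step 2: policy sees the untranslated source and the translated destination.
        if not self.permitted(ingress_zone, to_zone, pkt.src, real_dst):
            return "deny", None
        # Step 3: source side of static NAT is applied after the policy check.
        out = Packet(REVERSE_NAT.get(pkt.src, pkt.src), real_dst)
        # Install both directions so replies match the flow, not the policy table.
        self.sessions[pkt] = out
        self.sessions[Packet(out.dst, out.src)] = Packet(pkt.dst, pkt.src)
        return "policy", out

if __name__ == "__main__":
    fw = Firewall([("A", "B", "any", "10.10.10.2")])
    print(fw.process(Packet("199.199.199.1", "200.200.200.2"), "A"))
    print(fw.process(Packet("10.10.10.2", "199.199.199.1"), "B"))
```

In this model a policy written against 200.200.200.2 never matches, and a server-initiated connection is denied until a B-to-A policy on the real address 10.10.10.2 exists.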



  • 3.  RE: STATIC NAT and Security Policy on SRX

    Posted 09-10-2017 09:38

    Hi Spuluka,

     

    Thanks for your response.

     

    Security policy is only needed in the direction zone to zone of the initiator of that traffic.  Return packets will match this existing flow and will not be evaluated against new policies but the existing flow match.

     

    ##############

     

    So basically:

     

    H1 199.199.199.1--199.199.199.2 F1 SRX-F2 10.10.10.2----10.10.10.10 SERVER

     

    where 200.200.200.2 destination IP is mapped to 10.10.10.10 using STATIC NAT on SRX:

     

     

    If we are sure traffic H1 will always be initiator then we do not need Security Policy for return traffic; as you mentioned, return traffic will be matched to existing flow.

     

    On the other hand, if server has to initiate traffic, that means we need Security policy BASED ON pre nat ip; however, return traffic, i.e. host to server, does not need any security policy as it will match existing flow.

     

    Did I get it right?

     

     

    Have a nice weekend!!



  • 4.  RE: STATIC NAT and Security Policy on SRX

     
    Posted 09-11-2017 02:15

    Correct.



  • 5.  RE: STATIC NAT and Security Policy on SRX

    Posted 09-11-2017 07:15

    Thanks