
Destination NAT

  • 1.  Destination NAT

    Posted 07-28-2017 18:24

    Hi all, 

    I have two scenarios shown below. 

    1. Destination NAT same IP address facing the Internet. 

    PC:80 (web service) -------- SRX:80 (IP: x.x.x.x) ---------the Internet

    I have the PC and the SRX both with service port 80 turned on. After that, I configure destination NAT from the untrust zone with IP x.x.x.x, which is the IP on the SRX facing the Internet, to the PC's address.
    What happens when I type https://x.x.x.x in a web browser? I think it will access PC:80 instead of SRX:80. Can anyone verify this for me?

    2. Destination NAT range pool to range destination NAT IP 
    PC1, PC2, PC3  ---------- SRX --------- the Internet
    I have a destination NAT pool of y.y.y.y/29 (representing PC1, PC2, PC3) and a destination NAT IP of x.x.x.x/29. When I do destination NAT from the untrust zone with x.x.x.x/29 to the pool y.y.y.y/29, what is going on?
    I have some possible outcomes in mind but I don't know which is true:
    a. I ping test x.x.x.1 and it maps to PC1, x.x.x.2 maps to PC2, etc.
    b. I ping test x.x.x.x and it also maps to PC1.
    c. I ping test x.x.x.1 and it maps randomly within y.y.y.y/29.

    Regards, 
    Hoang Nguyen Huy



  • 2.  RE: Destination NAT
    Best Answer

    Posted 07-29-2017 03:03
    1. Destination NAT same IP address facing the Internet.

    PC:80 (web service) -------- SRX:80 (IP: x.x.x.x) ---------the Internet

    I have the PC and the SRX both with service port 80 turned on. After that, I configure destination NAT from the untrust zone with IP x.x.x.x, which is the IP on the SRX facing the Internet, to the PC's address. What happens when I type https://x.x.x.x in a web browser? I think it will access PC:80 instead of SRX:80. Can anyone verify this for me?

    No. When you use https:, a web browser uses port 443 by default, not 80.

    So the traffic will no longer hit your destination NAT rule.


    If you have the web service enabled on the SRX over HTTP, you will need to move it to a custom port before you can use destination NAT to forward port 80 on the SRX address as well. You cannot have the same port on a single address sent to two devices.


    2. Destination NAT range pool to range destination NAT IP 
    PC1, PC2, PC3  ---------- SRX --------- the Internet
    I have a destination NAT pool of y.y.y.y/29 (representing PC1, PC2, PC3) and a destination NAT IP of x.x.x.x/29. When I do destination NAT from the untrust zone with x.x.x.x/29 to the pool y.y.y.y/29, what is going on?
    I have some possible outcomes in mind but I don't know which is true:
    a. I ping test x.x.x.1 and it maps to PC1, x.x.x.2 maps to PC2, etc.
    b. I ping test x.x.x.x and it also maps to PC1.
    c. I ping test x.x.x.1 and it maps randomly within y.y.y.y/29.

    A. Destination NAT on a range maps block to block.


    https://www.juniper.net/documentation/en_US/junos/topics/concept/nat-security-destination-understanding.html


    Destination NAT allows connections to be initiated only for incoming network connections—for example, from the Internet to a private network. Destination NAT is commonly used to perform the following actions:

    • Translate a single IP address to another address (for example, to allow a device on the Internet to connect to a host on a private network).
    • Translate a contiguous block of addresses to another block of addresses of the same size (for example, to allow access to a group of servers).
    • Translate a destination IP address and port to another destination IP address and port (for example, to allow access to multiple services using the same IP address but different ports).
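
As an added illustration of both scenarios in the answer above (this is example configuration written for this page, not code from the poster or from Juniper's documentation), the following Junos set-style commands move J-Web off port 80, forward port 80 on the SRX's own address to a single host, and map a public /29 onto a private /29 block to block. All addresses, zone names, interface names and pool/rule names are assumptions: ge-0/0/0.0 is the untrust interface with 203.0.113.1/24, ge-0/0/1.0 is the trust interface, the single web server is 10.0.1.10, the public block for the three PCs is 203.0.113.8/29, and the private block is 10.0.0.0/29 (so 203.0.113.9 maps to 10.0.0.1, .10 to .2, and so on).

```junos
# Example configuration for this thread (assumed addressing, not from the original post).
# Untrust: ge-0/0/0.0 = 203.0.113.1/24.  Trust: ge-0/0/1.0, hosts 10.0.0.0/29 and 10.0.1.10.

## Scenario 1: J-Web and the forwarded web server cannot share 203.0.113.1:80.
## Move J-Web to another port and bind it to the trust interface only.
set system services web-management http port 8080
set system services web-management http interface ge-0/0/1.0
set security zones security-zone trust host-inbound-traffic system-services http
# Do NOT add http/https to host-inbound-traffic on the untrust zone; https://203.0.113.1
# (port 443) matches no destination NAT rule below and is then simply dropped.

## Pool for the single web server. The pool port is the real server port.
set security nat destination pool pc-web address 10.0.1.10/32
set security nat destination pool pc-web port 80

## Scenario 2: block-to-block pool. The pool prefix must be the same size as the prefix
## matched by its rule; addresses are translated offset by offset (.9 -> .1, .10 -> .2, ...).
set security nat destination pool pc-block address 10.0.0.0/29

## Only one destination NAT rule-set may use the same "from" context, so both rules
## share it. Rules are evaluated top to bottom; the port-specific rule goes first.
set security nat destination rule-set from-internet from zone untrust
set security nat destination rule-set from-internet rule web-80 match destination-address 203.0.113.1/32
set security nat destination rule-set from-internet rule web-80 match destination-port 80
set security nat destination rule-set from-internet rule web-80 then destination-nat pool pc-web
set security nat destination rule-set from-internet rule block-29 match destination-address 203.0.113.8/29
set security nat destination rule-set from-internet rule block-29 then destination-nat pool pc-block

## 203.0.113.9-14 are not interface addresses, so the SRX must answer ARP for them on
## the untrust segment (skip .8 and .15, the network and broadcast of the /29).
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.9/32 to 203.0.113.14/32

## Security policy is evaluated AFTER destination NAT, so the policy must reference the
## private (post-NAT) addresses. Permit only the services actually exposed.
set security address-book global address web-pc 10.0.1.10/32
set security address-book global address pc-block 10.0.0.0/29
set security policies from-zone untrust to-zone trust policy in-web match source-address any
set security policies from-zone untrust to-zone trust policy in-web match destination-address web-pc
set security policies from-zone untrust to-zone trust policy in-web match application junos-http
set security policies from-zone untrust to-zone trust policy in-web then permit
set security policies from-zone untrust to-zone trust policy in-block match source-address any
set security policies from-zone untrust to-zone trust policy in-block match destination-address pc-block
set security policies from-zone untrust to-zone trust policy in-block match application junos-icmp-ping
set security policies from-zone untrust to-zone trust policy in-block then permit
```

After committing, `show security nat destination rule all` shows the hit counters per rule, and `show security flow session destination-prefix 10.0.1.10` confirms that a connection to 203.0.113.1:80 was translated to 10.0.1.10:80, while a connection to 203.0.113.1:443 creates no such session because neither rule matches it. With this layout, a ping to 203.0.113.9 is translated to 10.0.0.1 (PC1) and 203.0.113.10 to 10.0.0.2 (PC2), matching outcome (a) in the question.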