
Source and Destination NAT in SRX

  • 1.  Source and Destination NAT in SRX

    Posted 03-01-2019 06:05

    Hi,

    I am trying to establish a site-to-site IPSec tunnel with our client. The VPN would be on a separate router, but behind it we have SRX1500 firewalls. I need help with the NAT configuration and with understanding the return traffic flow.

    Here is the HW and path setup:

    Client ----> Internet ----> (IPSec Router) -> (SRX FW1) -> (SRX FW2) -> InternalHost

    Here are the details:

    The client has host IP 10.10.1.0/24 (one end of the VPN host) and asked us to use IP 10.10.2.0/24 (our end of the VPN host) for their convenience of routing. So, we will NAT/translate this 10.10.2.0/24 (taking one IP, 10.10.2.1) in SRX FW1 to our actual Internal Host IP 192.168.2.1. I would need help to verify this configuration:

    ==

    set security nat destination rule-set rulesetname rule rulename match source-address-name 10.10.1.0_24
    set security nat destination rule-set rulesetname rule rulename match destination-address-name 10.10.2.1
    set security nat destination rule-set rulesetname rule rulename then destination-nat pool pool_192-168-2-1

    set security policies from-zone untrustzone to-zone trustzone policy policyname match source-address 10.10.1.0/24
    set security policies from-zone untrustzone to-zone trustzone policy policyname match destination-address 192.168.2.1
    set security policies from-zone untrustzone to-zone trustzone policy policyname match application junos-https
    set security policies from-zone untrustzone to-zone trustzone policy policyname match application junos-ping
    set security policies from-zone untrustzone to-zone trustzone policy policyname then permit

    ==

    Now, we do not want to add their host route (10.10.1.0/24) in our environment and hence we intend to configure source NAT. The IP for source NAT we want to use is 192.168.1.1. Now, because the Internal host (192.168.2.1) is behind my 2nd FW (SRX FW2), I am kind of confused and need help to understand:

    -> What would be the policy (source & destination) I should put in SRX FW2 for my return traffic from the Internal Host?

    -> What would be the source NAT configuration in SRX FW1?

    -> Is any configuration needed inside the Internal host for the return traffic, which will be for 10.10.1.1 (translated IP 192.168.1.1 in SRX FW2)?

    Appreciate your help.

    BR//

    Adnan



  • 2.  RE: Source and Destination NAT in SRX

     
    Posted 03-01-2019 08:23

    Hi Adnan,

     

    First, I would use static NAT instead of destination/source nat.  

     

    Regarding policies, think about it this way: 

     

    - Destination NAT happens BEFORE a policy is applied.

    - Source NAT happens AFTER the policy is applied. 

     

    So when you write a policy, you need to match on the translated destination address (and port when applicable) and the unnatted source address. 

     

    Let me know if this helps,

     

    Regards,

     

    Yasmin. 



  • 3.  RE: Source and Destination NAT in SRX

     
    Posted 03-01-2019 08:58

    Not sure the picture was added to my previous post, so here it is:

    [image: NAT.png]



  • 4.  RE: Source and Destination NAT in SRX

    Posted 03-12-2019 08:42

    Hi Yasmin,

    Thank you for your reply. 

    This setup is inbound connections only (meaning Client to InternalHost). InternalHost will not make any outbound connection, other than replying to inbound connections from the client. Hence, I believe, I do not need the right-hand side configuration on your diagram. Can you please confirm?

    I do not want to route 10.10.1/24 to my FW2 (trying not to inject any external route into my FW2). Is static NAT enough, or do I need additional configuration (such as source NAT)?

     

    Thank you again.

     

    BR//

    Adnan



  • 5.  RE: Source and Destination NAT in SRX

     
    Posted 03-12-2019 13:52

    When you configure static NAT you are configuring destination NAT AND source NAT.  For example:

    [image: STATIC NAT.png]



  • 6.  RE: Source and Destination NAT in SRX

     
    Posted 03-12-2019 14:58

    OK, I think I understand your scenario a little better now. So you have two options:

    - w/ static NAT

    - w/ Source and Destination NAT

    [image: SOURCE and DESTINATION NAT OPTION.png]

    [image: STATIC NAT OPTION.png]

    Let me know if this helps or if you have any questions.

     



  • 7.  RE: Source and Destination NAT in SRX

    Posted 04-23-2020 12:02

    This was awesome - the diagrams illustrated the process very clearly - this helped me troubleshoot and fix an issue we were having with an IPsec tunnel with source and destination NAT at the same time. Thanks a lot!



  • 8.  RE: Source and Destination NAT in SRX

     
    Posted 03-01-2019 17:57

    Client ----> Internet ----> (IPSec Router) -> (SRX FW1) -> (SRX FW2) -> InternalHost

     

    If I follow your description correctly, you want, on the inbound traffic from the VPN, to destination NAT the subnet 10.10.2.0/24 to 192.168.2.0/24.

    At the same time you need to NAT the incoming traffic 10.10.1.0/24 to 192.168.1.0/24.

    So we need to do double NAT, both source and destination translation, in both directions of traffic.

     

    This is best done on the SRX FW1 terminating the VPN, using the zone of the st0.x interface of your route-based VPN.

    Security policies will be between the zone of the st0.x interface and the interface zone facing SRX FW2.

     

    Inbound:

    set security nat source pool src-nat-pool-1 address 192.168.1.0/24
    set security nat source rule-set rs1 from zone vpn_interface <<<<YOUR ZONE NAME
    set security nat source rule-set rs1 rule r1 match source-address 10.10.1.0/24
    set security nat source rule-set rs1 rule r1 then source-nat pool src-nat-pool-1
    set security nat destination pool dst-nat-pool-1 address 192.168.2.0/24
    set security nat destination rule-set rs1 from zone vpn_interface <<<<YOUR ZONE NAME
    set security nat destination rule-set rs1 rule r1 match destination-address 10.10.2.0/32
    set security nat destination rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1

    Outbound:

    set security nat source pool src-nat-pool-1 address 10.10.2.0/24
    set security nat source rule-set rs1 from zone vpn_interface <<<<YOUR ZONE NAME
    set security nat source rule-set rs1 rule r1 match source-address 192.168.2.0/24
    set security nat source rule-set rs1 rule r1 match destination-address 0.0.0.0/0
    set security nat source rule-set rs1 rule r1 then source-nat pool src-nat-pool-1
    set security nat destination pool dst-nat-pool-1 address 10.10.1.0/24
    set security nat destination rule-set rs1 from zone vpn_interface <<<<YOUR ZONE NAME
    set security nat destination rule-set rs1 rule r1 match destination-address 192.168.1.0/32
    set security nat destination rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1

     



  • 9.  RE: Source and Destination NAT in SRX

    Posted 03-12-2019 08:36

    Hi Steve,

    Thank you for your reply. 

    This setup is inbound connections only (meaning Client to InternalHost). InternalHost will not make any outbound connection, other than replying to inbound connections from the client. Hence, I believe, I do not need the Outbound configuration that you have provided.

    I rewrote the configuration that you have provided. Additionally, the Client will only be accessing a single InternalHost, so I changed a few lines from /24 to /32 (using 192.168.2.2/32 as InternalHost, 10.10.2.2/32 as the NATed IP for InternalHost). Can you please:

     

    1) Verify the below configuration:

    FW1:
    set security nat destination pool dst-nat-pool-1 address 192.168.2.2/32
    set security nat destination rule-set rs1 from zone vpn_interface <<<<YOUR ZONE NAME
    set security nat destination rule-set rs1 rule r1 match source-address 10.10.1.0/24
    set security nat destination rule-set rs1 rule r1 match destination-address 10.10.2.2/32
    set security nat destination rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1

    set security policies from-zone vpn to-zone internal policy yyyy match source-address 10.10.1.0/24
    set security policies from-zone vpn to-zone internal policy yyyy match destination-address 192.168.2.2/32
    set security policies from-zone vpn to-zone internal policy yyyy match application junos-ping
    set security policies from-zone vpn to-zone internal policy yyyy then permit

    set security nat source pool src-nat-pool-1 address 192.168.1.0/24
    set security nat source rule-set rs1 from zone vpn_interface <<<<YOUR ZONE NAME
    set security nat source rule-set rs1 rule r1 match source-address 10.10.1.0/24
    set security nat source rule-set rs1 rule r1 match destination-address 192.168.2.2/32
    set security nat source rule-set rs1 rule r1 then source-nat pool src-nat-pool-1

     

    FW2:
    set security policies from-zone fw1 to-zone fw2internal policy yyyy match source-address 192.168.1.0/24
    set security policies from-zone fw1 to-zone fw2internal policy yyyy match destination-address 192.168.2.2/32
    set security policies from-zone fw1 to-zone fw2internal policy yyyy match application junos-ping
    set security policies from-zone fw1 to-zone fw2internal policy yyyy then permit

     

    2) Confirm whether I can change 192.168.1.0/24 to 192.168.1.2/32 in the following line and it will still work:

    "set security nat source pool src-nat-pool-1 address 192.168.1.0/24" ---> change to "set security nat source pool src-nat-pool-1 address 192.168.1.2/32"

     

    Thank you again. 

     

    BR//

    Adnan

     

     



  • 10.  RE: Source and Destination NAT in SRX

     
    Posted 03-13-2019 03:01

    Since the traffic is inbound only, you will need only one direction of NAT.

    Static NAT is only needed when the device initiates communications in both directions.

    Also, in this case you need to double NAT, changing both the source and destination of the incoming packets.  I have found using source NAT at the same time as static NAT does not work.

    So your configuration is double NAT in one direction only, changing both the source and destination address of the same packet.

     

    1) Verify the below configuration:

    FW1:

    Looks good
    set security nat destination pool dst-nat-pool-1 address 192.168.2.2/32
    set security nat destination rule-set rs1 from zone vpn_interface <<<<YOUR ZONE NAME
    set security nat destination rule-set rs1 rule r1 match source-address 10.10.1.0/24
    set security nat destination rule-set rs1 rule r1 match destination-address 10.10.2.2/32
    set security nat destination rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1

    Looks good

    set security policies from-zone vpn to-zone internal policy yyyy match source-address 10.10.1.0/24
    set security policies from-zone vpn to-zone internal policy yyyy match destination-address 192.168.2.2/32
    set security policies from-zone vpn to-zone internal policy yyyy match application junos-ping
    set security policies from-zone vpn to-zone internal policy yyyy then permit

    I assume this pool changes based on question below

    set security nat source pool src-nat-pool-1 address 192.168.1.2/32 
    set security nat source rule-set rs1 from zone vpn_interface <<<<YOUR ZONE NAME
    set security nat source rule-set rs1 rule r1 match source-address 10.10.1.0/24
    set security nat source rule-set rs1 rule r1 match destination-address 192.168.2.2/32
    set security nat source rule-set rs1 rule r1 then source-nat pool src-nat-pool-1

     

    FW2: 

    Looks good:
    set security policies from-zone fw1 to-zone fw2internal policy yyyy match source-address 192.168.1.0/24
    set security policies from-zone fw1 to-zone fw2internal policy yyyy match destination-address 192.168.2.2/32
    set security policies from-zone fw1 to-zone fw2internal policy yyyy match application junos-ping
    set security policies from-zone fw1 to-zone fw2internal policy yyyy then permit

     

    2) Can you please confirm if I can change 192.168.1.0/24 to 192.168.1.2/32 in the following line and will still work.

    Yes, this is good

    "set security nat source pool src-nat-pool-1 address 192.168.1.0/24" ---> change to

    "set security nat source pool src-nat-pool-1 address 192.168.1.2/32"

     

    You will also need to be sure the return route on FW2 points the NAT pool address 192.168.1.2/32 back to FW1, or that it otherwise has this route in its table.

     

    I assume the destination nat address is the real address of the local device so that route is already available.
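    To make the ordering from Yasmin's reply (destination NAT before the policy lookup, source NAT after it) and the double NAT reviewed above concrete, here is an added Python model of FW1's first-packet flow and of the session-based reverse translation for the reply; it is not from the thread or from Junos, uses the thread's addresses, and the rule tables are constructed assumptions.

```python
import ipaddress

# Constructed FW1 tables mirroring the reviewed config (one direction only).
DST_NAT_RULES = [  # (match src, match dst, translated dst) -> dst-nat-pool-1
    ("10.10.1.0/24", "10.10.2.2/32", "192.168.2.2"),
]
SRC_NAT_RULES = [  # (match src, match post-NAT dst, translated src) -> src-nat-pool-1
    ("10.10.1.0/24", "192.168.2.2/32", "192.168.1.2"),
]
# Policy yyyy: original source, TRANSLATED destination (policy runs after dst NAT).
POLICY_CORRECT = [("10.10.1.0/24", "192.168.2.2/32", "permit")]
# Common mistake: matching the pre-NAT destination 10.10.2.2 in the policy.
POLICY_WRONG = [("10.10.1.0/24", "10.10.2.2/32", "permit")]


def _in(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def _lookup(rules, src, dst):
    for m_src, m_dst, translated in rules:
        if _in(src, m_src) and _in(dst, m_dst):
            return translated
    return None


def first_packet(src, dst, policies):
    """SRX order: dst NAT -> policy -> src NAT. Returns (permitted, session)."""
    post_dst = _lookup(DST_NAT_RULES, src, dst) or dst          # step 1
    permitted = any(_in(src, p_src) and _in(post_dst, p_dst) and act == "permit"
                    for p_src, p_dst, act in policies)          # step 2
    if not permitted:
        return False, None
    post_src = _lookup(SRC_NAT_RULES, src, post_dst) or src     # step 3
    # Session entry: what FW2 sees is the translated pair.
    return True, {"orig": (src, dst), "xlat": (post_src, post_dst)}


def reply_packet(session, src, dst):
    """Reverse the reply via the session; no NAT rule lookup is needed."""
    if (src, dst) != (session["xlat"][1], session["xlat"][0]):
        return None  # not the reverse of this session
    o_src, o_dst = session["orig"]
    return (o_dst, o_src)  # 10.10.2.2 -> original client address
```

    The same model shows why FW2 only needs a policy and a route for 192.168.1.2/32 pointing back at FW1: by the time the packet leaves FW1 its source is already 192.168.1.2.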

     



  • 11.  RE: Source and Destination NAT in SRX

    Posted 03-13-2019 08:51

    Thank you very much Steve, for reviewing the config. 

    I will proceed with the solution that you mentioned. In case anything needs to change, I will let you know. Thanks again for your quick reply.