Source NAT:

user@host> show security flow session
Session ID: 45454, Policy name: default-permit/4
  In:  192.168.0.10/1739 --> 11.11.11.11/80;tcp, If: ge-0/0/2.0
  Out: 11.11.11.11/80 --> 12.12.12.12/5454;tcp, If: ge-0/0/3.0
So the SRX rewrote the source of the outgoing flow: 192.168.0.10/1739 left the box as 12.12.12.12/5454, which is why the reply (the Out wing) is addressed to 12.12.12.12/5454 and not to the LAN host. To configure this you can use:
set security nat source rule-set 1 from zone LAN
set security nat source rule-set 1 to zone WAN
set security nat source rule-set 1 rule 1A match source-address 0.0.0.0/0
set security nat source rule-set 1 rule 1A then source-nat interface
So, very simply, this says: create a source NAT rule-set, which houses the rules (a rule-set can hold many rules; they are evaluated in order and the first match wins). The rule-set applies to traffic going from zone LAN to zone WAN.
The first rule in the rule-set is rule 1A. It matches anything coming from zone LAN towards zone WAN (source-address 0.0.0.0/0), and those packets get source-NATed.
The IP written into the packet is the one on the outgoing interface (source-nat interface); the source port is rewritten too, so many hosts can share that one address.
So, for example: if the packet leaves via interface ge-0/0/0.0 and that interface holds 11.11.11.11, the SRX writes 11.11.11.11 as the source; if it leaves via another interface holding 11.11.11.12, it writes 11.11.11.12. The translated address simply follows the egress interface.
Sometimes you want to dictate which IP is placed in the outgoing packet, independent of the egress interface. For that you use an IP pool: create the pool under the source NAT stanza, then invoke it from the then statement of a rule in the source NAT rule-set.
set security nat source pool A address 11.11.11.13/32

Now I can invoke it:

set security nat source rule-set 1 from zone LAN
set security nat source rule-set 1 to zone WAN
set security nat source rule-set 1 rule 1A match source-address 0.0.0.0/0
set security nat source rule-set 1 rule 1A then source-nat pool A

As you can see, the only change from the rule above is that source-nat interface became source-nat pool A.
Both of the above use PAT (port address translation): every flow leaves with the same source IP and gets its own translated source port.
Sometimes, though, you want a plain address translation, so that the port does not change. To do that, configure a pool whose addresses are handed out one-to-one (one translated IP per source host) with port translation disabled. Once all the pool's addresses are in use, new sessions that need an address are dropped.
set security nat source pool B address 11.11.11.1/32 to 11.11.11.254/32
set security nat source pool B port no-translation

There we are: 254 IPs, and no PAT. The only problem is that once we run out of IPs, new sessions are dropped :(((
To avoid those drops you can OVERFLOW into a second pool:

set security nat source pool C address 11.11.11.1/32 to 11.11.11.254/32
set security nat source pool C port no-translation
set security nat source pool C overflow-pool Z

So basically, if pool C runs out of IPs, new sessions use the backup pool Z instead of being dropped. Z has to be defined as well, and it is a PAT pool (the overflow is where you fall back to sharing addresses); you can also give interface instead of a pool name to overflow onto the egress interface address.
In general it is a good idea to know when this is happening. You can set up an alarm to tell you:

set security nat source pool-utilization-alarm raise-threshold 50 clear-threshold 40

So when a pool's utilization reaches 50% the SRX raises the alarm (an SNMP trap), and when it drops back to 40% it sends another trap clearing it. The gap between the two thresholds stops the alarm from flapping around a single value.
Sometimes you want a fixed, predictable mapping between the public IP and the LAN IP. For that you can use address shifting:

set security nat source pool D address 11.11.11.1/32 to 11.11.11.254/32
set security nat source pool D host-address-base 192.168.0.1/32

host-address-base is the original source address that maps onto the first address in the pool; every host after it is shifted by the same offset. So now:

192.168.0.1 will always get IP 11.11.11.1
192.168.0.2 will always get IP 11.11.11.2
etc, etc

The sizes should match: the pool has to be at least as large as the range of source addresses the rule sends to it (a /24 of hosts for this 254-address pool).
Last thing is an exception. You can set one up for a specific destination and turn NAT off for it, by giving that rule a then statement of source-nat off. Because rules are matched in order, the exception has to sit above the catch-all rule:

then {
    source-nat off;
}
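Putting the pieces above together, here is an added example (not from the original post) of a complete source NAT setup; it also shows two things the fragments above skip, rule order and proxy ARP. It assumes zones LAN and WAN, a WAN interface ge-0/0/3.0 with address 11.11.11.254/24, pool address ranges of my own choosing, an 8-host block 192.168.0.64/29 for address shifting, and an internal destination 10.0.0.0/8 that must not be translated; none of those values come from the post.

```junos
# Pools. Addresses are assumed; ge-0/0/3.0 is assumed to hold 11.11.11.254/24.
# Pool C: one-to-one, no PAT; when its 100 addresses are all in use, fall back to pool Z.
set security nat source pool C address 11.11.11.1/32 to 11.11.11.100/32
set security nat source pool C port no-translation
set security nat source pool C overflow-pool Z
# Pool Z: a single-address PAT pool, used only as the overflow target.
set security nat source pool Z address 11.11.11.200/32
# Pool D: address shifting for exactly 8 hosts, 192.168.0.64-71 -> 11.11.11.101-108.
set security nat source pool D address 11.11.11.101/32 to 11.11.11.108/32
set security nat source pool D host-address-base 192.168.0.64/32
# SNMP trap when any pool passes 50% in use, cleared again at 40%.
set security nat source pool-utilization-alarm raise-threshold 50 clear-threshold 40

# Rule-set. Rules are tried top to bottom and the first match wins, so the
# exception and the narrow shifting rule must sit above the catch-all.
set security nat source rule-set LAN-to-WAN from zone LAN
set security nat source rule-set LAN-to-WAN to zone WAN
# 1) traffic to the assumed internal network 10.0.0.0/8 (a VPN peer, say) leaves untranslated
set security nat source rule-set LAN-to-WAN rule no-nat match source-address 192.168.0.0/24
set security nat source rule-set LAN-to-WAN rule no-nat match destination-address 10.0.0.0/8
set security nat source rule-set LAN-to-WAN rule no-nat then source-nat off
# 2) the 8 hosts in 192.168.0.64/29 each keep a fixed public address via pool D
set security nat source rule-set LAN-to-WAN rule shifted match source-address 192.168.0.64/29
set security nat source rule-set LAN-to-WAN rule shifted then source-nat pool D
# 3) everyone else gets a one-to-one address from pool C, overflowing into Z
set security nat source rule-set LAN-to-WAN rule everyone match source-address 0.0.0.0/0
set security nat source rule-set LAN-to-WAN rule everyone then source-nat pool C

# None of the pool addresses are configured on ge-0/0/3.0, so the SRX has to
# answer ARP for them or the upstream router never sends return traffic back.
set security nat proxy-arp interface ge-0/0/3.0 address 11.11.11.1/32 to 11.11.11.108/32
set security nat proxy-arp interface ge-0/0/3.0 address 11.11.11.200/32
```

After committing, show security nat source rule all confirms the rule order and shows hit counts per rule, show security nat source pool all shows how many addresses of C and D are in use, and a show security flow session for a host in 192.168.0.64/29 should always show the same 11.11.11.101-108 address on its Out wing. Swapping rule shifted below rule everyone would silently send those 8 hosts through pool C instead, with no commit error.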
OK. Same thing the other way around: Destination NAT.

Destination NAT happens before the zone and policy lookup, simply because the destination the packet ends up going to decides which zone it lands in, and therefore which security policy applies. That is also why a destination NAT rule-set only has a from side (a zone, interface or routing-instance) and no to zone.
set security nat destination pool A address 192.168.0.1/32
set security nat destination rule-set 1 from zone WAN
set security nat destination rule-set 1 rule 1A match destination-address 11.11.11.11/32
set security nat destination rule-set 1 rule 1A then destination-nat pool A

So, very simply: in destination NAT the pool is the LAN host, and the destination address in the rule is the public address on the WAN side. If a packet gets a hit on the rule, its destination is rewritten to the LAN one.
The same thing can be done with a range of IPs:

set security nat destination pool A address 192.168.0.1/32 to 192.168.0.100/32
You can be more granular and specify a destination port as well. This is useful for port forwarding (PAT):

set security nat destination pool C address 192.168.0.1/32 port 8080
set security nat destination rule-set 1 from zone WAN
set security nat destination rule-set 1 rule 2A match destination-address 11.11.11.11/32
set security nat destination rule-set 1 rule 2A match destination-port 80
set security nat destination rule-set 1 rule 2A then destination-nat pool C

So now we added a destination port on the rule (what the outside world connects to, 80) and a destination port on the pool (what the LAN host really listens on, 8080).
As you noticed, each of the above translates ONE direction, either source or destination. If what you want is a fixed one-to-one mapping, then instead of writing a source NAT rule and a destination NAT rule you can write one static NAT rule:

set security nat static rule-set R1 from zone WAN
set security nat static rule-set R1 rule A match destination-address 11.11.11.11/32
set security nat static rule-set R1 rule A then static-nat prefix 192.168.0.1/32

So basically everything coming in to 11.11.11.11 is translated to 192.168.0.1, and everything going out from 192.168.0.1 is translated to 11.11.11.11 too: the reverse mapping is enabled automatically. Static NAT also takes precedence over destination NAT and source NAT rules that would match the same traffic.
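As an added example (not from the original post) that ties the destination NAT and static NAT sections together: destination NAT with port translation for a web server, static NAT for a second host, the proxy ARP both need, and the security policy that NAT by itself does not give you. Assumptions: zones WAN and LAN, WAN interface ge-0/0/3.0 holding 11.11.11.254/24, public addresses 11.11.11.11 and 11.11.11.12 that are not configured on the interface, a web server 192.168.0.1 listening on 8080, and a second host 192.168.0.2.

```junos
# Destination NAT: 11.11.11.11:80 from the WAN -> 192.168.0.1:8080 (addresses assumed)
set security nat destination pool web-8080 address 192.168.0.1/32 port 8080
set security nat destination rule-set dst-from-WAN from zone WAN
set security nat destination rule-set dst-from-WAN rule web match destination-address 11.11.11.11/32
set security nat destination rule-set dst-from-WAN rule web match destination-port 80
set security nat destination rule-set dst-from-WAN rule web then destination-nat pool web-8080

# Static NAT: 11.11.11.12 <-> 192.168.0.2, all ports, both directions from one rule
set security nat static rule-set static-from-WAN from zone WAN
set security nat static rule-set static-from-WAN rule host2 match destination-address 11.11.11.12/32
set security nat static rule-set static-from-WAN rule host2 then static-nat prefix 192.168.0.2/32

# Neither public address is configured on ge-0/0/3.0, so the SRX must answer ARP for them
set security nat proxy-arp interface ge-0/0/3.0 address 11.11.11.11/32 to 11.11.11.12/32

# NAT only rewrites headers; a policy still has to permit the session. Policy lookup
# runs after destination/static NAT, so the policy matches the translated (LAN)
# addresses, not 11.11.11.11 or 11.11.11.12.
set security address-book global address web-server 192.168.0.1/32
set security address-book global address host2 192.168.0.2/32
set security policies from-zone WAN to-zone LAN policy inbound match source-address any
set security policies from-zone WAN to-zone LAN policy inbound match destination-address web-server
set security policies from-zone WAN to-zone LAN policy inbound match destination-address host2
set security policies from-zone WAN to-zone LAN policy inbound match application any
set security policies from-zone WAN to-zone LAN policy inbound then permit
```

A policy written against 11.11.11.11 would never match and the SRX would drop the inbound sessions even though the NAT rule shows hits; show security nat destination rule all and show security nat static rule all show those hit counters, and show security flow session destination-prefix 192.168.0.1 shows whether the translated sessions actually got through. Tighten application any to the real services once it works.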
Now, you can also have the SRX drop rather than forward traffic, depending on whether it was translated, with the drop-translated keyword (or drop-untranslated for the opposite case):

drop-translated;
Commands for monitoring:

show security flow session            shows the sessions and the translation, if one happened
show security nat source rule 1A      shows a summary of one rule (rule all for every rule in the rule-set)
show security nat source pool all     shows info on the pools, including the addresses in use
show security nat source summary      a summary of source NAT

show security nat destination rule all and show security nat static rule all do the same for the other two NAT types.