
NAT


Overview: 

How to set up NAT on a JunOS firewall: outbound PAT (source NAT) and inbound destination NAT.

Outbound PAT:

1: Zone To-From match:

Define what the source and destination zones will be:
set security nat source rule-set source-nat from zone inside
set security nat source rule-set source-nat to zone dmz
Where "inside" and "dmz" are zones that have already been defined. The to-zone is whatever zone the translated traffic leaves through; for Internet-bound PAT that would typically be "outside".

2: rule #1 - do not match for internal routes

Create a rule that does not NAT traffic that stays internal:
set security nat source rule-set source-nat rule nat-off match source-address 10.100.0.0/16
set security nat source rule-set source-nat rule nat-off match destination-address-name rfc3330
set security nat source rule-set source-nat rule nat-off then source-nat off
Note that "rfc3330" would be an address-set name that covers all non-routable IPs (see the References section below for an example). Rules within a rule-set are evaluated top-down and the first match wins, so this exemption must be configured before the catch-all rule in step 3.

3: rule #2 - match everything else

Create a rule that matches any other traffic and applies the NAT to it:
set security nat source rule-set source-nat rule patOut match source-address-name internalIp
set security nat source rule-set source-nat rule patOut then source-nat pool patIp1
Here "internalIp" would be another address book name that covers the internal IPs behind the "inside" interface. In this example it would be the same as "10.100.0.0/16".

4: use this NAT IP for match:

Define the IP that will be used for the PAT:
set security nat source pool patIp1 address 1.1.1.100/32
If the pool address is not an address already configured on the egress interface, also add proxy-ARP for it (the same "set security nat proxy-arp" form used in the inbound example below), otherwise the upstream router cannot resolve the NAT address and return traffic is dropped.

3-4: rule #2 - match everything else and NAT to the external interface:

If you want the NAT to simply use the address of the external interface, use the "interface" keyword instead of defining a separate pool:
set security nat source rule-set source-nat rule patOut match source-address-name internalIp
set security nat source rule-set source-nat rule patOut then source-nat interface
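The following is an added example, not JunOS or Juniper code: a small Python model of the outbound rule-set built in steps 1 to 4. It uses the page's own names and prefixes (internalIp, rfc3330, patIp1, the nat-off and patOut rules) and shows why rule order matters: the rules are evaluated top-down and the first match decides, so reversing them silently PATs internal-to-internal traffic. The egress interface address (203.0.113.1) and the sample flows are constructed values.

```python
"""Added example, not JunOS or Juniper code: a model of the outbound
source-NAT rule-set described above. Rules are evaluated top-down and the
first rule whose match terms all hold decides the action, which is why the
nat-off exemption has to precede the patOut catch-all."""
import ipaddress

# Global address book, using the page's own names and prefixes.
# "rfc3330" is the address-set from the References section.
ADDRESS_BOOK = {
    "internalIp": ["10.100.0.0/16"],
    "rfc3330": [
        "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
        "172.16.0.0/12", "192.0.2.0/24", "192.88.99.0/24", "192.168.0.0/16",
        "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
    ],
}

# Source pool as on the page. EGRESS_IP is a constructed placeholder for the
# address of the egress interface used by "then source-nat interface".
POOLS = {"patIp1": "1.1.1.100"}
EGRESS_IP = "203.0.113.1"

# Rule-set "source-nat" (from zone inside to zone dmz), in configuration order.
# A match term of None means the rule does not constrain that field.
RULES = [
    {"name": "nat-off", "src": "10.100.0.0/16", "dst": "rfc3330", "then": "off"},
    {"name": "patOut", "src": "internalIp", "dst": None, "then": "pool patIp1"},
]


def _networks(term):
    """Expand a match term (a prefix, an address name or an address-set name)."""
    members = ADDRESS_BOOK.get(term, [term])
    return [ipaddress.ip_network(m) for m in members]


def _matches(addr, term):
    """True if addr falls inside the term; an absent term matches anything."""
    if term is None:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in _networks(term))


def evaluate(src, dst, rules=RULES):
    """Return (matching rule name, translated source) for a flow src -> dst.

    A rule name of None means no rule matched; the flow is then left
    untranslated, just as "then source-nat off" leaves it."""
    for rule in rules:
        if _matches(src, rule["src"]) and _matches(dst, rule["dst"]):
            action = rule["then"]
            if action == "off":
                return rule["name"], src
            if action == "interface":
                return rule["name"], EGRESS_IP
            _, pool = action.split()          # "pool <name>"
            return rule["name"], POOLS[pool]
    return None, src


if __name__ == "__main__":
    # Constructed sample flows; 198.51.100.7 is a documentation address.
    for src, dst in [("10.100.1.5", "10.100.2.9"),
                     ("10.100.1.5", "198.51.100.7"),
                     ("10.200.1.1", "198.51.100.7")]:
        print(src, "->", dst, evaluate(src, dst))
    # The same internal flow with the rules reversed is wrongly PATed.
    print("reversed:", evaluate("10.100.1.5", "10.100.2.9", rules=RULES[::-1]))
```

Running the script prints the internal flow as untranslated under nat-off, the Internet-bound flow PATed to 1.1.1.100, and the non-internalIp source left alone because no rule matched; the last line shows the reversed rule-set PATing the internal flow.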

Inbound NAT:

Define the inside server in the global address book and create a policy that permits traffic to it. Destination NAT is applied before the policy lookup, so the policy's destination-address is the server's real address (remoteDevice), not the external VIP:
set security address-book global address remoteDevice 10.3.3.3
set security policies from-zone outside to-zone inside policy natAccross match source-address any
set security policies from-zone outside to-zone inside policy natAccross match destination-address remoteDevice
set security policies from-zone outside to-zone inside policy natAccross match application any
set security policies from-zone outside to-zone inside policy natAccross then permit

Define the destination NAT pool (the internal address the traffic is translated to) and a rule that matches the outside VIP:
set security nat destination pool dstIP address 10.3.3.3
set security nat destination rule-set rule1 from zone outside
set security nat destination rule-set rule1 rule r1 match destination-address 3.3.3.3
set security nat destination rule-set rule1 rule r1 then destination-nat pool dstIP

And bind the external VIP to the interface, so that the firewall answers ARP requests for it:
set security nat proxy-arp interface ge-0/0/0.0 address 3.3.3.3
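The following is an added example, not Juniper code: a Python model of the order in which the firewall handles the inbound flow configured above. Destination NAT runs first, the to-zone is found by routing the translated address, and only then is the security policy looked up. It uses the page's names (remoteDevice, dstIP, rule r1, policy natAccross); the routing table that maps 10.3.0.0/16 to zone "inside" and the sample source 198.51.100.7 are constructed assumptions. The last case shows that a policy written against the VIP 3.3.3.3 instead of remoteDevice never matches.

```python
"""Added example, not Juniper code: a model of the SRX flow order for the
inbound NAT above. Destination NAT is applied first, the to-zone comes from a
route lookup on the translated address, and the security policy is evaluated
last. That ordering is why the policy references remoteDevice (10.3.3.3)
rather than the external VIP 3.3.3.3."""
import ipaddress

# Address book and NAT objects, using the page's names.
ADDRESS_BOOK = {"remoteDevice": "10.3.3.3/32", "any": "0.0.0.0/0"}
DST_POOLS = {"dstIP": "10.3.3.3"}
DST_NAT_RULES = [  # rule-set rule1, from zone outside
    {"name": "r1", "from_zone": "outside", "dst": "3.3.3.3/32", "pool": "dstIP"},
]
# Constructed routing table (an assumption): prefix -> zone of the egress interface.
ROUTES = {"10.3.0.0/16": "inside", "0.0.0.0/0": "outside"}
# Security policies as on the page; first match wins, default action is deny.
POLICIES = [
    {"name": "natAccross", "from": "outside", "to": "inside",
     "src": "any", "dst": "remoteDevice", "then": "permit"},
]


def _in(addr, term):
    """True if addr is inside the address-book entry or literal prefix 'term'."""
    prefix = ADDRESS_BOOK.get(term, term)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)


def apply_dst_nat(from_zone, dst, rules=DST_NAT_RULES):
    """Return (translated destination, matching rule name or None)."""
    for r in rules:
        if r["from_zone"] == from_zone and _in(dst, r["dst"]):
            return DST_POOLS[r["pool"]], r["name"]
    return dst, None


def route_zone(addr):
    """Longest-prefix match of the (already translated) destination."""
    ip = ipaddress.ip_address(addr)
    best = max((ipaddress.ip_network(p) for p in ROUTES
                if ip in ipaddress.ip_network(p)),
               key=lambda n: n.prefixlen)
    return ROUTES[str(best)]


def policy_lookup(from_zone, to_zone, src, dst, policies=POLICIES):
    """First matching policy decides; no match means the default deny."""
    for p in policies:
        if ((p["from"], p["to"]) == (from_zone, to_zone)
                and _in(src, p["src"]) and _in(dst, p["dst"])):
            return p["then"], p["name"]
    return "deny", None


def process(from_zone, src, dst, policies=POLICIES):
    """Run one flow through dst-NAT, zone lookup and policy; return the outcome."""
    nat_dst, nat_rule = apply_dst_nat(from_zone, dst)
    to_zone = route_zone(nat_dst)
    action, policy = policy_lookup(from_zone, to_zone, src, nat_dst, policies)
    return {"dst": nat_dst, "nat_rule": nat_rule, "to_zone": to_zone,
            "policy": policy, "action": action}


if __name__ == "__main__":
    print(process("outside", "198.51.100.7", "3.3.3.3"))   # permitted via natAccross
    print(process("outside", "198.51.100.7", "3.3.3.4"))   # no NAT rule, denied
    # A policy that names the VIP instead of remoteDevice never matches,
    # because the destination has already been translated to 10.3.3.3.
    vip_policy = [{"name": "wrong", "from": "outside", "to": "inside",
                   "src": "any", "dst": "3.3.3.3/32", "then": "permit"}]
    print(process("outside", "198.51.100.7", "3.3.3.3", policies=vip_policy))
```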


References: 

RFC3330 example:

A simple way to define all the non-routable (special-use) ranges from RFC 3330 as a single address-set, which the nat-off rule above references by name:
set security address-book global address-set rfc3330 address this
set security address-book global address-set rfc3330 address 1918a
set security address-book global address-set rfc3330 address loopback
set security address-book global address-set rfc3330 address linklocal
set security address-book global address-set rfc3330 address 1918b
set security address-book global address-set rfc3330 address testnet
set security address-book global address-set rfc3330 address 6to4anycast
set security address-book global address-set rfc3330 address 1918c
set security address-book global address-set rfc3330 address benchmark
set security address-book global address-set rfc3330 address classd
set security address-book global address-set rfc3330 address classe

set security address-book global address this 0.0.0.0/8
set security address-book global address 1918a 10.0.0.0/8
set security address-book global address loopback 127.0.0.0/8
set security address-book global address linklocal 169.254.0.0/16
set security address-book global address 1918b 172.16.0.0/12
set security address-book global address testnet 192.0.2.0/24
set security address-book global address 6to4anycast 192.88.99.0/24
set security address-book global address 1918c 192.168.0.0/16
set security address-book global address benchmark 198.18.0.0/15
set security address-book global address classd 224.0.0.0/4
set security address-book global address classe 240.0.0.0/4
