Overview:How to setup NATing on a JunOS firewall. Outbound PAT (source nat): 1: Zone To-From match:Define what the source and destination zones will be:
set security nat source rule-set source-nat from zone insideset security nat source rule-set source-nat to zone dmzWhere "inside" and "outside" are zones that are previously defined.
2: rule #1 - do not match for internal routesCreate a rule that does not nat traffic that is staying internal
set security nat source rule-set source-nat rule nat-off match source-address 10.100.0.0/16set security nat source rule-set source-nat rule nat-off match destination-address-name rfc3330set security nat source rule-set source-nat rule nat-off then source-nat offnote that "rfc3330" would be a address book name that defines all non-routable IPs. (see below for an example of this)
3: rule #2 - match everything elseCreate a rule that matches any other traffic, and applys the nat to it.
set security nat source rule-set source-nat rule patOut match source-address-name internalIpset security nat source rule-set source-nat rule patOut then source-nat pool patIp1Here "internalIP" would be another address book name that equated to the internal IPs behind the "inside" interface. With this example it would be the same as "10.100.0.0/16".
4: use this NAT IP for match:Define the IP that will be used for the PATting:
set security nat source pool patIp1 address 1.1.1.100/323-4: rule #2 -match everything else and NAT to external interface:If you want the NAT to simply use the external interface for the NAT IP, then you can use the "interface" variable instead of defining a different IP for the NAT. set security nat source rule-set source-nat rule patOut match source-address-name internalIpset security nat source rule-set source-nat rule patOut then source-nat interfaceInbound NAT (destination nat): Define the policy that will allow traffic to flow to the server from the outside: set security policies from-zone dmz1 to-zone prod3 policy webIn match source-address anyset security policies from-zone dmz1 to-zone prod3 policy webIn match destination-address web1set security policies from-zone dmz1 to-zone prod3 policy webIn match application webIGV-8083set security policies from-zone dmz1 to-zone prod3 policy webn match application junos-httpsset security policies from-zone dmz1 to-zone prod3 policy webIn then permit!set security address-book global address web1 10.33.64.108/32Define the VIP (and port it's listening on) set security nat destination rule-set Public_VIPs rule web-in match destination-address 9.30.6.25/32set security nat destination rule-set Public_VIPs rule web-in match destination-port 443set security nat destination rule-set Public_VIPs rule web-in then destination-nat pool web_443Define the Server (and port its listening on) set security nat destination pool web_443 address 10.33.64.108/32set security nat destination pool web_443 address port 443And listen from the outside interface set security nat destination rule-set Public_VIPs from zone dmz1And do a proxy arp so that it listens to traffic to that IP set security nat proxy-arp interface ge-0/0/0 address 9.30.6.254/32References:RFC3330 example:Just an easy way to define all non-routable IPs: set security address-book global address-set rfc3330 address thisset security address-book global address-set rfc3330 address 1918aset security address-book global address-set rfc3330 address loopbackset security address-book global address-set rfc3330 address linklocalset security address-book global address-set rfc3330 address 1918bset security address-book global address-set rfc3330 address testnetset security address-book global address-set rfc3330 address 6to4anycastset security address-book global address-set rfc3330 address 1918cset security address-book global address-set rfc3330 address benchmarkset security address-book global address-set rfc3330 address classdset security address-book global address-set rfc3330 address classeset security address-book global address this 0.0.0.0/8set security address-book global address 1918a 10.0.0.0/8set security address-book global address loopback 127.0.0.0/8set security address-book global address linklocal 169.254.0.0/16set security address-book global address 1918b 172.16.0.0/12set security address-book global address testnet 192.0.2.0/24set security address-book global address 6to4anycast 192.88.99.0/24set security address-book global address 1918c 192.168.0.0/16set security address-book global address benchmark 198.18.0.0/15set security address-book global address classd 224.0.0.0/4set security address-book global address classe 240.0.0.0/4Other Links:
|