This is an illustrated guide to configuring the various types of Network Address Translation (NAT) on the Juniper SRX series. Each example gives the configuration on the SRX, along with what the client and server on either side of the SRX performing the NAT see and experience, shown through working examples.
For this example, we'll translate anything going to 10.80.80.100 through .103 on port 7777 to the server at 10.80.80.84, port 5555. First we'll start netcat on the server, listening on port 5555 and waiting to serve up another awesome message.
juniper@server:~$ echo "THIS IS ANOTHER FLURKING TEST\!" > testfile
juniper@server:~$ nc -l 5555 < testfile
Before the destination NAT is enabled, we'll run a baseline test from the client.
juniper@client:~$ telnet 10.80.80.100 7777
Trying 10.80.80.100...
telnet: Unable to connect to remote host: Connection refused
juniper@client:~$
Next, we'll enable the desired translation by committing the following configlet on the SRX:
[edit security nat]
juniper@SRX# show
destination {
    pool DESTINATION-NAT {
        address 10.80.80.84/32 port 5555;
    }
    rule-set DESTINATION-NAT {
        from zone UNTRUST;
        rule DESTINATION-NAT {
            match {
                destination-address 10.80.80.100/30;
            }
            then {
                destination-nat {
                    pool {
                        DESTINATION-NAT;
                    }
                }
            }
        }
    }
}

[edit security nat]
juniper@SRX#
Taking a look at the session on the SRX, we can see the desired translation has taken place. Note that the rule matches on destination address only, so this configlet redirects every port on 10.80.80.100 through .103 to 10.80.80.84 port 5555, not just port 7777; add a destination-port match to the rule if only one port should be translated.
juniper@SRX# run show security flow session
Session ID: 2749, Policy name: ACCEPT-LOG/4, Timeout: 1792, Valid
  In: 192.168.200.81/50872 --> 10.80.80.100/7777;tcp, If: ge-0/0/4.0, Pkts: 3, Bytes: 170
  Out: 10.80.80.84/5555 --> 192.168.200.81/50872;tcp, If: ge-0/0/3.0, Pkts: 2, Bytes: 112
Total sessions: 1

[edit security nat]
juniper@SRX#
The client received the message by connecting to port 7777 on 10.80.80.100, even though netcat is listening on 10.80.80.84 port 5555.
juniper@client:~$ telnet 10.80.80.100 7777
Trying 10.80.80.100...
Connected to 10.80.80.100.
Escape character is '^]'.
THIS IS ANOTHER FLURKING TEST\!
Connection closed by foreign host.
juniper@client:~$
For comparison, and easier viewing, we'll run through the same scenario but translate only the destination port, not the IP address. Here the pool address is the same as the matched address, 10.80.80.80, so only the port changes:
[edit security nat]
juniper@SRX# show
destination {
    pool DESTINATION-NAT {
        address 10.80.80.80/32 port 5555;
    }
    rule-set DESTINATION-NAT {
        from zone UNTRUST;
        rule DESTINATION-NAT {
            match {
                destination-address 10.80.80.80/32;
            }
            then {
                destination-nat {
                    pool {
                        DESTINATION-NAT;
                    }
                }
            }
        }
    }
}

[edit security nat]
juniper@SRX#
After committing, and connecting from the client to 10.80.80.80 port 7777 as before, we see the following session on the SRX.
juniper@SRX# run show security flow session
Session ID: 2771, Policy name: ACCEPT-LOG/4, Timeout: 1798, Valid
  In: 192.168.200.81/39479 --> 10.80.80.80/7777;tcp, If: ge-0/0/4.0, Pkts: 2, Bytes: 112
  Out: 10.80.80.80/5555 --> 192.168.200.81/39479;tcp, If: ge-0/0/3.0, Pkts: 1, Bytes: 60
Total sessions: 1

[edit security nat]
juniper@SRX#
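As an added example, not part of the original post, here are both scenarios above (IP-and-port translation to 10.80.80.84, and port-only translation on 10.80.80.80) combined in one configlet, tightened with a destination-port match so that only port 7777 is redirected and every other port is left alone. It also includes the security policy that the ACCEPT-LOG session output implies but the post does not show: on the SRX, destination NAT is applied before the policy lookup, so the policy must permit the translated address and port (10.80.80.84:5555), not the pre-NAT 10.80.80.100:7777. The pool, rule-set and rule names, the zone name TRUST, the address-book entries and the TCP-5555 application are all assumptions; the original names only zone UNTRUST and policy ACCEPT-LOG. Depending on Junos release, the port match may render as a `destination-port { 7777; }` block rather than a single statement.

```junos
security {
    nat {
        destination {
            /* Scenario 1 target: the real server, which listens on 5555 (assumed name) */
            pool DNAT-SERVER-5555 {
                address 10.80.80.84/32 port 5555;
            }
            /* Scenario 2 target: same IP as the matched address, only the port changes */
            pool DNAT-PORT-ONLY {
                address 10.80.80.80/32 port 5555;
            }
            rule-set DNAT-FROM-UNTRUST {
                from zone UNTRUST;
                /* 10.80.80.100-.103:7777 -> 10.80.80.84:5555; other ports are not translated */
                rule IP-AND-PORT {
                    match {
                        destination-address 10.80.80.100/30;
                        destination-port 7777;
                    }
                    then {
                        destination-nat {
                            pool {
                                DNAT-SERVER-5555;
                            }
                        }
                    }
                }
                /* 10.80.80.80:7777 -> 10.80.80.80:5555 */
                rule PORT-ONLY {
                    match {
                        destination-address 10.80.80.80/32;
                        destination-port 7777;
                    }
                    then {
                        destination-nat {
                            pool {
                                DNAT-PORT-ONLY;
                            }
                        }
                    }
                }
            }
        }
    }
    zones {
        /* Assumed server-side zone; the post only names UNTRUST */
        security-zone TRUST {
            address-book {
                address SERVER-84 10.80.80.84/32;
                address SERVER-80 10.80.80.80/32;
            }
        }
    }
    policies {
        from-zone UNTRUST to-zone TRUST {
            /* Destination NAT runs before policy lookup: match the post-NAT address and port */
            policy ACCEPT-LOG {
                match {
                    source-address any;
                    destination-address [ SERVER-84 SERVER-80 ];
                    application TCP-5555;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
    }
}
applications {
    /* Custom application for the translated port, so the policy does not open all of TCP */
    application TCP-5555 {
        protocol tcp;
        destination-port 5555;
    }
}
```

Load it at the `[edit]` level with `load merge terminal`, then `commit check` before committing. To confirm which rule is doing the work, `show security nat destination rule all` and `show security nat destination pool all` report per-rule and per-pool translation hit counts, and `show security flow session destination-port 5555` lists only the sessions that were actually translated.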