This is an illustrated guide that shows how to configure the various types of Network Address Translation (NAT) on the Juniper SRX series. Each example lists the configuration on the SRX and shows, through working tests, what the client and server on either side of the SRX doing the NATing see and experience.
Now we reverse the direction of our NAT: instead of substituting the source IP address in a packet, we'll translate the destination address. This is mainly used to have several servers "share" a public-facing IP, to remap services and ports to another service at a different location, or to help with some network transitions.
We'll start with a simple scenario, where everything that is aimed at the IP range 10.80.80.100-.103 will be translated to 10.80.80.84-.87. Due to the way the SRX processes destination NAT, we only need to specify a "from" direction in the NAT rule. This is because we know what interface the packet came in on, and therefore the source zone, but to find the destination zone the destination IP address in the packet first needs to be translated so that the route lookup can be done and the final outgoing interface (and the zone it belongs to) can be determined. Only then can the session be checked against the security policies to see if one matches or not.
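The lookup order described above is what makes "from zone" sufficient for a destination NAT rule. The following added example (written for this guide, not Junos code or a Juniper tool) models that order: destination NAT is evaluated with only the ingress zone and the original destination, the route lookup then runs on the translated address, and only then is the egress zone known so that a policy can be selected. The interface-to-zone map, routing table and policy table are constructed to mirror the lab above; the zone name TRUST and the policy table are assumptions, while UNTRUST, the interfaces and the ACCEPT-LOG policy name come from the guide's own output. Mapping a range pool by offset (first matched address to first pool address, and so on) is how the sessions later in the guide line up; the example flags a match prefix larger than its pool as an error, which is a simplification.

```python
import ipaddress
from dataclasses import dataclass

# Constructed lab model: ingress interface -> security zone.
# ge-0/0/4.0 and ge-0/0/3.0 appear in the guide's session output; UNTRUST is
# the zone in the rule-set, TRUST is an assumed name for the server side.
INTERFACE_ZONE = {"ge-0/0/4.0": "UNTRUST", "ge-0/0/3.0": "TRUST"}

# Constructed routing table: destination prefix -> egress interface.
ROUTES = [
    (ipaddress.ip_network("10.80.80.0/24"), "ge-0/0/3.0"),
    (ipaddress.ip_network("192.168.200.0/24"), "ge-0/0/4.0"),
]


@dataclass(frozen=True)
class DnatRule:
    """One destination NAT rule; it applies only to traffic entering from_zone."""
    from_zone: str
    match: ipaddress.IPv4Network        # the rule's destination-address
    pool_first: ipaddress.IPv4Address   # pool "address X to Y"
    pool_last: ipaddress.IPv4Address


# The guide's rule-set: from zone UNTRUST, match 10.80.80.100/30, pool .84 to .88
DNAT_RULES = [
    DnatRule("UNTRUST", ipaddress.ip_network("10.80.80.100/30"),
             ipaddress.ip_address("10.80.80.84"), ipaddress.ip_address("10.80.80.88"))
]

# Constructed policy table keyed by (from-zone, to-zone).  ACCEPT-LOG is the
# policy name shown in the guide's session output; its contents are assumed.
POLICIES = {
    ("UNTRUST", "TRUST"): [(ipaddress.ip_network("10.80.80.0/24"), 80, "ACCEPT-LOG")],
}


def dnat_lookup(src_zone, dst):
    """Step 1: destination NAT sees only the ingress zone and the original
    destination.  A range pool is applied by offset within the matched prefix."""
    for rule in DNAT_RULES:
        if rule.from_zone == src_zone and dst in rule.match:
            offset = int(dst) - int(rule.match.network_address)
            if int(rule.pool_first) + offset > int(rule.pool_last):
                # Assumption for this model: a match range wider than the pool is an error.
                raise ValueError("match prefix is larger than the destination pool")
            return ipaddress.ip_address(int(rule.pool_first) + offset)
    return dst  # no rule matched, destination left unchanged


def route_lookup(dst):
    """Step 2: longest-prefix match on the *translated* destination."""
    candidates = [(net.prefixlen, ifname) for net, ifname in ROUTES if dst in net]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates)[1]


def policy_lookup(src_zone, dst_zone, dst, dport):
    """Step 3: only now is the destination zone known, so the policy can be found."""
    for net, port, name in POLICIES.get((src_zone, dst_zone), []):
        if dst in net and dport == port:
            return name
    return None


def process_packet(in_if, src, dst, dport):
    """Run one first packet through the three lookups and report each result."""
    dst = ipaddress.ip_address(dst)
    src_zone = INTERFACE_ZONE[in_if]
    translated = dnat_lookup(src_zone, dst)
    out_if = route_lookup(translated)
    dst_zone = INTERFACE_ZONE[out_if]
    policy = policy_lookup(src_zone, dst_zone, translated, dport)
    return {"src_zone": src_zone, "translated_dst": str(translated),
            "out_if": out_if, "dst_zone": dst_zone, "policy": policy}


if __name__ == "__main__":
    for target in ("10.80.80.100", "10.80.80.103", "10.80.80.104"):
        print(target, process_packet("ge-0/0/4.0", "192.168.200.84", target, 80))
```

Running it shows .100 and .103 being translated to .84 and .87 before the route and policy lookups, while .104 falls outside the /30 match and reaches the route lookup untranslated; a packet entering from the TRUST side is never translated because the rule-set is bound to zone UNTRUST.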
The config we use on the SRX for destination NAT is as follows:
SRX Config for destination NAT
juniper@SRX# show
destination {
    pool DESTINATION-NAT {
        address 10.80.80.84/32 to 10.80.80.88/32;
    }
    rule-set DESTINATION-NAT {
        from zone UNTRUST;
        rule DESTINATION-NAT {
            match {
                destination-address 10.80.80.100/30;
            }
            then {
                destination-nat {
                    pool {
                        DESTINATION-NAT;
                    }
                }
            }
        }
    }
}
[edit security nat]
juniper@SRX#
To test this from the client, we'll modify one of our shell scripts so that it opens a session from several of the client's IPs, one to each of the IPs that are to be remapped. The new script is called nat-test_overload_dest.sh
shell script to test destination NAT
#!/bin/sh
# Throttle each download so the sessions stay open long enough to be observed
RATELIMIT=20k
# Client-side source addresses (192.168.200.x) and the destination
# addresses on the far side that the SRX will translate (10.80.80.x)
IP_PREFIX="192.168.200"
TARGET_PREFIX="10.80.80"
TARGET_FILE="file.10m"
for ip in `seq 84 88`; do
    # Client .84 fetches from .100, .85 from .101, and so on
    TARGET_IP=$(($ip + 16))
    URL="http://$TARGET_PREFIX.$TARGET_IP/$TARGET_FILE"
    # Bind each fetch to its own client IP and run it in the background
    wget -q --bind-address="$IP_PREFIX.$ip" -O /dev/null --limit-rate="$RATELIMIT" "$URL" &
done
Once we run this, we find that we have four sessions that were NAT'ed on the SRX.
SRX flow sessions with destination NAT
juniper@SRX# run show security flow session nat
Session ID: 2181, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.86/37532 --> 10.80.80.102/80;tcp, If: ge-0/0/4.0, Pkts: 43, Bytes: 2364
  Out: 10.80.80.86/80 --> 192.168.200.86/37532;tcp, If: ge-0/0/3.0, Pkts: 130, Bytes: 183424

Session ID: 2182, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.87/40073 --> 10.80.80.103/80;tcp, If: ge-0/0/4.0, Pkts: 43, Bytes: 2364
  Out: 10.80.80.87/80 --> 192.168.200.87/40073;tcp, If: ge-0/0/3.0, Pkts: 140, Bytes: 201320

Session ID: 2183, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.84/35109 --> 10.80.80.100/80;tcp, If: ge-0/0/4.0, Pkts: 43, Bytes: 2364
  Out: 10.80.80.84/80 --> 192.168.200.84/35109;tcp, If: ge-0/0/3.0, Pkts: 140, Bytes: 201320

Session ID: 2184, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.85/49058 --> 10.80.80.101/80;tcp, If: ge-0/0/4.0, Pkts: 43, Bytes: 2364
  Out: 10.80.80.85/80 --> 192.168.200.85/49058;tcp, If: ge-0/0/3.0, Pkts: 140, Bytes: 201320
Total sessions: 4
[edit security nat]
juniper@SRX#
Netstat on the client shows:
sessions on client
juniper@client:~$ netstat -tn
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp   249518      0 192.168.200.86:37532    10.80.80.102:80         ESTABLISHED
tcp   320470      0 192.168.200.87:40073    10.80.80.103:80         ESTABLISHED
tcp   320470      0 192.168.200.85:49058    10.80.80.101:80         ESTABLISHED
tcp   320470      0 192.168.200.84:35109    10.80.80.100:80         ESTABLISHED
juniper@client:~$
And netstat on the server shows the same sessions, with the destination IPs translated:
sessions on server
juniper@server:~$ netstat -tn
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:389           127.0.0.1:60387         ESTABLISHED
tcp        0      0 127.0.0.1:60387         127.0.0.1:389           ESTABLISHED
tcp        0  66632 10.80.80.87:80          192.168.200.87:40073    ESTABLISHED
tcp        0  66632 10.80.80.85:80          192.168.200.85:49058    ESTABLISHED
tcp        0  65472 10.80.80.86:80          192.168.200.86:37532    ESTABLISHED
tcp        0  66632 10.80.80.84:80          192.168.200.84:35109    ESTABLISHED
juniper@server:~$
Note that none of the destination ports were changed, only the destination IPs.
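When checking a destination NAT configuration on a live box, it helps to verify the session table mechanically rather than by eye: every In wing's destination should map to the Out wing's source by the same fixed offset, the translated address should fall inside the pool, and (as noted above) the destination port should be untouched. The following added example is not part of the guide or of Junos; it parses the `show security flow session nat` text shown earlier (the four sessions from this guide, embedded as sample input) and reports any session that breaks those invariants. The regular expression only understands the In/Out wing format seen in that output.

```python
import ipaddress
import re
from collections import namedtuple

# Sample input: the four NAT'ed sessions from the guide's own output.
SESSION_OUTPUT = """\
Session ID: 2181, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.86/37532 --> 10.80.80.102/80;tcp, If: ge-0/0/4.0, Pkts: 43, Bytes: 2364
  Out: 10.80.80.86/80 --> 192.168.200.86/37532;tcp, If: ge-0/0/3.0, Pkts: 130, Bytes: 183424

Session ID: 2182, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.87/40073 --> 10.80.80.103/80;tcp, If: ge-0/0/4.0, Pkts: 43, Bytes: 2364
  Out: 10.80.80.87/80 --> 192.168.200.87/40073;tcp, If: ge-0/0/3.0, Pkts: 140, Bytes: 201320

Session ID: 2183, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.84/35109 --> 10.80.80.100/80;tcp, If: ge-0/0/4.0, Pkts: 43, Bytes: 2364
  Out: 10.80.80.84/80 --> 192.168.200.84/35109;tcp, If: ge-0/0/3.0, Pkts: 140, Bytes: 201320

Session ID: 2184, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.85/49058 --> 10.80.80.101/80;tcp, If: ge-0/0/4.0, Pkts: 43, Bytes: 2364
  Out: 10.80.80.85/80 --> 192.168.200.85/49058;tcp, If: ge-0/0/3.0, Pkts: 140, Bytes: 201320
Total sessions: 4
"""

SESSION_RE = re.compile(r"^Session ID:\s+(\d+),")
# One wing line: "In|Out: src/sport --> dst/dport;proto, If: ifname, ..."
WING_RE = re.compile(
    r"^\s*(In|Out):\s+(\S+)/(\d+)\s+-->\s+(\S+)/(\d+);(\w+),\s+If:\s+(\S+),")

Session = namedtuple(
    "Session", "sid orig_src orig_sport orig_dst orig_dport nat_dst nat_dport in_if out_if")


def parse_sessions(text):
    """Turn the CLI output into Session records, one per In/Out pair."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            cur = {"sid": int(m.group(1))}
            continue
        w = WING_RE.match(line)
        if w and cur is not None:
            direction, src, sport, dst, dport, _proto, ifname = w.groups()
            if direction == "In":
                cur.update(orig_src=src, orig_sport=int(sport),
                           orig_dst=dst, orig_dport=int(dport), in_if=ifname)
            else:
                # The Out wing is the reverse flow: its source is the translated destination.
                cur.update(nat_dst=src, nat_dport=int(sport), out_if=ifname)
                sessions.append(Session(**cur))
                cur = None
    return sessions


def check_destination_nat(sessions, pool_first, pool_last):
    """Return a list of problems; an empty list means every session is consistent."""
    first, last = ipaddress.ip_address(pool_first), ipaddress.ip_address(pool_last)
    problems, offsets = [], set()
    for s in sessions:
        nat = ipaddress.ip_address(s.nat_dst)
        if s.orig_dport != s.nat_dport:
            problems.append(f"session {s.sid}: port changed {s.orig_dport} -> {s.nat_dport}")
        if not first <= nat <= last:
            problems.append(f"session {s.sid}: {nat} is outside pool {first}-{last}")
        offsets.add(int(ipaddress.ip_address(s.orig_dst)) - int(nat))
    if len(offsets) > 1:
        problems.append(f"sessions do not share one address shift: {sorted(offsets)}")
    return problems


def translation_map(sessions):
    """Original destination -> translated destination, for a quick visual check."""
    return {s.orig_dst: s.nat_dst for s in sessions}


if __name__ == "__main__":
    found = parse_sessions(SESSION_OUTPUT)
    print(translation_map(found))
    print(check_destination_nat(found, "10.80.80.84", "10.80.80.88") or "all sessions consistent")
```

On the guide's output this reports the four expected pairs (.100 to .84 through .103 to .87), a single shift of 16 addresses, and no port changes; feeding it a session whose Out wing carries a different port makes the port check fire, which is the quickest way to spot a rule that was accidentally committed with a port translation.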