This is an illustrated guide that shows how to configure the various types of Network Address Translation (NAT) on the Juniper SRX series. Each example lists the configuration on the SRX, as well as what the client and server on either side of the NATing SRX see and experience, through working examples.
For this example, we'll translate anything going to 10.80.80.100 through .103 (a /30) to the server at 10.80.80.84, rewriting the destination port to 5555 as well; the client will connect to port 7777. First we'll start up netcat on the server, listening on port 5555 and waiting to serve up another awesome message.
netcat listener on port 5555 on server
juniper@server:~$ echo "THIS IS ANOTHER FLURKING TEST\!" > testfile
juniper@server:~$ nc -l 5555 < testfile
Before the destination port translation is enabled, we'll do a baseline test from the client.
client test to port 7777 on server
juniper@client:~$ telnet 10.80.80.100 7777
Trying 10.80.80.100...
telnet: Unable to connect to remote host: Connection refused
juniper@client:~$
Next, we'll enable our desired translation by committing the following configlet on the SRX. Note that the rule matches on destination address only, so every port sent to the /30 will be rewritten to 10.80.80.84 port 5555, not just port 7777:
SRX config for destination NAT with port translation
[edit security nat]
juniper@SRX# show
destination {
    pool DESTINATION-NAT {
        address 10.80.80.84/32 port 5555;
    }
    rule-set DESTINATION-NAT {
        from zone UNTRUST;
        rule DESTINATION-NAT {
            match {
                destination-address 10.80.80.100/30;
            }
            then {
                destination-nat {
                    pool {
                        DESTINATION-NAT;
                    }
                }
            }
        }
    }
}

[edit security nat]
juniper@SRX#
Taking a look at the session on the SRX, we can see the desired translation has taken place: the In wing shows what the client sent (10.80.80.100 port 7777) and the Out wing shows what the server actually receives (10.80.80.84 port 5555).
SRX sessions for destination NAT with port translation
juniper@SRX# run show security flow session
Session ID: 2749, Policy name: ACCEPT-LOG/4, Timeout: 1792, Valid
  In: 192.168.200.81/50872 --> 10.80.80.100/7777;tcp, If: ge-0/0/4.0, Pkts: 3, Bytes: 170
  Out: 10.80.80.84/5555 --> 192.168.200.81/50872;tcp, If: ge-0/0/3.0, Pkts: 2, Bytes: 112
Total sessions: 1

[edit security nat]
juniper@SRX#
The client received the message from port 7777 on 10.80.80.100.
client test to server using port 7777
juniper@client:~$ telnet 10.80.80.100 7777
Trying 10.80.80.100...
Connected to 10.80.80.100.
Escape character is '^]'.
THIS IS ANOTHER FLURKING TEST\!
Connection closed by foreign host.
juniper@client:~$
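The same destination NAT in set format, as an added example that is not part of the original post, tightened so that only port 7777 is redirected, and with the security policy and verification commands the walkthrough does not show. Destination NAT is applied before policy lookup on the SRX, so the policy must match the post-NAT address and port (10.80.80.84:5555), not the 10.80.80.100:7777 the client dialled. The policy name ACCEPT-LOG is taken from the session output above; the server-side zone name TRUST, the address-book entry SERVER-REAL and the custom application TCP-5555 are assumed names chosen for this example. The lines starting with # are comments for the reader, not part of the configuration.

```junos
# Added example (not from the original post). Assumed names: zone TRUST,
# address-book entry SERVER-REAL, application TCP-5555.

# Destination pool: the real server and the real listening port.
set security nat destination pool DESTINATION-NAT address 10.80.80.84/32 port 5555

# Rule-set: only traffic arriving from zone UNTRUST is a candidate for this NAT.
set security nat destination rule-set DESTINATION-NAT from zone UNTRUST

# Match the virtual addresses (10.80.80.100-.103) AND the virtual port.
# Without the destination-port line, every port sent to those four addresses
# is rewritten to 10.80.80.84:5555, which is rarely what you want.
set security nat destination rule-set DESTINATION-NAT rule DESTINATION-NAT match destination-address 10.80.80.100/30
set security nat destination rule-set DESTINATION-NAT rule DESTINATION-NAT match destination-port 7777
set security nat destination rule-set DESTINATION-NAT rule DESTINATION-NAT then destination-nat pool DESTINATION-NAT

# Security policy: matched on the POST-NAT destination address and port.
set security address-book global address SERVER-REAL 10.80.80.84/32
set applications application TCP-5555 protocol tcp destination-port 5555
set security policies from-zone UNTRUST to-zone TRUST policy ACCEPT-LOG match source-address any
set security policies from-zone UNTRUST to-zone TRUST policy ACCEPT-LOG match destination-address SERVER-REAL
set security policies from-zone UNTRUST to-zone TRUST policy ACCEPT-LOG match application TCP-5555
set security policies from-zone UNTRUST to-zone TRUST policy ACCEPT-LOG then permit
set security policies from-zone UNTRUST to-zone TRUST policy ACCEPT-LOG then log session-init session-close

# Verification after commit (from configuration mode, hence the "run" prefix).
run show security nat destination summary
run show security nat destination rule all
run show security flow session destination-port 5555
```

With the destination-port match in place, a connection from the client to 10.80.80.100 on any port other than 7777 is no longer rewritten, and the policy only admits what the NAT actually produces. If the policy is written against 10.80.80.100 instead, the translated session never matches it and the client sees the same "Connection refused" as in the baseline test.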
Just for comparison and easy viewing, we'll run through the same scenario but translate only the destination port, not the IP address.
SRX config with only port translation
[edit security nat]
juniper@SRX# show
destination {
    pool DESTINATION-NAT {
        address 10.80.80.80/32 port 5555;
    }
    rule-set DESTINATION-NAT {
        from zone UNTRUST;
        rule DESTINATION-NAT {
            match {
                destination-address 10.80.80.80/32;
            }
            then {
                destination-nat {
                    pool {
                        DESTINATION-NAT;
                    }
                }
            }
        }
    }
}

[edit security nat]
juniper@SRX#
After committing, and connecting from the client to 10.80.80.80 on port 7777 as before, we see the following session on the SRX. The destination address is unchanged between the In and Out wings; only the port is rewritten.
SRX session with only port translation
juniper@SRX# run show security flow session
Session ID: 2771, Policy name: ACCEPT-LOG/4, Timeout: 1798, Valid
  In: 192.168.200.81/39479 --> 10.80.80.80/7777;tcp, If: ge-0/0/4.0, Pkts: 2, Bytes: 112
  Out: 10.80.80.80/5555 --> 192.168.200.81/39479;tcp, If: ge-0/0/3.0, Pkts: 1, Bytes: 60
Total sessions: 1

[edit security nat]
juniper@SRX#