This is an illustrated guide that shows how to configure the various types of Network Address Translation (NAT) on the Juniper SRX series. Each example lists the configuration on the SRX, as well as what the client and server on either side of the SRX doing the NATing see and experience through working examples.
I wrote this guide in order to help myself understand the workings of the various NAT modes that the SRX series supports as of Junos version 12.1X45-D10, in preparation for the JNCIE-SEC exam. This guide doesn't take much for granted, and uses a pair of Linux boxes running Ubuntu 12.04 to actually experience the different types of NAT. We'll capture session flows, netstat output, STUN information, tcpdumps and packet traces along the way to really see what is happening.
The terms client and server will be used here, but don't get stuck on which one is the client and which one is the server, as depending on which test we're looking at, their roles may change. The same goes for the TRUST and UNTRUST security zones; they could just as well have been called X and Y. Don't get hung up on the names.
The output of any commands run on any of the boxes involved, and any configuration sections, will be separated into their own color-coded pre-formatted text boxes to indicate which box is involved and what the text section is supposed to show -- output or configuration. Sample outputs are below:
SRX Config Section
This is a SRX configlet.
SRX Output
This the output of commands run on an SRX.
Client Output
These are commands run on the Linux box named "client."
Server Output
These are commands run on the Linux box named "server."
For the SRX to perform NAT it must be in flow (stateful) mode. This is the mode the SRX operates in by default, so unless you stuck your box in packet mode it should already be running in flow mode. Additionally, this guide will be using IPv6 in flow mode, which must be configured explicitly (the default for inet6 on this release is drop), and IS-IS as one of the routing protocols in use, so ISO packet mode must also be enabled. Each time the forwarding mode for an address family is changed, the SRX must be rebooted in order for it to take effect.
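The forwarding-mode configuration described above, as an added example that is not one of the guide's own configlets. It uses the standard `security forwarding-options` hierarchy; the file name and the check commands are ordinary Junos operational commands, and nothing here is specific to the lab.

```junos
# Put the inet6 family into flow mode (required for IPv6 NAT and stateful IPv6 policy)
set security forwarding-options family inet6 mode flow-based

# Put the ISO family into packet mode so IS-IS PDUs are forwarded without flow processing
set security forwarding-options family iso mode packet-based

# The SRX warns on commit that a reboot is needed for the mode change to take effect
commit

# Verify the configured modes after the reboot; inet should still report flow based
run show security flow status
```

Only the inet6 and iso families are touched; the inet family is left at its default, which is already flow based. A change to either family's mode is not live until `request system reboot` has been run, so confirm with `show security flow status` after the box comes back rather than trusting the commit alone.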
Since NAT only functions on the SRX in flow mode, it is important to understand how the flow module on the SRX processes packets. I could regurgitate the countless other articles on this, but instead I'll point to a definitive source on how this works: KB16110. To summarize though, Static NAT and Destination NAT are processed early in the session setup, before the route lookup. This is necessary because the route lookup on the translated destination address determines the outgoing interface and zone, and the policy lookup needs that zone to decide whether the packet is permitted. Then any reverse Static NAT and Source NAT operations are performed. Static NAT has precedence over any other type of NAT if multiple NAT rules match a flow. We will be performing a lot of trace options to troubleshoot problems and get a better idea of what and how the SRX is processing traffic.
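The flow trace options the guide relies on, shown as an added example rather than as one of the guide's own configlets. The file name `flow-trace`, the filter name `pf1` and the two prefixes are constructed for illustration; the packet-filter is what keeps the trace readable, because `basic-datapath` without a filter logs every session the box sets up.

```junos
# Write the trace to /var/log/flow-trace and cap the file size
set security flow traceoptions file flow-trace
set security flow traceoptions file size 1m
set security flow traceoptions file files 3

# basic-datapath logs each step of first-packet processing: destination/static NAT,
# route lookup, policy search and source NAT, in the order the flow module runs them
set security flow traceoptions flag basic-datapath

# Restrict the trace to the test traffic only (addresses are constructed placeholders)
set security flow traceoptions packet-filter pf1 source-prefix 10.0.0.0/24
set security flow traceoptions packet-filter pf1 destination-prefix 192.0.2.0/24
commit

# Read the trace, then clear it between tests so each capture starts empty
run show log flow-trace
run clear log flow-trace
```

Leave the trace active only while a test is running; `deactivate security flow traceoptions` followed by a commit stops it without discarding the filter definitions, so the same filter can be reactivated for the next NAT type.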