This is an illustrated guide that shows how to configure the various types of Network Address Translation (NAT) on the Juniper SRX series. Each example lists the configuration on the SRX, as well as what the client and server on either side of the SRX doing the NATing see and experience, through working examples.
To make the mappings more consistent and less dynamic, we will delete the source and destination NAT configuration on SRX-11 and replace it with a single static NAT configlet. Static NAT in both directions is also known as double NAT, as there are two NAT operations that each packet matching the rules will be subjected to. This can be a bit confusing, but it helps to look at the ruleset from the perspective of devices that are on the outside of the NAT device. When outside devices want to contact a host in the client IP space, they will send a packet destined to the 192.168.81.0/24 space. So SRX-11 should see a packet for 192.168.81.0/24 come in through the UNTRUST security zone. It should then NAT this to the 192.168.1.0/24 space internally. Using static NAT installs a bidirectional rule, so any outgoing traffic will be NATed from 192.168.1.0/24 to 192.168.81.0/24 as well.
[edit security nat static]
juniper@SRX-11# show
rule-set CLIENT-2-SERVER {
    from zone UNTRUST;
    rule CLIENT-2-SERVER {
        match {
            destination-address 192.168.81.0/24;
        }
        then {
            static-nat {
                prefix {
                    192.168.1.0/24;
                }
            }
        }
    }
}

[edit security nat static]
juniper@SRX-11#
Next, we test our NAT rule.
juniper@client:~$ nc 192.168.80.80 5555
Looking at the flow, the .80 address is now mapped to the .80 address in the other subnet.
[edit security nat static]
juniper@SRX-11# run show security flow session
Session ID: 4214, Policy name: default-policy-00/2, Timeout: 1794, Valid
  In: 192.168.1.80/42946 --> 192.168.80.80/5555;tcp, If: ge-0/0/4.0, Pkts: 2, Bytes: 112
  Out: 192.168.80.80/5555 --> 192.168.81.80/42946;tcp, If: ge-0/0/5.0, Pkts: 1, Bytes: 60
Total sessions: 1

[edit security nat static]
juniper@SRX-11#
We configure the same type of rule on the other side on SRX-13.
[edit security nat static]
juniper@SRX-13# show
rule-set SERVER-2-CLIENT {
    from zone UNTRUST;
    rule SERVER-2-CLIENT {
        match {
            destination-address 192.168.80.0/24;
        }
        then {
            static-nat {
                prefix {
                    192.168.1.0/24;
                }
            }
        }
    }
}

[edit security nat static]
juniper@SRX-13#
We repeat our test from the client to the server.
juniper@server:~$ nc -l 6666 < testfile
juniper@client:~$ nc 192.168.80.80 6666
This is a IP overlap test. Client to Server
juniper@client:~$
The session on SRX-11.
juniper@SRX-11# run show security flow session
Session ID: 4236, Policy name: default-policy-00/2, Timeout: 1794, Valid
  In: 192.168.1.80/41947 --> 192.168.80.80/6666;tcp, If: ge-0/0/4.0, Pkts: 2, Bytes: 112
  Out: 192.168.80.80/6666 --> 192.168.81.80/41947;tcp, If: ge-0/0/5.0, Pkts: 1, Bytes: 60
Total sessions: 1

[edit security nat static]
juniper@SRX-11#
The session on SRX-13.
juniper@SRX-13# run show security flow session
Session ID: 4406, Policy name: default-policy-00/2, Timeout: 1792, Valid
  In: 192.168.81.80/41947 --> 192.168.80.80/6666;tcp, If: ge-0/0/5.0, Pkts: 2, Bytes: 112
  Out: 192.168.1.80/6666 --> 192.168.81.80/41947;tcp, If: ge-0/0/3.0, Pkts: 1, Bytes: 60
Total sessions: 1

[edit security nat static]
juniper@SRX-13#
And with this simple config on both SRX-11 and SRX-13, connectivity works in the opposite direction as well, without any additional rules.
juniper@client:~$ nc -l 7777 < testfile
juniper@server:~$ nc 192.168.81.80 7777
This is a IP overlap test. Server to Client.
juniper@server:~$
The supporting SRX sessions for the connection in the reverse direction.
juniper@SRX-13# run show security flow session
Session ID: 4408, Policy name: default-policy-00/2, Timeout: 1798, Valid
  In: 192.168.1.80/53301 --> 192.168.81.80/7777;tcp, If: ge-0/0/3.0, Pkts: 2, Bytes: 112
  Out: 192.168.81.80/7777 --> 192.168.80.80/53301;tcp, If: ge-0/0/5.0, Pkts: 1, Bytes: 60
Total sessions: 1

[edit security nat static]
juniper@SRX-13#

juniper@SRX-11# run show security flow session
Session ID: 4238, Policy name: default-policy-00/2, Timeout: 1796, Valid
  In: 192.168.80.80/53301 --> 192.168.81.80/7777;tcp, If: ge-0/0/5.0, Pkts: 2, Bytes: 112
  Out: 192.168.1.80/7777 --> 192.168.80.80/53301;tcp, If: ge-0/0/4.0, Pkts: 1, Bytes: 60
Total sessions: 1

[edit security nat static]
juniper@SRX-11#
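To make the double NAT easier to reason about, here is an added Python model (not Junos code and not part of the original guide) that treats each static-nat rule as a 1:1 prefix mapping applied in both directions, then replays the client-to-server and server-to-client connections through SRX-11 and SRX-13. The rule-set names, zone name UNTRUST and prefixes are the ones configured above; the inside zone is assumed to be called TRUST, and the packet tuples are constructed to match the flow sessions so the translated addresses can be compared line by line.

```python
"""Offline model of the static (double) NAT configured on SRX-11 and SRX-13.

Added example, not Junos code. The inside zone name TRUST is an assumption;
UNTRUST, the rule-set names and the prefixes come from the configuration.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class StaticNatRule:
    """Packets entering from_zone with a destination in match_prefix are
    destination-NATed to the same host offset in nat_prefix. The implicit
    reverse mapping source-NATs nat_prefix back to match_prefix for traffic
    entering from any other zone (the bidirectional behaviour of static NAT)."""
    name: str
    from_zone: str
    match_prefix: ipaddress.IPv4Network
    nat_prefix: ipaddress.IPv4Network

    def __post_init__(self):
        # A 1:1 mapping only works if both prefixes cover the same host range.
        if self.match_prefix.prefixlen != self.nat_prefix.prefixlen:
            raise ValueError(f"{self.name}: prefix lengths differ")

    @staticmethod
    def _shift(addr, from_net, to_net):
        # Keep the host part, swap the network part.
        offset = int(addr) - int(from_net.network_address)
        return ipaddress.IPv4Address(int(to_net.network_address) + offset)

    def translate_dst(self, ingress_zone, dst):
        if ingress_zone == self.from_zone and dst in self.match_prefix:
            return self._shift(dst, self.match_prefix, self.nat_prefix)
        return None

    def translate_src(self, ingress_zone, src):
        if ingress_zone != self.from_zone and src in self.nat_prefix:
            return self._shift(src, self.nat_prefix, self.match_prefix)
        return None


def rule(name, from_zone, match_prefix, nat_prefix):
    """Build a rule from the strings as they appear in the Junos config."""
    return StaticNatRule(name, from_zone,
                         ipaddress.ip_network(match_prefix),
                         ipaddress.ip_network(nat_prefix))


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    sport: int
    dport: int

    def __str__(self):
        return f"{self.src}/{self.sport} --> {self.dst}/{self.dport}"


def apply_static_nat(rules, ingress_zone, pkt):
    """Return pkt as it leaves the SRX after the static-nat rule-set."""
    out = pkt
    for r in rules:
        new_dst = r.translate_dst(ingress_zone, pkt.dst)
        if new_dst is not None:
            out = replace(out, dst=new_dst)
        new_src = r.translate_src(ingress_zone, pkt.src)
        if new_src is not None:
            out = replace(out, src=new_src)
    return out


def trace(pkt, hops):
    """Walk pkt through (name, rules, ingress_zone) hops; returns (name, in, out) per hop."""
    path = []
    for name, rules, zone in hops:
        out = apply_static_nat(rules, zone, pkt)
        path.append((name, pkt, out))
        pkt = out
    return path


# The two rule-sets from the configuration above.
SRX11 = [rule("CLIENT-2-SERVER", "UNTRUST", "192.168.81.0/24", "192.168.1.0/24")]
SRX13 = [rule("SERVER-2-CLIENT", "UNTRUST", "192.168.80.0/24", "192.168.1.0/24")]


def client_to_server(sport=41947, dport=6666):
    """Client 192.168.1.80 connects to the server's outside address 192.168.80.80."""
    pkt = Packet(ipaddress.IPv4Address("192.168.1.80"),
                 ipaddress.IPv4Address("192.168.80.80"), sport, dport)
    return trace(pkt, [("SRX-11", SRX11, "TRUST"), ("SRX-13", SRX13, "UNTRUST")])


def server_to_client(sport=53301, dport=7777):
    """Server 192.168.1.80 connects to the client's outside address 192.168.81.80."""
    pkt = Packet(ipaddress.IPv4Address("192.168.1.80"),
                 ipaddress.IPv4Address("192.168.81.80"), sport, dport)
    return trace(pkt, [("SRX-13", SRX13, "TRUST"), ("SRX-11", SRX11, "UNTRUST")])


if __name__ == "__main__":
    for path in (client_to_server(), server_to_client()):
        for name, pkt_in, pkt_out in path:
            print(f"{name}: In: {pkt_in}  Out: {pkt_out}")
```

Each hop's "In" and "Out" packets correspond to the forward wing of the flow sessions on the two SRXs: SRX-11 source-NATs the client to 192.168.81.80 on the way out and destination-NATs 192.168.81.80 back to 192.168.1.80 on the way in, while SRX-13 does the same with 192.168.80.0/24, which is why both sides see their peer in the other side's outside range even though both hosts are really 192.168.1.80. The prefix-length check in the rule constructor captures why static NAT can only ever be a 1:1 mapping.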