This is an illustrated guide that shows how to configure the various types of Network Address Translation (NAT) on the Juniper SRX series. Each example lists the configuration on the SRX, as well as what the client and server on either side of the NATing SRX see and experience, through working examples.
Another approach to the routing problem, one that does not assign the NAT'ed IP blocks to an actual interface but still has the NAT device advertise the NAT'ed IP block, is to use virtual routers along with static routes.
We'll start this method off by removing the secondary addresses from the host-connected interface on SRX-11 and SRX-13. In their place, we'll create a pair of logical tunnel interfaces. Note that this is another case where a regular expression in the hostname indicates that the same config block, IP addresses included, is applied on both devices. These IPs are only used as a next hop within each SRX and are not advertised outside the device.
Logical Tunnel configuration on SRX-11 and SRX-13
[edit interfaces lt-0/0/0]
juniper@SRX-{11,13}# show
unit 0 {
    encapsulation ethernet;
    peer-unit 1;
    family inet {
        address 10.0.0.0/31;
    }
}
unit 1 {
    encapsulation ethernet;
    peer-unit 0;
    family inet {
        address 10.0.0.1/31;
    }
}

[edit interfaces lt-0/0/0]
juniper@SRX-{11,13}#
We will place unit 0 of each lt interface in the TRUST security zone, and unit 1 in the UNTRUST security zone. This will be applied on both SRX-11 and SRX-13.
Placing logical tunnel interfaces in security zones on SRX-11 and SRX-13
[edit]
juniper@SRX-11# set security zones security-zone UNTRUST interfaces lt-0/0/0.1

[edit]
juniper@SRX-11# set security zones security-zone TRUST interfaces lt-0/0/0.0

[edit]
juniper@SRX-11#
Next we will create a virtual router called UNTRUST and move everything in the UNTRUST security zone into that virtual router. This is done on both devices that have the overlapping IP address space.
UNTRUST virtual router configuration on SRX-11
[edit routing-instances UNTRUST]
juniper@SRX-11# show
instance-type virtual-router;
interface lt-0/0/0.1;
interface ge-0/0/5.0;
interface lo0.0;
protocols {
    isis {
        level 2 disable;
        interface ge-0/0/5.0;
    }
}

[edit routing-instances UNTRUST]
juniper@SRX-11#
UNTRUST virtual router configuration on SRX-13
[edit routing-instances UNTRUST]
juniper@SRX-13# show
instance-type virtual-router;
interface lt-0/0/0.1;
interface ge-0/0/5.0;
interface lo0.0;
protocols {
    isis {
        level 2 disable;
        interface ge-0/0/5.0;
    }
}

[edit routing-instances UNTRUST]
juniper@SRX-13#
On both SRX-11 and SRX-13, we add a default route in the main routing instance (inet.0) that points at the logical tunnel address living in the UNTRUST virtual router.
default route for SRX-11 and SRX-13
[edit routing-options]
juniper@SRX-{11,13}# show
static {
    route 0.0.0.0/0 next-hop 10.0.0.1;
}

[edit routing-options]
juniper@SRX-{11,13}#
Next we add static routes in the UNTRUST virtual router on both SRX-11 and SRX-13. One static route is for the overlapping IP address space, 192.168.1.0/24, and points back to the global routing table by way of the logical tunnel interface that is anchored in the main routing instance. The other static route is for the mapped IP space that is used as our NAT'ed address block. This one is tagged with 6009, so we can write a simple export policy to advertise it into IS-IS.
Static routes in SRX-11 UNTRUST virtual router
[edit routing-instances UNTRUST routing-options]
juniper@SRX-11# show
static {
    route 192.168.81.0/24 {
        next-hop 10.0.0.0;
        tag 6009;
    }
    route 192.168.1.0/24 next-hop 10.0.0.0;
}

[edit routing-instances UNTRUST routing-options]
juniper@SRX-11#
Static routes in SRX-13 UNTRUST virtual router
[edit routing-instances UNTRUST routing-options]
juniper@SRX-13# show
static {
    route 192.168.80.0/24 {
        next-hop 10.0.0.0;
        tag 6009;
    }
    route 192.168.1.0/24 next-hop 10.0.0.0;
}

[edit routing-instances UNTRUST routing-options]
juniper@SRX-13#
On both SRX-11 and SRX-13, we add a policy that matches any static route carrying tag 6009 and accepts it.
policy for SRX-11 and SRX-13 to match static routes tagged with 6009
[edit policy-options]
juniper@SRX-{11,13}# show
policy-statement NAT-ROUTE {
    from {
        protocol static;
        tag 6009;
    }
    then accept;
}

[edit policy-options]
juniper@SRX-{11,13}#
Then we apply this policy as an export policy to the IS-IS instance running in the UNTRUST virtual router on both SRX-11 and SRX-13.
Export policy on SRX-11
[edit routing-instances]
juniper@SRX-11# show
UNTRUST {
    instance-type virtual-router;
    interface lt-0/0/0.1;
    interface ge-0/0/5.0;
    interface lo0.0;
    routing-options {
        static {
            route 192.168.81.0/24 {
                next-hop 10.0.0.0;
                tag 6009;
            }
            route 192.168.1.0/24 next-hop 10.0.0.0;
        }
    }
    protocols {
        isis {
            export NAT-ROUTE;
            level 2 disable;
            interface ge-0/0/5.0;
        }
    }
}

[edit routing-instances]
juniper@SRX-11#
Export policy on SRX-13
[edit routing-instances UNTRUST]
juniper@SRX-13# show
instance-type virtual-router;
interface lt-0/0/0.1;
interface ge-0/0/5.0;
interface lo0.0;
routing-options {
    static {
        route 192.168.80.0/24 {
            next-hop 10.0.0.0;
            tag 6009;
        }
        route 192.168.1.0/24 next-hop 10.0.0.0;
    }
}
protocols {
    isis {
        export NAT-ROUTE;
        level 2 disable;
        interface ge-0/0/5.0;
    }
}

[edit routing-instances UNTRUST]
juniper@SRX-13#
Then we commit the new configuration and check the routing tables to make sure everything is being advertised properly and the static routes have become active.
SRX-11 routing tables
juniper@SRX-11> show route

inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:44:58
                    > to 10.0.0.1 via lt-0/0/0.0
10.0.0.0/31        *[Direct/0] 00:45:39
                    > via lt-0/0/0.0
10.0.0.0/32        *[Local/0] 00:46:53
                      Local via lt-0/0/0.0
10.0.99.0/24       *[Direct/0] 05:59:43
                    > via ge-0/0/0.0
10.0.99.11/32      *[Local/0] 05:59:44
                      Local via ge-0/0/0.0
192.168.1.0/24     *[Direct/0] 05:59:42
                    > via ge-0/0/4.0
192.168.1.1/32     *[Local/0] 05:59:43
                      Local via ge-0/0/4.0

UNTRUST.inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.0.0.0/31        *[Direct/0] 00:45:39
                    > via lt-0/0/0.1
10.0.0.1/32        *[Local/0] 00:45:39
                      Local via lt-0/0/0.1
172.18.1.0/24      *[Direct/0] 01:30:36
                    > via ge-0/0/5.0
172.18.1.11/32     *[Local/0] 01:30:36
                      Local via ge-0/0/5.0
172.18.2.0/24      *[IS-IS/15] 01:30:28, metric 20
                    > to 172.18.1.12 via ge-0/0/5.0
192.168.1.0/24     *[Static/5] 00:27:50
                    > to 10.0.0.0 via lt-0/0/0.1
192.168.11.11/32   *[Direct/0] 01:30:36
                    > via lo0.0
192.168.80.0/24    *[IS-IS/160] 01:17:29, metric 20, tag 6009
                    > to 172.18.1.12 via ge-0/0/5.0
192.168.81.0/24    *[Static/5] 00:37:14, tag 6009
                    > to 10.0.0.0 via lt-0/0/0.1

UNTRUST.iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

49.0000.0000.0000.0011/72
                   *[Direct/0] 01:30:36
                    > via lo0.0

juniper@SRX-11>
SRX-13 routing tables
juniper@SRX-13> show route

inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:40:31
                    > to 10.0.0.1 via lt-0/0/0.0
10.0.0.0/31        *[Direct/0] 00:40:31
                    > via lt-0/0/0.0
10.0.0.0/32        *[Local/0] 00:40:31
                      Local via lt-0/0/0.0
10.0.99.0/24       *[Direct/0] 05:57:44
                    > via ge-0/0/0.0
10.0.99.13/32      *[Local/0] 05:57:45
                      Local via ge-0/0/0.0
192.168.1.0/24     *[Direct/0] 05:57:44
                    > via ge-0/0/3.0
192.168.1.1/32     *[Local/0] 05:57:45
                      Local via ge-0/0/3.0

UNTRUST.inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.0.0.0/31        *[Direct/0] 00:40:31
                    > via lt-0/0/0.1
10.0.0.1/32        *[Local/0] 00:40:31
                      Local via lt-0/0/0.1
172.18.1.0/24      *[IS-IS/15] 01:29:28, metric 20
                    > to 172.18.2.224 via ge-0/0/5.0
172.18.2.0/24      *[Direct/0] 01:29:37
                    > via ge-0/0/5.0
172.18.2.13/32     *[Local/0] 01:29:37
                      Local via ge-0/0/5.0
192.168.1.0/24     *[Static/5] 00:27:41
                    > to 10.0.0.0 via lt-0/0/0.1
192.168.13.13/32   *[Direct/0] 01:29:37
                    > via lo0.0
192.168.80.0/24    *[Static/5] 00:37:14, tag 6009
                    > to 10.0.0.0 via lt-0/0/0.1
192.168.81.0/24    *[IS-IS/160] 01:18:25, metric 20, tag 6009
                    > to 172.18.2.224 via ge-0/0/5.0

UNTRUST.iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

49.0000.0000.0000.0013/72
                   *[Direct/0] 01:29:37
                    > via lo0.0

juniper@SRX-13>
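Eyeballing two routing tables works for a lab, but the same three facts should hold after every commit on a NAT box built this way: in UNTRUST.inet.0 the local NAT'ed block must be an active static route tagged 6009 pointing down the lt interface, the overlapping 192.168.1.0/24 must also be static via the lt interface, and the peer's NAT'ed block must arrive via IS-IS still carrying tag 6009 (otherwise the export policy on the far end is not doing its job). The following Python is an added example, not part of the original guide; it parses the text of `show route` and audits those three routes. The sample input is a trimmed excerpt of the SRX-11 output above (Local and loopback entries dropped), and the names `parse_routes` and `audit_untrust` are my own.

```python
import re

# Constructed excerpt of the SRX-11 'show route' output shown on this page,
# trimmed to the UNTRUST.inet.0 table with the Local and loopback entries dropped.
SAMPLE_SRX11 = """\
UNTRUST.inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.0.0.0/31        *[Direct/0] 00:45:39
                    > via lt-0/0/0.1
172.18.2.0/24      *[IS-IS/15] 01:30:28, metric 20
                    > to 172.18.1.12 via ge-0/0/5.0
192.168.1.0/24     *[Static/5] 00:27:50
                    > to 10.0.0.0 via lt-0/0/0.1
192.168.80.0/24    *[IS-IS/160] 01:17:29, metric 20, tag 6009
                    > to 172.18.1.12 via ge-0/0/5.0
192.168.81.0/24    *[Static/5] 00:37:14, tag 6009
                    > to 10.0.0.0 via lt-0/0/0.1
"""

# Table header, e.g. "inet.0: 7 destinations" or "UNTRUST.inet.0: 9 destinations".
TABLE_RE = re.compile(r"^(\S+\.\d+):\s+\d+ destinations")
# IPv4 route line, e.g. "192.168.81.0/24    *[Static/5] 00:37:14, tag 6009".
ROUTE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+)\s+([*+-]?)\[([\w-]+)/(\d+)\](.*)$")
# Next-hop line, e.g. "> to 10.0.0.0 via lt-0/0/0.1" or "Local via ge-0/0/5.0".
NEXTHOP_RE = re.compile(r"(?:to (\S+) )?via (\S+)")


def parse_routes(text):
    """Parse 'show route' text into {table_name: [route dict, ...]}.

    Each route dict records prefix, whether it is active ('*' or '+'), protocol,
    preference, tag (or None), next hop (or None) and outgoing interface.
    Only IPv4 tables are parsed; ISO routes are skipped.
    """
    tables, table, current = {}, None, None
    for line in text.splitlines():
        m = TABLE_RE.match(line)
        if m:
            table, current = m.group(1), None
            tables[table] = []
            continue
        m = ROUTE_RE.match(line)
        if m and table is not None:
            prefix, flag, proto, pref, rest = m.groups()
            tag = re.search(r"\btag (\d+)", rest)
            current = {"prefix": prefix, "active": flag in ("*", "+"),
                       "proto": proto, "pref": int(pref),
                       "tag": tag.group(1) if tag else None,
                       "nexthop": None, "iface": None}
            tables[table].append(current)
            continue
        m = NEXTHOP_RE.search(line)
        if m and current is not None and current["iface"] is None:
            current["nexthop"], current["iface"] = m.groups()
    return tables


def audit_untrust(text, local_nat_block, peer_nat_block,
                  overlap="192.168.1.0/24", tag="6009", lt_iface="lt-0/0/0.1"):
    """Return a list of findings; an empty list means the design is in place."""
    routes = {r["prefix"]: r for r in parse_routes(text).get("UNTRUST.inet.0", [])}
    findings = []

    local = routes.get(local_nat_block)
    if not (local and local["active"] and local["proto"] == "Static"
            and local["tag"] == tag and local["iface"] == lt_iface):
        findings.append(f"{local_nat_block}: expected active static route, tag {tag}, via {lt_iface}")

    ovl = routes.get(overlap)
    if not (ovl and ovl["active"] and ovl["proto"] == "Static" and ovl["iface"] == lt_iface):
        findings.append(f"{overlap}: expected active static route via {lt_iface}")

    peer = routes.get(peer_nat_block)
    if not (peer and peer["active"] and peer["proto"] == "IS-IS" and peer["tag"] == tag):
        findings.append(f"{peer_nat_block}: expected active IS-IS route carrying tag {tag}")

    return findings


if __name__ == "__main__":
    # SRX-11 owns 192.168.81.0/24 and should learn SRX-13's 192.168.80.0/24.
    for finding in audit_untrust(SAMPLE_SRX11, "192.168.81.0/24", "192.168.80.0/24") or ["OK"]:
        print(finding)
```

For SRX-13 the same call is made with the two NAT'ed blocks swapped. Feeding the function the output of a device where the tag was left off the static route produces a finding for the local block, which is exactly the failure that would silently stop the NAT'ed prefix from being exported into IS-IS.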
Next we check connectivity.
Ping test and traceroute from client to server.
juniper@client:~$ ping -c 5 192.168.80.88
PING 192.168.80.88 (192.168.80.88) 56(84) bytes of data.
64 bytes from 192.168.80.88: icmp_req=1 ttl=59 time=7.82 ms
64 bytes from 192.168.80.88: icmp_req=2 ttl=59 time=7.67 ms
64 bytes from 192.168.80.88: icmp_req=3 ttl=59 time=5.46 ms
64 bytes from 192.168.80.88: icmp_req=4 ttl=59 time=7.00 ms
64 bytes from 192.168.80.88: icmp_req=5 ttl=59 time=5.82 ms

--- 192.168.80.88 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4007ms
rtt min/avg/max/mdev = 5.460/6.755/7.821/0.963 ms
juniper@client:~$ traceroute -n 192.168.80.88
traceroute to 192.168.80.88 (192.168.80.88), 30 hops max, 60 byte packets
 1  192.168.1.1  11.336 ms  11.302 ms  11.286 ms
 2  10.0.0.1  11.288 ms  11.281 ms  11.267 ms
 3  172.18.1.12  13.621 ms  11.221 ms  13.606 ms
 4  172.18.2.13  15.667 ms  25.355 ms  26.283 ms
 5  172.18.2.13  15.626 ms  25.324 ms  26.271 ms
 6  192.168.80.88  26.267 ms  10.572 ms  10.478 ms
juniper@client:~$
Ping test and traceroute from server to client.
juniper@server:~$ ping -c 5 192.168.81.81
PING 192.168.81.81 (192.168.81.81) 56(84) bytes of data.
64 bytes from 192.168.81.81: icmp_req=1 ttl=59 time=5.47 ms
64 bytes from 192.168.81.81: icmp_req=2 ttl=59 time=6.87 ms
64 bytes from 192.168.81.81: icmp_req=3 ttl=59 time=6.42 ms
64 bytes from 192.168.81.81: icmp_req=4 ttl=59 time=7.31 ms
64 bytes from 192.168.81.81: icmp_req=5 ttl=59 time=10.6 ms

--- 192.168.81.81 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4007ms
rtt min/avg/max/mdev = 5.471/7.355/10.692/1.779 ms
juniper@server:~$ traceroute -n 192.168.81.81
traceroute to 192.168.81.81 (192.168.81.81), 30 hops max, 60 byte packets
 1  192.168.1.1  5.029 ms  4.881 ms  4.867 ms
 2  10.0.0.1  4.773 ms  4.793 ms  4.779 ms
 3  172.18.2.224  8.682 ms  5.467 ms  8.649 ms
 4  172.18.1.11  22.376 ms  22.377 ms  22.351 ms
 5  172.18.1.11  22.692 ms  22.674 ms  22.653 ms
 6  192.168.81.81  23.827 ms  17.805 ms  18.422 ms
juniper@server:~$
Next we'll keep a session open from the client to the server, using nc -s 192.168.1.80 -p 10004 192.168.80.80 20004 on the client and nc -l 20004 on the server, so we can view the session tables in each one of our SRXes.
Session table on SRX-11
juniper@SRX-11> show security flow session nat extensive
Session ID: 4251, Status: Normal
Flag: 0x4000000
Policy name: default-policy-00/2
Source NAT pool: Null
Maximum timeout: 1800, Current timeout: 1798
Session State: Valid
Start time: 7535, Duration: 2
   In: 192.168.1.80/10004 --> 192.168.80.80/20004;tcp,
    Interface: lt-0/0/0.1,
    Session token: 0x5006, Flag: 0x21
    Route: 0x140010, Gateway: 10.0.0.0, Tunnel: 0
    Port sequence: 0, FIN sequence: 0,
    FIN state: 0,
    Pkts: 2, Bytes: 112
   Out: 192.168.80.80/20004 --> 192.168.81.80/10004;tcp,
    Interface: ge-0/0/5.0,
    Session token: 0x5006, Flag: 0x20
    Route: 0x150010, Gateway: 172.18.1.12, Tunnel: 0
    Port sequence: 0, FIN sequence: 0,
    FIN state: 0,
    Pkts: 1, Bytes: 60
Total sessions: 1

juniper@SRX-11>
Session table on SRX-12
juniper@SRX-12> show security flow session
Session ID: 3787, Policy name: default-policy-00/2, Timeout: 1736, Valid
  In: 192.168.81.80/10004 --> 192.168.80.80/20004;tcp, If: ge-0/0/4.0, Pkts: 2, Bytes: 112
  Out: 192.168.80.80/20004 --> 192.168.81.80/10004;tcp, If: ge-0/0/5.0, Pkts: 1, Bytes: 60
Total sessions: 1

juniper@SRX-12>
Session table on SRX-13
juniper@SRX-13> show security flow session nat extensive
Session ID: 4437, Status: Normal
Flag: 0x4000000
Policy name: default-policy-00/2
Source NAT pool: Null
Maximum timeout: 1800, Current timeout: 1714
Session State: Valid
Start time: 7371, Duration: 86
   In: 192.168.81.80/10004 --> 192.168.80.80/20004;tcp,
    Interface: ge-0/0/5.0,
    Session token: 0x5007, Flag: 0x21
    Route: 0x150010, Gateway: 172.18.2.224, Tunnel: 0
    Port sequence: 0, FIN sequence: 0,
    FIN state: 0,
    Pkts: 2, Bytes: 112
   Out: 192.168.1.80/20004 --> 192.168.81.80/10004;tcp,
    Interface: lt-0/0/0.1,
    Session token: 0x5007, Flag: 0x20
    Route: 0x140010, Gateway: 10.0.0.0, Tunnel: 0
    Port sequence: 0, FIN sequence: 0,
    FIN state: 0,
    Pkts: 1, Bytes: 60
Total sessions: 1

juniper@SRX-13>
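Reading the three session tables together is where the design proves itself: the In wing of each session is the packet as it arrived (pre-NAT), and the Out wing is the reply as it comes back from the far side, i.e. the post-NAT addresses with source and destination swapped. Reversing the Out wing therefore gives the packet exactly as the device forwarded it, and that must be identical to what the next device's In wing shows. The Python below is an added example, not part of the original guide: it pulls the wing lines out of excerpts of the outputs above, works out which half of the 5-tuple each SRX rewrote, and confirms the chain SRX-11 -> SRX-12 -> SRX-13 is consistent end to end, ending with the flow the server really sees. The sample texts are constructed excerpts of the page's outputs, and `Flow`, `parse_session` and `verify_chain` are names chosen here.

```python
import re
from dataclasses import dataclass

# Constructed excerpts of the three session tables shown on this page; only the
# In:/Out: wing lines are needed, so the rest of each output is omitted.
SESSIONS = {
    "SRX-11": """\
Session ID: 4251, Status: Normal
   In: 192.168.1.80/10004 --> 192.168.80.80/20004;tcp, Interface: lt-0/0/0.1,
   Out: 192.168.80.80/20004 --> 192.168.81.80/10004;tcp, Interface: ge-0/0/5.0,
""",
    "SRX-12": """\
Session ID: 3787, Policy name: default-policy-00/2, Timeout: 1736, Valid
  In: 192.168.81.80/10004 --> 192.168.80.80/20004;tcp, If: ge-0/0/4.0, Pkts: 2, Bytes: 112
  Out: 192.168.80.80/20004 --> 192.168.81.80/10004;tcp, If: ge-0/0/5.0, Pkts: 1, Bytes: 60
""",
    "SRX-13": """\
Session ID: 4437, Status: Normal
   In: 192.168.81.80/10004 --> 192.168.80.80/20004;tcp, Interface: ge-0/0/5.0,
   Out: 192.168.1.80/20004 --> 192.168.81.80/10004;tcp, Interface: lt-0/0/0.1,
""",
}

# Matches the wing lines of both the brief and the 'extensive' output formats.
WING_RE = re.compile(r"\b(In|Out):\s+([\d.]+)/(\d+)\s+-->\s+([\d.]+)/(\d+);(\w+)")


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_session(text):
    """Return (pre_nat, post_nat) forward flows for the first session in text.

    The In wing is the client's packet as it arrived, before NAT.  The Out wing
    is the reply as it arrives from the far side, so it carries the post-NAT
    addresses with source and destination swapped; reversing it yields the
    forward packet exactly as it left the device.
    """
    wings = {}
    for m in WING_RE.finditer(text):
        wings.setdefault(m.group(1), m)   # keep the first In and the first Out
    i, o = wings["In"], wings["Out"]
    pre = Flow(i.group(2), int(i.group(3)), i.group(4), int(i.group(5)), i.group(6))
    post = Flow(o.group(4), int(o.group(5)), o.group(2), int(o.group(3)), o.group(6))
    return pre, post


def describe_translation(pre, post):
    """Say which half of the 5-tuple a device rewrote, if any."""
    changes = []
    if (pre.src, pre.sport) != (post.src, post.sport):
        changes.append(f"source {pre.src}:{pre.sport} -> {post.src}:{post.sport}")
    if (pre.dst, pre.dport) != (post.dst, post.dport):
        changes.append(f"destination {pre.dst}:{pre.dport} -> {post.dst}:{post.dport}")
    return ", ".join(changes) or "no translation"


def verify_chain(sessions, order):
    """Check that each device's post-NAT flow equals the next device's pre-NAT flow.

    Returns the per-device translation, the flow the client sent, the flow the
    server actually sees, and a list of breaks in the chain (empty when the
    session tables are consistent end to end).
    """
    parsed = {name: parse_session(sessions[name]) for name in order}
    report = {
        "translations": {name: describe_translation(*parsed[name]) for name in order},
        "client_sends": parsed[order[0]][0],
        "server_sees": parsed[order[-1]][1],
        "breaks": [],
    }
    for a, b in zip(order, order[1:]):
        if parsed[a][1] != parsed[b][0]:
            report["breaks"].append(f"{a} forwarded {parsed[a][1]} but {b} received {parsed[b][0]}")
    return report


if __name__ == "__main__":
    for key, value in verify_chain(SESSIONS, ["SRX-11", "SRX-12", "SRX-13"]).items():
        print(f"{key}: {value}")
```

Run against the tables above, the report shows SRX-11 rewriting only the source (192.168.1.80 becomes 192.168.81.80), SRX-12 forwarding untouched, and SRX-13 rewriting only the destination (192.168.80.80 becomes the server's real 192.168.1.80), with no breaks; the server sees a connection from 192.168.81.80:10004 to 192.168.1.80:20004, so neither side ever learns the other's overlapping real address.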