This is an illustrated guide that shows how to configure the various types of Network Address Translation (NAT) on the Juniper SRX series. Each example lists the configuration on the SRX, and then shows through a working test what the client and server on either side of the SRX doing the NATing actually see.
By default, static NAT on the SRX does no port translation. To enable it, the port-mapping option needs to be configured under the static NAT rule for each prefix that will be used. Unfortunately, this has to be done on an IP by IP basis (think /32s), or you get a commit error (Junos 12.1X46). So if you want to remap a lot of different hosts, you will need a lot of individual rules. Also, only destination ports can be remapped; the source ports remain unchanged.
Here is a quick example where we translate ports 1 to 1023 to 50001 to 51023, mapping the "privileged" ports to some mundane ones. The SRX config looks like the following:
config with port translation
[edit security nat]
juniper@SRX# show
static {
    rule-set STATIC-NAT-UNTRUST {
        from zone UNTRUST;
        rule STATIC-NAT-UNTRUST {
            match {
                source-address 192.168.200.81/32;
                destination-address 192.168.200.200/32;
                destination-port 1 to 1023;
            }
            then {
                static-nat {
                    prefix {
                        10.80.80.80/32;
                        mapped-port 50001 to 51023;
                    }
                }
            }
        }
    }
}
proxy-arp {
    interface ge-0/0/4.0 {
        address {
            192.168.200.200/29;
        }
    }
    interface ge-0/0/3.0 {
        address {
            10.80.80.200/29;
        }
    }
}

[edit security nat]
juniper@SRX#
To test it, we'll start our server up with a netcat session listening on port 50001.
netcat listener on port 50001
juniper@server:~$ nc -l 50001 < testfile
From the client, we'll connect to port 1 of the NAT'd destination IP, which matches our rule.
client connecting to port 1
juniper@client:~$ telnet 192.168.200.200 1
Trying 192.168.200.200...
Connected to 192.168.200.200.
Escape character is '^]'.
THIS IS ANOTHER FLURKING TEST!
Connection closed by foreign host.
juniper@client:~$
The SRX session for this NAT'd connection looks like the following:
SRX session
[edit security nat]
juniper@SRX# run show security flow session
Session ID: 4659, Policy name: ACCEPT-LOG/4, Timeout: 1796, Valid
  In: 192.168.200.81/53471 --> 192.168.200.200/1;tcp, If: ge-0/0/4.0, Pkts: 2, Bytes: 112
  Out: 10.80.80.80/50001 --> 192.168.200.81/53471;tcp, If: ge-0/0/3.0, Pkts: 1, Bytes: 60
Total sessions: 1

[edit security nat]
juniper@SRX#
The NAT-related show commands on the SRX for static NAT paint a very clear picture of the mapping that is occurring: the destination port range, the host port range it maps onto, and the hit counters.
static nat mapping
juniper@SRX# run show security nat static rule all
Total static-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0
Static NAT rule: STATIC-NAT-UNTRUST         Rule-set: STATIC-NAT-UNTRUST
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : UNTRUST
  Source addresses           : 192.168.200.81 - 192.168.200.81
  Destination addresses      : 192.168.200.200
  Destination ports          : 1 - 1023
  Host addresses             : 10.80.80.80
  Host ports                 : 50001 - 51023
  Netmask                    : 32
  Host routing-instance      : N/A
  Translation hits           : 5
    Successful sessions      : 5
    Failed sessions          : 0
  Number of sessions         : 1

[edit security nat]
juniper@SRX#
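To tie the rule output and the session output together, here is an added example (my own script, not part of the original guide or any Juniper tooling) that parses the two show commands above, predicts which host address and port a given destination port is rewritten to, lints the rule for the two constraints discussed earlier (equal-sized port ranges for a one-to-one map, and a /32 host prefix when mapped-port is used), and checks that an observed flow session is consistent with the rule, including that the client's source port passes through unchanged. The field names and layout are assumed from the output shown on this page; the sample text is re-typed from it as constructed test data.

```python
import re

# Constructed sample input: the two CLI outputs from this page, re-typed so the
# script runs offline without an SRX.
STATIC_RULE_OUTPUT = """\
Static NAT rule: STATIC-NAT-UNTRUST         Rule-set: STATIC-NAT-UNTRUST
  Rule-Id                    : 1
  From zone                  : UNTRUST
  Source addresses           : 192.168.200.81 - 192.168.200.81
  Destination addresses      : 192.168.200.200
  Destination ports          : 1 - 1023
  Host addresses             : 10.80.80.80
  Host ports                 : 50001 - 51023
  Netmask                    : 32
"""

FLOW_SESSION_OUTPUT = """\
Session ID: 4659, Policy name: ACCEPT-LOG/4, Timeout: 1796, Valid
  In: 192.168.200.81/53471 --> 192.168.200.200/1;tcp, If: ge-0/0/4.0, Pkts: 2, Bytes: 112
  Out: 10.80.80.80/50001 --> 192.168.200.81/53471;tcp, If: ge-0/0/3.0, Pkts: 1, Bytes: 60
"""

# "Key : value" lines of the static rule output (key may contain spaces and dashes).
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z \-]*?)\s*:\s*(.*?)\s*$", re.M)
# One wing of a flow session: "In: a.b.c.d/port --> e.f.g.h/port;proto".
WING_RE = re.compile(
    r"^\s*(In|Out):\s*([^/\s]+)/(\d+)\s*-->\s*([^/\s]+)/(\d+);(\w+)", re.M)


def parse_static_rule(text):
    """Turn one 'show security nat static rule' entry into the fields that
    define the translation (assumed layout: the output shown on this page)."""
    fields = {k.strip(): v for k, v in FIELD_RE.findall(text)}

    def port_range(value):
        low, high = (int(p) for p in value.split("-"))
        return low, high

    return {
        "dest_addr": fields["Destination addresses"],
        "dest_ports": port_range(fields["Destination ports"]),
        "host_addr": fields["Host addresses"],
        "host_ports": port_range(fields["Host ports"]),
        "netmask": int(fields["Netmask"]),
    }


def lint_rule(rule):
    """Pre-commit sanity checks: a one-to-one port map needs equal-sized
    ranges, and (as the text notes) mapped-port only commits on a /32."""
    problems = []
    d_lo, d_hi = rule["dest_ports"]
    h_lo, h_hi = rule["host_ports"]
    if d_hi - d_lo != h_hi - h_lo:
        problems.append("destination-port and mapped-port ranges differ in size")
    if rule["netmask"] != 32:
        problems.append("mapped-port needs a /32 host prefix")
    return problems


def translate(rule, dst_addr, dst_port):
    """Predict the (host address, host port) a packet to dst_addr:dst_port is
    rewritten to, or None when the rule does not match it."""
    d_lo, d_hi = rule["dest_ports"]
    if dst_addr != rule["dest_addr"] or not d_lo <= dst_port <= d_hi:
        return None
    return rule["host_addr"], rule["host_ports"][0] + (dst_port - d_lo)


def parse_session(text):
    """Extract the In and Out wings of one 'show security flow session' entry."""
    wings = {}
    for direction, src, sport, dst, dport, proto in WING_RE.findall(text):
        wings[direction] = {"src": src, "sport": int(sport),
                            "dst": dst, "dport": int(dport), "proto": proto}
    return wings


def session_matches_rule(rule, wings):
    """Check an observed session against the rule: the Out wing must come from
    the translated host address/port, and the client's source port must be
    carried through unchanged (only destination ports are remapped)."""
    inw, outw = wings["In"], wings["Out"]
    expected = translate(rule, inw["dst"], inw["dport"])
    if expected is None:
        return False
    return (outw["src"], outw["sport"]) == expected and outw["dport"] == inw["sport"]


if __name__ == "__main__":
    rule = parse_static_rule(STATIC_RULE_OUTPUT)
    print("lint:", lint_rule(rule) or "ok")
    print("port 1 maps to", translate(rule, "192.168.200.200", 1))
    print("session consistent with rule:",
          session_matches_rule(rule, parse_session(FLOW_SESSION_OUTPUT)))
```

Run it against the pasted output of the two show commands from a real box and it reports "ok", the host:port that port 1 lands on, and whether the live session agrees with the rule; a mismatch is the quickest way to spot that a different rule (or no static rule at all) handled the flow.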