To delve into NAT processing in Junos it is best to look at the packet flow in ASCII.
First path: Screens -> Static NAT -> Dest NAT -> Route -> Zones -> Policy -> Reverse Static NAT -> Source NAT -> Services ALG -> Session
Fast path: Screens -> TCP -> NAT -> Services ALG
Based on the first packet of a session, Junos installs the NAT and PAT information into the session
table for fast-path processing. Note that Destination NAT occurs before Source NAT, as the
first-path diagram shows.
We can classify NAT into three distinct categories:
* Source NAT: translates the source IP address of a packet
* Destination NAT: translates the destination IP address of a packet
* Static NAT: allows connections to be originated from either side of the network
Source NAT & PAT
1) Interface-based source NAT: translates the original source address to the egress interface IP, always with PAT
2) Pool-based source NAT: dynamic mapping of the original source address to an address from a user-defined pool, with or without PAT
3) Source NAT with address shifting: one-to-one mapping of the original source address to a user-defined pool by shifting the IP address, without PAT
NAT rules are akin to security policies: both require some directional context. For
source NAT, each rule-set has a from and a to clause, which can name an interface, a zone or a routing
instance. If rule-sets overlap (they match the same traffic), the rule-set with the most
specific context takes precedence: interface = most specific, zone = in between, routing instance = least specific.
Overlapping
* Static source NAT has higher precedence than dynamic source NAT
* Addresses used in NAT pools, whether source NAT pools or destination NAT pools, should
never overlap
* If more than one rule-set matches the traffic, the rule-set with the most specific context
takes precedence
* Within a rule-set, the order of the rules is significant
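As an added example (not part of the original notes), a small Python check of two of the rules above, run over a constructed config in the one-line form Junos prints with "show | display set": it flags pool address ranges that overlap and orders rule-sets by the specificity of their from-context. pool-admins and pool-inside mirror the page; pool-vpn, rs2 and rs3 are assumed extras added to exercise the checks.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample in Junos "display set" form. pool-admins and pool-inside mirror
# the page; pool-vpn and rule-sets rs2/rs3 are assumed, added to exercise the checks.
SAMPLE_CONFIG = """
set security nat source pool pool-admins address 172.16.16.226/32 to 172.16.16.230/32
set security nat source pool pool-vpn address 172.16.16.230/32 to 172.16.16.240/32
set security nat destination pool pool-inside address 10.200.2.11/32
set security nat source rule-set rs1 from zone trust
set security nat source rule-set rs1 to zone untrust
set security nat source rule-set rs2 from interface ge-0/0/1.0
set security nat source rule-set rs3 from routing-instance default
""".strip().splitlines()

POOL_RE = re.compile(r"^set security nat (source|destination) pool (\S+) address (\S+)(?: to (\S+))?")
RS_RE = re.compile(r"^set security nat source rule-set (\S+) from (interface|zone|routing-instance) ")
SPECIFICITY = {"interface": 0, "zone": 1, "routing-instance": 2}  # lower wins when rule-sets overlap

def parse_pools(lines):
    """Map pool name -> (kind, first_ip, last_ip); a lone prefix covers its whole block."""
    pools = {}
    for line in lines:
        m = POOL_RE.match(line)
        if not m:
            continue
        kind, name, first, last = m.groups()
        lo = ipaddress.ip_network(first, strict=False).network_address
        hi = ipaddress.ip_network(last or first, strict=False).broadcast_address
        pools[name] = (kind, lo, hi)
    return pools

def overlapping_pools(pools):
    """Sorted name pairs whose address ranges intersect, across source and destination pools."""
    hits = []
    for (a, (_, a_lo, a_hi)), (b, (_, b_lo, b_hi)) in combinations(sorted(pools.items()), 2):
        if a_lo <= b_hi and b_lo <= a_hi:
            hits.append((a, b))
    return hits

def rule_set_precedence(lines):
    """Rule-set names ordered as Junos resolves overlap: interface, then zone, then routing-instance."""
    ctx = {}
    for line in lines:
        m = RS_RE.match(line)
        if m:
            ctx[m.group(1)] = SPECIFICITY[m.group(2)]
    return sorted(ctx, key=lambda name: (ctx[name], name))
```

Any pair returned by overlapping_pools violates the "never overlap" rule above; the precedence list shows which rule-set Junos would consult first when several match the same flow.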
Live Changes
As soon as a change is made to a NAT rule, Junos tears down the existing sessions after the commit.
Rule set   From    To        Action
rs1        trust   untrust   interface

source {
    rule-set rs1 {
        from zone trust;
        to zone untrust;
        rule rl1 {
            match {
                source-address 10.200.2.0/24;
            }
            then {
                source-nat {
                    pool {
                        pool-admins;
                    }
                }
            }
        }
    }
}
In this configuration, instead of source NAT to the interface address, we use a dynamic pool
with PAT enabled. If you want to ensure that Junos keeps using the same translated source address
for a host, enable address-persistent:
[edit security nat]
root@host# show
source {
    address-persistent;
}
root@host# show
source {
    pool pool-admins {
        address {
            172.16.16.226/32 to 172.16.16.230/32;
        }
        port no-translation;
        overflow-pool interface;
    }
    rule-set rs1 {
        from zone trust;
        to zone untrust;
        rule rl1 {
            match {
                source-address 10.200.2.0/24;
            }
            then {
                source-nat {
                    pool {
                        pool-admins;
                    }
                }
            }
        }
    }
}
Pool Utilization
If you want to monitor utilization of the pool, enable the alarm as below:
[edit security nat]
root@host# show
source {
    pool-utilization-alarm raise-threshold 70 clear-threshold 50;
}
raise-threshold: Junos sends an SNMP trap when utilization rises above this percentage
clear-threshold: Junos sends another SNMP trap to clear the alarm once utilization drops below this percentage
root@host> show security nat source pool all
Total pools: 1
Pool name          : pool-admins
Pool id            : 4
Port               : no translation
Total addresses    : 5
Translation hits   : 4
Address range                        Single Ports   Twin Ports
    172.30.72.226 - 172.30.72.230         0
[edit security nat]
root@host# show
destination {
    pool pool-inside {
        address 10.200.2.11/32;
    }
    rule-set rs1 {
        from zone untrust;
        rule rl1 {
            match {
                destination-address 172.16.16.226/32;
            }
            then {
                destination-nat pool pool-inside;
            }
        }
    }
}
This is destination NAT without PAT. Address 172.16.16.226 is translated into
10.200.2.11. This is a single-address translation; if required, multiple addresses can
be used in the pool with the to option.
You can change the configuration in the following way to enable PAT:
[edit security nat]
root@host# show
destination {
    pool pool-inside {
        address 10.200.2.11/32 port 8080;
    }
    rule-set rs1 {
        from zone untrust;
        rule rl1 {
            match {
                destination-address 172.16.16.226/32;
                destination-port 80;
            }
            then {
                destination-nat pool pool-inside;
            }
        }
    }
}
proxy-arp {
    interface ge-0/0/0.0 {
        address {
            172.30.73.78/32;
        }
    }
}
Dropping non-NAT traffic
If you want to drop traffic that is not translated, use drop-untranslated under the policy, as below:
[edit security policies from-zone trust to-zone untrust]
root@host# show
policy trust-to-untrust {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit {
            destination-address {
                drop-untranslated;
            }
        }
        count;
    }
}
Monitoring commands used so far
* show security flow session
* show security nat source rule rule-name
* show security nat source pool all
* show security nat source summary