JNCIS SEC NAT

To delve into NAT processing in Junos it is better to see the packet flow in ASCII.
First PATH: Screens->Static NAT->Dest NAT->Route->Zones->Policy->Reverse Static NAT>Source NAT->Services ALG->Session
Fast PATH: Screens->TCP->NAT->Services ALG
Based on the first packet of session, JUNOS installes NAT and PAT information into the session
table for fast path processing. You should pay attention to the fact that Destination NAT occurs
before Source NAT which is clear in the first PATH diagram.
We can classify NAT into three distinct category;
* Source NAT : Translates source IP address of a packet
* Destination NAT : Translates destination IP of a packet
* Static NAT : This allows connections to be originated from either side of the network.
Source NAT & PAT
1) Interface based source NAT: Original source address to the egress interface IP always with
PAT
2) Pool based source NAT: Dynamic mapping of original source address to an address from a
user-defined pool with or without PAT
3) Source NAT with address shifting : one-to-one matching of the original source address to a
user-defined pool by shifting IP address without PAT
NAT rules are akin to security policies both of which require some directional context. For
source nat, each rule set has a from and to clause which can indicate an interface,zone or routing
instance. If rule-sets overlap (if they target the same traffic), the rule-set with the most
specific context takes precedence. Interfaces = most specific , routing instance = least specific
Overlapping
*Static source NAT has higher precedence than dynamic source NAT
* Addresses used in NAT pools either in source NAT pools or destination NAT pools should
never overlap
* If there is more than one rule-set matches the traffic, rule-set with the most specific context

precedence
* In a rule-set, order of the rules is significant

Live Changes
As soon as a change is made in a NAT rule, Junos tears down the session after the commit.

Interface Based Source NAT

[edit security nat]
root@host# show
source {
rule-set rs1 {
from zone trust;
to zone untrust;
rule rl1 {
match {
source-address 10.200.2.0/24;
}
then {
source-nat {
interface;
}
}
}
}
}You dont need to associate/apply this nat to any interface or something, like Cisco
IOS. It just works.
To display session table;
root@host> show security flow session destination-prefix 74.125.224.83/32

Session ID: 38783, Policy name: trust-to-untrust/4, Timeout: 1790, Valid

In: 10.200.2.11/51126 > 74.125.224.83/80;tcp, If: ge-0/0/8.0, Pkts: 5, Bytes: 662
Out: 74.125.224.83/80 > 172.16.16.226/48879;tcp, If: ge-0/0/0.0, Pkts: 4, Bytes:
2688
Session ID: 38789, Policy name: trust-to-untrust/4, Timeout: 1790, Valid
In: 10.200.2.11/51128 > 74.125.224.83/80;tcp, If: ge-0/0/8.0, Pkts: 2, Bytes: 112
Out: 74.125.224.83/80 > 172.16.16.226/54369;tcp, If: ge-0/0/0.0, Pkts: 1, Bytes:
60
Total sessions: 2
Here 172.16.16.226 is our egress interfaces IP address. Local IP 10.200.2.11 is
translated to 172.16.16.226 and passed onto upstream gateway for further
processing.To display NAT rules;

root@host> show security nat source summary

Total pools: 0
Total rules: 1
Rule name
rl1

Rule set
rs1

trust

From

To
untrust

Pool Based Source Nat (with PAT)

[edit security nat]
root@host# show
source {
pool pool-admins {
address {
172.16.16.226/32 to 172.16.16.230/32;
}
}
rule-set rs1 {
from zone trust;

Action
interface

to zone untrust;
rule rl1 {
match {
source-address 10.200.2.0/24;
}
then {
source-nat {
pool {
pool-admins;
}
}
}
}
}
}
In this configuration, instead of source natting to interface, we use a dynamic pool
with PAT enabled. If you want to ensure that junos uses the same source address in
translation, enable address-persistent
[edit security nat]
root@host# show
source {
address-persistent;

Pool Based Source Nat (without PAT)

Be careful that disabling PAT reduces the amount of available address. Without PAT, each
address in the source pool must use its original source port. overflow-pool is also configured as it
can be seen below to prevent address exhaustion.
[edit security nat]

root@host# show
source {
pool pool-admins {
address {
172.16.16.226/32 to 172.16.16.230/32;
}
port no-translation;
overflow-pool interface;
}
rule-set rs1 {
from zone trust;
to zone untrust;
rule rl1 {
match {
source-address 10.200.2.0/24;
}
then {
source-nat {
pool {
pool-admins;
}
}
}
}
}

}Pool Utilization

If you want to monitor utilization of the pool you can enable it as below;
[edit security nat]
root@host# show
{
pool-utilization-alarm raise-threshold 70 clear-threshold 50;
}raise-threshold: Junos sends an SNMP trap
clear-threshold: Junos sends another SNMP trap to clear the alarm

Source NAT with Address Shifting

This configuration is almost the same without address shifting. Once you enable
host-address-base which defines at which address shifting must start, PAT is
disabled.
[edit security nat]
root@host# show
source {
pool pool-admins {
address {
172.16.16.226/32 to 172.16.16.230/32;
}
host-address-base 10.200.2.11/32;
}
rule-set rs1 {
from zone trust;
to zone untrust;
rule rl1 {
match {
source-address 10.200.2.0/24;
}
then {

source-nat {
pool {
pool-admins;
}
}
}
}
}
}
root@host> show security nat source pool all
Total pools: 1
Pool name
Pool id

: pool-admins
:4

Routing instance : default

Host address base : 10.200.2.11
Port

: no translation

Total addresses

:5

Translation hits : 4

Address range
Single Ports Twin Ports
172.30.72.226 172.30.72.230
0

Pool-Based Destination NAT

[edit security nat]
root@host# show
destination {
pool pool-inside {
address 10.200.2.11/32;
}

rule-set rs1 {
from zone untrust;
rule rl1 {
match {
destination-address 172.16.16.226/32;
}
then {
destination-nat pool pool-inside;
}
}
}
}
This is a destination nat without PAT. Address 172.16.16.226 is translated into
10.200.2.11. This is a single address translation, if required multiple addresses can
be used on the pool by using to option.
You can change the configuration the following way to enable PAT
[edit security nat]
root@host# show
destination {
pool pool-inside {
address 10.200.2.11/32 port 8080;
}
rule-set rs1 {
from zone untrust;
rule rl1 {
match {
destination-address 172.16.16.226/32;

destination-port 80;
}
then {
destination-nat pool pool-inside;
}
}
}
}

Static Destination NAT

Static NAT requires a one-to-one match which means subnet masks must be the
same. If you select an IP address which isnt from interface, to be able to send ARP
replies, enable proxy-arp as below. Once destination NAT is configured,
reverse static source NAT is automatically enabled so that you dont need
to add another source nat rule.
[edit security nat]
root@host# show
static {
rule-set rs1 {
from zone untrust;
rule rl1 {
match {
destination-address 172.30.73.78/32;
}
then {
static-nat prefix 10.200.2.11/32;
}
}
}

}
proxy-arp {
interface ge-0/0/0.0 {
address {
172.30.73.78/32;
}
}
}Dropping non-NAT trafficIf you want to drop traffic not-translated, use dropuntranslated under the policy like below;
[edit security policies from-zone trust to-zone untrust]
root@host# show
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit {
destination-address {
drop-untranslated;
}
}
count;
}
}
Monitoring commands used so far

*
*
*
*

show
show
show
show

security
security
security
security

flow session
nat source rule rule-name
nat source pool all
nat source summary