Junos for Security Platforms

Chapter 7: Network Address Translation

© 2010 Juniper Networks, Inc. All rights reserved. | www.juniper.net | Worldwide Education Services
Chapter Objectives

After successfully completing this chapter, you will be able to:
• Describe the purpose and functionality of NAT and PAT
• Describe NAT processing
• Configure source NAT
• Configure destination NAT
• Configure static NAT
• Monitor and verify proper operation of NAT

Agenda: Network Address Translation

• NAT Overview (this section)
• Source NAT Operation and Configuration
• Destination NAT Operation and Configuration
• Static NAT Operation and Configuration
• Proxy ARP
• Monitoring and Verifying NAT Operation

Network Address Translation

• NAT provides a means of translation between public and private IP addresses
  • Might also support port translation (PAT)

[Diagram: host 10.1.10.5 in the Private/Trust zone, SRX inside address 10.1.10.1, public/Untrust address 1.1.70.5, Internet beyond. The packet header before and after NAT and PAT:]

                  SRC-IP     DST-IP     Protocol  SRC-Port  DST-Port
  Before NAT      10.1.10.5  221.1.8.5  6         36033     80
  After NAT/PAT   1.1.70.5   221.1.8.5  6         1025      80

Review: Packet Flow

[Diagram: Junos flow module. Per-packet policer and per-packet filter, then screens, then "Match session?". No (first path): static NAT, destination NAT, route lookup, zones, policy, reverse static NAT, source NAT, services/ALG, session installation. Yes (fast path): screens, TCP checks, NAT, services/ALG. Both paths then pass the per-packet filter and shaper before forwarding.]

NAT Processing

• NAT and PAT setup occurs during first-packet processing

[Diagram: first-packet path. Static NAT (no match: destination NAT) -> route/zone lookup (if no route, drop packet) -> policy lookup (drop per policy; permit continues) -> reverse static NAT (no match: source NAT) -> packet forwarded.]

Types of NAT

• Three types of NAT and PAT: source NAT, destination NAT, and static NAT
• Combination of destination and source NAT and PAT
• Dynamic versus static translation

[Diagram: host 10.1.10.5 in the Private/Trust zone, SRX addresses 10.1.10.1 and 1.1.70.5, Internet in the Public/Untrust zone; source NAT, destination NAT and static NAT shown on this topology.]

Agenda: Network Address Translation

• NAT Overview
• Source NAT Operation and Configuration (this section)
• Destination NAT Operation and Configuration
• Static NAT Operation and Configuration
• Proxy ARP
• Monitoring and Verifying NAT Operation

Source NAT Overview

• Translation is performed on the source address and, optionally, on the source port number
• Three types of source NAT:
  • Interface-based source NAT
    • PAT always performed
  • Pool-based source NAT: dynamic mapping using pools
    • With or without PAT
  • Source NAT with address shifting
    • One-to-one mapping with no PAT
    • Maps a private range to a public range

[Diagram: host 10.1.10.5 (Private) -> SRX 10.1.10.1 / 1.1.70.5 (Public) -> Internet; source NAT applied.]

Source NAT Configuration Guidelines

• Two-layer matching conditions
  • Traffic direction: specified with a from and to clause
    • Can be a routing-instance, zone, or interface
    • If rule-sets overlap, the more specific rule-set takes effect
  • Packet information: specified with a match clause
    • Includes source address and destination address
• Actions available: off, pool, and interface
• Static NAT (reverse mapping) rules take precedence over other rules
• Changes to a NAT rule or pool tear down existing sessions

Interface Source NAT (1 of 3)

• Sample topology:

[Diagram: host 10.1.10.5 (Private, Trust zone) -> SRX ge-0/0/2.0 10.1.10.1 / 1.1.70.5 (Public, Untrust zone) -> Internet; source NAT applied.]

  • Enable interface-based source NAT for traffic entering the ge-0/0/2.0 interface, using the egress public interface address 1.1.70.5

Interface Source NAT (2 of 3)

• Configuration:

[edit security nat source]
user@host# show
rule-set 1 {
    from interface ge-0/0/2.0;
    to zone untrust;
    rule 1A {
        match {
            source-address 0.0.0.0/0;
        }
        then {
            source-nat interface;
        }
    }
}

Slide callout: the from and to clauses can each name an interface, a routing-instance, or a zone.

Interface Source NAT (3 of 3)

• Result:

user@host> show security flow session
Session ID: 42325, Policy name: default-permit/4, Timeout: 1790
  In: 10.1.10.5/1739 --> 1.1.70.6/23;tcp, If: ge-0/0/2.0
  Out: 1.1.70.6/23 --> 1.1.70.5/1083;tcp, If: ge-0/0/3.10

user@host> show security nat source summary
Total pools: 0

Total rules: 1
Rule name    Rule set    From          To         Action
1A           1           ge-0/0/2.0    untrust    interface

Pool-Based Source NAT with PAT (1 of 3)

• Sample topology:

[Diagram: host 10.1.10.5 (Private, Trust zone) -> SRX 10.1.10.1 / 1.1.70.5 (Public, Untrust zone) -> Internet; source NAT to the public IP 207.17.137.229.]

  • Enable pool-based source NAT with PAT from the trust zone, using a public address of 207.17.137.229

Pool-Based Source NAT with PAT (2 of 3)

• Configuration:

[edit security nat source]
user@host# show
pool A {
    address {
        207.17.137.229/32;
    }
}
rule-set 1A {
    from zone trust;
    to zone untrust;
    rule 1 {
        match {
            source-address 10.1.10.0/24;
        }
        then {
            source-nat pool A;
        }
    }
}

Slide callouts: PAT is enabled by default for pool A; from and to can each name an interface, a routing-instance, or a zone; source-address can be 0.0.0.0/0 to match all.

Pool-Based Source NAT with PAT (3 of 3)

• Result:

user@host> show security flow session
Session ID: 46690, Policy name: default-permit/4, Timeout: 1774
  In: 10.1.10.5/1970 --> 1.1.70.6/23;tcp, If: ge-0/0/2.0
  Out: 1.1.70.6/23 --> 207.17.137.229/1035;tcp, If: ge-0/0/3.10

1 sessions displayed

user@host> show security nat source summary
Total pools: 1
Pool    Address                          Routing     PAT    Total
Name    Range                            Instance           Address
A       207.17.137.229-207.17.137.229    default     yes    1

Total rules: 1
Rule name    Rule set    From     To         Action
1            1A          trust    untrust    A

Address-Persistent Option

• By default, PAT is performed for pool-based source NAT
  • The port pool is 1024–65535, leaving approximately 64K source translations per IP address
• There is no guarantee that the same host will use the same address
  • Use the address-persistent option

[edit security nat]
user@host# show
source {
    address-persistent;
}

Pool-Based Source NAT Without PAT (1 of 3)

• Sample topology:

[Diagram: host 10.1.10.5 (Private, Trust zone) -> SRX 10.1.10.1 / 1.1.70.5 (Public, Untrust zone) -> Internet; source NAT to the public IP range 207.17.137/24.]

  • Enable pool-based source NAT without PAT from the trust zone, using a public address range of 207.17.137/24
  • Specify an overflow pool using the egress interface, in case the pool addresses are exhausted

Pool-Based Source NAT Without PAT (2 of 3)

• Configuration:

[edit security nat source]
user@host# show
pool A {
    address {
        207.17.137.1/32 to 207.17.137.254/32;
    }
    port no-translation;
    overflow-pool interface;
}
rule-set 1A {
    from zone trust;
    to zone untrust;
    rule 1 {
        match {
            source-address 10.1.10.0/24;
        }
        then {
            source-nat pool A;
        }
    }
}

Slide callouts: PAT must be disabled manually (port no-translation); the overflow pool can be a pool or the interface; from and to can each name an interface, a routing-instance, or a zone.

Pool-Based Source NAT Without PAT (3 of 3)

• Result:

user@host> show security flow session
Session ID: 46943, Policy name: default-permit/4, Timeout: 1518
  In: 10.1.10.5/1978 --> 1.1.70.6/23;tcp, If: ge-0/0/2.0
  Out: 1.1.70.6/23 --> 207.17.137.127/1978;tcp, If: ge-0/0/3.10

user@host> show security nat source summary
Total pools: 1
Pool    Address                          Routing     PAT    Total
Name    Range                            Instance           Address
A       207.17.137.1-207.17.137.254      default     no     254

Total rules: 1
Rule name    Rule set    From     To         Action
1            1A          trust    untrust    A

Pool Utilization

• If all addresses in a pool are in use, further packets requiring NAT are dropped
  • Use an overflow pool
  • Set utilization alarm thresholds to receive SNMP trap notifications

[edit security nat source]
user@host# show
pool-utilization-alarm raise-threshold 50 clear-threshold 40;

Slide callout: clear-threshold defaults to 80% of raise-threshold.

Source NAT with Address Shifting (1 of 3)

• Sample topology:

[Diagram: host 10.1.10.5 (Private, Trust zone) -> SRX 10.1.10.1 / 1.1.70.5 (Public, Untrust zone) -> Internet; source NAT to the public IP range 207.17.137/24.]

  • Enable pool-based source NAT using a one-to-one mapping from a range of private addresses to a range of public addresses
  • Use a base private address of 10.1.10.5
  • Use a public address range of 207.17.137/24

Source NAT with Address Shifting (2 of 3)

• Configuration:

[edit security nat source]
user@host# show
pool A {
    address {
        207.17.137.1/32 to 207.17.137.254/32;
    }
    host-address-base 10.1.10.5/32;
}
rule-set 1A {
    from zone trust;
    to zone untrust;
    rule 1 {
        match {
            source-address 10.1.10.0/24;
        }
        then {
            source-nat pool A;
        }
    }
}

Slide callouts: host-address-base enables one-to-one address shifting; from and to can each name an interface, a routing-instance, or a zone.

Source NAT with Address Shifting (3 of 3)

• Result:

user@host> show security flow session
Session ID: 57737, Policy name: default-permit/4, Timeout: 1772
  In: 10.1.10.5/2023 --> 1.1.70.6/23;tcp, If: ge-0/0/2.0
  Out: 1.1.70.6/23 --> 207.17.137.1/2023;tcp, If: ge-0/0/3.10

user@host> show security nat source pool all
Total pools: 1

Pool name          : A
Pool id            : 4
Routing instance   : default
Host address base  : 10.1.10.5
Port               : no translation
Total addresses    : 254
Translation hits   : 6
Address range                        Single Ports    Twin Ports
    207.17.137.1 - 207.17.137.254    0               0

Slide callout: PAT is disabled (Port: no translation).

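Added example (not Juniper's code and not Junos CLI): a small Python model of the three source NAT pool behaviours configured on the preceding slides (interface/PAT, port no-translation with an overflow pool, and host-address-base address shifting) together with the raise/clear thresholds from the Pool Utilization slide. The class and method names, the port-allocation order and the exact alarm semantics are the model's own assumptions; the addresses and ports come from the slides.

```python
from ipaddress import IPv4Address

PAT_PORT_RANGE = range(1024, 65536)   # port pool the slides describe (~64K per address)


class SourceNatPool:
    """pool { address first to last; [port no-translation; overflow-pool ...;]
    [host-address-base ...;] }: PAT (default), no-PAT with overflow, or shifting."""
    def __init__(self, first, last, pat=True, overflow=None, host_base=None):
        self.addresses = [str(IPv4Address(i))
                          for i in range(int(IPv4Address(first)), int(IPv4Address(last)) + 1)]
        self.pat, self.overflow, self.host_base = pat, overflow, host_base
        self.bindings = {}   # (src_ip, src_port) -> (nat_ip, nat_port)
        self.next_port = {}  # nat_ip -> next free PAT port
        self.in_use = {}     # nat_ip -> private host holding it (no-PAT mode)

    def utilization(self):
        return 100.0 * len(self.in_use) / len(self.addresses)   # what the alarm watches

    def translate(self, src_ip, src_port):
        """Return (nat_ip, nat_port), or None when the packet would be dropped."""
        key = (src_ip, src_port)
        if key in self.bindings:               # an existing session keeps its binding
            return self.bindings[key]
        if self.host_base is not None:         # address shifting: one-to-one, no PAT
            offset = int(IPv4Address(src_ip)) - int(IPv4Address(self.host_base))
            if not 0 <= offset < len(self.addresses):
                return None                    # host outside base..base+size: no mapping
            result = (self.addresses[offset], src_port)
        elif self.pat:                         # default: PAT on a single-address pool
            nat_ip = self.addresses[0]
            port = self.next_port.get(nat_ip, PAT_PORT_RANGE.start)
            if port not in PAT_PORT_RANGE:
                return None                    # every port on the address is in use
            self.next_port[nat_ip] = port + 1
            result = (nat_ip, port)
        else:                                  # port no-translation: one address per host
            nat_ip = next((ip for ip, h in self.in_use.items() if h == src_ip), None)
            if nat_ip is None:
                free = [ip for ip in self.addresses if ip not in self.in_use]
                if not free:                   # pool exhausted: overflow-pool or drop
                    return self.overflow.translate(src_ip, src_port) if self.overflow else None
                nat_ip = free[0]
                self.in_use[nat_ip] = src_ip
            result = (nat_ip, src_port)
        self.bindings[key] = result
        return result


class PoolUtilizationAlarm:
    """pool-utilization-alarm raise-threshold R [clear-threshold C]; C defaults to 80% of R."""
    def __init__(self, raise_threshold, clear_threshold=None):
        self.raise_t = raise_threshold
        self.clear_t = 0.8 * raise_threshold if clear_threshold is None else clear_threshold
        self.raised = False

    def check(self, utilization):
        """Return 'raise' or 'clear' when the alarm state changes (SNMP trap events), else None."""
        if not self.raised and utilization >= self.raise_t:
            self.raised = True
            return "raise"
        if self.raised and utilization <= self.clear_t:
            self.raised = False
            return "clear"
        return None
```

With a 254-address pool and host-address-base 10.1.10.5, the model reproduces the slide's result: 10.1.10.5 is always translated to 207.17.137.1 and keeps its source port.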
Check Your Knowledge

• What is the purpose of a source NAT off action?

[edit security nat source rule-set 1A]
user@host# show
from zone trust;
to zone external;
rule 1 {
    match {
        destination-address 172.18.20.0/24;
    }
    then {
        source-nat off;
    }
}
rule 2 {
    match {
        source-address 10.1.10.0/24;
    }
    then {
        source-nat pool A;
    }
}

Agenda: Network Address Translation

• NAT Overview
• Source NAT Operation and Configuration
• Destination NAT Operation and Configuration (this section)
• Static NAT Operation and Configuration
• Proxy ARP
• Monitoring and Verifying NAT Operation

Destination NAT Overview

• Translation is performed on the destination address and, optionally, on the destination port number
• One type of destination NAT:
  • Interface-based destination NAT
    • PAT available
  • Pool-based NAT is a one-to-one mapping using pools
    • PAT available
• VoIP ALGs dynamically generate an allow-incoming table for packets entering a private network

[Diagram: host 10.1.10.5 (Private) -> SRX 10.1.10.1 / 1.1.70.5 (Public) -> Internet; destination NAT applied.]

Destination NAT Configuration Guidelines

• Two-layer matching conditions
  • Traffic direction: specified with a from clause
    • Can be a routing-instance, zone, or interface
    • If rule-sets overlap, the more specific rule-set takes effect
  • Packet information: specified with a match clause
    • Includes source address, destination address, and destination port number (only destination address for a static NAT rule)
• Actions include off or pool
  • Exception for static NAT rule
• Static NAT rules take precedence over other rules
• Changes to a NAT rule or pool tear down existing sessions

Pool-Based Destination NAT (1 of 6)

• Sample topology:

[Diagram: Trust zone with Server A 10.1.10.5 and host 10.1.10.6; SRX public address 1.1.70.5; Untrust host 1.1.70.6 and the Internet; destination NAT applied.]

  • Enable pool-based destination NAT to Server A using a public address of 100.0.0.1/32

Pool-Based Destination NAT (2 of 6)

• Single address with no port translation:

[edit security nat destination]
user@host# show
pool A {
    address 10.1.10.5/32;
}
rule-set 1 {
    from zone untrust;
    rule 1A {
        match {
            destination-address 100.0.0.1/32;
        }
        then {
            destination-nat pool A;
        }
    }
}

Slide callout: the from clause can name an interface, a routing-instance, or a zone.

Pool-Based Destination NAT (3 of 6)

• Destination NAT with address pool:

[edit security nat destination]
user@host# show
pool A {
    address 10.1.10.5/32 to 10.1.10.6/32;
}
rule-set 1 {
    from zone untrust;
    rule 1A {
        match {
            destination-address 100.0.0.1/32;
        }
        then {
            destination-nat pool A;
        }
    }
}

Slide callout: the from clause can name an interface, a routing-instance, or a zone.

Pool-Based Destination NAT (4 of 6)

• Destination NAT with port translation:

[edit security nat destination]
user@host# show
pool A {
    address 10.1.10.5/32 port 8080;
}
rule-set 1 {
    from zone untrust;
    rule 1A {
        match {
            destination-address 100.0.0.1/32;
            destination-port 80;
        }
        then {
            destination-nat pool A;
        }
    }
}

Slide callout: the from clause can name an interface, a routing-instance, or a zone.

Pool-Based Destination NAT (5 of 6)

• Result of NAT with PAT:

user@host> show security flow session
Session ID: 12554, Policy name: default-permit/4, Timeout: 14
  In: 1.1.70.6/58204 --> 100.0.0.1/80;tcp, If: ge-0/0/3.10
  Out: 10.1.10.5/8080 --> 1.1.70.6/58204;tcp, If: ge-0/0/2.0

1 sessions displayed

user@host> show security nat destination pool all
Total destination-nat pools: 1

Pool name       : A
Pool id         : 1
Routing instance: default
Total address   : 1
Translation hits: 1
Address range                Port
    10.1.10.5 - 10.1.10.5    8080

Pool-Based Destination NAT (6 of 6)

• Result of NAT with PAT (contd.):

user@host> show security nat destination rule all
Total destination-nat rules: 1

Destination NAT rule: 1A            Rule-set: 1
  Rule-Id                   : 1
  Rule position             : 1
  From zone                 : untrust
  Destination addresses     : 100.0.0.1 - 100.0.0.1
  Action                    : A
  Destination port          : 80
  Translation hits          : 6

Agenda: Network Address Translation

• NAT Overview
• Destination NAT Operation and Configuration
• Source NAT Operation and Configuration
• Static NAT Operation and Configuration (this section)
• Proxy ARP
• Monitoring and Verifying NAT Operation

Static NAT (1 of 3)

• Sample topology:

[Diagram: Trust zone with Server A 10.1.10.5 and host 10.1.10.6; SRX public address 1.1.70.5; Untrust host 1.1.70.6 and the Internet; static NAT applied.]

  • Enable static destination NAT to Server A using a public address of 100.0.0.1/32

Static NAT (2 of 3)

• Configuration:

[edit security nat static]
root@host# show
rule-set r1 {
    from zone untrust;
    rule a {
        match {
            destination-address 100.0.0.1/32;
        }
        then {
            static-nat prefix 10.1.10.5/32;
        }
    }
}

Static NAT (3 of 3)

• Result:

user@host> show security flow session
Session ID: 7724, Policy name: default-permit/4, Timeout: 2
  In: 1.1.70.6/17 --> 100.0.0.1/2326;icmp, If: ge-0/0/3.10
  Out: 10.1.10.5/2326 --> 1.1.70.6/17;icmp, If: ge-0/0/2.0

• Reverse static source NAT is automatically enabled:

user@host> show security flow session
Session ID: 18408, Policy name: default-permit/4, Timeout: 2
  In: 10.1.10.5/64513 --> 1.1.70.6/512;icmp, If: ge-0/0/2.0
  Out: 1.1.70.6/512 --> 100.0.0.1/64513;icmp, If: ge-0/0/3.10

  • The session is not created until it is triggered by traffic

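Added example (not Junos code): a Python walk through the first-packet order shown on the NAT Processing slide, loaded with the destination NAT rule (100.0.0.1:80 to 10.1.10.5:8080) and the static NAT rule (100.0.0.1 to 10.1.10.5) from the configuration slides. It shows a static rule winning over a destination rule for the same address and the reverse static mapping applied automatically to traffic the server originates. The zone table, policy table and the dict shape of the rules are constructed assumptions, and the `shift` helper generalizes the slides' /32 rules to any pair of equal-size prefixes.

```python
from ipaddress import ip_address, ip_network

# Sample topology from the slides (constructed zone table for the route/zone lookup).
ZONES = {"trust": "10.1.10.0/24", "untrust": "1.1.70.0/24"}
POLICIES = {("untrust", "trust"): "permit", ("trust", "untrust"): "permit"}

# Rules transcribed from the configuration slides into a constructed dict shape.
STATIC_RULE = {"from": "untrust", "match": "100.0.0.1/32", "prefix": "10.1.10.5/32"}
DEST_RULE = {"from": "untrust", "match": "100.0.0.1/32", "port": 80,
             "pool": ("10.1.10.5", 8080)}


def shift(ip, from_prefix, to_prefix):
    """Map ip to the same offset inside to_prefix (static NAT is 1:1 over equal-size prefixes)."""
    a, b = ip_network(from_prefix), ip_network(to_prefix)
    return str(ip_address(int(ip_address(ip)) - int(a.network_address) + int(b.network_address)))


def zone_of(ip):
    return next((z for z, net in ZONES.items() if ip_address(ip) in ip_network(net)), None)


def first_path(pkt, static_rules=(), dest_rules=(), policies=POLICIES):
    """Run the first-packet steps of the NAT Processing slide on pkt =
    {in_zone, src, sport, dst, dport}. Returns (translated_pkt, steps) or (None, reason)."""
    p, steps = dict(pkt), []
    # 1. Static NAT (destination side) is checked first and wins over destination NAT.
    for r in static_rules:
        if r["from"] == p["in_zone"] and ip_address(p["dst"]) in ip_network(r["match"]):
            p["dst"] = shift(p["dst"], r["match"], r["prefix"])
            steps.append("static-nat")
            break
    else:
        # 2. Destination NAT, optionally with port translation (pool ... port N).
        for r in dest_rules:
            if (r["from"] == p["in_zone"] and ip_address(p["dst"]) in ip_network(r["match"])
                    and r.get("port") in (None, p["dport"])):
                p["dst"], p["dport"] = r["pool"][0], r["pool"][1] or p["dport"]
                steps.append("destination-nat")
                break
    # 3. Route/zone lookup on the translated destination; no route -> drop.
    out_zone = zone_of(p["dst"])
    if out_zone is None:
        return None, "drop: no route"
    # 4. Policy lookup sees post-destination-NAT addresses and zones.
    if policies.get((p["in_zone"], out_zone)) != "permit":
        return None, "drop: policy"
    # 5. Reverse static NAT: traffic the static-NAT host originates towards the
    #    rule's from-zone is sourced from the public address automatically.
    for r in static_rules:
        if out_zone == r["from"] and ip_address(p["src"]) in ip_network(r["prefix"]):
            p["src"] = shift(p["src"], r["prefix"], r["match"])
            steps.append("reverse-static-nat")
            break
    p["out_zone"] = out_zone
    return p, steps
```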
Dropping Non-NAT Traffic

• drop-untranslated

[Diagram: Trust zone with host 10.1.10.6 and Host A 10.1.10.5; SRX 1.1.70.5 with interface ge-0/0/3.10 towards the Untrust host 1.1.70.6 and the Internet.]

[edit security policies]
root@host# show
from-zone untrust to-zone trust {
    policy reject-untranslated {
        match {
            source-address any;
            destination-address 10.1.10.5/32;
            application any;
        }
        then {
            permit {
                destination-address {
                    drop-untranslated;
                }
            }
        }
    }
}

Agenda: Network Address Translation

• NAT Overview
• Destination NAT Operation and Configuration
• Source NAT Operation and Configuration
• Static NAT Operation and Configuration
• Proxy ARP (this section)
• Monitoring and Verifying NAT Operation

NAT Proxy ARP

• Required for IP addresses that need NAT and belong to the subnet of the ingress interface

[edit security nat]
user@host# show
proxy-arp {
    interface interface-name {
        address {
            starting-address to ending-address;
            address;
        }
    }
}

Slide callout: you can specify a single address, a range of addresses, or both.

NAT Proxy ARP Example

[Diagram: host 10.1.10.5 (Private, Trust zone) -> SRX 10.1.10.1 / 1.1.70.5 on interface ge-0/0/3.10 (Public, Untrust zone) -> Internet. Source NAT with the public IP range 1.1.70.10 to 1.1.70.100; return traffic needs proxy ARP.]

[edit security nat]
user@host# show
proxy-arp {
    interface ge-0/0/3.10 {
        address {
            1.1.70.10/32 to 1.1.70.100/32;
        }
    }
}

Agenda: Network Address Translation

• NAT Overview
• Destination NAT Operation and Configuration
• Source NAT Operation and Configuration
• Static NAT Operation and Configuration
• Proxy ARP
• Monitoring and Verifying NAT Operation (this section)

Monitoring and Verifying NAT Operation

• Key commands (can use source or destination):
  • show security flow session
  • show security nat source rule rule-name
  • show security nat source pool pool-name
  • show security nat source summary
• Traceoptions
  • Configured under the edit security nat stanza
  • Logs to the file /var/log/security-trace by default
  • Can flag source, destination, and static NAT operations on the Packet Forwarding Engine and the Routing Engine

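Added example (not part of the course material): a Python parser for the `show security flow session` output used throughout this chapter. It infers from the In and Out wings which translation each session received (the Out wing is the reply direction, so its destination is the translated source and its source the translated destination) and flags sessions that left on the public interface with an untranslated private source, the check to run after a rule or pool change has torn sessions down. The first three sessions are transcribed from the slides; the fourth is constructed to exercise the check, and the interface and prefix defaults are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Sample output transcribed from the slides; the last session is constructed.
SAMPLE = """\
Session ID: 46690, Policy name: default-permit/4, Timeout: 1774
  In: 10.1.10.5/1970 --> 1.1.70.6/23;tcp, If: ge-0/0/2.0
  Out: 1.1.70.6/23 --> 207.17.137.229/1035;tcp, If: ge-0/0/3.10

Session ID: 46943, Policy name: default-permit/4, Timeout: 1518
  In: 10.1.10.5/1978 --> 1.1.70.6/23;tcp, If: ge-0/0/2.0
  Out: 1.1.70.6/23 --> 207.17.137.127/1978;tcp, If: ge-0/0/3.10

Session ID: 12554, Policy name: default-permit/4, Timeout: 14
  In: 1.1.70.6/58204 --> 100.0.0.1/80;tcp, If: ge-0/0/3.10
  Out: 10.1.10.5/8080 --> 1.1.70.6/58204;tcp, If: ge-0/0/2.0

Session ID: 50001, Policy name: default-permit/4, Timeout: 1790
  In: 10.1.10.7/3300 --> 1.1.70.6/23;tcp, If: ge-0/0/2.0
  Out: 1.1.70.6/23 --> 10.1.10.7/3300;tcp, If: ge-0/0/3.10

4 sessions displayed
"""

HEADER = re.compile(r"Session ID: (\d+), Policy name: (\S+), Timeout: (\d+)")
WING = re.compile(r"(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: (\S+)")


def parse_sessions(text):
    """Return one dict per session with its In and Out wings parsed into fields."""
    sessions = []
    for line in map(str.strip, text.splitlines()):
        if m := HEADER.match(line):
            sessions.append({"id": int(m[1]), "policy": m[2], "timeout": int(m[3])})
        elif m := WING.match(line):
            sessions[-1][m[1].lower()] = {"src": m[2], "sport": int(m[3]), "dst": m[4],
                                          "dport": int(m[5]), "proto": m[6], "if": m[7]}
    return sessions


def classify(s):
    """Derive what NAT did from the two wings: Out.dst is the translated source,
    Out.src the translated destination; a changed port means PAT was applied too."""
    i, o = s["in"], s["out"]
    kinds = []
    if i["src"] != o["dst"]:
        kinds.append("source-nat" + ("+pat" if i["sport"] != o["dport"] else ""))
    if i["dst"] != o["src"]:
        kinds.append("destination-nat" + ("+pat" if i["dport"] != o["sport"] else ""))
    return kinds


def untranslated_egress(sessions, private="10.1.10.0/24", egress_if="ge-0/0/3.10"):
    """IDs of sessions leaving on the public interface whose translated source
    is still a private address (assumed prefix and interface from the topology)."""
    return [s["id"] for s in sessions
            if s["out"]["if"] == egress_if and ip_address(s["out"]["dst"]) in ip_network(private)]
```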
Summary

In this chapter, we:
• Described the purpose and functionality of NAT and PAT
• Described NAT processing
• Learned to configure source NAT
• Learned to configure destination NAT
• Learned to configure static NAT
• Discussed the monitoring and verification of NAT operation

Review Questions

1. Does destination NAT occur before or after security policy processing in the first-path packet flow?
2. Does the Junos OS support static source NAT?
3. What is the purpose of a NAT off action?
4. When is a proxy ARP configuration required?
5. List three commands used to monitor NAT operation.

Lab 5: Network Address Translation

Perform tasks normally associated with NAT configuration and monitoring.