© 2010 Juniper Networks, Inc. All rights reserved. | www.juniper.net | Worldwide Education Services
Chapter Objectives
Agenda: Network Address Translation
NAT Overview
Source NAT Operation and Configuration
Destination NAT Operation and Configuration
Static NAT Operation and Configuration
Proxy ARP
Monitoring and Verifying NAT Operation
Network Address Translation
[Figure: a private host 10.1.10.5 in the Private/Trust zone reaches the Internet through a NAT device whose inside address is 10.1.10.1 and whose outside address is 1.1.70.5. The callout table shows the packet before and after translation; the change of source port is PAT.]
Before NAT:  SRC-IP 10.1.10.5   DST-IP 221.1.8.5   Protocol 6   SRC-Port 36033   DST-Port 80
After NAT:   SRC-IP 1.1.70.5    DST-IP 221.1.8.5   Protocol 6   SRC-Port 1025    DST-Port 80
Review: Packet Flow
[Figure: packet-flow diagram. A forwarding lookup and a session lookup come first; when no existing session matches, the first-path steps run in this order: Screens, Static NAT, Destination NAT, Route, Zones, Policy, Reverse Static NAT, Source NAT, Services/ALG, after which the session is installed.]
NAT Processing
[Figure: NAT processing flowchart. Static NAT is evaluated first; if no static NAT rule matches, destination NAT is evaluated next. The route/zone lookup and the policy lookup follow, and once the policy permits the packet, reverse static NAT and then source NAT are applied.]
Types of NAT
[Figure: the same topology (private host 10.1.10.5 in Private/Trust, NAT device with inside address 10.1.10.1 and outside address 1.1.70.5 in Public/Untrust, Internet) annotated with the three NAT types: Source NAT, Destination NAT, and Static NAT.]
Source NAT Overview
Translation is performed on the source address and, optionally, on the source port number.
Three types of source NAT:
• Interface-based source NAT
  • PAT is always performed
• Pool-based source NAT: dynamic mapping using pools
  • With or without PAT
• Source NAT with address shifting
  • One-to-one mapping with no PAT
  • Maps a private range to a public range
[Figure: private host 10.1.10.5, NAT device with inside address 10.1.10.1 and public address 1.1.70.5, Internet; source NAT is applied to outbound traffic.]
Source NAT Configuration Guidelines
Sample topology:
[Figure: trust zone on interface ge-0/0/2.0 with private host 10.1.10.5 and inside address 10.1.10.1; untrust zone with public address 1.1.70.5 toward the Internet; source NAT is applied between the two zones.]
Interface Source NAT (2 of 3)
Configuration:
[edit security nat source]
user@host# show
rule-set 1 {
    from interface ge-0/0/2.0;
    to zone untrust;
    rule 1A {
        match {
            source-address 0.0.0.0/0;
        }
        then {
            source-nat interface;
        }
    }
}
Callout: the from and to contexts can each be an interface, a routing instance, or a zone.
Interface Source NAT (3 of 3)
Result:
user@host> show security flow session
Session ID: 42325, Policy name: default-permit/4, Timeout: 1790
  In: 10.1.10.5/1739 --> 1.1.70.6/23;tcp, If: ge-0/0/2.0
  Out: 1.1.70.6/23 --> 1.1.70.5/1083;tcp, If: ge-0/0/3.10

Total rules: 1
Rule name    Rule set    From          To         Action
1A           1           ge-0/0/2.0    untrust    interface
Pool-Based Source NAT with PAT (1 of 3)
Sample topology:
[Figure: trust zone with private host 10.1.10.5 and inside address 10.1.10.1; untrust zone with address 1.1.70.5 toward the Internet; source NAT uses the public IP 207.17.137.229.]
• Enable pool-based source NAT with PAT from the trust zone using a public address of 207.17.137.229
Pool-Based Source NAT with PAT (2 of 3)
Configuration:
[edit security nat source]
user@host# show
pool A {
    address {
        207.17.137.229/32;
    }
}
rule-set 1A {
    from zone trust;
    to zone untrust;
    rule 1 {
        match {
            source-address 10.1.10.0/24;
        }
        then {
            source-nat pool A;
        }
    }
}
Callouts: PAT is enabled by default for pool A; the from and to contexts can each be an interface, a routing instance, or a zone; the source-address match can be 0.0.0.0/0 to cover all sources.
Pool-Based Source NAT with PAT (3 of 3)
Result:
user@host> show security flow session
Session ID: 46690, Policy name: default-permit/4, Timeout: 1774
  In: 10.1.10.5/1970 --> 1.1.70.6/23;tcp, If: ge-0/0/2.0
  Out: 1.1.70.6/23 --> 207.17.137.229/1035;tcp, If: ge-0/0/3.10
1 sessions displayed

Total rules: 1
Rule name    Rule set    From     To         Action
1            1A          trust    untrust    A
Address-Persistent Option
Pool-Based Source NAT Without PAT (1 of 3)
Sample topology:
[Figure: trust zone with private host 10.1.10.5 and inside address 10.1.10.1; untrust zone with address 1.1.70.5 toward the Internet; source NAT uses the public IP range 207.17.137/24.]
Pool-Based Source NAT Without PAT (2 of 3)
Configuration:
[edit security nat source]
user@host# show
pool A {
    address {
        207.17.137.1/32 to 207.17.137.254/32;
    }
    port no-translation;
    overflow-pool interface;
}
rule-set 1A {
    from zone trust;
    to zone untrust;
    rule 1 {
        match {
            source-address 10.1.10.0/24;
        }
        then {
            source-nat pool A;
        }
    }
}
Callouts: PAT must be disabled manually with port no-translation; the overflow pool can be another pool or the interface; the from and to contexts can each be an interface, a routing instance, or a zone.
Pool-Based Source NAT Without PAT (3 of 3)
Result:
user@host> show security flow session
Session ID: 46943, Policy name: default-permit/4, Timeout: 1518
  In: 10.1.10.5/1978 --> 1.1.70.6/23;tcp, If: ge-0/0/2.0
  Out: 1.1.70.6/23 --> 207.17.137.127/1978;tcp, If: ge-0/0/3.10

Total rules: 1
Rule name    Rule set    From     To         Action
1            1A          trust    untrust    A
Pool Utilization
Callout on the pool-utilization-alarm configuration: the clear threshold defaults to 80% of raise-threshold.
Source NAT with Address Shifting (1 of 3)
Sample topology:
[Figure: trust zone with private host 10.1.10.5 and inside address 10.1.10.1; untrust zone with address 1.1.70.5 toward the Internet; source NAT with address shifting uses the public IP range 207.17.137/24.]
Source NAT with Address Shifting (2 of 3)
Configuration:
[edit security nat source]
user@host# show
pool A {
    address {
        207.17.137.1/32 to 207.17.137.254/32;
    }
    host-address-base 10.1.10.5/32;
}
rule-set 1A {
    from zone trust;
    to zone untrust;
    rule 1 {
        match {
            source-address 10.1.10.0/24;
        }
        then {
            source-nat pool A;
        }
    }
}
Callouts: host-address-base enables one-to-one address shifting; the from and to contexts can each be an interface, a routing instance, or a zone.
Source NAT with Address Shifting (3 of 3)
Result:
user@host> show security flow session
Session ID: 57737, Policy name: default-permit/4, Timeout: 1772
  In: 10.1.10.5/2023 --> 1.1.70.6/23;tcp, If: ge-0/0/2.0
  Out: 1.1.70.6/23 --> 207.17.137.1/2023;tcp, If: ge-0/0/3.10

Pool name         : A
Pool id           : 4
Routing instance  : default
Host address base : 10.1.10.5
Port              : no translation
Total addresses   : 254
Translation hits  : 6
Address range                        Single Ports    Twin Ports
207.17.137.1 - 207.17.137.254        0               0
Callout: PAT is disabled (Port: no translation).
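The three source NAT behaviours shown on the preceding slides (pool with PAT, pool without PAT with overflow to the interface, and address shifting) modelled in Python as an added example; this is not Juniper code. Pool ranges, host-address-base and the interface address 1.1.70.5 are the slide values; the sequential port allocation and the lowest-free-address choice are assumptions (the SRX picks differently), so only the mapping rules, not the exact ports or pool addresses, should be compared with the slide output.

```python
import ipaddress
import itertools

IF_ADDR = "1.1.70.5"  # untrust interface address on the slides (source-nat interface, overflow-pool interface)
INTERFACE_PORTS = itertools.count(1024)  # assumption: interface PAT ports are handed out sequentially


def _ip(s):
    return int(ipaddress.ip_address(s))


def interface_nat(src_ip, src_port):
    """source-nat interface: the interface address, with PAT always performed."""
    return IF_ADDR, next(INTERFACE_PORTS)


class SourceNatPool:
    """One source NAT pool in one of the slide modes: PAT (the default), no-PAT dynamic
    mapping with an optional overflow to the interface, or address shifting."""

    def __init__(self, first, last, pat=True, host_address_base=None, overflow=None):
        self.first, self.last = _ip(first), _ip(last)
        self.pat = pat
        self.base = _ip(host_address_base) if host_address_base else None
        self.overflow = overflow            # "interface" or None (overflow to another pool not modelled)
        self.in_use = {}                    # private address -> public address (no-PAT mode)
        self.ports = itertools.count(1024)  # assumption: pool PAT ports are handed out sequentially

    def translate(self, src_ip, src_port):
        """Return (translated_ip, translated_port), or None when no mapping is possible."""
        if self.base is not None:
            # Address shifting: fixed one-to-one offset from host-address-base, port unchanged.
            offset = _ip(src_ip) - self.base
            if 0 <= offset <= self.last - self.first:
                return str(ipaddress.ip_address(self.first + offset)), src_port
            return None                     # source outside the shifted range
        if self.pat:
            # PAT: a pool address plus a fresh port (assumption: the first pool address is used).
            return str(ipaddress.ip_address(self.first)), next(self.ports)
        # No PAT: each private host is bound to its own public address and keeps its port.
        if src_ip not in self.in_use:
            free = set(range(self.first, self.last + 1)) - set(self.in_use.values())
            if free:
                self.in_use[src_ip] = min(free)   # assumption: lowest free address
            elif self.overflow == "interface":
                return IF_ADDR, next(self.ports)  # overflow-pool interface: PAT on the interface
            else:
                return None                       # pool exhausted and no overflow pool
        return str(ipaddress.ip_address(self.in_use[src_ip])), src_port
```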
Check Your Knowledge
What is the purpose of a source NAT off action?
[edit security nat source rule-set 1A]
user@host# show
from zone trust;
to zone external;
rule 1 {
    match {
        destination-address 172.18.20.0/24;
    }
    then {
        source-nat off;
    }
}
rule 2 {
    match {
        source-address 10.1.10.0/24;
    }
    then {
        source-nat pool A;
    }
}
Destination NAT Overview
Translation is performed on the destination address and, optionally, on the destination port number.
One type of destination NAT:
• Interface-based destination NAT
  • PAT available
• Pool-based NAT is a one-to-one mapping using pools
  • PAT available
VoIP ALGs dynamically generate an allow-incoming table for packets entering a private network.
[Figure: private host 10.1.10.5, NAT device with inside address 10.1.10.1 and public address 1.1.70.5, Internet; destination NAT is applied to inbound traffic.]
Destination NAT Configuration Guidelines
Sample topology:
[Figure: trust zone with Server A at 10.1.10.5 and inside address 10.1.10.6; untrust zone with address 1.1.70.5; Internet host 1.1.70.6; destination NAT is applied to inbound traffic.]
Pool-Based Destination NAT (2 of 6)
Pool-Based Destination NAT (3 of 6)
Pool-Based Destination NAT (4 of 6)
Pool-Based Destination NAT (5 of 6)
Result of NAT with PAT:
user@host> show security flow session
Session ID: 12554, Policy name: default-permit/4, Timeout: 14
  In: 1.1.70.6/58204 --> 100.0.0.1/80;tcp, If: ge-0/0/3.10
  Out: 10.1.10.5/8080 --> 1.1.70.6/58204;tcp, If: ge-0/0/2.0
1 sessions displayed

Pool name         : A
Pool id           : 1
Routing instance  : default
Total address     : 1
Translation hits  : 1
Address range               Port
10.1.10.5 - 10.1.10.5       8080
Pool-Based Destination NAT (6 of 6)
Static NAT (1 of 3)
Sample topology:
[Figure: trust zone with Server A at 10.1.10.5 and inside address 10.1.10.6; untrust zone with address 1.1.70.5; Internet host 1.1.70.6; static NAT maps a public address to Server A.]
Static NAT (2 of 3)
Configuration:
[edit security nat static]
root@host# show
rule-set r1 {
    from zone untrust;
    rule a {
        match {
            destination-address 100.0.0.1/32;
        }
        then {
            static-nat prefix 10.1.10.5/32;
        }
    }
}
Static NAT (3 of 3)
Result:
user@host> show security flow session
Session ID: 7724, Policy name: default-permit/4, Timeout: 2
  In: 1.1.70.6/17 --> 100.0.0.1/2326;icmp, If: ge-0/0/3.10
  Out: 10.1.10.5/2326 --> 1.1.70.6/17;icmp, If: ge-0/0/2.0
Dropping Non-NAT Traffic
[Figure: trust zone with Host A at 10.1.10.5 and inside address 10.1.10.6; untrust zone on ge-0/0/3.10 with address 1.1.70.5; Internet host 1.1.70.6. The policy below uses the drop-untranslated option.]
[edit security policies]
root@host# show
from-zone untrust to-zone trust {
    policy reject-untranslated {
        match {
            source-address any;
            destination-address 10.1.10.5/32;
            application any;
        }
        then {
            permit {
                destination-address {
                    drop-untranslated;
                }
…
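The static NAT rule and the drop-untranslated policy above, walked through the NAT-related steps in the order the packet-flow review slide gives (static NAT, policy, reverse static NAT), as an added Python example; this is not Juniper code. Addresses and zones are the slide values; the single-host dictionaries and the `process` function are this example's own simplification, and the route/zone lookup is omitted.

```python
# Static NAT rule-set r1 from the slides: from zone untrust, destination 100.0.0.1/32
# translated to the 10.1.10.5/32 prefix (single hosts, so a plain dict suffices).
STATIC_NAT = {("untrust", "100.0.0.1"): "10.1.10.5"}
# The same rule read backwards: a private source leaving the device is rewritten
# to its public address (reverse static NAT).
REVERSE_STATIC = {private: public for (_, public), private in STATIC_NAT.items()}


def static_nat(src, dst, from_zone):
    """First NAT step in the flow: rewrite the destination if a static rule matches.
    Returns (src, dst, translated)."""
    new_dst = STATIC_NAT.get((from_zone, dst))
    return src, new_dst or dst, new_dst is not None


def policy_untrust_to_trust(dst, translated, drop_untranslated):
    """Policy reject-untranslated. Policies match the post-NAT destination, which is why
    the slide policy matches 10.1.10.5/32: with drop-untranslated the packet is permitted
    only when that destination was produced by NAT; without it, untranslated packets
    addressed directly to 10.1.10.5 are permitted as well."""
    if dst == "10.1.10.5":
        return translated or not drop_untranslated
    return True


def process(src, dst, from_zone, drop_untranslated=True):
    """Apply the NAT-related flow steps to one packet and return (src, dst) as it
    leaves the device, or None if policy drops it."""
    src, dst, translated = static_nat(src, dst, from_zone)
    if from_zone == "untrust" and not policy_untrust_to_trust(dst, translated, drop_untranslated):
        return None
    if from_zone == "trust":
        src = REVERSE_STATIC.get(src, src)   # reverse static NAT on the outbound direction
    return src, dst
```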
NAT Proxy ARP
NAT Proxy ARP Example
[Figure: trust zone with private host 10.1.10.5 and inside address 10.1.10.1; untrust zone on ge-0/0/3.10 with address 1.1.70.5 toward the Internet. Source NAT uses the public IP range 1.1.70.10 to 1.1.70.100; return traffic to those addresses needs proxy ARP on ge-0/0/3.10.]
[edit security nat]
user@host# show
proxy-arp {
    interface ge-0/0/3.10 {
        address {
            1.1.70.10/32 to 1.1.70.100/32;
        }
    }
}
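An added check (example code, not from the course) that compares a source NAT pool range against the proxy-arp configuration above and lists pool addresses the SRX would not answer ARP for, which is the misconfiguration that silently breaks return traffic. The /24 prefix on 1.1.70.5 is an assumption; the slide does not give the interface mask.

```python
import ipaddress


def _span(first, last):
    """Integer addresses from first to last inclusive (the slide ranges are inclusive)."""
    return range(int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last)) + 1)


def proxy_arp_gaps(interface_cidr, nat_ranges, proxy_arp_ranges):
    """List NAT pool addresses that lie in the interface's own subnet but are covered by
    no proxy-arp range. Devices on that subnet (the upstream router) ARP for such
    addresses directly, so without proxy ARP the SRX never answers and the return
    traffic is lost. Pool addresses in other subnets are routed to the SRX and need no
    proxy ARP; the interface's own address is answered natively and is skipped."""
    iface = ipaddress.ip_interface(interface_cidr)
    covered = {n for first, last in proxy_arp_ranges for n in _span(first, last)}
    gaps = []
    for first, last in nat_ranges:
        for n in _span(first, last):
            addr = ipaddress.ip_address(n)
            if addr in iface.network and addr != iface.ip and n not in covered:
                gaps.append(str(addr))
    return gaps


if __name__ == "__main__":
    # Slide values: pool 1.1.70.10-1.1.70.100 and a matching proxy-arp range on
    # ge-0/0/3.10; an empty list means every pool address is answered.
    print(proxy_arp_gaps("1.1.70.5/24",
                         [("1.1.70.10", "1.1.70.100")],
                         [("1.1.70.10", "1.1.70.100")]))
```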
Monitoring and Verifying NAT Operation
Summary
Review Questions
Lab 5: Network Address Translation