Today we will have a look at some Destination NAT (DNAT) on the SRX with port translation.
We have the following network scenario: a host at 192.168.200.10 in the untrust zone (vlan.3) needs to reach a server at 10.31.254.17 in the trust zone (vlan.2), and the only address it will target is the SRX's external interface address, 192.168.200.200.
In this scenario we need to do DNAT using the actual external interface IP (192.168.200.200) as the pre-NAT destination, with port translation so that two external ports map to two services on the same internal server.
So the flows will go like this:
PRENAT                                    POSTNAT
192.168.200.10 --> 192.168.200.200:8088   192.168.200.10 --> 10.31.254.17:80
192.168.200.10 --> 192.168.200.200:2088   192.168.200.10 --> 10.31.254.17:22
DNAT is a one-way translation: it does not by itself permit the destination (10.31.254.17) to initiate sessions to the source.
The destination can of course reply statefully within a session that was initiated to it; the return traffic is matched to the existing session and un-translated automatically.
Steps to configure and test:
1) CREATE ADDRESS ENTRIES
The only address book entry we need is the real (post-NAT) IP of the server, since that is what the security policy will match on.
srx> show configuration security address-book | display set | match 10.31.254.17
set security address-book global address SERVER_REAL_10.31.254.17 10.31.254.17/32
2) CREATE DNAT RULES
srx> show configuration security nat destination | display set
set security nat destination pool TESTA address 10.31.254.17/32
set security nat destination pool TESTA address port 80
set security nat destination pool TESTA_2 address 10.31.254.17/32
set security nat destination pool TESTA_2 address port 22
set security nat destination rule-set DNAT1 from zone untrust
set security nat destination rule-set DNAT1 rule r1 match destination-address 192.168.200.200/32
set security nat destination rule-set DNAT1 rule r1 match destination-port 8088
set security nat destination rule-set DNAT1 rule r1 then destination-nat pool TESTA
set security nat destination rule-set DNAT1 rule r2 match destination-address 192.168.200.200/32
set security nat destination rule-set DNAT1 rule r2 match destination-port 2088
set security nat destination rule-set DNAT1 rule r2 then destination-nat pool TESTA_2
Looks like this in the hierarchical config:
srx> show configuration security nat destination
pool TESTA {
    address 10.31.254.17/32 port 80;
}
pool TESTA_2 {
    address 10.31.254.17/32 port 22;
}
rule-set DNAT1 {
    from zone untrust;
    rule r1 {
        match {
            destination-address 192.168.200.200/32;
            destination-port 8088;
        }
        then {
            destination-nat pool TESTA;
        }
    }
    rule r2 {
        match {
            destination-address 192.168.200.200/32;
            destination-port 2088;
        }
        then {
            destination-nat pool TESTA_2;
        }
    }
}
3) CREATE SECURITY POLICIES
The main point to note here is that the security policy matches on the translated destination, because in the SRX flow destination NAT is applied before the policy lookup. So the policy's destination address is the real server (SERVER_REAL_10.31.254.17, not 192.168.200.200), and the application is the post-translation port (junos-http for tcp/80 and junos-ssh for tcp/22, not 8088 and 2088).
srx> show configuration security policies from-zone untrust to-zone trust | display set
set security policies from-zone untrust to-zone trust policy p1 match source-address any
set security policies from-zone untrust to-zone trust policy p1 match destination-address SERVER_REAL_10.31.254.17
set security policies from-zone untrust to-zone trust policy p1 match application junos-http
set security policies from-zone untrust to-zone trust policy p1 then permit destination-address drop-untranslated
set security policies from-zone untrust to-zone trust policy p1 then log session-init
set security policies from-zone untrust to-zone trust policy p2 match source-address any
set security policies from-zone untrust to-zone trust policy p2 match destination-address SERVER_REAL_10.31.254.17
set security policies from-zone untrust to-zone trust policy p2 match application junos-ssh
set security policies from-zone untrust to-zone trust policy p2 then permit destination-address drop-untranslated
set security policies from-zone untrust to-zone trust policy p2 then log session-init
Looks like this in the hierarchical config:
srx> show configuration security policies from-zone untrust to-zone trust
policy p1 {
    match {
        source-address any;
        destination-address SERVER_REAL_10.31.254.17;
        application junos-http;
    }
    then {
        permit {
            destination-address {
                drop-untranslated;
            }
        }
        log {
            session-init;
        }
    }
}
policy p2 {
    match {
        source-address any;
        destination-address SERVER_REAL_10.31.254.17;
        application junos-ssh;
    }
    then {
        permit {
            destination-address {
                drop-untranslated;
            }
        }
        log {
            session-init;
        }
    }
}
The source is set to any because in this type of rule the source is typically arbitrary hosts on the Internet; if the clients are known, tighten it to their prefix.
As an extra safeguard, "permit destination-address drop-untranslated" only permits sessions whose destination address was actually translated by a destination NAT rule. A packet that reaches the policy without having been DNATed, for example one sent straight to 10.31.254.17, is dropped even though it matches the rest of the policy.
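To make the ordering concrete, here is a small Python model, added for this post and not Junos code, of the first-packet path the SRX takes for this scenario: destination NAT lookup, then route lookup for the to-zone, then policy lookup on the translated tuple. The rules and policies are the ones configured above; the prefix-to-zone routing table and the direct-to-server test case are assumptions for the lab. It shows that the two VIP flows are translated and permitted by p1/p2, that a packet sent straight to 10.31.254.17:80 is dropped by drop-untranslated, and that a policy written against the pre-NAT tuple 192.168.200.200:8088 never matches.

```python
"""Toy model of the SRX first-packet flow for the page's DNAT scenario.

Added illustration, not Junos code: it models just enough to show why the
policy must match the post-NAT tuple. Order: destination-NAT lookup, route
lookup (to-zone), then policy lookup, including drop-untranslated. The
prefix-to-zone routing table is an assumption for this lab.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    from_zone: str

@dataclass(frozen=True)
class DnatRule:            # one "rule" inside a destination rule-set plus its pool
    name: str
    from_zone: str
    match_dst: str         # match destination-address (prefix)
    match_dport: int       # match destination-port
    pool_addr: str         # pool address
    pool_port: int         # pool port

@dataclass(frozen=True)
class Policy:
    name: str
    from_zone: str
    to_zone: str
    dst_prefix: str        # resolved address-book entry, or "any"
    app_port: int          # junos-http = tcp/80, junos-ssh = tcp/22
    drop_untranslated: bool = False

# Assumed routing for this lab, used for the to-zone lookup
ZONE_ROUTES = {"10.31.254.0/24": "trust", "192.168.200.0/24": "untrust"}

def in_prefix(addr: str, prefix: str) -> bool:
    return prefix == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)

def zone_for(addr: str) -> Optional[str]:
    return next((z for p, z in ZONE_ROUTES.items() if in_prefix(addr, p)), None)

def apply_dnat(pkt: Packet, rules: List[DnatRule]) -> Tuple[Packet, Optional[DnatRule]]:
    """First matching rule in the rule-set wins; returns the (possibly) translated packet."""
    for r in rules:
        if (r.from_zone == pkt.from_zone and in_prefix(pkt.dst, r.match_dst)
                and pkt.dport == r.match_dport):
            return Packet(pkt.src, r.pool_addr, r.pool_port, pkt.from_zone), r
    return pkt, None

def process(pkt: Packet, rules: List[DnatRule], policies: List[Policy]) -> Tuple[str, str]:
    """Return (verdict, policy) for a first packet: permit, deny or drop-untranslated."""
    post, rule = apply_dnat(pkt, rules)      # 1. destination NAT
    to_zone = zone_for(post.dst)              # 2. route lookup on the translated destination
    for p in policies:                        # 3. policy lookup, in configured order
        if (p.from_zone, p.to_zone) != (pkt.from_zone, to_zone):
            continue
        if in_prefix(post.dst, p.dst_prefix) and post.dport == p.app_port:
            if p.drop_untranslated and rule is None:
                return "drop-untranslated", p.name
            return "permit", p.name
    return "deny", "default-deny"

# The page's configuration expressed in the model
DNAT1 = [
    DnatRule("r1", "untrust", "192.168.200.200/32", 8088, "10.31.254.17", 80),
    DnatRule("r2", "untrust", "192.168.200.200/32", 2088, "10.31.254.17", 22),
]
POLICIES = [
    Policy("p1", "untrust", "trust", "10.31.254.17/32", 80, drop_untranslated=True),
    Policy("p2", "untrust", "trust", "10.31.254.17/32", 22, drop_untranslated=True),
]
# The common mistake: a policy written against the pre-NAT destination and port
WRONG_POLICIES = [Policy("p1_wrong", "untrust", "trust", "192.168.200.200/32", 8088)]
SRC = "192.168.200.10"

def demo():
    cases = {
        "http via VIP": process(Packet(SRC, "192.168.200.200", 8088, "untrust"), DNAT1, POLICIES),
        "ssh via VIP": process(Packet(SRC, "192.168.200.200", 2088, "untrust"), DNAT1, POLICIES),
        # Straight to the real server: matches p1 on address and app, but was never translated
        "direct to server": process(Packet(SRC, "10.31.254.17", 80, "untrust"), DNAT1, POLICIES),
        # A policy on the pre-NAT tuple never matches, because DNAT already rewrote it
        "pre-NAT policy": process(Packet(SRC, "192.168.200.200", 8088, "untrust"), DNAT1, WRONG_POLICIES),
    }
    for name, (verdict, policy) in cases.items():
        print(f"{name:17} -> {verdict} ({policy})")
    return cases

if __name__ == "__main__":
    demo()
```

The model deliberately ignores everything the real box does that is irrelevant here (source NAT, ALGs, screens, host-inbound traffic), so treat the verdicts as an illustration of the lookup order, not as a simulator.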
4) TESTING
a) Checking if our DNAT rules have hits:
srx> show security nat destination rule all
Total destination-nat rules: 2
Total referenced IPv4/IPv6 ip-prefixes: 2/0
Destination NAT rule: r1 Rule-set: DNAT1
Rule-Id : 1
Rule position : 1
From zone : untrust
Destination addresses : 192.168.200.200 - 192.168.200.200
Destination port : 8088
Action : TESTA
Translation hits : 44
Destination NAT rule: r2 Rule-set: DNAT1
Rule-Id : 2
Rule position : 2
From zone : untrust
Destination addresses : 192.168.200.200 - 192.168.200.200
Destination port : 2088
Action : TESTA_2
Translation hits : 3
b) Checking if the security policy rules have hits:
srx> show security policies hit-count from-zone untrust to-zone trust
Logical system: root-logical-system
Index   From zone   To zone   Name   Policy count
1       untrust     trust     p1     44
2       untrust     trust     p2     3
Number of policy: 2
c) We should see active flow sessions, with the pre-NAT tuple on the In wing and the translated server address on the Out wing:
srx> show security flow session source-prefix 192.168.200.10
Session ID: 24519, Policy name: p2/7, Timeout: 1780, Valid
In: 192.168.200.10/35673 --> 192.168.200.200/2088;tcp, If: vlan.3, Pkts: 67, Bytes: 5762
Out: 10.31.254.17/22 --> 192.168.200.10/35673;tcp, If: vlan.2, Pkts: 45, Bytes: 5629
Session ID: 24794, Policy name: p1/6, Timeout: 1194, Valid
In: 192.168.200.10/54017 --> 192.168.200.200/8088;tcp, If: vlan.3, Pkts: 30, Bytes: 5251
Out: 10.31.254.17/80 --> 192.168.200.10/54017;tcp, If: vlan.2, Pkts: 27, Bytes: 29397
d) Finally we can also check the logs, as we are logging on "session-init".
In the output below you can clearly see the pre-NAT destination (192.168.200.200 on ports 2088 and 8088) being translated to the post-NAT destination (10.31.254.17 on ports 22 and 80) at session setup, along with the DNAT rule (r2, r1) and the policy (p2, p1) that each session matched.
srx> show log POLICY | match 192.168.200.10
Apr 29 14:49:19 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.200.10/35673->192.168.200.200/2088 junos-ssh 192.168.200.10/35673->10.31.254.17/22 None r2 6 p2 untrust trust 24519 N/A(N/A) vlan.3
Apr 29 14:49:56 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.200.10/54017->192.168.200.200/8088 junos-http 192.168.200.10/54017->10.31.254.17/80 None r1 6 p1 untrust trust 24794 N/A(N/A) vlan.3
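The RT_FLOW_SESSION_CREATE line carries both the pre-NAT and the post-NAT tuple plus the NAT rule and policy that matched, which makes it easy to audit the translations mechanically. The Python below is an added example, not part of the original post: it parses the traditional (non-structured) session-create format and flags any session to a published VIP port whose post-NAT destination, rule or policy differs from what r1/r2 should produce. The first two log lines are the ones above; the third is constructed to show a deviating translation (10.31.254.99 is a made-up address).

```python
"""Parse RT_FLOW_SESSION_CREATE lines and audit the DNAT translations in them.

Added example, not from the original post. The first two log lines are copied
from the page; the third is constructed to show what a wrong translation looks
like. EXPECTED_DNAT is the mapping the page's rules r1 and r2 should perform.
"""
import re
from typing import Dict, List, Optional

# Field order of the traditional (non-structured) RT_FLOW_SESSION_CREATE message:
# pre-NAT tuple, service, post-NAT tuple, src-nat rule, dst-nat rule, protocol,
# policy, from-zone, to-zone, session id, username(roles), ingress interface
SESSION_CREATE = re.compile(
    r"RT_FLOW_SESSION_CREATE: session created "
    r"(?P<src>\S+)/(?P<sport>\d+)->(?P<dst>\S+)/(?P<dport>\d+) (?P<service>\S+) "
    r"(?P<nat_src>\S+)/(?P<nat_sport>\d+)->(?P<nat_dst>\S+)/(?P<nat_dport>\d+) "
    r"(?P<snat_rule>\S+) (?P<dnat_rule>\S+) (?P<proto>\d+) (?P<policy>\S+) "
    r"(?P<from_zone>\S+) (?P<to_zone>\S+) (?P<session_id>\d+) (?P<user>\S+) (?P<ifl>\S+)"
)

# (pre-NAT dst, pre-NAT dport) -> (expected post-NAT dst, dport, dnat rule, policy)
EXPECTED_DNAT = {
    ("192.168.200.200", 8088): ("10.31.254.17", 80, "r1", "p1"),
    ("192.168.200.200", 2088): ("10.31.254.17", 22, "r2", "p2"),
}

# Lines 1-2 from the page; line 3 constructed (wrong pool address) for the demo
SAMPLE_LOG = """\
Apr 29 14:49:19 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.200.10/35673->192.168.200.200/2088 junos-ssh 192.168.200.10/35673->10.31.254.17/22 None r2 6 p2 untrust trust 24519 N/A(N/A) vlan.3
Apr 29 14:49:56 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.200.10/54017->192.168.200.200/8088 junos-http 192.168.200.10/54017->10.31.254.17/80 None r1 6 p1 untrust trust 24794 N/A(N/A) vlan.3
Apr 29 14:50:12 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.200.10/54100->192.168.200.200/8088 junos-http 192.168.200.10/54100->10.31.254.99/80 None r1 6 p1 untrust trust 24801 N/A(N/A) vlan.3
"""


def parse_session_create(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of a session-create line, or None for any other message."""
    m = SESSION_CREATE.search(line)
    return m.groupdict() if m else None


def audit_dnat(log_text: str) -> List[str]:
    """Return one finding per session whose translation deviates from EXPECTED_DNAT."""
    findings = []
    for line in log_text.splitlines():
        f = parse_session_create(line)
        if f is None:
            continue
        key = (f["dst"], int(f["dport"]))
        if key not in EXPECTED_DNAT:
            continue  # not one of our published VIP ports
        want_dst, want_port, want_rule, want_policy = EXPECTED_DNAT[key]
        got = (f["nat_dst"], int(f["nat_dport"]), f["dnat_rule"], f["policy"])
        if got != (want_dst, want_port, want_rule, want_policy):
            findings.append(
                f"session {f['session_id']}: {key[0]}:{key[1]} translated to "
                f"{got[0]}:{got[1]} via {got[2]}/{got[3]}, expected "
                f"{want_dst}:{want_port} via {want_rule}/{want_policy}"
            )
    return findings


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        f = parse_session_create(line)
        print(f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} ==> "
              f"{f['nat_dst']}:{f['nat_dport']}  rule={f['dnat_rule']} policy={f['policy']}")
    for finding in audit_dnat(SAMPLE_LOG):
        print("ALERT", finding)
```

Feed it the output of "show log POLICY" (or the same messages from your syslog collector) and any non-empty result means a VIP port is being steered somewhere other than where the rule-set says it should be, which is worth an alert in its own right.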
5) PROXY ARP
In the above example I have not used proxy ARP, as we are using the actual interface address as the initial target for the source. But what if the destination address were 192.168.200.201 rather than the interface's IP of 192.168.200.200?
I.e. what if we changed NAT rule r1 to look like this?
rule-set DNAT1 {
    from zone untrust;
    rule r1 {
        match {
            destination-address 192.168.200.201/32;
            destination-port 8088;
        }
        then {
            destination-nat pool TESTA;
        }
    }
}
Then in this case we do need proxy ARP: 192.168.200.201 is not configured on any SRX interface, so the SRX would not otherwise answer ARP requests for it, and hosts on the 192.168.200.0/24 segment could never deliver packets to it. This is the criterion Juniper defines in KB21785 (http://kb.juniper.net/InfoCenter/index?page=content&id=KB21785):
"When addresses in the original destination address entry in the destination NAT rules are in the same subnet as that of the ingress interface (Destination NAT scenario)"
This is what we need to make it work:
set security nat proxy-arp interface vlan.3 address 192.168.200.201/32
vlan.3 is our untrust VLAN interface, i.e. the ingress interface on the 192.168.200.0/24 segment where the ARP requests for 192.168.200.201 arrive.
Model: srx210he
JUNOS Software Release [12.1R5.5]