JNCIS-SEC [ NAT ] | My Tech Notes & Juniper

http://rtoodtoo.net/2011/04/27/jncis-sec-nat/

My Tech Notes & Juniper


SRX,JunOS,Linux and some security:)

JNCIS-SEC [ NAT ]
Posted on 2011/04/27

To delve into NAT processing in Junos it is best to look at the packet flow in ASCII.

First path (first packet of a session):

Screens -> Static NAT -> Dest NAT -> Route -> Zones -> Policy -> Reverse Static NAT -> Source NAT -> Services ALG -> Session

Fast path (subsequent packets of the session):

Screens -> TCP -> NAT -> Services ALG

Based on the first packet of a session, Junos installs the NAT and PAT information into the session table, and subsequent packets are translated in the fast path without another rule lookup. Pay attention to the fact that destination NAT occurs before source NAT, which is clear from the first-path diagram: destination (and static) NAT runs before the route lookup and the zone/policy check, while source NAT runs after it. The practical consequence is that a security policy is matched against the translated destination address but the original, untranslated source address, and the route lookup that picks the egress zone is done on the translated destination as well.

NAT can be classified into three distinct categories:

* Source NAT: translates the source IP address of a packet
* Destination NAT: translates the destination IP address of a packet
* Static NAT: a one-to-one mapping applied in both directions, which allows connections to be originated from either side of the network

Source NAT & PAT

1) Interface-based source NAT: the original source address is translated to the egress interface IP, always with PAT
2) Pool-based source NAT: dynamic mapping of the original source address to an address from a user-defined pool, with or without PAT
3) Source NAT with address shifting: one-to-one mapping of the original source address to an address in a user-defined pool by shifting the IP address, without PAT

NAT rules are akin to security policies: both require a directional context. For source NAT, each rule-set has a from and a to clause, each of which can name an interface, a zone or a routing instance. If rule-sets overlap (that is, they target the same traffic), the rule-set with the most specific context takes precedence: interface = most specific, zone = in between, routing instance = least specific.
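
The following Python model of that first path is an added example; it is not code from the original post or from Juniper. It reproduces the order above: static NAT and destination NAT run before the route lookup and the policy check, the policy is matched on the translated destination but the original source, and reverse static NAT or a source NAT rule-set runs last, with the winning source rule-set chosen by the interface > zone > routing-instance precedence. Addresses, interfaces, zones and rule names are taken from the configurations later on this page; the route table, the host 10.200.2.12 behind the destination NAT rule (the page maps it to 10.200.2.11, changed here so it does not collide with the static mapping), the PAT port counter and the untrust-to-trust policy carrying drop-untranslated (covered at the end of the page) are constructed for illustration.

```python
"""Model of the SRX first-path NAT order (added example, not code from the
original post or from Juniper).  Addresses, zones, interfaces and rule names
follow the page; the route table, the host 10.200.2.12 behind the destination
NAT rule, the PAT port counter and the untrust-to-trust policy carrying
drop-untranslated are constructed for illustration."""
import ipaddress
import itertools
from dataclasses import dataclass

Net = ipaddress.IPv4Network

# Constructed topology: interface -> (zone, routing-instance), egress addresses, routes.
INTERFACES = {"ge-0/0/8.0": ("trust", "default"), "ge-0/0/0.0": ("untrust", "default")}
EGRESS_IP = {"ge-0/0/8.0": "10.200.2.1", "ge-0/0/0.0": "172.16.16.226"}
ROUTES = [(Net("10.200.2.0/24"), "ge-0/0/8.0"), (Net("0.0.0.0/0"), "ge-0/0/0.0")]

# Static and destination NAT as on the page (destination target changed to 10.200.2.12
# so the two mappings do not collide), plus three competing source rule-sets.
STATIC_NAT = {"from": "untrust", "external": "172.30.73.78", "internal": "10.200.2.11"}
DEST_NAT = {"from": "untrust", "match": ("172.16.16.226", 80), "then": ("10.200.2.12", 8080)}
SOURCE_RULESETS = [
    {"name": "rs-ri", "from": ("routing-instance", "default"), "to": ("routing-instance", "default"),
     "match": Net("10.200.2.0/24"), "then": ("pool", "172.16.16.230")},
    {"name": "rs-zone", "from": ("zone", "trust"), "to": ("zone", "untrust"),
     "match": Net("10.200.2.0/24"), "then": ("pool", "172.16.16.227")},
    {"name": "rs-if", "from": ("interface", "ge-0/0/8.0"), "to": ("interface", "ge-0/0/0.0"),
     "match": Net("10.200.2.0/24"), "then": ("interface", None)},
]
RANK = {"interface": 3, "zone": 2, "routing-instance": 1}      # most -> least specific
POLICIES = {("trust", "untrust"): {"action": "permit", "drop_untranslated": False},
            ("untrust", "trust"): {"action": "permit", "drop_untranslated": True}}
PAT_PORTS = itertools.count(1024)      # stand-in for the SRX port allocator (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    in_if: str


def route(dst):
    """Longest-prefix match over the constructed route table; returns the egress interface."""
    addr = ipaddress.ip_address(dst)
    return max((r for r in ROUTES if addr in r[0]), key=lambda r: r[0].prefixlen)[1]


def context_matches(ctx, iface):
    """Does a from/to context (kind, value) match this interface?"""
    kind, value = ctx
    zone, ri = INTERFACES[iface]
    return value == {"interface": iface, "zone": zone, "routing-instance": ri}[kind]


def pick_source_rule_set(src, in_if, out_if):
    """Most specific matching context wins: interface > zone > routing-instance.
    Mixed from/to kinds are ranked by summing both sides (an assumption of this model)."""
    candidates = [rs for rs in SOURCE_RULESETS
                  if context_matches(rs["from"], in_if) and context_matches(rs["to"], out_if)
                  and ipaddress.ip_address(src) in rs["match"]]
    if not candidates:
        return None
    return max(candidates, key=lambda rs: RANK[rs["from"][0]] + RANK[rs["to"][0]])


def first_path(pkt):
    """Screens -> Static NAT -> Dest NAT -> Route -> Zones -> Policy -> Reverse Static NAT
    -> Source NAT, returning the session wings as 'show security flow session' prints them."""
    from_zone = INTERFACES[pkt.in_if][0]
    src, sport, dst, dport = pkt.src, pkt.sport, pkt.dst, pkt.dport
    translated = False
    # Static NAT wins over destination NAT; both rewrite the destination before routing.
    if from_zone == STATIC_NAT["from"] and dst == STATIC_NAT["external"]:
        dst, translated = STATIC_NAT["internal"], True
    elif from_zone == DEST_NAT["from"] and (dst, dport) == DEST_NAT["match"]:
        (dst, dport), translated = DEST_NAT["then"], True
    # Route lookup on the translated destination yields the egress interface and to-zone.
    out_if = route(dst)
    to_zone = INTERFACES[out_if][0]
    # Policy sees the original source and the translated destination.
    policy = POLICIES.get((from_zone, to_zone))
    if policy is None or policy["action"] != "permit":
        return {"action": "deny", "reason": "no permit policy %s->%s" % (from_zone, to_zone)}
    if policy["drop_untranslated"] and not translated:
        return {"action": "drop", "reason": "drop-untranslated"}
    # Reverse static NAT for the static host; otherwise the winning source rule-set.
    rule_set = None
    if to_zone == STATIC_NAT["from"] and src == STATIC_NAT["internal"]:
        src = STATIC_NAT["external"]                         # one-to-one, port kept
    else:
        rule_set = pick_source_rule_set(src, pkt.in_if, out_if)
        if rule_set is not None:
            kind, addr = rule_set["then"]
            src = EGRESS_IP[out_if] if kind == "interface" else addr
            sport = next(PAT_PORTS)                          # PAT for both variants here
    return {"action": "permit", "rule_set": rule_set and rule_set["name"],
            "in": "%s/%d > %s/%d" % (pkt.src, pkt.sport, pkt.dst, pkt.dport),
            "out": "%s/%d > %s/%d" % (dst, dport, src, sport),
            "out_src": src, "out_sport": sport}
```

Feeding it an outbound packet from 10.200.2.12 gives the same two-wing session the page's show security flow session output shows: the In wing keeps the original addresses and the Out wing carries the translated pair, and of the three competing rule-sets the interface-context one is applied. An inbound packet aimed straight at 10.200.2.12, bypassing the translated address, reaches the policy with translated still false and is dropped by drop-untranslated before any source NAT runs, while a packet to the static address 172.30.73.78 is rewritten by static NAT (which wins over the destination NAT rule) and needs no source NAT rule on the way back.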

Overlapping

* Static NAT has higher precedence than dynamic source NAT
* Addresses used in NAT pools, whether source NAT pools or destination NAT pools, should never overlap
* If more than one rule-set matches the traffic, the rule-set with the most specific context takes precedence
* Within a rule-set, the order of the rules is significant: the first rule that matches is applied

Live Changes

As soon as a NAT rule is changed, Junos tears down the sessions that rule affects once the change is committed.

Interface Based Source NAT

[edit security nat]
root@host# show
source {
    rule-set rs1 {
        from zone trust;
        to zone untrust;
        rule rl1 {
            match {
                source-address 10.200.2.0/24;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }
}

Unlike Cisco IOS (ip nat inside/outside), you do not need to apply this NAT to an interface: the from/to context of the rule-set decides where it applies, and it just works.

To display the session table:

root@host> show security flow session destination-prefix 74.125.224.83/32
Session ID: 38783, Policy name: trust-to-untrust/4, Timeout: 1790, Valid
  In: 10.200.2.11/51126 > 74.125.224.83/80;tcp, If: ge-0/0/8.0, Pkts: 5, Bytes: 662
  Out: 74.125.224.83/80 > 172.16.16.226/48879;tcp, If: ge-0/0/0.0, Pkts: 4, Bytes: 2688

Session ID: 38789, Policy name: trust-to-untrust/4, Timeout: 1790, Valid
  In: 10.200.2.11/51128 > 74.125.224.83/80;tcp, If: ge-0/0/8.0, Pkts: 2, Bytes: 112
  Out: 74.125.224.83/80 > 172.16.16.226/54369;tcp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
Total sessions: 2

Here 172.16.16.226 is the IP address of our egress interface (ge-0/0/0.0). The local address 10.200.2.11 is translated to 172.16.16.226, with the source port rewritten as well (51126 became 48879, 51128 became 54369), and the packet is passed on to the upstream gateway for further processing. The In wing shows the pre-NAT addresses and the Out wing the post-NAT ones, which is what to read when checking that a translation is actually happening.

To display the NAT rules:

root@host> show security nat source summary
Total pools: 0
Total rules: 1
Rule name          Rule set        From          To            Action
rl1                rs1             trust         untrust       interface
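
Before the pool variants that the following sections configure, here is an added Python model (not code from the original post or from Juniper) of how those source NAT options hand out translated addresses: a pool with PAT, the same pool with address-persistent, a pool with port no-translation backed by overflow-pool interface, address shifting driven by host-address-base, and the pool-utilization-alarm thresholds. The pool range, host-address-base, egress address and alarm thresholds are the page's; the four-port PAT range, the one-host-per-address handling for the no-PAT pool, the exact >= and <= comparisons in the alarm and the sample hosts are constructed so that the exhaustion cases show up in a handful of calls.

```python
"""Model of the source NAT pool behaviours on this page (added example, not
code from the original post or from Juniper).  The pool 172.16.16.226-230,
host-address-base 10.200.2.11, the egress address 172.16.16.226 and the 70/50
alarm thresholds come from the page; the tiny PAT port range, the one-host-per-
address handling for 'port no-translation' and the sample hosts are constructed."""
import ipaddress


def pool_range(first, last):
    """Expand 'first to last' as written in a Junos pool address statement."""
    a, b = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return [str(ipaddress.ip_address(i)) for i in range(a, b + 1)]


POOL_ADMINS = pool_range("172.16.16.226", "172.16.16.230")
INTERFACE_IP = "172.16.16.226"          # egress address; overlaps the pool as in the page's lab
PAT_PORTS = range(1024, 1028)           # four ports per address, constructed so exhaustion shows


class SourcePool:
    """pat=False models 'port no-translation'; overflow_interface models 'overflow-pool interface'."""

    def __init__(self, addresses, pat=True, address_persistent=False, overflow_interface=None):
        self.addresses = list(addresses)
        self.pat = pat
        self.address_persistent = address_persistent
        self.overflow = overflow_interface
        self.used = set()        # (ip, port) pairs held by live sessions
        self.host_map = {}       # original host -> translated ip

    def _free_port(self, ip):
        for port in PAT_PORTS:
            if (ip, port) not in self.used:
                return port
        return None

    def allocate(self, host, sport):
        """Translated (ip, port) for a new session from host:sport, or None when exhausted."""
        if self.pat:
            order = self.addresses
            if self.address_persistent and host in self.host_map:
                order = [self.host_map[host]]   # pinned: fail rather than move to another address
            for ip in order:
                port = self._free_port(ip)
                if port is not None:
                    self.used.add((ip, port))
                    self.host_map.setdefault(host, ip)
                    return ip, port
            return None
        # port no-translation: the original port is kept, so an address is tied to one host
        # at a time and a five-address pool serves five concurrent hosts (model assumption).
        ip = self.host_map.get(host)
        if ip is None:
            free = [a for a in self.addresses if a not in self.host_map.values()]
            if free:
                ip = self.host_map[host] = free[0]
        if ip is not None:
            self.used.add((ip, sport))
            return ip, sport
        if self.overflow:                        # overflow-pool interface: egress address with PAT
            port = self._free_port(self.overflow)
            if port is not None:
                self.used.add((self.overflow, port))
                return self.overflow, port
        return None


def shift_translate(host, pool, host_address_base):
    """Address shifting: host_address_base -> pool[0], base+1 -> pool[1], ... with no PAT.
    A host outside the covered range gets nothing from this pool."""
    offset = int(ipaddress.ip_address(host)) - int(ipaddress.ip_address(host_address_base))
    return pool[offset] if 0 <= offset < len(pool) else None


def utilization_alarm(in_use, total, raised, raise_threshold=70, clear_threshold=50):
    """pool-utilization-alarm with hysteresis: a raise trap when utilisation reaches the
    raise threshold, a clear trap only once it has fallen back to the clear threshold.
    Returns (raised, event) with event 'raise', 'clear' or None; the >= / <= comparisons
    are an assumption of this model."""
    pct = 100 * in_use // total
    if not raised and pct >= raise_threshold:
        return True, "raise"
    if raised and pct <= clear_threshold:
        return False, "clear"
    return raised, None
```

Two things worth noticing when running it. With port no-translation the sixth concurrent host lands on the interface address with PAT only because overflow-pool interface is set; without it that host's session simply fails, which is the reduced number of available addresses the no-PAT section warns about. With address-persistent a host whose pinned address has run out of ports also fails instead of moving to another pool address, so the setting trades resilience for a stable external address.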

Pool Based Source NAT (with PAT)

[edit security nat]
root@host# show
source {
    pool pool-admins {
        address {
            172.16.16.226/32 to 172.16.16.230/32;
        }
    }
    rule-set rs1 {
        from zone trust;
        to zone untrust;
        rule rl1 {
            match {
                source-address 10.200.2.0/24;
            }
            then {
                source-nat {
                    pool {
                        pool-admins;
                    }
                }
            }
        }
    }
}

In this configuration, instead of translating to the interface address, we use a dynamic pool with PAT enabled (the default for a pool). If you want to ensure that Junos keeps using the same translated address for all sessions of a given host, enable address-persistent:

[edit security nat]
root@host# show
source {
    address-persistent;
}

Pool Based Source NAT (without PAT)

Be careful: disabling PAT reduces the number of usable addresses. Without port translation the original source port is kept, so a pool address cannot be shared between hosts the way a PAT address is, and a pool of five addresses serves only five hosts at a time. overflow-pool is therefore configured as well, as can be seen below, so that once the pool is exhausted new sessions are translated to the egress interface address (with PAT) instead of failing.

[edit security nat]
root@host# show
source {
    pool pool-admins {
        address {
            172.16.16.226/32 to 172.16.16.230/32;
        }
        port no-translation;
        overflow-pool interface;
    }
    rule-set rs1 {
        from zone trust;
        to zone untrust;
        rule rl1 {
            match {
                source-address 10.200.2.0/24;
            }
            then {
                source-nat {
                    pool {
                        pool-admins;
                    }
                }
            }
        }
    }
}

Pool Utilization

If you want to monitor utilization of the pool, enable the alarm as below:

[edit security nat]
root@host# show
source {
    pool-utilization-alarm raise-threshold 70 clear-threshold 50;
}

raise-threshold: Junos sends an SNMP trap when pool utilization reaches 70%
clear-threshold: Junos sends another SNMP trap to clear the alarm once utilization has dropped back to 50%

Keeping the clear threshold below the raise threshold gives the alarm hysteresis, so a pool hovering around 70% does not flap between raised and cleared.

Source NAT with Address Shifting

This configuration is almost the same as the pool without address shifting. Once you configure host-address-base, which defines the original address at which the shift starts (it is mapped to the first address of the pool, the next original address to the second pool address, and so on), PAT is disabled. With five pool addresses, 10.200.2.11 through 10.200.2.15 are translated to 172.16.16.226 through 172.16.16.230; hosts outside that range are not translated by this pool.

[edit security nat]
root@host# show
source {
    pool pool-admins {
        address {
            172.16.16.226/32 to 172.16.16.230/32;
        }
        host-address-base 10.200.2.11/32;
    }
    rule-set rs1 {
        from zone trust;
        to zone untrust;
        rule rl1 {
            match {
                source-address 10.200.2.0/24;
            }
            then {
                source-nat {
                    pool {
                        pool-admins;
                    }
                }
            }
        }
    }
}

root@host> show security nat source pool all
Total pools: 1
Pool name          : pool-admins
Pool id            : 4
Routing instance   : default
Host address base  : 10.200.2.11
Port               : no translation
Total addresses    : 5
Translation hits   : 4
Address range                        Single Ports   Twin Ports
    172.30.72.226 - 172.30.72.230    0

(The pool in this capture sits on 172.30.72.0/24 rather than the 172.16.16.x range used in the configuration above.)

Pool-Based Destination NAT

[edit security nat]
root@host# show
destination {
    pool pool-inside {
        address 10.200.2.11/32;
    }
    rule-set rs1 {
        from zone untrust;
        rule rl1 {
            match {
                destination-address 172.16.16.226/32;
            }
            then {
                destination-nat pool pool-inside;
            }
        }
    }
}

This is destination NAT without PAT: address 172.16.16.226 is translated to 10.200.2.11 and the destination port is kept. This is a single-address translation; if required, several addresses can be put in the pool with the to option. Note that a destination rule-set has only a from context (zone, interface or routing instance): the destination is translated before the route lookup, so the to side is not known yet.

You can change the configuration the following way to enable PAT, which here redirects port 80 on 172.16.16.226 to port 8080 on 10.200.2.11:

[edit security nat]
root@host# show
destination {
    pool pool-inside {
        address 10.200.2.11/32 port 8080;
    }
    rule-set rs1 {
        from zone untrust;
        rule rl1 {
            match {
                destination-address 172.16.16.226/32;
                destination-port 80;
            }
            then {
                destination-nat pool pool-inside;
            }
        }
    }
}

Static Destination NAT

Static NAT is a one-to-one mapping, so the subnet masks of the matched destination address and of the static-nat prefix must be the same. If you pick a public address that is not configured on the interface, the SRX will not answer ARP requests for it unless you enable proxy-arp for that address on the interface facing the upstream router, as below (the proxied address has to lie in the interface's own subnet). Once static NAT is configured, the reverse source translation is applied automatically when 10.200.2.11 initiates traffic outwards, so you do not need to add a separate source NAT rule for it.

[edit security nat]
root@host# show
static {
    rule-set rs1 {
        from zone untrust;
        rule rl1 {
            match {
                destination-address 172.30.73.78/32;
            }
            then {
                static-nat prefix 10.200.2.11/32;
            }
        }
    }
}
proxy-arp {
    interface ge-0/0/0.0 {
        address {
            172.30.73.78/32;
        }
    }
}

Dropping non-NAT traffic

If you want to drop traffic whose destination address has not been translated, use drop-untranslated under the policy, as below:

[edit security policies from-zone trust to-zone untrust]
root@host# show
policy trust-to-untrust {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit {
            destination-address {
                drop-untranslated;
            }
        }
        count;
    }
}

drop-untranslated drops every packet the policy would otherwise permit whose destination address was not changed by NAT. Placed on a policy that also carries ordinary outbound traffic, as the trust-to-untrust policy above does, it will drop that traffic too; in practice it belongs on the policy in front of the destination NAT or static NAT rule-set (from-zone untrust to-zone trust in the examples on this page), where it ensures that hosts behind the SRX can only be reached through their translated addresses and not by someone routing straight to the internal range.

Monitoring commands used so far

* show security flow session
* show security nat source rule rule-name
* show security nat source pool all
* show security nat source summary

This entry was posted in jncis-sec by rtoodtoo. Bookmark the permalink [http://rtoodtoo.net/2011/04/27/jncis-sec-nat/].