Juniper SRX – NAT

The Juniper SRX offers 3 main types of NAT. These are source, destination and static. In this article we will be providing explanations and configuration examples for each.

Source NAT

As the name suggests, source NAT translates the source IP address. There are 2 main types of source NAT:

Interface NAT – Traffic is translated to the IP address of the egress interface.
Address pools – Traffic is translated to an IP address within a pool.

There are a number of features and options with source NAT. These are:

Address Persistence – This ensures that all PAT translations for a given host are translated through the same IP address.
Disable PAT – When Port Address Translation (PAT) is disabled each address from a pool can only be assigned to a single host. An overflow pool can be defined to use the egress interface address should the pool become depleted. 
Overflow Pool Interface – This allows for addresses to be PAT/NAT'd using the egress interface address should the previous pool become exhausted.
Port Utilization – This provides the ability to alarm (including SNMP) at the point that the pool reaches a given threshold.
Address Shifting – This provides the ability to specify the IP address where the original source IP address range begins. For example, it allows you to map 10.0.0.0/24 to 192.168.1.1/24 so that 10.0.0.1 would map to 192.168.1.1 and so on.

Destination NAT

Destination NAT is the translation of the destination IP address (and optionally the destination port). Destination NAT is commonly used for port forwarding scenarios where multiple services are mapped (using a single) to many different servers.

Some common destination NAT “feature(s)” are:

Address Pools – This allows for a pool of destination addresses to be defined.

Static NAT

Static NAT allows for translation in both directions. This allows the source IP address to be translated for traffic originating from the server, whilst also providing destination NAT for traffic destined inbound to the server.

NAT Flow Process

The diagram below shows the NAT process that traffic takes when traversing the SRX.

Based on the diagram above, this raises 2 key requirements.

  1. Destination IP translations – The security policy is written using the post translated address.
  2. Source IP translations – The security policy is written using the pre translated address.
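The two requirements above, modelled as an added example (a simplified Python sketch, not Juniper code and not part of the original article). It reuses the addresses from the configuration examples further down; the egress interface address 33.33.33.1, the peer addresses, the trust subnet 192.168.1.0/24 and the policy tuples are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    from_zone: str
    to_zone: str

# Constructed tables mirroring the article's rules (not parsed from a device).
DNAT = [("untrust", "33.33.33.33", 2222, "192.168.1.5", 22)]
SNAT = [("trust", "untrust", "0.0.0.0/0")]   # "then source-nat interface"
EGRESS_IP = {"untrust": "33.33.33.1"}        # assumed untrust interface address

def destination_nat(pkt):
    for zone, dst, dport, real_ip, real_port in DNAT:
        if (pkt.from_zone, pkt.dst, pkt.dport) == (zone, dst, dport):
            return replace(pkt, dst=real_ip, dport=real_port)
    return pkt

def source_nat(pkt):
    for fz, tz, net in SNAT:
        if (pkt.from_zone, pkt.to_zone) == (fz, tz) and ip_address(pkt.src) in ip_network(net):
            return replace(pkt, src=EGRESS_IP[tz])
    return pkt

def permits(policy, pkt):
    # policy = (from_zone, to_zone, source prefix, destination prefix, port)
    fz, tz, src_net, dst_net, dport = policy
    return ((pkt.from_zone, pkt.to_zone, pkt.dport) == (fz, tz, dport)
            and ip_address(pkt.src) in ip_network(src_net)
            and ip_address(pkt.dst) in ip_network(dst_net))

def forward(pkt, policies):
    """Return the packet as it leaves the firewall, or None if no policy permits it."""
    pkt = destination_nat(pkt)                       # destination NAT precedes policy lookup
    if not any(permits(p, pkt) for p in policies):   # policy sees real dst, original src
        return None
    return source_nat(pkt)                           # source NAT follows policy lookup

# Constructed sample traffic and policies (documentation-range peers).
INBOUND = Packet("198.51.100.7", "33.33.33.33", 2222, "untrust", "trust")
OUTBOUND = Packet("192.168.1.20", "203.0.113.9", 443, "trust", "untrust")
IN_REAL = ("untrust", "trust", "0.0.0.0/0", "192.168.1.5/32", 22)
IN_PUBLIC = ("untrust", "trust", "0.0.0.0/0", "33.33.33.33/32", 2222)
OUT_PRE = ("trust", "untrust", "192.168.1.0/24", "0.0.0.0/0", 443)
OUT_POST = ("trust", "untrust", "33.33.33.1/32", "0.0.0.0/0", 443)
```

A policy written against the public address and port (IN_PUBLIC) or against the translated source (OUT_POST) never matches, so the traffic falls through to the default deny; only IN_REAL and OUT_PRE pass.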

Configuration Examples

Source NAT

Within this example all addresses from the trust zone destined to the untrust zone are source NAT'd to the egress interface IP address.

root@srx100# edit security nat source rule-set nat-trust-untrust
[edit security nat source rule-set nat-trust-untrust]

root@srx100# set from zone trust
root@srx100# set to zone untrust
root@srx100# set rule source-nat-rule
root@srx100# set rule source-nat-rule match source-address 0.0.0.0/0
root@srx100# set rule source-nat-rule then source-nat interface

Destination NAT

Within this example we translate the destination IP and port of 33.33.33.33:2222 to 192.168.1.5:22.

Note: When adding the security policy for access into your server, you must add the real IP address / port.

root@srx100# set security zones security-zone trust address-book address SERVERA-REALIP 192.168.1.5/32

root@srx100# set applications application SSH-DNAT protocol tcp
root@srx100# set applications application SSH-DNAT destination-port 2222

root@srx100# set security nat destination pool DNAT-POOL-SERVERA address 192.168.1.5/32
root@srx100# set security nat destination pool DNAT-POOL-SERVERA address port 22

root@srx100# set security nat destination rule-set dst-nat from zone untrust

root@srx100# set security nat destination rule-set dst-nat rule rule1 match destination-address 33.33.33.33/32
root@srx100# set security nat destination rule-set dst-nat rule rule1 match destination-port 2222
root@srx100# set security nat destination rule-set dst-nat rule rule1 then destination-nat pool DNAT-POOL-SERVERA

Static NAT

With the following commands the host 192.168.1.1 will be accessible via the destination address 33.33.33.33 from the untrust zone. Likewise, any traffic coming from this host will be source NAT'd behind 33.33.33.33.

root@srx100# edit security nat static rule-set static-nat
[edit security nat static rule-set static-nat]

root@srx100# set from zone untrust
root@srx100# set rule rule1 match destination-address 33.33.33.33/32
root@srx100# set rule rule1 then static-nat prefix 192.168.1.1/32

Miscellaneous

Proxy ARP NAT

NAT proxy ARP instructs the SRX to proxy ARP (reply) on behalf of the IP addresses assigned within the subnet of the ingress interface.
Below are the commands required to publish (proxy ARP) the addresses 10.1.1.1-5 on interface fe-0/0/0.0.

root@srx100# set security nat proxy-arp interface fe-0/0/0.0 address 10.1.1.1 to 10.1.1.5

Show Commands

  • show security nat source rule all
  • show security nat source pool all
  • show security nat source summary
  • show security nat interface-nat-ports
  • show security flow session
Rick Donato