Destination NAT is the translation of the destination IP address (and optionally the destination port). Destination NAT is commonly used for port-forwarding scenarios, where multiple services advertised on a single public address are mapped to many different internal servers.
Some common destination NAT features are:

Address Pools – This allows a pool of destination addresses (and a port) to be defined and referenced by destination NAT rules.

Static NAT

Static NAT is a one-to-one mapping that is translated in both directions. The source IP address is translated for traffic originating from the server, whilst destination NAT is applied to traffic destined inbound to the server.
NAT Flow Process

Below shows the NAT process that traffic takes when traversing the SRX.

Based on the diagram above, this raises two key requirements:

1. Destination IP translations – destination (and static) NAT is performed before the policy lookup, so the security policy is written using the post-translated (real) address.
2. Source IP translations – source NAT is performed after the policy lookup, so the security policy is written using the pre-translated (original) address.
Configuration Examples

Source NAT

Within this example all addresses from the trust zone destined to the untrust zone are source NATed to the egress interface IP address.
root@srx100# edit security nat source rule-set nat-trust-untrust
[edit security nat source rule-set nat-trust-untrust]
root@srx100# set from zone trust
root@srx100# set to zone untrust
root@srx100# set rule source-nat-rule match source-address 0.0.0.0/0
root@srx100# set rule source-nat-rule then source-nat interface
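The source NAT rule-set above only performs the translation; a security policy must still permit the trust-to-untrust traffic, and, per the NAT flow process, that policy is evaluated against the pre-translated private source address. The following is an added example and not configuration from the original post. It assumes the trust LAN is 192.168.1.0/24 (a constructed value) and uses the editor's own names TRUST-LAN and TRUST-TO-UNTRUST; the verification commands at the end are standard Junos operational commands.

```junos
# Added example (not from the original post). Assumes the trust LAN is 192.168.1.0/24.
set security zones security-zone trust address-book address TRUST-LAN 192.168.1.0/24

# The policy lookup sees the original (pre-translated) source address, so the policy
# matches TRUST-LAN, not the egress interface address that source NAT applies afterwards.
set security policies from-zone trust to-zone untrust policy TRUST-TO-UNTRUST match source-address TRUST-LAN
set security policies from-zone trust to-zone untrust policy TRUST-TO-UNTRUST match destination-address any
set security policies from-zone trust to-zone untrust policy TRUST-TO-UNTRUST match application any
set security policies from-zone trust to-zone untrust policy TRUST-TO-UNTRUST then permit
set security policies from-zone trust to-zone untrust policy TRUST-TO-UNTRUST then log session-close

commit

# Verification from configuration mode: rule-hit counters and live translated sessions.
run show security nat source rule all
run show security flow session source-prefix 192.168.1.0/24
```

The `session-close` log records the original and translated tuples for each flow, which is what you need when correlating upstream logs (which only see the egress interface address) back to an internal host. In production, replace `application any` with the set of applications the LAN actually needs outbound.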
Destination NAT

Within this example we translate the destination IP and port 33.33.33.33:2222 to 192.168.1.5:22.
Note: When adding the security policy for access into your server you must use the real (post-translated) IP address and port.

root@srx100# set security zones security-zone trust address-book address SERVERA-REALIP 192.168.1.5/32
root@srx100# set applications application SSH-DNAT protocol tcp
root@srx100# set applications application SSH-DNAT destination-port 22
root@srx100# set security nat destination pool DNAT-POOL-SERVERA address 192.168.1.5/32 port 22
root@srx100# set security nat destination rule-set dst-nat from zone untrust
root@srx100# set security nat destination rule-set dst-nat rule rule1 match destination-address 33.33.33.33/32
root@srx100# set security nat destination rule-set dst-nat rule rule1 match destination-port 2222
root@srx100# set security nat destination rule-set dst-nat rule rule1 then destination-nat pool DNAT-POOL-SERVERA
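The note above is the part people get wrong, so here is the matching security policy as an added example (not configuration from the original post). Destination NAT runs before the policy lookup, so the policy matches the address-book entry SERVERA-REALIP from the page and the real port (the predefined `junos-ssh` application, port 22), never 33.33.33.33:2222. The policy name ALLOW-SSH-SERVERA is the editor's; the operational commands at the end are standard Junos.

```junos
# Added example (not from the original post). Policy for the destination-NATed SSH traffic.
# The packet has already been rewritten to 192.168.1.5:22 when the policy is evaluated.
set security policies from-zone untrust to-zone trust policy ALLOW-SSH-SERVERA match source-address any
set security policies from-zone untrust to-zone trust policy ALLOW-SSH-SERVERA match destination-address SERVERA-REALIP
set security policies from-zone untrust to-zone trust policy ALLOW-SSH-SERVERA match application junos-ssh
set security policies from-zone untrust to-zone trust policy ALLOW-SSH-SERVERA then permit
set security policies from-zone untrust to-zone trust policy ALLOW-SSH-SERVERA then log session-init session-close

commit

# Verification: rule and pool hit counters, and the session table, which shows the
# original ("In") tuple to 33.33.33.33:2222 alongside the translated ("Out") tuple.
run show security nat destination rule all
run show security nat destination pool all
run show security flow session destination-prefix 192.168.1.5 destination-port 22
```

If the rule counter increments but no session appears, the policy is usually the culprit: a policy written against 33.33.33.33 or port 2222 will never match. For an exposed SSH service, replace `source-address any` with an address-book entry for the hosts that legitimately need access.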
Static NAT

With the following commands the host 192.168.1.1 will be accessible from the untrust zone via the destination address 33.33.33.33. Likewise, any traffic coming from this host will be source NATed behind 33.33.33.33.
root@srx100# edit security nat static rule-set static-nat
[edit security nat static rule-set static-nat]
root@srx100# set from zone untrust
root@srx100# set rule rule1 match destination-address 33.33.33.33/32
root@srx100# set rule rule1 then static-nat prefix 192.168.1.1/32
Miscellaneous

Proxy ARP NAT

NAT proxy ARP instructs the SRX to reply to ARP requests on behalf of NAT addresses that lie within the subnet of the ingress interface but are not configured on the interface itself. Without it, neighbouring hosts on that segment cannot resolve the NAT address and the translated traffic never reaches the SRX.

Below shows the command required to publish (proxy ARP) the addresses 10.1.1.1-10.1.1.5 on interface fe-0/0/0.0.

root@srx100# set security nat proxy-arp interface fe-0/0/0.0 address 10.1.1.1 to 10.1.1.5
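Two things the Static NAT and Proxy ARP sections leave implicit, shown here as an added example rather than configuration from the original post. First, the security policies for a static NAT host reference the real internal address in both directions: inbound, the static translation to 192.168.1.1 happens before the policy lookup; outbound, the policy is evaluated before the source is rewritten to 33.33.33.33. Second, when 33.33.33.33 is not the untrust interface's own address but sits in its subnet, the SRX must proxy-ARP for it. The assumptions here are that fe-0/0/0.0 is the untrust interface with an address in 33.33.33.0/24, that HTTPS is the inbound service; the address-book and policy names are the editor's.

```junos
# Added example (not from the original post).
# Assumes fe-0/0/0.0 is the untrust interface with an address in 33.33.33.0/24.
set security zones security-zone trust address-book address HOSTA-REALIP 192.168.1.1/32

# Inbound: static NAT has already rewritten 33.33.33.33 -> 192.168.1.1, so match the real IP.
set security policies from-zone untrust to-zone trust policy ALLOW-IN-HOSTA match source-address any
set security policies from-zone untrust to-zone trust policy ALLOW-IN-HOSTA match destination-address HOSTA-REALIP
set security policies from-zone untrust to-zone trust policy ALLOW-IN-HOSTA match application junos-https
set security policies from-zone untrust to-zone trust policy ALLOW-IN-HOSTA then permit

# Outbound: the policy runs before the reverse (source) translation, so it also matches the real IP.
set security policies from-zone trust to-zone untrust policy ALLOW-OUT-HOSTA match source-address HOSTA-REALIP
set security policies from-zone trust to-zone untrust policy ALLOW-OUT-HOSTA match destination-address any
set security policies from-zone trust to-zone untrust policy ALLOW-OUT-HOSTA match application any
set security policies from-zone trust to-zone untrust policy ALLOW-OUT-HOSTA then permit

# Proxy ARP for the static NAT address so hosts on the untrust segment can resolve it.
set security nat proxy-arp interface fe-0/0/0.0 address 33.33.33.33/32

commit

# Verification: confirm the proxy-ARP entry is present and the static rule is being hit.
run show configuration security nat proxy-arp
run show security nat static rule all
```

The usual symptom of a missing proxy-ARP entry is a static or destination NAT rule whose hit counter never moves while the upstream router reports ARP failures for the NAT address; a tight inbound policy (a specific application, and a restricted source where possible) limits what the exposed address accepts once it is reachable.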