SRX firewall NAT configuration
Why Address Translation
NAT primarily provides translation between public-network and private-network IP addresses, and also supports port translation
When routes are missing, routing conflicts can be resolved by translating addresses
Security: hides the real IP address of servers from the outside
SRX packet processing
Translated NAT addresses: what you must know
First, make sure the virtual IP addresses (for example, public IPs) that will be presented to the outside for translation have been planned
• Single-server port mapping: one server provides several services to the outside;
Limitation: network management cannot reach the whole host from outside the firewall!
• Port-based mapping for multiple servers: several servers, each providing several services to the outside;
Works for multiple servers, and the external port and the server port can differ!
• Internal network accessing the public network: source NAT, which translates the source address to the address of the public-network interface when accessing the public network
Note: one public IP address supports at most about 64,000 sessions
When the NAT public address is in the same subnet as the public-network interface, enable NAT proxy ARP so that the SRX's peer device can resolve the public address to the SRX's MAC address and return packets reach the SRX firewall normally
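A toy source-NAT with PAT allocator, added here as an illustration (it is not part of the slides and not SRX software), that makes the per-address session cap concrete: every translated session needs its own (public IP, port) pair, so the size of the translated-port range bounds the sessions one public address can carry. The port range 1024 to 65535, the public address 1.1.70.10 (taken from the proxy-ARP slide) and the destination 8.8.8.8:443 are assumptions of the example.

```python
"""Toy source-NAT-with-PAT allocator.

Added example, not SRX code: it models why one public address caps out near
64,000 concurrent sessions. Each session needs its own (public IP, port) pair,
so the number of translated source ports bounds the sessions per address.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed translated-port range (1024..65535 gives 64,512 ports); the real SRX
# range is an implementation detail not stated on the slides.
PORT_LOW, PORT_HIGH = 1024, 65535

Flow = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)
Binding = Tuple[str, int]          # (public_ip, public_port)


@dataclass
class SourcePat:
    public_ips: List[str]
    free_ports: Dict[str, List[int]] = field(default_factory=dict)
    sessions: Dict[Flow, Binding] = field(default_factory=dict)

    def __post_init__(self) -> None:
        # Lowest port sits on top of the stack so allocation order is predictable.
        for ip in self.public_ips:
            self.free_ports[ip] = list(range(PORT_HIGH, PORT_LOW - 1, -1))

    def capacity(self) -> int:
        """Maximum number of concurrent sessions the pool can translate."""
        return len(self.public_ips) * (PORT_HIGH - PORT_LOW + 1)

    def translate(self, flow: Flow) -> Optional[Binding]:
        """Return the (public_ip, port) for a flow, allocating on first sight.
        None means every port on every public address is already in use."""
        if flow in self.sessions:
            return self.sessions[flow]
        for ip in self.public_ips:
            if self.free_ports[ip]:
                binding = (ip, self.free_ports[ip].pop())
                self.sessions[flow] = binding
                return binding
        return None

    def release(self, flow: Flow) -> bool:
        """Tear a session down and hand its port back to the pool."""
        binding = self.sessions.pop(flow, None)
        if binding is None:
            return False
        ip, port = binding
        self.free_ports[ip].append(port)
        return True


def fill_pool(pat: SourcePat, dst: Tuple[str, int] = ("8.8.8.8", 443)) -> int:
    """Open distinct constructed flows until the pool refuses one; return how many fit."""
    count = 0
    while True:
        # Spread flows over constructed internal hosts 192.168.1.5, .6, ... with
        # distinct source ports so every flow is a new session.
        flow = (f"192.168.1.{count // 60000 + 5}", 1025 + count % 60000, dst[0], dst[1])
        if pat.translate(flow) is None:
            return count
        count += 1


if __name__ == "__main__":
    pool = SourcePat(["1.1.70.10"])
    print("capacity:", pool.capacity())
    print("sessions that fit:", fill_pool(pool))
    print("one more:", pool.translate(("10.1.10.5", 40000, "8.8.8.8", 443)))
```

With a single public address the pool refuses the 64,513th flow; adding a second address doubles `capacity()`, which is the sizing rule the 64,000-session note on the slide implies.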
Proxy ARP
When the public-network interface's addresses are not enough, or the addresses in its subnet have been used up, we apply to the operator for additional public addresses; these addresses are not in the same subnet as the interface address.
The peer must have a route for these addresses pointing to the firewall's external interface IP; the firewall then needs no additional handling and can apply NAT directly
[edit security nat]
user@host# show
proxy-arp {
    interface ge-0/0/3.10 {
        address {
            1.1.70.10/32 to 1.1.70.100/32;
        }
    }
}
Network Address Translation
NAT type
NAT and PAT come in two types:
• Destination-based NAT: translates the destination address and port
• Source-based NAT: translates the source IP address and port
Combinations of destination and source NAT/PAT
Dynamic and static address translation
NAT type
SRX also provides a third type of NAT: static NAT
Static address translation: provides bidirectional NAT, made up of source static NAT combined with destination static NAT
Destination NAT
Two types of destination NAT:
• Static NAT: a one-to-one address mapping, with no PAT port translation
• Rule-based NAT: address mapping based on a dynamic address pool; PAT port translation is optional
VoIP ALGs dynamically generate allow-incoming entries to let traffic into the internal network
Static destination address translation
Sample topology:
Enable static destination NAT to host A using a public address of 100.0.0.1/32
Bind the internal host 10.1.10.5 to the public IP address 100.0.0.1 as a one-to-one static mapping
One-to-one address translation is what NetScreen calls a MIP
Static destination address translation
The configuration is as follows; destination-address is defined as the public IP address
[edit security]
user@host# show
nat {
    static {
        rule-set r1 {
            from zone untrust;
            rule a {
                match {
                    destination-address 100.0.0.1/32;
                }
                then {
                    static-nat prefix 10.1.10.5/32;
                }
            }
        }
    }
}
Static destination address translation
set interfaces ge-0/0/0 unit 0 family inet address 222.0.0.1/27
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
set security nat proxy-arp interface ge-0/0/0.0 address 222.0.0.8/32
set security nat proxy-arp interface ge-0/0/0.0 address 222.0.0.7/32
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
set security nat static rule-set static-nat from zone untrust
set security nat static rule-set static-nat rule 1 match destination-address 222.0.0.6/32
set security nat static rule-set static-nat rule 1 then static-nat prefix 192.168.1.6/32
set security nat static rule-set static-nat rule 2 match destination-address 222.0.0.7/32
set security nat static rule-set static-nat rule 2 then static-nat prefix 192.168.1.7/32
set security nat static rule-set static-nat rule 3 match destination-address 222.0.0.8/32
set security nat static rule-set static-nat rule 3 then static-nat prefix 192.168.1.8/32
show security nat static rule 3
Displays the NAT mapping and its hit counters; verify by initiating access from the outside network and checking whether the rule is hit and whether the translation succeeded or failed
Static destination address translation
Reverse static source NAT is enabled automatically:
If the internal host 192.168.1.8 initiates a request to the outside network, its source IP address is automatically translated to 222.0.0.8
No session, no translation: NAT is triggered only when traffic creates a session, the static rule by itself has no direct relationship with the session, and the translation can only be observed once a session has been initiated
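The following script is an added example (not Juniper code and not part of the slides) that ties the static-NAT configuration above to the proxy-ARP rule stated earlier: it parses the `set interfaces`, `set security nat proxy-arp` and `set security nat static` statements into a small model, reports for each translated public address whether the outside can reach it (it is the interface address itself, proxy-ARP is present, proxy-ARP is missing, or it lies in a different subnet and needs an upstream route), and derives the implied reverse source translation that the last slide describes. The sample input is the slides' configuration with a constructed rule 4 for the 100.0.0.1 to 10.1.10.5 mapping from the earlier topology added so that the different-subnet case is exercised; the `to` range syntax from the proxy-ARP slide is handled too.

```python
"""Consistency check for static NAT and proxy-ARP in Junos 'set' commands.

Added example, not Juniper code. It models only the statements that appear
on the slides; anything else in a real configuration is ignored.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample: the slides' static-NAT configuration plus a rule 4 for
# the 100.0.0.1 -> 10.1.10.5 mapping from the earlier topology.
SAMPLE_CONFIG = """
set interfaces ge-0/0/0 unit 0 family inet address 222.0.0.1/27
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
set security nat proxy-arp interface ge-0/0/0.0 address 222.0.0.8/32
set security nat proxy-arp interface ge-0/0/0.0 address 222.0.0.7/32
set security nat static rule-set static-nat from zone untrust
set security nat static rule-set static-nat rule 1 match destination-address 222.0.0.6/32
set security nat static rule-set static-nat rule 1 then static-nat prefix 192.168.1.6/32
set security nat static rule-set static-nat rule 2 match destination-address 222.0.0.7/32
set security nat static rule-set static-nat rule 2 then static-nat prefix 192.168.1.7/32
set security nat static rule-set static-nat rule 3 match destination-address 222.0.0.8/32
set security nat static rule-set static-nat rule 3 then static-nat prefix 192.168.1.8/32
set security nat static rule-set static-nat rule 4 match destination-address 100.0.0.1/32
set security nat static rule-set static-nat rule 4 then static-nat prefix 10.1.10.5/32
"""


@dataclass
class StaticRule:
    name: str
    match: Optional[ipaddress.IPv4Network] = None   # public destination-address
    prefix: Optional[ipaddress.IPv4Network] = None  # internal static-nat prefix


@dataclass
class Config:
    interfaces: Dict[str, ipaddress.IPv4Interface] = field(default_factory=dict)
    proxy_arp: Dict[str, Set[ipaddress.IPv4Address]] = field(default_factory=dict)
    rules: Dict[str, StaticRule] = field(default_factory=dict)


def _arg(tok: List[str], key: str) -> str:
    """Value that follows keyword `key` in a tokenised set command."""
    return tok[tok.index(key) + 1]


def parse_set_commands(text: str) -> Config:
    cfg = Config()
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "set":
            continue
        if tok[1] == "interfaces" and "address" in tok:
            # set interfaces ge-0/0/0 unit 0 family inet address 222.0.0.1/27
            cfg.interfaces[f"{tok[2]}.{_arg(tok, 'unit')}"] = ipaddress.IPv4Interface(_arg(tok, "address"))
        elif tok[1:4] == ["security", "nat", "proxy-arp"]:
            # set security nat proxy-arp interface IF address A/32 [to B/32]
            first = ipaddress.IPv4Interface(_arg(tok, "address")).ip
            last = ipaddress.IPv4Interface(_arg(tok, "to")).ip if "to" in tok else first
            cfg.proxy_arp.setdefault(_arg(tok, "interface"), set()).update(
                ipaddress.IPv4Address(n) for n in range(int(first), int(last) + 1))
        elif tok[1:4] == ["security", "nat", "static"] and "rule" in tok:
            # ... rule-set RS rule R match destination-address X
            # ... rule-set RS rule R then static-nat prefix Y
            name = f"{_arg(tok, 'rule-set')}/{_arg(tok, 'rule')}"
            rule = cfg.rules.setdefault(name, StaticRule(name))
            if "destination-address" in tok:
                rule.match = ipaddress.IPv4Network(_arg(tok, "destination-address"))
            elif "prefix" in tok:
                rule.prefix = ipaddress.IPv4Network(_arg(tok, "prefix"))
    return cfg


def reachability_findings(cfg: Config) -> Dict[str, str]:
    """For every translated public address, what the outside needs to reach it."""
    out: Dict[str, str] = {}
    for rule in cfg.rules.values():
        if rule.match is None or rule.prefix is None:
            out[rule.name] = "incomplete rule (match or prefix missing)"
            continue
        for public in rule.match:  # every address of the matched prefix
            iface = next((n for n, i in cfg.interfaces.items() if public in i.network), None)
            if iface is None:
                out[str(public)] = "needs upstream route to the external interface"
            elif public == cfg.interfaces[iface].ip:
                out[str(public)] = "interface address: nothing extra needed"
            elif public in cfg.proxy_arp.get(iface, set()):
                out[str(public)] = f"proxy-arp on {iface}: ok"
            else:
                out[str(public)] = f"MISSING proxy-arp on {iface}"
    return out


def translate_inbound(cfg: Config, dst: str) -> Optional[str]:
    """Destination NAT: public address -> internal address (1:1, offset kept)."""
    d = ipaddress.IPv4Address(dst)
    for r in cfg.rules.values():
        if r.match and r.prefix and d in r.match:
            return str(r.prefix.network_address + (int(d) - int(r.match.network_address)))
    return None


def translate_outbound(cfg: Config, src: str) -> Optional[str]:
    """Reverse static source NAT implied by the same rule: internal -> public."""
    s = ipaddress.IPv4Address(src)
    for r in cfg.rules.values():
        if r.match and r.prefix and s in r.prefix:
            return str(r.match.network_address + (int(s) - int(r.prefix.network_address)))
    return None


if __name__ == "__main__":
    config = parse_set_commands(SAMPLE_CONFIG)
    for addr, verdict in reachability_findings(config).items():
        print(f"{addr:12} {verdict}")
    print("inbound 222.0.0.8 ->", translate_inbound(config, "222.0.0.8"))
    print("outbound 192.168.1.8 ->", translate_outbound(config, "192.168.1.8"))
```

On the sample, 222.0.0.7 and 222.0.0.8 are covered by proxy-ARP, 222.0.0.6 is in the interface subnet but has no proxy-ARP entry and so would not be resolvable by the upstream peer, and 100.0.0.1 is outside the interface subnet and relies on the peer's route. The two translate functions apply one rule in both directions, which is exactly what "reverse static source NAT is enabled automatically" means on the slide.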