Configure Destination NAT in Juniper SRX

Spread the love




Today I will show you how to configure destination NAT (Network Address Translation) in Juniper SRX device. There are different types of NAT that you can configure per your need. Different types of NAT are, source NAT, destination NAT and static NAT. Destination NAT is a type of NAT that is configured when you want to get access to your internal network from outside. This type of NAT is also called destination PAT because in this type of NAT, you simply translate different ports to reach various services with same IP address.

The diagram below shows our scenarioConfigure Destination NAT in Juniper SRX

In the given scenario, there are two zones – the untrust zone and trust zone. Our need is to get access to the Mail Server of the trust zone or internal network. We will translate ports 25 and 110 with the public IP address 2.2.2.2/30. The firewall will translate the destination IP address of packets from 2.2.2.2 to 192.168.101.2 and forward to internal network if the request was coming for port 25 and 110.

Configure Destination NAT in Juniper SRX

Start configuring in SRX device. You must be on configuration mode to configure this. At first, we will configure pool for Mail Server under edit security nat destination hierarchy. Then create rule for POP3 (110) service.



[edit security nat destination]

root@srx#set pool MailServer address 192.168.101.2
[edit security nat destination]
root@srx# edit rule-set NatRule 
[edit security nat destination rule-set NatRule]
root@srx# set from zone untrust
[edit security nat destination rule-set NatRule]
root@srx# edit rule Rule1POP
[edit security nat destination rule-set NatRule rule Rule1POP]
root@srx# set match destination-address 2.2.2.2
[edit security nat destination rule-set NatRule rule Rule1POP]
root@srx# set match destination-port 110
[edit security nat destination rule-set NatRule rule Rule1POP]
root@srx# set then destination-nat pool MailServer

You can view your configuration by typing show command by staying in the current hierarchy.

[edit security nat destination rule-set NatRule rule Rule1POP]

root@srx# show
match {
destination-address 2.2.2.2/32;
destination-port 110;
}
then {
destination-nat pool MailServer;
}
 
Now create a rule for SMTP (25) service under same hierarchy but with different term name.

[edit security nat destination rule-set NatRule rule Rule1POP]

root@srx# up
[edit security nat destination rule-set NatRule]
root@srx# edit rule Rule2SMTP
[edit security nat destination rule-set NatRule rule Rule2SMTP]
root@srx# set match destination-address 2.2.2.2
[edit security nat destination rule-set NatRule rule Rule2SMTP]
root@srx# set match destination-port 25
[edit security nat destination rule-set NatRule rule Rule2SMTP]
root@srx# set then destination-nat pool MailServer

You can again hit the show command under the current hierarchy to view your configuration.

[edit security nat destination rule-set NatRule rule Rule2SMTP]

root@srx# show
match {
destination-address 2.2.2.2/32;
destination-port 25;
}
then {
destination-nat pool MailServer;
}
 
Configuring Security Policy

We have successfully created NAT rule. So now we will configure security policy. The policy will be configured to allow any hosts from outside to inside with service of SMTP and POP3.

Configure address set in trust zone for Mail Server at first.

[edit security zones security-zone trust]
root@srx# show
address-book {
address MailServer 192.168.101.2;
}
root@srx# edit security policies from-zone untrust to-zone trust
[edit security policies from-zone untrust to-zone trust]
root@srx# edit policy MailPolicy [Creates a policy named MailPolicy]
[edit security policies from-zone untrust to-zone trust policy MailPolicy]
root@srx# set match source-address any [This allows any client from the Internet to get to Mail Server]
[edit security policies from-zone untrust to-zone trust policy MailPolicy]
root@srx# set match destination-address MailServer [Matches destination address of MailServer i.e. 192.168.101.2]
[edit security policies from-zone untrust to-zone trust policy MailPolicy]
root@srx# set match application junos-pop3 [Matches POP Protocol]
[edit security policies from-zone untrust to-zone trust policy MailPolicy]
root@srx# set match application junos-smtp [Matches SMTP Protocol]
[edit security policies from-zone untrust to-zone trust policy MailPolicy]
root@srx# set then permit
 
[edit security policies from-zone untrust to-zone trust policy MailPolicy]
root@srx# show
match {
source-address any;
destination-address MailServer;
application [ junos-pop3 junos-smtp ];
}
then {
permit;
}

References

  1. Configuring Destination NAT on SRX-series Services Gateways
  2. SRX Getting Started – Configure NAT



The following two tabs change content below.
Bipin is a freelance Network and System Engineer with expertise on Cisco, Juniper, Microsoft, VMware, and other technologies. You can hire him on UpWork. Bipin enjoys writing articles and tutorials related to Network technologies. Some of his certifications are, MCSE:Messaging, JNCIP-SEC, JNCIS-ENT, and others.

Latest posts by Bipin (see all)

scroll to top