Destination NAT (port forwarding, PAT, NAPT) on Juniper SRX series

There are cases where a static 1:1 NAT from an external IP to an internal IP is not applicable, for instance when only one IP is available for your Juniper SRX device, or when there are more internal servers to expose than external IPs available. Static NAT and source NAT won't do the trick to expose your service then; this is where destination NAT comes into play (other vendors call it port forwarding, PAT or NAPT).

In this example we have a typical branch office with only one external IP available and a Juniper SRX100, but still the need to expose a web server (172.16.0.80) and an SMTP server (172.16.0.25). The SRX device will be configured with external IP 193.221.119.254/24 and internal IP 172.16.0.1/24. We will then build destination NAT pools for each server, with the trick that each pool has only one member. Also needed are, of course, address book entries, security policies and destination NAT rules.

First, configure the interfaces, internal VLAN, zones, base policies and base source NAT:

set interfaces fe-0/0/0.0 family inet address 193.221.119.254/24
set interfaces vlan.1 family inet address 172.16.0.1/24
set vlans internal vlan-id 1
set vlans internal l3-interface vlan.1
set interfaces fe-0/0/1.0 family ethernet-switching port-mode access
set interfaces fe-0/0/1.0 family ethernet-switching vlan members internal
set interfaces fe-0/0/2.0 family ethernet-switching port-mode access
set interfaces fe-0/0/2.0 family ethernet-switching vlan members internal
set interfaces fe-0/0/3.0 family ethernet-switching port-mode access
set interfaces fe-0/0/3.0 family ethernet-switching vlan members internal
set interfaces fe-0/0/4.0 family ethernet-switching port-mode access
set interfaces fe-0/0/4.0 family ethernet-switching vlan members internal
set interfaces fe-0/0/5.0 family ethernet-switching port-mode access
set interfaces fe-0/0/5.0 family ethernet-switching vlan members internal
set interfaces fe-0/0/6.0 family ethernet-switching port-mode access
set interfaces fe-0/0/6.0 family ethernet-switching vlan members internal
set interfaces fe-0/0/7.0 family ethernet-switching port-mode access
set interfaces fe-0/0/7.0 family ethernet-switching vlan members internal

set security zones security-zone trust interfaces vlan.1
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone untrust interfaces fe-0/0/0.0

set security policies from-zone trust to-zone untrust policy AllowAll match source-address any destination-address any application any
set security policies from-zone trust to-zone untrust policy AllowAll then permit
set security policies from-zone trust to-zone untrust policy DenyAll match source-address any destination-address any application any
set security policies from-zone trust to-zone untrust policy DenyAll then log session-init
set security policies from-zone trust to-zone untrust policy DenyAll then deny

set security policies from-zone untrust to-zone trust policy DenyAll match source-address any destination-address any application any
set security policies from-zone untrust to-zone trust policy DenyAll then log session-init
set security policies from-zone untrust to-zone trust policy DenyAll then deny

set security zones security-zone trust address-book address Webserver 172.16.0.80/32
set security zones security-zone trust address-book address Mailserver 172.16.0.25/32

set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule HideAll match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule HideAll then source-nat interface

Now create the destination NAT pools:

set security nat destination pool Webserver address 172.16.0.80/32
set security nat destination pool Webserver address port 80
set security nat destination pool Mailserver address 172.16.0.25/32
set security nat destination pool Mailserver address port 25

Then we create the destination NAT rule-set with one rule per server, matching on the external IP and the service port:

set security nat destination rule-set dst-nat from zone untrust
set security nat destination rule-set dst-nat to zone trust
set security nat destination rule-set dst-nat rule Webserver match destination-address 193.221.119.254/32
set security nat destination rule-set dst-nat rule Webserver match destination-port 80
set security nat destination rule-set dst-nat rule Webserver then destination-nat pool Webserver
set security nat destination rule-set dst-nat rule Mailserver match destination-address 193.221.119.254/32
set security nat destination rule-set dst-nat rule Mailserver match destination-port 25
set security nat destination rule-set dst-nat rule Mailserver then destination-nat pool Mailserver

Lastly we need security policies to allow the traffic through the firewall. Note that destination NAT is applied before the security policy lookup, so the policies are written for the real internal IP addresses (the address-book entries above), not for the external IP:

set security policies from-zone untrust to-zone trust policy Webserver match source-address any destination-address Webserver application junos-http
set security policies from-zone untrust to-zone trust policy Webserver then permit
set security policies from-zone untrust to-zone trust policy Mailserver match source-address any destination-address Mailserver application junos-smtp
set security policies from-zone untrust to-zone trust policy Mailserver then permit

Since we already have a DenyAll policy from zone untrust to zone trust, and policies are evaluated top-down with the first match winning, we need to make sure our newly written policies are placed before the DenyAll policy:

insert security policies from-zone untrust to-zone trust policy Webserver before policy DenyAll
insert security policies from-zone untrust to-zone trust policy Mailserver after policy Webserver
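To make the two points above concrete (destination NAT runs before policy lookup, and policy order decides the outcome), here is a small constructed model of the SRX flow for this exact configuration. It is added here as an illustration and is not Junos code or anything from the original post; the pool, rule, address-book and policy names are the ones used above, and the "ExternalIP" address-book entry is a hypothetical addition used only to show why a policy written for the external IP would never match.

```python
"""Model of SRX flow order for the page's destination NAT example (constructed,
not Junos code): first-match destination NAT, then ordered policy lookup."""
from dataclasses import dataclass

EXTERNAL_IP = "193.221.119.254"

# Destination NAT pools and rules as configured above (one member per pool)
DNAT_POOLS = {"Webserver": ("172.16.0.80", 80), "Mailserver": ("172.16.0.25", 25)}
DNAT_RULES = [(EXTERNAL_IP, 80, "Webserver"), (EXTERNAL_IP, 25, "Mailserver")]

# Address book and applications referenced by the security policies
ADDRESS_BOOK = {"any": None, "Webserver": "172.16.0.80", "Mailserver": "172.16.0.25",
                "ExternalIP": EXTERNAL_IP}  # hypothetical entry, see lead-in
APPLICATIONS = {"any": None, "junos-http": 80, "junos-smtp": 25}

@dataclass
class Policy:
    name: str
    dst: str      # address-book name
    app: str      # application name
    action: str   # "permit" or "deny"

def apply_dnat(dst_ip, dst_port):
    """First matching destination NAT rule wins; no match leaves the packet unchanged."""
    for match_ip, match_port, pool in DNAT_RULES:
        if dst_ip == match_ip and dst_port == match_port:
            return DNAT_POOLS[pool]
    return dst_ip, dst_port

def policy_lookup(policies, dst_ip, dst_port):
    """Ordered first-match policy evaluation; implicit deny if nothing matches."""
    for p in policies:
        if ADDRESS_BOOK[p.dst] in (None, dst_ip) and APPLICATIONS[p.app] in (None, dst_port):
            return p.name, p.action
    return "default", "deny"

def process(policies, dst_ip, dst_port):
    """Destination NAT is applied before policy lookup, so policies see the real IP."""
    real_ip, real_port = apply_dnat(dst_ip, dst_port)
    return (real_ip, real_port) + policy_lookup(policies, real_ip, real_port)

DENY_ALL = Policy("DenyAll", "any", "any", "deny")
WEB = Policy("Webserver", "Webserver", "junos-http", "permit")
MAIL = Policy("Mailserver", "Mailserver", "junos-smtp", "permit")
BEFORE_INSERT = [DENY_ALL, WEB, MAIL]   # new policies appended after DenyAll
AFTER_INSERT = [WEB, MAIL, DENY_ALL]    # order after the two 'insert' commands
```

Running `process(BEFORE_INSERT, EXTERNAL_IP, 80)` shows the web traffic hitting DenyAll, while `process(AFTER_INSERT, EXTERNAL_IP, 80)` shows it translated to 172.16.0.80:80 and permitted by the Webserver policy.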

And now it should all be working fine!

Try it out!
