How to Configure NAT on a Junos SRX

NAT can translate addresses in different ways. You configure rules that match traffic and decide which kind of NAT applies in a particular case. You can configure the SRX to perform the following source NAT services:

  • Use the IP address of the egress interface.

  • Use a pool of addresses for translation.

Usually, you will not apply both of these services to the same traffic, because they are two different things entirely: a given rule translates either to the egress interface address or to a pool, not both at the same time. But you may find reasons to use egress translation on one interface and a pool on another interface.

Configure Source NAT Using the Egress Interface Address

First, you need to create a rule set with a distinctive name (here, internet-nat) and establish the context of the traffic you're applying NAT to. In this case, the rule applies to traffic from the admins LAN zone to the untrusted zone (untrust). You can also specify interfaces or virtual routers as the context, but it's best to think of everything on the SRX in terms of zones.

root# edit security nat source rule-set internet-nat
[edit security nat source rule-set internet-nat]
root# set from zone admins
root# set to zone untrust

Now, you configure the actual rule (admins-access) that matches all the LAN traffic going to any location and applies NAT to the packets:

[edit security nat source rule-set internet-nat]
root# edit rule admins-access
[edit security nat source rule-set internet-nat rule admins-access]
root# set match source-address 192.168.2.0/24
root# set match destination-address 0.0.0.0/0
root# set then source-nat interface

The last line sets the source NAT translation to the address of the egress interface (the interface in the untrust zone that the packet leaves through). Here's what the resulting configuration looks like:

[edit security nat]
root# show
source {
    rule-set internet-nat {
        from {
            zone admins;
        }
        to {
            zone untrust;
        }
        rule admins-access {
            match {
                source-address 192.168.2.0/24;
                destination-address 0.0.0.0/0;
            }
            then {
                source-nat interface;
            }
        }
    }
}

Configure a Source NAT Translation Pool

In many cases, the single address on the egress interface is not enough to carry all the sessions from the LAN. If this is the case, it is better to establish a pool of addresses that devices on the LAN are translated to when they send traffic outside the trusted zone.

To reconfigure the previous example to use a pool of IP addresses, first, you must configure the pool, public_NAT_range. Here, you use a small pool of six addresses:

[edit security nat source]
root# set pool public_NAT_range address 66.129.250.10 to 66.129.250.15

Defining the pool separately lets you change its addresses in one place, rather than in every rule set that uses it. You apply the pool at the then level of the NAT rule hierarchy:

[edit security nat source]
root# edit rule-set internet-nat rule admins-access
[edit security nat source rule-set internet-nat rule admins-access]
root# set then source-nat pool public_NAT_range

Apart from the new pool definition, only one statement in the rule really changes, but that makes all the difference:

[edit security nat]
root# show
source {
    pool public_NAT_range {
        address {
            66.129.250.10/32 to 66.129.250.15/32;
        }
    }
    rule-set internet-nat {
        from {
            zone admins;
        }
        to {
            zone untrust;
        }
        rule admins-access {
            match {
                source-address 192.168.2.0/24;
                destination-address 0.0.0.0/0;
            }
            then {
                source-nat pool public_NAT_range;
            }
        }
    }
}
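Before committing NAT changes it pays to sanity-check the set-style commands for the mistakes that are easy to make in both variants above: a rule that names a pool that was never defined, a rule set with no from/to zone context, a rule with no action, or a pool whose addresses fall inside the LAN prefix the rule matches. The following Python script is an added example, not from the original article or from Juniper; it parses only the `set security nat source ...` statement forms used on this page (the sample configuration it carries is constructed from those commands) and reports such problems.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the set-style commands from this article as they would be
# pasted into the SRX CLI, including the pool definition.
SAMPLE_CONFIG = """\
set security nat source pool public_NAT_range address 66.129.250.10 to 66.129.250.15
set security nat source rule-set internet-nat from zone admins
set security nat source rule-set internet-nat to zone untrust
set security nat source rule-set internet-nat rule admins-access match source-address 192.168.2.0/24
set security nat source rule-set internet-nat rule admins-access match destination-address 0.0.0.0/0
set security nat source rule-set internet-nat rule admins-access then source-nat pool public_NAT_range
"""


def parse_source_nat(text):
    """Parse 'set security nat source ...' lines into pools and rule sets.

    Returns (pools, rule_sets): pools maps name -> (low_ip, high_ip);
    rule_sets maps name -> {"from": set, "to": set, "rules": {name: rule}}.
    Only the statement forms shown in the article are recognised.
    """
    pools = {}
    rule_sets = defaultdict(lambda: {"from": set(), "to": set(), "rules": {}})
    for raw in text.splitlines():
        tokens = raw.split()
        if tokens[:4] != ["set", "security", "nat", "source"]:
            continue
        tokens = tokens[4:]
        if tokens[0] == "pool" and tokens[2:3] == ["address"]:
            # pool NAME address LOW [to HIGH]; a lone address is a one-entry range
            low = tokens[3]
            high = tokens[5] if len(tokens) >= 6 and tokens[4] == "to" else low
            pools[tokens[1]] = (ipaddress.ip_address(low), ipaddress.ip_address(high))
        elif tokens[0] == "rule-set":
            rs = rule_sets[tokens[1]]
            if tokens[2] in ("from", "to") and tokens[3] == "zone":
                rs[tokens[2]].add(tokens[4])
            elif tokens[2] == "rule":
                rule = rs["rules"].setdefault(tokens[3], {"src": [], "dst": [], "then": None})
                if tokens[4] == "match" and tokens[5] in ("source-address", "destination-address"):
                    key = "src" if tokens[5] == "source-address" else "dst"
                    rule[key].append(ipaddress.ip_network(tokens[6], strict=False))
                elif tokens[4] == "then" and tokens[5] == "source-nat":
                    # ("interface",) or ("pool", NAME)
                    rule["then"] = tuple(tokens[6:8])
    return pools, dict(rule_sets)


def pool_size(pools, name):
    """Number of addresses in a pool (inclusive range)."""
    low, high = pools[name]
    return int(high) - int(low) + 1


def audit(pools, rule_sets):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    for name, (low, high) in pools.items():
        if int(low) > int(high):
            findings.append(f"pool {name}: range is inverted ({low} to {high})")
    for rs_name, rs in rule_sets.items():
        if not rs["from"] or not rs["to"]:
            findings.append(f"rule-set {rs_name}: missing from/to zone context")
        for rule_name, rule in rs["rules"].items():
            where = f"rule-set {rs_name} rule {rule_name}"
            if not rule["src"]:
                findings.append(f"{where}: no match source-address configured")
            if not rule["then"]:
                findings.append(f"{where}: no 'then source-nat' action")
            elif rule["then"][0] == "pool":
                pool_name = rule["then"][1]
                if pool_name not in pools:
                    findings.append(f"{where}: references undefined pool {pool_name}")
                else:
                    low, high = pools[pool_name]
                    for src in rule["src"]:
                        # translating into addresses that belong to the matched LAN
                        if low in src or high in src:
                            findings.append(f"{where}: pool {pool_name} overlaps matched source {src}")
    return findings


if __name__ == "__main__":
    pools, rule_sets = parse_source_nat(SAMPLE_CONFIG)
    print(f"public_NAT_range holds {pool_size(pools, 'public_NAT_range')} addresses")
    for finding in audit(pools, rule_sets) or ["no findings"]:
        print(finding)
```

Feeding the script the article's commands yields a pool of six addresses and no findings; renaming the pool on its definition line, or moving the pool into 192.168.2.0/24, produces a finding for the rule that references it. Run against a real `show configuration | display set` dump, the parser silently skips statement forms it does not know (address-name matches, port ranges, interface and routing-instance contexts), so treat an empty result as "nothing wrong in what it understands", not as a full review.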