NAT setting
Operation confirmed versions: vSRX Version 15.1X49-D105.1, vSRX Version 19.2R1.8, vSRX Version 20.4R2
NAT conversion of a source IP address
Match traffic initiated from a specific source IP address and translate (NAT) that source IP address.
Presumed case for sample setting
To execute NAT for packets from a trust zone to an untrust zone
I want to convert the source IP address 192.168.2.11 to 192.168.3.200
Setting flow in a presumed case
Command to be entered with CLI
user01@vSRX-02# set security nat source pool POOL1 address 192.168.3.200/32
user01@vSRX-02# set security nat source pool POOL1 port no-translation
user01@vSRX-02# set security nat source rule-set RULE from zone trust
user01@vSRX-02# set security nat source rule-set RULE to zone untrust
user01@vSRX-02# set security nat source rule-set RULE rule RULE1-1 match source-address 192.168.2.0/24
user01@vSRX-02# set security nat source rule-set RULE rule RULE1-1 then source-nat pool POOL1
user01@vSRX-02# set security nat proxy-arp interface ge-0/0/2.0 address 192.168.3.200/32
The configuration after completion of appropriate settings is as follows.
security {
    nat {
        source {
            pool POOL1 {
                address {
                    192.168.3.200/32;
                }
                port {
                    no-translation;
                }
            }
            rule-set RULE {
                from zone trust;
                to zone untrust;
                rule RULE1-1 {
                    match {
                        source-address 192.168.2.0/24;
                    }
                    then {
                        source-nat {
                            pool {
                                POOL1;
                            }
                        }
                    }
                }
            }
        }
        proxy-arp {
            interface ge-0/0/2.0 {
                address {
                    192.168.3.200/32;
                }
            }
        }
    }
}
Operation check result
When you communicate from the virtual server (192.168.2.11) to the virtual server (192.168.3.13) in the verification configuration diagram, the session table on vSRX-02 shows the source address translated to 192.168.3.200, which confirms that source NAT is working.
Communication confirmation result from virtual server (192.168.2.11) to virtual server (192.168.3.13)
user01@vRouter-02:~$ ping 192.168.3.13 count 5
PING 192.168.3.13 (192.168.3.13) 56(84) bytes of data.
64 bytes from 192.168.3.13: icmp_seq=1 ttl=63 time=3.97 ms
64 bytes from 192.168.3.13: icmp_seq=2 ttl=63 time=1.42 ms
64 bytes from 192.168.3.13: icmp_seq=3 ttl=63 time=1.25 ms
64 bytes from 192.168.3.13: icmp_seq=4 ttl=63 time=1.38 ms
64 bytes from 192.168.3.13: icmp_seq=5 ttl=63 time=1.25 ms
--- 192.168.3.13 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 1.250/1.856/3.971/1.060 ms
Result of NAT operation verification with vSRX
user01@vSRX-02> show security flow session
Session ID: 107, Policy name: default-permit/5, Timeout: 1786, Valid
In: 192.168.2.11/33606 --> 192.168.3.13/22;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 33, Bytes: 4127,
Out: 192.168.3.13/22 --> 192.168.3.200/33606;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 29, Bytes: 4979,
Total sessions: 1
NAT conversion of a destination IP address
Translate (NAT) the destination IP address of traffic sent to a specific IP address.
Presumed case for sample setting
To execute NAT for packets which come from an untrust zone
I want communication addressed to 192.168.3.102 to be NATed to 192.168.2.11.
Setting flow in a presumed case
Command to be entered with CLI
user01@vSRX-02# set security nat destination pool POOL1 address 192.168.2.11/32
user01@vSRX-02# set security nat destination rule-set RULE1 from zone untrust
user01@vSRX-02# set security nat destination rule-set RULE1 rule RULE1-1 match destination-address 192.168.3.102/32
user01@vSRX-02# set security nat destination rule-set RULE1 rule RULE1-1 then destination-nat pool POOL1
The configuration after completion of appropriate settings is as follows.
security {
    nat {
        destination {
            pool POOL1 {
                address 192.168.2.11/32;
            }
            rule-set RULE1 {
                from zone untrust;
                rule RULE1-1 {
                    match {
                        destination-address 192.168.3.102/32;
                    }
                    then {
                        destination-nat {
                            pool {
                                POOL1;
                            }
                        }
                    }
                }
            }
        }
    }
}
Operation check result
Communication from the virtual server (192.168.3.13) to vSRX-02 (192.168.3.102) in the verification configuration diagram is NATed and reaches 192.168.2.11, which confirms that destination NAT is working.
Communication result from virtual server (192.168.3.13) to vSRX-02 (192.168.3.102)
vRouter-03:~$ ssh user01@192.168.3.102
Welcome to Brocade Vyatta Network OS
user01@192.168.3.102's password:
Welcome to Brocade Vyatta Network OS
Version: 5.2R4
Description: Brocade Vyatta Network OS 5600 5.2R4 Standard
Last login: Mon Sep 18 09:46:49 2017 from 192.168.2.102
user01@vRouter-02:~$
Result of NAT operation verification with vSRX-02
user01@vSRX-02> show security flow session
Session ID: 2026, Policy name: POL1/6, Timeout: 1800, Valid
In: 192.168.3.13/56922 --> 192.168.3.102/22;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 118, Bytes: 9159,
Out: 192.168.2.11/22 --> 192.168.3.13/56922;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 97, Bytes: 14543,
Total sessions: 1
user01@vSRX-02>
NAPT conversion of a source IP address
Perform NAPT on the source IP address of traffic initiated from a specific source IP address.
Presumed case for sample setting
To execute NAPT for packets from a trust zone to an untrust zone
I want to convert the source IP address 192.168.2.11 to the IP address of the output interface
Setting flow in a presumed case
Command to be entered with CLI
user01@vSRX-02# set security nat source rule-set RULE1 from zone trust
user01@vSRX-02# set security nat source rule-set RULE1 to zone untrust
user01@vSRX-02# set security nat source rule-set RULE1 rule RULE1-1 match source-address 192.168.2.11/32
user01@vSRX-02# set security nat source rule-set RULE1 rule RULE1-1 then source-nat interface
The configuration after completion of appropriate settings is as follows.
security {
    nat {
        source {
            rule-set RULE1 {
                from zone trust;
                to zone untrust;
                rule RULE1-1 {
                    match {
                        source-address 192.168.2.11/32;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
}
Operation check result
When you communicate from the virtual server (192.168.2.11) to 192.168.3.13 in the verification configuration diagram, the session table on vSRX-02 shows the source translated to 192.168.3.102 (the output interface address) with a new source port, which confirms that NAPT of the source IP address (192.168.2.11) is working.
Communication result from virtual server (192.168.2.11) to virtual server (192.168.3.13)
vRouter-02:~$ ping 192.168.3.13 count 5
PING 192.168.3.13 (192.168.3.13) 56(84) bytes of data.
64 bytes from 192.168.3.13: icmp_seq=1 ttl=63 time=3.59 ms
64 bytes from 192.168.3.13: icmp_seq=2 ttl=63 time=1.13 ms
64 bytes from 192.168.3.13: icmp_seq=3 ttl=63 time=0.807 ms
64 bytes from 192.168.3.13: icmp_seq=4 ttl=63 time=1.21 ms
64 bytes from 192.168.3.13: icmp_seq=5 ttl=63 time=1.33 ms
--- 192.168.3.13 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4003ms
rtt min/avg/max/mdev = 0.807/1.619/3.598/1.004 ms
vRouter-02:~$
Result of NAPT status verification with vSRX-02
user01@vSRX-02> show security flow session
Session ID: 1443, Policy name: default-permit/5, Timeout: 1798, Valid
In: 192.168.2.11/33578 --> 192.168.3.13/22;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 119, Bytes: 9067,
Out: 192.168.3.13/22 --> 192.168.3.102/17879;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 101, Bytes: 15447,
Total sessions: 1
user01@vSRX-02>
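The "Result of NAT/NAPT operation verification" listings above are the evidence that the translation took effect, and the difference between the first section and this one is visible only in the port column: with `port no-translation` the Out wing keeps the client's source port (33606 stays 33606), while `source-nat interface` allocates a new one (33578 becomes 17879). The pool address 192.168.3.200 in the first section lies on the ge-0/0/2 subnet, which is why that section also needs `proxy-arp` so that vSRX-02 answers ARP for an address that is not its own. The following parser, added here as an example (it is not part of the original page or of Junos), reads `show security flow session` text, names the translation each session shows, and flags sessions that left the untrust interface with an internal source address still untranslated. The first three sample sessions are copied from this page; session 9999 is a constructed entry with no translation, and the interface name and internal network passed to `untranslated_to_untrust` are assumptions matching this page's lab.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the first three sessions are copied from this page's
# "show security flow session" output; session 9999 is a constructed entry
# for a flow that left the untrust interface with NO source translation.
SAMPLE_SESSIONS = """\
Session ID: 107, Policy name: default-permit/5, Timeout: 1786, Valid
In: 192.168.2.11/33606 --> 192.168.3.13/22;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 33, Bytes: 4127,
Out: 192.168.3.13/22 --> 192.168.3.200/33606;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 29, Bytes: 4979,
Session ID: 2026, Policy name: POL1/6, Timeout: 1800, Valid
In: 192.168.3.13/56922 --> 192.168.3.102/22;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 118, Bytes: 9159,
Out: 192.168.2.11/22 --> 192.168.3.13/56922;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 97, Bytes: 14543,
Session ID: 1443, Policy name: default-permit/5, Timeout: 1798, Valid
In: 192.168.2.11/33578 --> 192.168.3.13/22;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 119, Bytes: 9067,
Out: 192.168.3.13/22 --> 192.168.3.102/17879;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 101, Bytes: 15447,
Session ID: 9999, Policy name: default-permit/5, Timeout: 1800, Valid
In: 192.168.2.12/40000 --> 192.168.3.13/22;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 64,
Out: 192.168.3.13/22 --> 192.168.2.12/40000;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 1, Bytes: 64,
Total sessions: 4
"""

HEADER_RE = re.compile(r"^Session ID: (\d+), Policy name: (\S+),")
WING_RE = re.compile(r"^(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), .*?If: (\S+),")


@dataclass(frozen=True)
class Session:
    session_id: int
    policy: str
    in_src: tuple    # client address as it arrived (before NAT)
    in_dst: tuple    # destination as it arrived (before NAT)
    out_src: tuple   # reverse wing: the real server, i.e. the translated destination
    out_dst: tuple   # reverse wing: the translated client address
    in_if: str
    out_if: str

    @property
    def translated_src(self):
        return self.out_dst

    @property
    def translated_dst(self):
        return self.out_src


def parse_sessions(text):
    """Parse 'show security flow session' text into Session records (one per In/Out pair)."""
    sessions, current = [], None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = {"id": int(header.group(1)), "policy": header.group(2)}
            continue
        wing = WING_RE.match(line)
        if wing and current is not None:
            name, sip, sport, dip, dport, _proto, ifname = wing.groups()
            current[name] = ((sip, int(sport)), (dip, int(dport)), ifname)
            if name == "Out" and "In" in current:
                (isrc, idst, iif), (osrc, odst, oif) = current["In"], current["Out"]
                sessions.append(Session(current["id"], current["policy"],
                                        isrc, idst, osrc, odst, iif, oif))
                current = None
    return sessions


def classify(session):
    """Name the translations a session shows: NAT keeps the port, NAPT changes it."""
    kinds = []
    if session.in_src != session.translated_src:
        kinds.append("source NAT" if session.in_src[1] == session.translated_src[1]
                     else "source NAPT")
    if session.in_dst != session.translated_dst:
        kinds.append("destination NAT" if session.in_dst[1] == session.translated_dst[1]
                     else "destination NAPT")
    return kinds or ["no translation"]


def untranslated_to_untrust(sessions, untrust_if, internal_net):
    """IDs of sessions leaving the untrust interface whose source is still an internal address."""
    net = ipaddress.ip_network(internal_net)
    return [s.session_id for s in sessions
            if s.out_if == untrust_if and ipaddress.ip_address(s.translated_src[0]) in net]


if __name__ == "__main__":
    parsed = parse_sessions(SAMPLE_SESSIONS)
    for s in parsed:
        print(s.session_id, s.in_src, "->", s.translated_src, classify(s))
    print("left untrust untranslated:",
          untranslated_to_untrust(parsed, "ge-0/0/2.0", "192.168.2.0/24"))
```

Run against a saved copy of the session table, the last check is the one worth scheduling: a session whose translated source is still a trust-side address on the untrust interface means a flow bypassed the source NAT rule-set (for example a source outside the `match source-address` range), and the session ID gives you the flow to look at.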
NAPT of a destination IP address and port number
Configure NAPT so that traffic addressed to a specific destination IP address and port number is translated to a specified IP address and port number.
Presumed case for sample setting
I want traffic from 192.168.3.13 addressed to 192.168.3.102 TCP port 2222 to be translated so that it is delivered to 192.168.1.11 TCP port 22.
To execute NAPT for packets which come from an untrust zone
Setting flow in a presumed case
Command to be entered with CLI
user01@vSRX-02# set security nat destination pool POOL2 address 192.168.1.11/32 port 22
user01@vSRX-02# set security nat destination rule-set RULE1 from zone untrust
user01@vSRX-02# set security nat destination rule-set RULE1 rule RULE1-1 match destination-address 192.168.3.102/32
user01@vSRX-02# set security nat destination rule-set RULE1 rule RULE1-1 match destination-port 2222
user01@vSRX-02# set security nat destination rule-set RULE1 rule RULE1-1 then destination-nat pool POOL2
The configuration after completion of appropriate settings is as follows.
security {
    nat {
        destination {
            pool POOL2 {
                address 192.168.1.11/32 port 22;
            }
            rule-set RULE1 {
                from zone untrust;
                rule RULE1-1 {
                    match {
                        destination-address 192.168.3.102/32;
                        destination-port {
                            2222;
                        }
                    }
                    then {
                        destination-nat {
                            pool {
                                POOL2;
                            }
                        }
                    }
                }
            }
        }
    }
}
Operation check result
The communication from the virtual server (192.168.3.13) in the verification configuration diagram to vSRX-02 (192.168.3.102) port 2222 is NAPTed, and SSH communication to 192.168.1.11 port 22 is successful. It was confirmed that the NAPT of the IP address and port number was working.
Communication result from virtual server (192.168.3.13) to virtual server (192.168.1.11)
user01@vRouter-03:~$ ssh user01@192.168.3.102 port 2222
Welcome to Brocade Vyatta Network OS
user01@192.168.3.102's password:
Welcome to Brocade Vyatta Network OS
Version: 5.2R4
Description: Brocade Vyatta Network OS 5600 5.2R4 Standard
Last login: Mon Sep 18 15:49:53 2017 from 192.168.3.13
user01@vRouter-01:~$
Result of NAPT operation verification with vSRX-02
user01@vSRX-02> show security flow session
Session ID: 459, Policy name: POL1/6, Timeout: 1800, Valid
In: 192.168.3.13/37106 --> 192.168.3.102/2222;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 201, Bytes: 13403,
Out: 192.168.2.11/22 --> 192.168.3.13/37106;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 179, Bytes: 27191,
Total sessions: 2
user01@vSRX-02>
Jointly setting NAPT for a destination and NAPT for a source IP address
Presumed case for sample setting
I want traffic from 192.168.3.13 to TCP port 2222 of destination 192.168.3.102 to be delivered to 192.168.2.12.
I want traffic from 192.168.3.13 to TCP port 22 of destination 192.168.3.102 to be delivered to 192.168.1.11.
To perform destination NAT on traffic entering interface ge-0/0/2
To perform NAPT on packets whose source IP address is in 192.168.3.0/24
To translate the source IP address of packets leaving each trust-zone interface (ge-0/0/0, ge-0/0/1) into that interface's own address
Setting flow in a presumed case
NAPT setting regarding a source IP address
NAT setting regarding the combination of a destination IP address and port number
Command to be entered with CLI
NAPT setting regarding a source IP address
user01@vSRX-02# set security nat source rule-set SNAT_RULE from zone untrust
user01@vSRX-02# set security nat source rule-set SNAT_RULE to zone trust
user01@vSRX-02# set security nat source rule-set SNAT_RULE rule SNAT_RULE1 match source-address 192.168.3.0/24
user01@vSRX-02# set security nat source rule-set SNAT_RULE rule SNAT_RULE1 then source-nat interface
NAT setting regarding the combination of a destination IP address and port number
user01@vSRX-02# set security nat destination pool POOL1 address 192.168.1.11/32 port 22
user01@vSRX-02# set security nat destination pool POOL2 address 192.168.2.11/32 port 22
user01@vSRX-02# set security nat destination rule-set DNAT_RULE from zone untrust
user01@vSRX-02# set security nat destination rule-set DNAT_RULE rule DNAT_RULE1 match destination-address 192.168.3.102/32
user01@vSRX-02# set security nat destination rule-set DNAT_RULE rule DNAT_RULE1 match destination-port 22
user01@vSRX-02# set security nat destination rule-set DNAT_RULE rule DNAT_RULE1 then destination-nat pool POOL1
user01@vSRX-02# set security nat destination rule-set DNAT_RULE rule DNAT_RULE2 match destination-address 192.168.3.102/32
user01@vSRX-02# set security nat destination rule-set DNAT_RULE rule DNAT_RULE2 match destination-port 2222
user01@vSRX-02# set security nat destination rule-set DNAT_RULE rule DNAT_RULE2 then destination-nat pool POOL2
The configuration after completion of appropriate settings is as follows.
NAPT setting regarding a source IP address
security {
    nat {
        source {
            rule-set SNAT_RULE {
                from zone untrust;
                to zone trust;
                rule SNAT_RULE1 {
                    match {
                        source-address 192.168.3.0/24;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
}
NAT setting regarding the combination of a destination IP address and port number
security {
    nat {
        destination {
            pool POOL1 {
                address 192.168.1.11/32 port 22;
            }
            pool POOL2 {
                address 192.168.2.11/32 port 22;
            }
            rule-set DNAT_RULE {
                from zone untrust;
                rule DNAT_RULE1 {
                    match {
                        destination-address 192.168.3.102/32;
                        destination-port {
                            22;
                        }
                    }
                    then {
                        destination-nat {
                            pool {
                                POOL1;
                            }
                        }
                    }
                }
                rule DNAT_RULE2 {
                    match {
                        destination-address 192.168.3.102/32;
                        destination-port {
                            2222;
                        }
                    }
                    then {
                        destination-nat {
                            pool {
                                POOL2;
                            }
                        }
                    }
                }
            }
        }
    }
}
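The two rule-sets above interact in a fixed order on the SRX: destination NAT is applied first, the route lookup then runs on the translated destination (which is what selects ge-0/0/0 or ge-0/0/1 as the egress interface), and source NAT with `source-nat interface` runs last using that egress interface's address. A practical consequence is that the security policy (POL1 in the session output) is matched against the post-destination-NAT address, so it must permit traffic to 192.168.1.11 and 192.168.2.11, not to 192.168.3.102. The model below is an added example, not part of the original page or of Junos, that encodes the page's pools and rules as data and walks a packet through that order. The interface addresses and zone membership are taken from this page's session output; the directly connected routes, the `Packet` type and the `new_sport` placeholder for the port the box allocates are assumptions.

```python
import ipaddress
from dataclasses import dataclass, replace

# Lab addressing as it appears in this page's session output (lab values, not a general rule):
# each vSRX-02 interface address and the zone it belongs to.
IFACE_ADDR = {"ge-0/0/0.0": "192.168.1.102", "ge-0/0/1.0": "192.168.2.102",
              "ge-0/0/2.0": "192.168.3.102"}
IFACE_ZONE = {"ge-0/0/0.0": "trust", "ge-0/0/1.0": "trust", "ge-0/0/2.0": "untrust"}
# Assumed directly connected routes: destination network -> egress interface.
ROUTES = {"192.168.1.0/24": "ge-0/0/0.0", "192.168.2.0/24": "ge-0/0/1.0",
          "192.168.3.0/24": "ge-0/0/2.0"}

# The page's destination pools and rule-sets as data. Rules are evaluated top to bottom,
# first match wins.
DNAT_POOLS = {"POOL1": ("192.168.1.11", 22), "POOL2": ("192.168.2.11", 22)}
DNAT_RULESET = {"from_zone": "untrust", "rules": [
    {"name": "DNAT_RULE1", "dst": "192.168.3.102/32", "dport": 22, "pool": "POOL1"},
    {"name": "DNAT_RULE2", "dst": "192.168.3.102/32", "dport": 2222, "pool": "POOL2"},
]}
SNAT_RULESET = {"from_zone": "untrust", "to_zone": "trust", "rules": [
    {"name": "SNAT_RULE1", "src": "192.168.3.0/24", "then": "interface"},
]}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    in_zone: str


def in_net(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def route(dst):
    """Pick the egress interface; the assumed routes are disjoint /24s, so a linear scan is enough."""
    for net, ifname in ROUTES.items():
        if in_net(dst, net):
            return ifname
    raise LookupError(f"no route to {dst}")


def apply_dnat(pkt):
    """Destination NAT: matched on ingress zone, destination address and destination port."""
    if pkt.in_zone != DNAT_RULESET["from_zone"]:
        return pkt, None
    for rule in DNAT_RULESET["rules"]:
        if in_net(pkt.dst, rule["dst"]) and pkt.dport == rule["dport"]:
            ip, port = DNAT_POOLS[rule["pool"]]
            return replace(pkt, dst=ip, dport=port), rule["name"]
    return pkt, None


def apply_snat(pkt, egress_if, new_sport):
    """Source NAT: matched on ingress zone, egress zone and source address.
    'source-nat interface' rewrites the source to the egress interface address and
    allocates a fresh source port (NAPT); new_sport stands in for the allocated port."""
    if pkt.in_zone != SNAT_RULESET["from_zone"] or IFACE_ZONE[egress_if] != SNAT_RULESET["to_zone"]:
        return pkt, None
    for rule in SNAT_RULESET["rules"]:
        if in_net(pkt.src, rule["src"]) and rule["then"] == "interface":
            return replace(pkt, src=IFACE_ADDR[egress_if], sport=new_sport), rule["name"]
    return pkt, None


def translate(pkt, new_sport=27746):
    """Junos order for a new session: destination NAT, then the route lookup on the
    translated destination (which fixes the egress interface), then source NAT."""
    after_dnat, dnat_rule = apply_dnat(pkt)
    egress_if = route(after_dnat.dst)
    final, snat_rule = apply_snat(after_dnat, egress_if, new_sport)
    return {"packet": final, "egress_if": egress_if,
            "dnat_rule": dnat_rule, "snat_rule": snat_rule}


if __name__ == "__main__":
    for dport in (22, 2222, 80):
        r = translate(Packet("192.168.3.13", 57016, "192.168.3.102", dport, "untrust"))
        print(dport, "->", r["packet"], r["egress_if"], r["dnat_rule"], r["snat_rule"])
```

The port 22 case reproduces session 601 in the operation check that follows (192.168.1.11/22 reached from 192.168.1.102/27746 on ge-0/0/0.0); the port 2222 case reproduces session 602. A destination port with no DNAT rule (80 in the example) is left untouched, routes back to the vSRX's own ge-0/0/2 address and therefore never reaches the trust zone, so the source rule-set does not fire either.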
Operation check result
SSH communication from the virtual server to 192.168.3.102:22 and to 192.168.3.102:2222 was successful. Because the virtual servers 192.168.1.11 and 192.168.2.11 could be reached, NAPT combining the destination IP address and port number works as intended. In addition, the source of each session is translated on vSRX-02 to 192.168.1.102 or 192.168.2.102 respectively, which confirms that NAPT of the source IP address (192.168.3.0/24) is also working.
SSH from the virtual server (192.168.3.13) to 192.168.3.102:22 reaches 192.168.1.11, and the connection source seen by that server is 192.168.1.102.
user01@vRouter-03:~$ ssh user01@192.168.3.102 port 22
Welcome to Brocade Vyatta Network OS
user01@192.168.3.102's password:
Welcome to Brocade Vyatta Network OS
Version: 5.2R4
Description: Brocade Vyatta Network OS 5600 5.2R4 Standard
Last login: Tue Sep 19 07:12:12 2017 from 192.168.1.102
user01@vRouter-01:~$
SSH from the virtual server (192.168.3.13) to 192.168.3.102:2222 reaches 192.168.2.11, and the connection source seen by that server is 192.168.2.102.
user01@vRouter-03:~$ ssh user01@192.168.3.102 port 2222
Welcome to Brocade Vyatta Network OS
user01@192.168.3.102's password:
Welcome to Brocade Vyatta Network OS
Version: 5.2R4
Description: Brocade Vyatta Network OS 5600 5.2R4 Standard
Last login: Tue Sep 19 07:57:22 2017 from 192.168.2.102
user01@vRouter-02:~$
Result of NAPT status verification with vSRX-02
user01@vSRX-02> show security flow session
Session ID: 601, Policy name: POL1/6, Timeout: 1800, Valid
In: 192.168.3.13/57016 --> 192.168.3.102/22;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 2459, Bytes: 130963,
Out: 192.168.1.11/22 --> 192.168.1.102/27746;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 2439, Bytes: 369967,
Session ID: 602, Policy name: POL1/6, Timeout: 1800, Valid
In: 192.168.3.13/37124 --> 192.168.3.102/2222;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 2391, Bytes: 128003,
Out: 192.168.2.11/22 --> 192.168.2.102/26438;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 2368, Bytes: 358443,
Total sessions: 2