NAT setting

Versions on which operation was confirmed: vSRX Version 15.1X49-D105.1, vSRX Version 19.2R1.8, vSRX Version 20.4R2

NAT (network address translation) can be configured on vSRX. This section provides setting examples for the source IP address translation function and the destination IP address translation function of vSRX.

NAT conversion of a source IP address

Translate the source IP address of communications initiated from a specific source IP address.

Presumed case for sample setting

  • To execute NAT for packets from a trust zone to an untrust zone

  • I want to translate the source IP address 192.168.2.11 to 192.168.3.200

[Figure vsrx_nat_fig1: verification configuration diagram]

Setting flow in a presumed case

1. Set the pool name used for NAT translation to POOL1 and set 192.168.3.200 as the translated address.
2. Set NAT for packets transmitted from a trust zone to an untrust zone.
3. Set the rule set used for source NAT as RULE and the rule as RULE1-1.
4. Set the source IP address (192.168.2.0/24) to be translated.
5. Apply POOL1 to the rule as the translated source IP address.

Note

The "port no-translation" setting performs NAT without changing the port number. When the port number is not changed, a pair of an IP address and port number that is already in use cannot be reused, so prepare a sufficient number of addresses in the NAT pool. If sufficient addresses cannot be prepared, see "NAPT conversion of a source IP address" and consider that approach instead.
The "proxy-arp" setting is needed when the source IP address is translated into an IP address that is not assigned to an interface: without it, vSRX does not reply when the peer device sends an ARP request for that address, and communication is not possible. The setting makes vSRX reply to ARP requests for the IP address that is not actually configured on the interface.

Commands to enter in the CLI

user01@vSRX-02# set security nat source pool POOL1 address 192.168.3.200/32
user01@vSRX-02# set security nat source pool POOL1 port no-translation
user01@vSRX-02# set security nat source rule-set RULE from zone trust
user01@vSRX-02# set security nat source rule-set RULE to zone untrust
user01@vSRX-02# set security nat source rule-set RULE rule RULE1-1 match source-address 192.168.2.0/24
user01@vSRX-02# set security nat source rule-set RULE rule RULE1-1 then source-nat pool POOL1
user01@vSRX-02# set security nat proxy-arp interface ge-0/0/2.0 address 192.168.3.200/32

The configuration after these settings are applied is as follows.

security {
       nat {
           source {
               pool POOL1 {
                   address {
                       192.168.3.200/32;
                   }
                   port {
                       no-translation;
                   }
               }
               rule-set RULE {
                   from zone trust;
                   to zone untrust;
                   rule RULE1-1 {
                       match {
                           source-address 192.168.2.0/24;
                       }
                       then {
                           source-nat {
                               pool {
                                   POOL1;
                               }
                           }
                       }
                   }
               }
           }
           proxy-arp {
               interface ge-0/0/2.0 {
                   address {
                       192.168.3.200/32;
                   }
               }
           }
       }
}

Operation check result

When the virtual server (192.168.2.11) communicates with the virtual server (192.168.3.13) in the verification configuration diagram, the source address is translated to 192.168.3.200 by vSRX-02, which confirms that NAT of the source IP address is working.

Communication confirmation result from virtual server (192.168.2.11) to virtual server (192.168.3.13)

user01@vRouter-02:~$ ping 192.168.3.13 count 5
PING 192.168.3.13 (192.168.3.13) 56(84) bytes of data.
64 bytes from 192.168.3.13: icmp_seq=1 ttl=63 time=3.97 ms
64 bytes from 192.168.3.13: icmp_seq=2 ttl=63 time=1.42 ms
64 bytes from 192.168.3.13: icmp_seq=3 ttl=63 time=1.25 ms
64 bytes from 192.168.3.13: icmp_seq=4 ttl=63 time=1.38 ms
64 bytes from 192.168.3.13: icmp_seq=5 ttl=63 time=1.25 ms

--- 192.168.3.13 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 1.250/1.856/3.971/1.060 ms

Result of NAT operation verification with vSRX

user01@vSRX-02> show security flow session
Session ID: 107, Policy name: default-permit/5, Timeout: 1786, Valid
  In: 192.168.2.11/33606 --> 192.168.3.13/22;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 33, Bytes: 4127,
  Out: 192.168.3.13/22 --> 192.168.3.200/33606;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 29, Bytes: 4979,
Total sessions: 1

NAT conversion of a destination IP address

Translate the destination IP address of communications addressed to a specific IP address.

Presumed case for sample setting

  • To execute NAT for packets that come from an untrust zone

  • I want communication addressed to 192.168.3.102 to be translated by NAT to 192.168.2.11.

[Figure vsrx_nat_fig2: verification configuration diagram]

Setting flow in a presumed case

1. Set the pool name used for NAT translation to POOL1 and set 192.168.2.11 as the translated address.
2. Set NAT for packets that come from an untrust zone.
3. Set the rule set used for destination NAT as RULE1 and the rule as RULE1-1.
4. Set the destination IP address to be translated.
5. Set POOL1 as the translated destination IP address.

Commands to enter in the CLI

user01@vSRX-02# set security nat destination pool POOL1 address 192.168.2.11/32
user01@vSRX-02# set security nat destination rule-set RULE1 from zone untrust
user01@vSRX-02# set security nat destination rule-set RULE1 rule RULE1-1 match destination-address 192.168.3.102/32
user01@vSRX-02# set security nat destination rule-set RULE1 rule RULE1-1 then destination-nat pool POOL1

The configuration after these settings are applied is as follows.

security {
        nat {
            destination {
                pool POOL1 {
                    address 192.168.2.11/32;
                }
                rule-set RULE1 {
                    from zone untrust;
                    rule RULE1-1 {
                        match {
                            destination-address 192.168.3.102/32;
                        }
                        then {
                            destination-nat {
                                pool {
                                    POOL1;
                                }
                            }
                        }
                    }
                }
            }
        }
}

Operation check result

Communication from the virtual server (192.168.3.13) to vSRX-02 (192.168.3.102) in the verification configuration diagram is translated by NAT and reaches 192.168.2.11 successfully, which confirms that NAT of the destination IP address is working.

Communication result from virtual server (192.168.3.13) to vSRX-02 (192.168.3.102)

vRouter-03:~$ ssh user01@192.168.3.102
Welcome to Brocade Vyatta Network OS

user01@192.168.3.102's password:
Welcome to Brocade Vyatta Network OS
Version:      5.2R4
Description:  Brocade Vyatta Network OS 5600 5.2R4 Standard
Last login: Mon Sep 18 09:46:49 2017 from 192.168.2.102
user01@vRouter-02:~$

Result of NAT operation verification with vSRX-02

user01@vSRX-02> show security flow session
Session ID: 2026, Policy name: POL1/6, Timeout: 1800, Valid
  In: 192.168.3.13/56922 --> 192.168.3.102/22;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 118, Bytes: 9159,
  Out: 192.168.2.11/22 --> 192.168.3.13/56922;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 97, Bytes: 14543,
Total sessions: 1

user01@vSRX-02>

NAPT conversion of a source IP address

Translate the source IP address and port number (NAPT) of communications initiated from a specific source IP address.

Presumed case for sample setting

  • To execute NAPT for packets from a trust zone to an untrust zone

  • I want to translate the source IP address 192.168.2.11 to the IP address of the output interface

[Figure vsrx_nat_fig3: verification configuration diagram]

Setting flow in a presumed case

1. Set NAPT for communications from a trust zone to an untrust zone.
2. Set the NAPT rule set for translation of the source IP address as RULE1, and the rule as RULE1-1.
3. Set the source IP address subject to NAPT (192.168.2.11/32).
4. Set the translated IP address to the address of the output interface.

Commands to enter in the CLI

user01@vSRX-02# set security nat source rule-set RULE1 from zone trust
user01@vSRX-02# set security nat source rule-set RULE1 to zone untrust
user01@vSRX-02# set security nat source rule-set RULE1 rule RULE1-1 match source-address 192.168.2.11/32
user01@vSRX-02# set security nat source rule-set RULE1 rule RULE1-1 then source-nat interface

The configuration after these settings are applied is as follows.

security {
       nat {
           source {
               rule-set RULE1 {
                   from zone trust;
                   to zone untrust;
                   rule RULE1-1 {
                       match {
                           source-address 192.168.2.11/32;
                       }
                       then {
                           source-nat {
                               interface;
                           }
                       }
                   }
               }
           }
       }
}

Operation check result

When the virtual server (192.168.2.11) communicates with 192.168.3.13 in the verification configuration diagram, the source address is translated to 192.168.3.102 on vSRX-02, which confirms that NAPT of the source IP address (192.168.2.11) is working.

Communication result from virtual server (192.168.2.11) to virtual server (192.168.3.13)

vRouter-02:~$ ping 192.168.3.13 count 5
PING 192.168.3.13 (192.168.3.13) 56(84) bytes of data.
64 bytes from 192.168.3.13: icmp_seq=1 ttl=63 time=3.59 ms
64 bytes from 192.168.3.13: icmp_seq=2 ttl=63 time=1.13 ms
64 bytes from 192.168.3.13: icmp_seq=3 ttl=63 time=0.807 ms
64 bytes from 192.168.3.13: icmp_seq=4 ttl=63 time=1.21 ms
64 bytes from 192.168.3.13: icmp_seq=5 ttl=63 time=1.33 ms

--- 192.168.3.13 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4003ms
rtt min/avg/max/mdev = 0.807/1.619/3.598/1.004 ms
vRouter-02:~$

Result of NAPT status verification with vSRX-02

user01@vSRX-02> show security flow session
Session ID: 1443, Policy name: default-permit/5, Timeout: 1798, Valid
  In: 192.168.2.11/33578 --> 192.168.3.13/22;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 119, Bytes: 9067,
  Out: 192.168.3.13/22 --> 192.168.3.102/17879;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 101, Bytes: 15447,
Total sessions: 1

user01@vSRX-02>

NAPT of a destination IP address and port number

Configure NAPT so that communications addressed to a specific destination IP address and port number are translated to a specified IP address and port number.

Presumed case for sample setting

  • I want communication from 192.168.3.13 to 192.168.3.102 TCP port 2222 to be translated into communication to 192.168.1.11 TCP port 22

  • To execute NAPT for packets that come from an untrust zone

[Figure vsrx_nat_fig4: verification configuration diagram]

Setting flow in a presumed case

1. Set the pool name used for NAT translation to POOL2 and set 192.168.1.11 port 22 as the translated address.
2. Set the destination NAT rule set as RULE1.
3. Set NAPT for packets that come from an untrust zone.
4. Set the NAPT rule for the IP address (192.168.3.102) and port number 2222 that are the translation targets as RULE1-1.
5. Set POOL2 as the translated destination IP address.

Commands to enter in the CLI

user01@vSRX-02# set security nat destination pool POOL2 address 192.168.1.11/32 port 22
user01@vSRX-02# set security nat destination rule-set RULE1 from zone untrust
user01@vSRX-02# set security nat destination rule-set RULE1 rule RULE1-1 match destination-address 192.168.3.102/32
user01@vSRX-02# set security nat destination rule-set RULE1 rule RULE1-1 match destination-port 2222
user01@vSRX-02# set security nat destination rule-set RULE1 rule RULE1-1 then destination-nat pool POOL2

The configuration after these settings are applied is as follows.

security {
       nat {
           destination {
             pool POOL2 {
                   address 192.168.1.11/32 port 22;
             }
             rule-set RULE1 {
                 from zone untrust;
                 rule RULE1-1 {
                       match {
                           destination-address 192.168.3.102/32;
                           destination-port {
                               2222;
                           }
                       }
                       then {
                           destination-nat {
                               pool {
                                   POOL2;
                               }
                           }
                       }
                   }
             }
           }
       }
}

Operation check result

Communication from the virtual server (192.168.3.13) in the verification configuration diagram to vSRX-02 (192.168.3.102) port 2222 is translated by NAPT, and SSH communication to 192.168.1.11 port 22 succeeds, which confirms that NAPT of the IP address and port number is working.

Communication result from virtual server (192.168.3.13) to virtual server (192.168.1.11)

user01@vRouter-03:~$ ssh user01@192.168.3.102 port 2222
Welcome to Brocade Vyatta Network OS

user01@192.168.3.102's password:
Welcome to Brocade Vyatta Network OS
Version:      5.2R4
Description:  Brocade Vyatta Network OS 5600 5.2R4 Standard
Last login: Mon Sep 18 15:49:53 2017 from 192.168.3.13
user01@vRouter-01:~$

Result of NAPT operation verification with vSRX-02

user01@vSRX-02> show security flow session
Session ID: 459, Policy name: POL1/6, Timeout: 1800, Valid
  In: 192.168.3.13/37106 --> 192.168.3.102/2222;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 201, Bytes: 13403,
  Out: 192.168.2.11/22 --> 192.168.3.13/37106;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 179, Bytes: 27191,
Total sessions: 2

user01@vSRX-02>

Combining destination NAPT with NAPT of a source IP address

Presumed case for sample setting

  • I want communication from 192.168.3.13 to TCP port 2222 of destination 192.168.3.102 to be addressed to 192.168.2.12

  • I want communication from 192.168.3.13 to TCP port 22 of destination 192.168.3.102 to be addressed to 192.168.1.11.

  • To perform destination NAT on traffic that enters interface ge-0/0/2

  • To perform NAPT on packets whose source IP address is in 192.168.3.0/24

  • To translate the source IP address of packets leaving each trust zone interface (ge-0/0/0, ge-0/0/1) into that interface's address

[Figure vsrx_nat_fig5: verification configuration diagram]

Setting flow in a presumed case

  • NAPT setting for the source IP address

1. Set NAPT for communications from an untrust zone to a trust zone.
2. Set the name of the rule set for translating the source IP address to SNAT_RULE.
3. Set the IP addresses subject to NAPT (192.168.3.0/24) in rule SNAT_RULE1.
4. Translate the source IP address into the address of the output interface.

  • NAT setting for the combination of a destination IP address and port number

1. Set NAT for communications from an untrust zone to a trust zone.
2. Set 192.168.1.11 port 22 in the pool POOL1 used for NAT translation.
3. Set 192.168.2.11 port 22 in the pool POOL2 used for NAT translation.
4. Set the NAT rule for the translation target IP address (192.168.3.102) and port 22 as DNAT_RULE1.
5. Use POOL1 as the translated destination IP address.
6. Set the NAT rule for the translation target IP address (192.168.3.102) and port 2222 as DNAT_RULE2.
7. Use POOL2 as the translated destination IP address.

Commands to enter in the CLI

NAPT setting regarding a source IP address

user01@vSRX-02# set security nat source rule-set SNAT_RULE from zone untrust
user01@vSRX-02# set security nat source rule-set SNAT_RULE to zone trust
user01@vSRX-02# set security nat source rule-set SNAT_RULE rule SNAT_RULE1 match source-address 192.168.3.0/24
user01@vSRX-02# set security nat source rule-set SNAT_RULE rule SNAT_RULE1 then source-nat interface

NAT setting regarding the combination of a destination IP address and port number

user01@vSRX-02# set security nat destination pool POOL1 address 192.168.1.11/32 port 22
user01@vSRX-02# set security nat destination pool POOL2 address 192.168.2.11/32 port 22
user01@vSRX-02# set security nat destination rule-set DNAT_RULE from zone untrust
user01@vSRX-02# set security nat destination rule-set DNAT_RULE rule DNAT_RULE1 match destination-address 192.168.3.102/32
user01@vSRX-02# set security nat destination rule-set DNAT_RULE rule DNAT_RULE1 match destination-port 22
user01@vSRX-02# set security nat destination rule-set DNAT_RULE rule DNAT_RULE1 then destination-nat pool POOL1
user01@vSRX-02# set security nat destination rule-set DNAT_RULE rule DNAT_RULE2 match destination-address 192.168.3.102/32
user01@vSRX-02# set security nat destination rule-set DNAT_RULE rule DNAT_RULE2 match destination-port 2222
user01@vSRX-02# set security nat destination rule-set DNAT_RULE rule DNAT_RULE2 then destination-nat pool POOL2

The configuration after these settings are applied is as follows.

NAPT setting regarding a source IP address

security {
        nat {
             source {
                 rule-set SNAT_RULE {
                     from zone untrust;
                     to zone trust;
                     rule SNAT_RULE1 {
                         match {
                             source-address 192.168.3.0/24;
                         }
                         then {
                             source-nat {
                                 interface;
                             }
                         }
                     }
                 }
             }
        }
}

NAT setting regarding the combination of a destination IP address and port number

security {
        nat {
            destination {
                pool POOL1 {
                    address 192.168.1.11/32 port 22;
                }
                pool POOL2 {
                    address 192.168.2.11/32 port 22;
                }
                rule-set DNAT_RULE {
                    from zone untrust;
                    rule DNAT_RULE1 {
                        match {
                            destination-address 192.168.3.102/32;
                            destination-port {
                                22;
                            }
                        }
                        then {
                            destination-nat {
                                pool {
                                    POOL1;
                                }
                            }
                        }
                    }
                    rule DNAT_RULE2 {
                        match {
                            destination-address 192.168.3.102/32;
                            destination-port {
                                2222;
                            }
                        }
                        then {
                            destination-nat {
                                pool {
                                    POOL2;
                                }
                            }
                        }
                    }
                }
            }
        }
}

Operation check result

SSH communication from the virtual server to 192.168.3.102:22 and 192.168.3.102:2222 succeeded and reached the virtual servers 192.168.1.11 and 192.168.2.11 respectively, which confirms that NAPT of the combined destination IP address and port number works. During this communication the source address is translated to 192.168.1.102 and 192.168.2.102 respectively on vSRX-02, which confirms the NAPT function for the source IP address (192.168.3.0/24).

SSH communication from the virtual server (192.168.3.13) to 192.168.3.102:22 reaches 192.168.1.11, and the connection source seen there is 192.168.1.102.

user01@vRouter-03:~$ ssh user01@192.168.3.102 port 22
Welcome to Brocade Vyatta Network OS

user01@192.168.3.102's password:
Welcome to Brocade Vyatta Network OS
Version:      5.2R4
Description:  Brocade Vyatta Network OS 5600 5.2R4 Standard
Last login: Tue Sep 19 07:12:12 2017 from 192.168.1.102
user01@vRouter-01:~$

SSH communication from the virtual server (192.168.3.13) to 192.168.3.102:2222 reaches 192.168.2.11, and the connection source seen there is 192.168.2.102.

user01@vRouter-03:~$ ssh user01@192.168.3.102 port 2222
Welcome to Brocade Vyatta Network OS

user01@192.168.3.102's password:
Welcome to Brocade Vyatta Network OS
Version:      5.2R4
Description:  Brocade Vyatta Network OS 5600 5.2R4 Standard
Last login: Tue Sep 19 07:57:22 2017 from 192.168.2.102
user01@vRouter-02:~$

Result of NAPT status verification with vSRX-02

user01@vSRX-02> show security flow session
Session ID: 601, Policy name: POL1/6, Timeout: 1800, Valid
  In: 192.168.3.13/57016 --> 192.168.3.102/22;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 2459, Bytes: 130963,
  Out: 192.168.1.11/22 --> 192.168.1.102/27746;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 2439, Bytes: 369967,

Session ID: 602, Policy name: POL1/6, Timeout: 1800, Valid
  In: 192.168.3.13/37124 --> 192.168.3.102/2222;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 2391, Bytes: 128003,
  Out: 192.168.2.11/22 --> 192.168.2.102/26438;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 2368, Bytes: 358443,
Total sessions: 2
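As an added verification helper (not part of the original page), the following Python script parses the `show security flow session` output shown in the operation check results of this section and reports, per session, which translation the In and Out wings reveal: source NAT with the port kept, source NAPT, destination NAT, or destination NAPT. The embedded sample is constructed from the session records printed above; the function names are the example's own.

```python
import re
from collections import namedtuple

# Constructed sample: the four session records shown on this page, concatenated.
SAMPLE = """\
Session ID: 107, Policy name: default-permit/5, Timeout: 1786, Valid
  In: 192.168.2.11/33606 --> 192.168.3.13/22;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 33, Bytes: 4127,
  Out: 192.168.3.13/22 --> 192.168.3.200/33606;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 29, Bytes: 4979,
Session ID: 2026, Policy name: POL1/6, Timeout: 1800, Valid
  In: 192.168.3.13/56922 --> 192.168.3.102/22;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 118, Bytes: 9159,
  Out: 192.168.2.11/22 --> 192.168.3.13/56922;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 97, Bytes: 14543,
Session ID: 1443, Policy name: default-permit/5, Timeout: 1798, Valid
  In: 192.168.2.11/33578 --> 192.168.3.13/22;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 119, Bytes: 9067,
  Out: 192.168.3.13/22 --> 192.168.3.102/17879;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 101, Bytes: 15447,
Session ID: 601, Policy name: POL1/6, Timeout: 1800, Valid
  In: 192.168.3.13/57016 --> 192.168.3.102/22;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 2459, Bytes: 130963,
  Out: 192.168.1.11/22 --> 192.168.1.102/27746;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 2439, Bytes: 369967,
Total sessions: 4
"""

SESSION_RE = re.compile(r"^Session ID:\s+(\d+),\s+Policy name:\s+(\S+),")
WING_RE = re.compile(
    r"^\s*(In|Out):\s+([\d.]+)/(\d+)\s+-->\s+([\d.]+)/(\d+);(\w+),.*?\bIf:\s+([^\s,]+),")
Wing = namedtuple("Wing", "src_ip src_port dst_ip dst_port proto ifname")

def parse_sessions(text):
    """Parse `show security flow session` text into {session_id: {"policy", "in", "out"}}."""
    sessions, cur = {}, None
    for line in text.splitlines():
        if m := SESSION_RE.match(line):
            cur = {"policy": m.group(2), "in": None, "out": None}
            sessions[int(m.group(1))] = cur
        elif (m := WING_RE.match(line)) and cur is not None:
            d, s_ip, s_port, d_ip, d_port, proto, ifname = m.groups()
            cur[d.lower()] = Wing(s_ip, int(s_port), d_ip, int(d_port), proto, ifname)
    return sessions

def translated(sess):
    """Initiating packet after NAT as (src_ip, src_port, dst_ip, dst_port). The Out wing is
    the reply flow: its destination is the translated source, its source the translated destination."""
    o = sess["out"]
    return (o.dst_ip, o.dst_port, o.src_ip, o.src_port)

def classify_nat(sess):
    """Name the translations vSRX applied by comparing the In wing with translated()."""
    i = sess["in"]
    t_src_ip, t_src_port, t_dst_ip, t_dst_port = translated(sess)
    kinds = []
    if t_src_ip != i.src_ip:    # source pool (port kept) or interface NAPT (port rewritten)
        kinds.append("source-napt" if t_src_port != i.src_port else "source-nat")
    if t_dst_ip != i.dst_ip:    # destination pool, with or without a port in the pool
        kinds.append("destination-napt" if t_dst_port != i.dst_port else "destination-nat")
    return kinds or ["none"]

def audit(text):
    """Map each complete session to the list of translation kinds observed on it."""
    return {sid: classify_nat(s) for sid, s in parse_sessions(text).items()
            if s["in"] and s["out"]}

if __name__ == "__main__":
    for sid, kinds in audit(SAMPLE).items():
        print(f"session {sid}: {', '.join(kinds)}")
```

A session whose Out wing is simply the reverse of its In wing is reported as "none", which is what a mis-ordered rule set or a missing zone match looks like in this output.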