Archive for the ‘Juniper’ Category

Juniper SRX Static NAT

May 3rd, 2010

Static NAT is commonly used when you want to offer services on the Internet from a server that sits on a protected subnet using a private (RFC 1918) address scheme. In a previous article, I detailed the process of creating static NAT entries on a Fortigate 800 using the web interface. I will cover the same process, this time on a pair of Juniper SRX240H security gateways. The two gateways are configured as a chassis cluster (HA); this affects only the prompt you see and the interface names you use (reth interfaces instead of physical ports), not the static NAT commands themselves.


Unlike the process on the Fortigate, I will be configuring static NAT on the Juniper devices using the command line. There are several reasons for not using the Juniper web interface (J-Web) for configuring static NAT. First, I could not find a location in the J-Web interface to configure static NAT. Second, in my opinion, the J-Web interface is clumsy and slow. It might be good in certain situations, but the majority of the work I do on any equipment is done using the command line.

Keep in mind that a static NAT rule created for an internal host is bidirectional: it translates the public address to the private address for inbound traffic, and translates the host's private source address back to the same public address for traffic the host originates. Junos evaluates static NAT before destination NAT and source NAT, so a static NAT rule also takes precedence over your source NAT (NAT overload / interface NAT) rule, and the host will no longer appear on the Internet behind the shared outside address. Keep that in mind when troubleshooting.

Within Junos, static NAT is achieved with a rule set that is made up of one or more rules. In this case I will create a rule set named MY-COMPANY-STATIC. Within that rule set there will be rules for the mail server (R-MAIL) and the web server (R-WEB). In reality you can split your rule sets and rules up any way you like.

First, enter configuration mode and drop into the static NAT hierarchy using the following commands:

{primary:node0}
chris@SRX240H-01> configure
warning: Clustering enabled; using private edit
warning: uncommitted changes will be discarded on exit
Entering configuration mode

{primary:node0}[edit]
chris@SRX240H-01# edit security nat static

{primary:node0}[edit security nat static]
chris@SRX240H-01#

Next, create the rule set and define where the outside world (the Internet) enters the SRX. Static NAT rule sets are keyed on a "from" context, which can be a zone, an interface or a routing instance; in this case the "untrust" zone is the Internet.

{primary:node0}[edit security nat static]
chris@SRX240H-01# set rule-set MY-COMPANY-STATIC from zone untrust

The "from zone" statement can be a source of confusion, as some people take it to mean that the rules will only apply in one direction. It only defines the direction in which the destination-address match is evaluated (traffic arriving from untrust). Always keep in mind that static NAT rules apply to both inbound and outbound traffic: the reverse translation is applied automatically when the internal host sends traffic toward the untrust zone.

The next two commands create a rule for a particular destination. The first line of the rule defines the destination address that the rule should match on inbound traffic. Since the untrust zone is connected to the Internet, the destination address is set to the public IP address of the host (the mail server in this case).

{primary:node0}[edit security nat static]
chris@SRX240H-01# set rule-set MY-COMPANY-STATIC rule R-MAIL match destination-address 1.2.3.4/32

The second line of the rule defines the IP address that the destination should be translated to. In this case this is the private IP address of the server that resides in the trust zone of the SRX.

{primary:node0}[edit security nat static]
chris@SRX240H-01# set rule-set MY-COMPANY-STATIC rule R-MAIL then static-nat prefix 192.168.1.100/32

Both lines of the R-MAIL rule point to a specific host, as indicated by the 32-bit mask (/32). Junos also allows a prefix-to-prefix mapping (for example a /29 to a /29 of the same size), which translates the two blocks one-to-one, but the mask length on both sides must then match.

Now you must configure proxy ARP for the public IP addresses you are translating. The SRX does not have 1.2.3.4 configured on any interface, so without proxy ARP it would never answer the upstream router's ARP request for that address and inbound traffic would never reach the rule. The address must belong to the subnet configured on the untrust interface; if the public address you translate is the interface's own address, proxy ARP is not required.

To configure proxy ARP you have to be in the “edit security nat” section.

{primary:node0}[edit security nat static]
chris@SRX240H-01# up

{primary:node0}[edit security nat]
chris@SRX240H-01#

Now the set proxy-arp command is used. This command is given the interface on which you want proxy ARP to be performed, as well as the IP address (or range of addresses) for which the SRX should answer ARP requests.

{primary:node0}[edit security nat]
chris@SRX240H-01# set proxy-arp interface reth0.0 address 1.2.3.4

The interface reth0.0 is used because these configurations are being made on a pair of SRX240H’s that are in cluster mode. On a single SRX you would use an interface name such as ge-0/0/0.0.

At this point the static NAT configuration is complete, but it does not take effect until you commit it (on a cluster, a "commit" from the primary node synchronises both members). Most likely you will also have to create security policies for inbound and outbound traffic for the host, if you have not already done so. Note that policy lookup happens after static NAT has translated the destination, so the inbound policy from untrust to trust must match the server's private address (192.168.1.100), not the public address 1.2.3.4.
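As an added example (this is not configuration from the original post), here is the complete result of the steps above in Junos curly-brace format, as "show configuration security" would display it, extended with the second rule (R-WEB) the post mentions and with the inbound security policies the last paragraph refers to. The public address 1.2.3.5, the private addresses 192.168.1.100 and 192.168.1.101, the address-book entries MAIL-SERVER and WEB-SERVER and the policy names ALLOW-MAIL and ALLOW-WEB are assumptions for illustration; the zone-based address book matches the Junos releases of the SRX240H era, and the /* */ lines are Junos annotations.

```junos
security {
    nat {
        static {
            /* One rule set keyed on the zone the Internet arrives from. */
            rule-set MY-COMPANY-STATIC {
                from zone untrust;
                /* Public 1.2.3.4 <-> private mail server (bidirectional). */
                rule R-MAIL {
                    match {
                        destination-address 1.2.3.4/32;
                    }
                    then {
                        static-nat {
                            prefix 192.168.1.100/32;
                        }
                    }
                }
                /* Assumed second host: public 1.2.3.5 <-> private web server. */
                rule R-WEB {
                    match {
                        destination-address 1.2.3.5/32;
                    }
                    then {
                        static-nat {
                            prefix 192.168.1.101/32;
                        }
                    }
                }
            }
        }
        /* The SRX must answer ARP for every translated public address
           on the untrust interface (reth0.0 on a cluster, ge-x/y/z.0 on
           a single box); both must sit in the reth0.0 subnet. */
        proxy-arp {
            interface reth0.0 {
                address {
                    1.2.3.4/32;
                    1.2.3.5/32;
                }
            }
        }
    }
    zones {
        security-zone trust {
            /* Policies match the post-NAT (private) address, so the
               address book holds the private addresses, not the public ones. */
            address-book {
                address MAIL-SERVER 192.168.1.100/32;
                address WEB-SERVER 192.168.1.101/32;
            }
        }
    }
    policies {
        from-zone untrust to-zone trust {
            /* Only the services actually offered are opened; static NAT
               alone does not permit any traffic. */
            policy ALLOW-MAIL {
                match {
                    source-address any;
                    destination-address MAIL-SERVER;
                    application junos-smtp;
                }
                then {
                    permit;
                }
            }
            policy ALLOW-WEB {
                match {
                    source-address any;
                    destination-address WEB-SERVER;
                    application [ junos-http junos-https ];
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

After a "commit", "show security nat static rule all" lists both rules with their translation hit counters, and "show security flow session destination-prefix 192.168.1.100" shows inbound sessions already carrying the translated private destination, which is why the policy is written against MAIL-SERVER rather than 1.2.3.4. If the counters stay at zero while the upstream router reports the address as unreachable, check the proxy-arp entry before the rule itself.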

Categories: Firewalls, Juniper