Tuesday, 28 June 2011

SRX Static NAT - One to One

Here is a simple example of a static one-to-one NAT. My goal is to reach the host machine from the Internet on 15.243.192.104/32 via RDP (TCP 3389).

As RDP is still not a pre-defined application/service on Juniper devices, we have to define it ourselves:
root@host# set applications application RDP_TCP_3389 protocol tcp destination-port 3389

We now need to configure the proxy-ARP address that we will be using for the forward, so that the SRX answers ARP requests for the public address on fe-0/0/0:
root@host# set security nat proxy-arp interface fe-0/0/0 address 15.243.192.104/32

We now need to create the static NAT rule-set Incoming_NAT01 and add the rule Incoming_Rule1 to it; the rule is where the translation occurs:
root@host# set security nat static rule-set Incoming_NAT01 from zone Untrust_Zone
root@host# set security nat static rule-set Incoming_NAT01 rule Incoming_Rule1 match destination-address 15.243.192.104/32
root@host# set security nat static rule-set Incoming_NAT01 rule Incoming_Rule1 then static-nat prefix 172.16.201.3 routing-instance Trust-VR

Before we create the policy we need to define the end host in the Trust_Zone address book:
root@host# set security zones security-zone Trust_Zone address-book address LAB_HOST_01 172.16.201.3/32

Finally we create the security policy Incoming_POL01 that will actually let the traffic through the SRX, remembering as always to enable logging and counting:
root@host# set security policies from-zone Untrust_Zone to-zone Trust_Zone policy Incoming_POL01 match source-address any destination-address LAB_HOST_01 application RDP_TCP_3389
root@host# set security policies from-zone Untrust_Zone to-zone Trust_Zone policy Incoming_POL01 then permit
root@host# set security policies from-zone Untrust_Zone to-zone Trust_Zone policy Incoming_POL01 then log session-init
root@host# set security policies from-zone Untrust_Zone to-zone Trust_Zone policy Incoming_POL01 then log session-close
root@host# set security policies from-zone Untrust_Zone to-zone Trust_Zone policy Incoming_POL01 then count
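As an added example (not part of the original post and not a Juniper tool), here is a small hypothetical Python checker that parses the set commands above, in the form 'show configuration | display set' prints them, and cross-checks the pieces a static NAT forward depends on: the proxy-ARP entry for the public address, the static-nat prefix, the matching address-book entry, and a policy that permits, logs and counts the flow. It also flags a policy whose source-address is any, so that exposing the host to the whole Internet is a deliberate choice rather than an oversight. The configuration string is constructed from the post.

```python
import re

# Constructed sample: the post's set commands, as 'show configuration | display set' would print them.
SRX_SET_CONFIG = """\
set applications application RDP_TCP_3389 protocol tcp destination-port 3389
set security nat proxy-arp interface fe-0/0/0 address 15.243.192.104/32
set security nat static rule-set Incoming_NAT01 from zone Untrust_Zone
set security nat static rule-set Incoming_NAT01 rule Incoming_Rule1 match destination-address 15.243.192.104/32
set security nat static rule-set Incoming_NAT01 rule Incoming_Rule1 then static-nat prefix 172.16.201.3 routing-instance Trust-VR
set security zones security-zone Trust_Zone address-book address LAB_HOST_01 172.16.201.3/32
set security policies from-zone Untrust_Zone to-zone Trust_Zone policy Incoming_POL01 match source-address any destination-address LAB_HOST_01 application RDP_TCP_3389
set security policies from-zone Untrust_Zone to-zone Trust_Zone policy Incoming_POL01 then permit
set security policies from-zone Untrust_Zone to-zone Trust_Zone policy Incoming_POL01 then log session-init
set security policies from-zone Untrust_Zone to-zone Trust_Zone policy Incoming_POL01 then log session-close
set security policies from-zone Untrust_Zone to-zone Trust_Zone policy Incoming_POL01 then count
"""
REQUIRED_ACTIONS = {"permit", "log session-init", "log session-close", "count"}

def check_static_nat(config):
    """Hypothetical checker (not a Juniper tool): return findings for a one-to-one static NAT snippet."""
    findings = []
    proxy_arp = set(re.findall(r"proxy-arp interface \S+ address (\S+)", config))
    dst_match = dict(re.findall(r"static rule-set \S+ rule (\S+) match destination-address (\S+)", config))
    prefixes = dict(re.findall(r"static rule-set \S+ rule (\S+) then static-nat prefix (\S+)", config))
    book = dict(re.findall(r"address-book address (\S+) (\S+)", config))
    policies = re.findall(r"policy (\S+) match source-address (\S+) destination-address (\S+) ", config)
    for rule, public in dst_match.items():
        if public not in proxy_arp:  # without proxy-arp the SRX never answers ARP for the public IP
            findings.append(f"{rule}: no proxy-arp entry for {public}")
        private = prefixes.get(rule)
        if private is None:
            findings.append(f"{rule}: match has no static-nat prefix")
            continue
        names = {n for n, a in book.items() if a.split("/")[0] == private}
        hits = [(pol, src) for pol, src, dst in policies if dst in names]
        if not hits:  # translation would happen, but no policy lets the flow through
            findings.append(f"{rule}: no security policy permits traffic to {private}")
        for pol, src in hits:
            actions = set(re.findall(rf"policy {re.escape(pol)} then (\S+(?: \S+)?)", config))
            for missing in sorted(REQUIRED_ACTIONS - actions):
                findings.append(f"{pol}: missing 'then {missing}'")
            if src == "any":  # reachable from every Internet source; make sure that is intended
                findings.append(f"{pol}: source-address any exposes {private} to the whole Internet")
    return findings

if __name__ == "__main__":
    print("\n".join(check_static_nat(SRX_SET_CONFIG)) or "no findings")
```

Run against the post's configuration, the only finding is the source-address any warning; dropping the proxy-arp line or one of the log actions produces a finding for each.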

1 comment:

  1. Wow, what was Juniper thinking when they wrote their NAT? They should at least have made it easier by putting together a good GUI that makes it easier.
