Saturday, May 1, 2021

Juniper Networks SRX Firewall Destination NAT

Destination NAT is the translation of the destination IP address of a packet entering the Juniper Networks device. Destination NAT is used to redirect traffic destined to a virtual host (identified by the original destination IP address) to the real host (identified by the translated destination IP address). This is common when you want external IP address from the Untrust zone/Internet to a host behind the SRX Firewall, i.e. Trust or DMZ zone.

I configured Source NAT in my previous post. This time I created a Destination NAT to permit FTP (TCP port 21) from host 192.168.1.100 (Windows 10) in the Untrust Zone to 172.16.1.100 (to be mapped to vSRX WAN IP 192.168.1.150), which is in the Trust Zone.

Notice the FTP connection timed out since there's no Destination NAT configured yet in vSRX.

Go to Configure > NAT > Destination > either click Add (manual) or Launch Wizard

I chose the Launch Wizard for a guided steps.

Notice the network diagram visualize the NAT type to be configured.

 

Select Destination NAT > click Start. 

 

Notice there's no Destination NAT rules configured. Click Add.

Type a Rule Name: DEST_NAT_FTP > under Traffic Direction > select From: Zone (default).

Select untrust > click >> (double right arrows) to move untrust to the right column.

 

Under Matching Addresses and Ports > type Destination Address: 192.168.1.150 (ge-0/0/0.0 WAN IP address) > type Destination port: 21 (or you can specify a custom port) > click Next.

 

Under Rule Action > select NAT To: Address Range.

Click Edit (pencil icon).

Type Addresses: 172.16.1.100 (Windows 7 VM) > type Port: 21 > click Done.

Click Next.

Review the summary before Commit.

Click Commit to apply the changes.

Click Yes to exit.

Under Destination Rule Set > click Refresh (circle arrow). Notice the newly created Destination NAT rule is displayed.

Below is a typical packet flow being processed in a Juniper SRX Firewall.

You also need to add a Security policy to permit FTP traffic from the Untrust to Trust zone.

 

Go to Configure > Security > Security Policy > select From Zone: all > select To Zone: all.

 

Notice there's no Security Policy on the Policy Context: Untrust to Trust zone. Click Add.

 

Under Policy tab > type Policy Name: FTP_UNTRUST_TRUST > select Policy Action: permit.

Under Policy Context > select Zone (default) > select From Zone: untrust > To Zone: Destination Zone.

 

A Policy Context is the combination of From-Zone and To-Zone pair/direction.

 

It's best practice to put explicit Security Policy on top in order not to be overshadowed by other rules.

 

Under Source Address > select any-ipv4 > move to the Selected column to the right.

 

Under Destination Address > select: Add New Destination Address > type Address Name: WIN7-VM (Address Book entry) > type Address: 172.16.1.100 > click Add.

 

An Address Book is an alias for a host or range IP address and are components or building blocks, that are referenced in other configurations such as security policies, security zones, and NAT. This is similar to the Host or Service Objects in a Cisco ASA Firewall.

 

Under Destination Address > select the newly created Address Book entry: WIN7-VM > move to the Selected column on the right.

 

Skip Source Identity > under Applications > Search: ftp > select junos-ftp > move to the Selected column on the right.


Go to Logging tab > select: Log at Session Init Time.

Leave the default setting in the other tabs.


Click OK.

Notice the new Security Policy rule created (bottom). You can filter or narrow down a specific Policy Context by selecting the From Zone: untrust > To Zone: trust > click Filter.


Click Commit > Commit.

I was able to FTP from 192.168.1.100 (Windows 10) to 192.168.1.150, which is the vSRX WAN IP address.



You can view the NAT Translation hits under Monitor > NAT > Destination NAT.


Below are some useful SRX CLI show commands.

 

root@vSRX-1> show security ?

Possible completions:

  advance-policy-based-routing  Show advance policy based routing information

  alarms               Show active security alarm information

  alg                  Show ALG security services information

  application-firewall  Show security application firewall policies

  application-tracking  Show Application tracking information

  dns-cache            Show DNS cache of firewall policy

  dynamic-address      Security dynamic address name

  dynamic-policies     Show security firewall dynamic policies

  firewall-authentication  Show firewall authentication tables, information

  flow                 Show flow information

  forward-options      Show forward-options status

  gprs                 Show GPRS information

  group-vpn            Show Group VPN Security information

  idp                  Show Intrusion Detection and Prevention information

  ike                  Show Internet Key Exchange information

  internal-security-association  Show internal security association

  ipsec                Show IP Security information

  keychain             Show all protocols keychain

  log                  Show auditable security log information

  match-policies       Show security match policies

  monitoring           Show security SPU monitoring information

  nat                  Show Network Address Translation information

  pki                  Show public-key infrastructure information

  policies             Show security firewall policies

  resource-manager     Show resource manager security services information

  screen               Show screen service information

  shadow-policies      Show security shadow policies

  softwires            Show softwire information

  ssh                  Show SSH information

  tcp-encap            Show TCP encapsulation information

  user-identification  Show user-identification information

  utm                  Show security utm information

  zones                Show security zone information

root@vSRX-1> show security nat ?

Possible completions:

  destination          Show destination NAT information

  interface-nat-ports  Show interface nat ports information

  resource-usage       Show NAT resource usage information

  source               Show source NAT information

  static               Show static NAT information

root@vSRX-1> show security nat destination ?

Possible completions:

  pool                 Show destination NAT address-pool information

  rule                 Show destination NAT rule-set information

  rule-application     Show destination NAT rule application information

  summary              Show destination NAT summary information

root@vSRX-1> show security nat destination pool ?

Possible completions:

  <pool-name>          Destination address pool name

  DEST_NAT_FTP        

  all                  Display all destination NAT address-pool information

 

root@vSRX-1> show security nat destination pool DEST_NAT_FTP

Pool name       : DEST_NAT_FTP

Pool id         : 1

Total address   : 1

Translation hits: 6

Address range                        Port

   172.16.1.100 - 172.16.1.100         21

 

 

root@vSRX-1> show security nat destination rule ?              

Possible completions:

  <rule-name>          Destination NAT rule name

  all                  Display all destination NAT rule-sets information

 

root@vSRX-1> show security nat destination rule all                

Total destination-nat rules: 1

Total referenced IPv4/IPv6 ip-prefixes: 1/0

Destination NAT rule: DEST_NAT_FTP           Rule-set: DEST_NAT_FTP

  Rule-Id                    : 1

  Rule position              : 1

  From zone                  : untrust

    Destination addresses    : 192.168.1.150   - 192.168.1.150

    Destination port         : 21              - 21

  Action                     : DEST_NAT_FTP

  Translation hits           : 6

    Successful sessions      : 3

    Failed sessions          : 3

  Number of sessions         : 1

 

 

root@vSRX-1> show security nat destination summary    

Total pools: 1

Pool name            Address                           Routing        Port  Total

                     Range                             Instance             Address

DEST_NAT_FTP         172.16.1.100   - 172.16.1.100                    21    1  

 

Total rules: 1

Rule name            Rule set       From                               Action

DEST_NAT_FTP         DEST_NAT_FTP   untrust                            DEST_NAT_FTP

 

 

You can view the NAT session table using the show security flow session command and narrow down the output being displayed, i.e. using a source prefix.

 

Notice an FTP ALG (Application Layer Gateway) is used to statefully monitor and permit FTP traffic. This is similar to Cisco ASA Firewall Application Layer inspection engine.

 

root@vSRX-1> show security flow session ?            

Possible completions:

  <[Enter]>            Execute this command

  advanced-anti-malware  Show advanced-anti-malware sessions

  application          Application protocol name

  application-firewall  Show application-firewall sessions

  application-firewall-rule-set  Show application-firewall session by rule-set

  application-traffic-control  Show application-traffic-control sessions

  application-traffic-control-rule-set  Show application-traffic-control session by rule-set

  brief                Show brief output (default)

  conn-tag             Session connection tag (0..4294967295)

  destination-port     Destination port (1..65535)

  destination-prefix   Destination IP prefix or address

  dynamic-application  Dynamic application name

  dynamic-application-group  Dynamic application group name

  encrypted            Show encrypted traffic

  extensive            Show detailed output

  family               Protocol family

  idp                  IDP sessions

  interface            Name of incoming or outgoing interface

  nat                  Sessions with network address translation

  policy-id            Policy id value (1..4294967295)

  protocol             IP protocol number

  resource-manager     Sessions with resource manager

  security-intelligence  Show security-intelligence sessions

  session-identifier   Show session with specified session identifier

  source-port          Source port (1..65535)

  source-prefix        Source IP prefix or address

  summary              Show output summary

  tunnel               Tunnel sessions

  |                    Pipe through a command

 

root@vSRX-1> show security flow session source-prefix 192.168.1.100   

Session ID: 12947, Policy name: self-traffic-policy/1, Timeout: 1798, Valid

  In: 192.168.1.100/56317 --> 192.168.1.150/22;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1974, Bytes: 172602,

  Out: 192.168.1.150/22 --> 192.168.1.100/56317;tcp, Conn Tag: 0x0, If: .local..0, Pkts: 1479, Bytes: 285235,

 

Session ID: 13259, Policy name: FTP_UNTRUST_TRUST/7, Timeout: 1790, Valid

Resource information : FTP ALG, 1, 0

  In: 192.168.1.100/56377 --> 192.168.1.150/21;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 19, Bytes: 954,

  Out: 172.16.1.100/21 --> 192.168.1.100/56377;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 15, Bytes: 999,

 

Session ID: 13282, Policy name: self-traffic-policy/1, Timeout: 1792, Valid

  In: 192.168.1.100/56382 --> 192.168.1.150/443;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 70, Bytes: 16713,

  Out: 192.168.1.150/443 --> 192.168.1.100/56382;tcp, Conn Tag: 0x0, If: .local..0, Pkts: 101, Bytes: 57099,

Total sessions: 3

 

 

Below is the complete vSRX configuration.

 

root@vSRX-1# show

## Last changed: 2021-02-23 19:33:08 SGT

version 15.1X49-D80.4;

system {

    host-name vSRX-1;

    root-authentication {

        encrypted-password "$5$h/gVhuqb$nH2lW4/iyVyXnAnvbBg8aLy2b1HZcpqhiTeH/lSFD./"; ## SECRET-DATA

    }

    services {

        ssh {

            root-login allow;

        }

        web-management {

            https {

                system-generated-certificate;

                interface ge-0/0/0.0;

            }

        }

    }

    syslog {

        user * {

            any emergency;

        }

        file messages {                

            any any;

            authorization info;

        }

        file interactive-commands {

            interactive-commands any;

        }

    }

    license {

        autoupdate {

            url https://ae1.juniper.net/junos/key_retrieval;

        }

    }

    ntp;

}

security {

    screen {

        ids-option untrust-screen {

            icmp {

                ping-death;

            }

            ip {

                source-route-option;

                tear-drop;             

            }

            tcp {

                syn-flood {

                    alarm-threshold 1024;

                    attack-threshold 200;

                    source-threshold 1024;

                    destination-threshold 2048;

                    queue-size 2000; ## Warning: 'queue-size' is deprecated

                    timeout 20;

                }

                land;

            }

        }

    }

    nat {

        source {

            rule-set SOURCE-NAT-TRUST {

                from zone trust;

                to zone untrust;

                rule SOURCE-NAT-TRUST {

                    match {

                        source-address 172.16.1.0/24;

                        destination-address 0.0.0.0/0;

                    }

                    then {

                        source-nat {

                            interface;

                        }

                    }

                }

            }

        }

        destination {

            pool DEST_NAT_FTP {

                address 172.16.1.100/32 port 21;

            }

            rule-set DEST_NAT_FTP {

                from zone untrust;

                rule DEST_NAT_FTP {

                    match {

                        destination-address 192.168.1.150/32;

                        destination-port {

                            21;

                        }

                    }

                    then {             

                        destination-nat {

                            pool {

                                DEST_NAT_FTP;

                            }

                        }

                    }

                }

            }

        }

    }

    policies {

        from-zone trust to-zone trust {

            policy default-permit {

                match {

                    source-address any;

                    destination-address any;

                    application any;

                }

                then {

                    permit;

                }

            }

        }                              

        from-zone trust to-zone untrust {

            policy default-permit {

                match {

                    source-address any;

                    destination-address any;

                    application any;

                }

                then {

                    permit;

                }

            }

            policy TRUST-UNTRUST {

                match {

                    source-address any;

                    destination-address any;

                    application any;

                }

                then {

                    permit;

                }

            }

        }

        from-zone untrust to-zone trust {

            policy FTP_UNTRUST_TRUST {

                match {

                    source-address any-ipv4;

                    destination-address WIN7-VM;

                    application junos-ftp;

                }

                then {

                    permit;

                    log {

                        session-init;

                    }

                }

            }

        }

    }

    zones {

        security-zone trust {

            tcp-rst;

            address-book {

                address WIN7-VM 172.16.1.100/32;

            }

            interfaces {

                ge-0/0/1.0 {           

                    host-inbound-traffic {

                        system-services {

                            ping;

                            ssh;

                        }

                    }

                }

            }

        }

        security-zone untrust {

            screen untrust-screen;

            interfaces {

                ge-0/0/0.0 {

                    host-inbound-traffic {

                        system-services {

                            ping;

                            ssh;

                            https;

                        }

                    }

                }

            }

        }                              

    }

}

interfaces {

    ge-0/0/0 {

        unit 0 {

            family inet {

                address 192.168.1.150/24;

            }

        }

    }

    ge-0/0/1 {

        unit 0 {

            family inet {

                address 172.16.1.1/24;

            }

        }

    }

    fxp0 {

        unit 0 {

            family inet;

        }

    }

}                                      

routing-options {

    static {

        route 0.0.0.0/0 next-hop 192.168.1.1;

    }

}

 

[edit]