Destination NAT is the translation of the destination IP address of a packet entering the Juniper Networks device. Destination NAT is used to redirect traffic destined to a virtual host (identified by the original destination IP address) to the real host (identified by the translated destination IP address). This is common when you want external IP address from the Untrust zone/Internet to a host behind the SRX Firewall, i.e. Trust or DMZ zone.
I
configured Source NAT in my previous post. This time I created a Destination NAT to permit FTP (TCP port 21) from host
192.168.1.100 (Windows 10) in the Untrust Zone to 172.16.1.100 (to be mapped to vSRX WAN
IP 192.168.1.150), which is in the Trust Zone.
Notice the FTP connection timed out since there's no Destination NAT configured yet in vSRX.
Go to Configure > NAT > Destination > either click Add (manual) or Launch Wizard.
I chose the Launch Wizard for a guided steps.
Notice the network diagram visualize the NAT type to be configured.
Select Destination NAT > click Start.
Notice there's no Destination NAT rules configured. Click Add.
Type a Rule Name: DEST_NAT_FTP > under Traffic Direction > select From: Zone (default).
Select untrust > click >> (double right arrows) to move untrust to the right column.
Under Matching Addresses and Ports > type Destination Address: 192.168.1.150 (ge-0/0/0.0 WAN IP address) > type Destination port: 21 (or you can specify a custom port) > click Next.
Under Rule Action > select NAT To: Address Range.
Click Edit (pencil icon).
Type Addresses: 172.16.1.100 (Windows 7 VM) > type Port: 21 > click Done.
Click Next.
Review the summary before Commit.
Click Commit to apply the changes.
Click Yes to exit.
Under Destination Rule Set > click Refresh (circle arrow). Notice the newly created Destination NAT rule is displayed.
Below is a typical packet flow being processed in a Juniper SRX Firewall.
You also need to add a Security policy to permit FTP traffic from the Untrust to Trust zone.
Go to Configure > Security > Security Policy > select From Zone: all > select To Zone: all.
Notice there's no Security Policy on the Policy Context: Untrust to Trust zone. Click Add.
Under Policy tab > type Policy Name: FTP_UNTRUST_TRUST > select Policy Action: permit.
Under Policy Context > select Zone (default) > select From Zone: untrust > To Zone: Destination Zone.
A Policy Context is the combination of From-Zone and To-Zone pair/direction.
It's best practice to put explicit Security Policy on top in order not to be overshadowed by other rules.
Under Source Address > select any-ipv4 > move to the Selected column to the right.
Under Destination Address > select: Add New Destination Address > type Address Name: WIN7-VM (Address Book entry) > type Address: 172.16.1.100 > click Add.
An Address Book is an alias for a host or range IP address and are components or building blocks, that are referenced in other configurations such as security policies, security zones, and NAT. This is similar to the Host or Service Objects in a Cisco ASA Firewall.
Under Destination Address > select the newly created Address Book entry: WIN7-VM > move to the Selected column on the right.
Skip Source Identity > under Applications > Search: ftp > select junos-ftp > move to the Selected column on the right.
Go to Logging tab > select: Log at Session Init Time.
Leave the default setting in the other tabs.
Click OK.
Notice
the new Security Policy rule created (bottom). You can filter or narrow down a
specific Policy Context by selecting the From Zone: untrust > To Zone: trust
> click Filter.
Click Commit > Commit.
I
was able to FTP from 192.168.1.100 (Windows 10) to 192.168.1.150, which is
the vSRX WAN IP address.
You can view the NAT Translation hits under Monitor > NAT > Destination NAT.
Below are some useful SRX CLI show commands.
root@vSRX-1> show security ?
Possible completions:
advance-policy-based-routing Show advance policy based routing information
alarms Show active security alarm information
alg Show ALG security services information
application-firewall Show security application firewall policies
application-tracking Show Application tracking information
dns-cache Show DNS cache of firewall policy
dynamic-address Security dynamic address name
dynamic-policies Show security firewall dynamic policies
firewall-authentication Show firewall authentication tables, information
flow Show flow information
forward-options Show forward-options status
gprs Show GPRS information
group-vpn Show Group VPN Security information
idp Show Intrusion Detection and Prevention information
ike Show Internet Key Exchange information
internal-security-association Show internal security association
ipsec Show IP Security information
keychain Show all protocols keychain
log Show auditable security log information
match-policies Show security match policies
monitoring Show security SPU monitoring information
nat Show Network Address Translation information
pki Show public-key infrastructure information
policies Show security firewall policies
resource-manager Show resource manager security services information
screen Show screen service information
shadow-policies Show security shadow policies
softwires Show softwire information
ssh Show SSH information
tcp-encap Show TCP encapsulation information
user-identification Show user-identification information
utm Show security utm information
zones Show security zone information
root@vSRX-1> show security nat ?
Possible completions:
destination Show destination NAT information
interface-nat-ports Show interface nat ports information
resource-usage Show NAT resource usage information
source Show source NAT information
static Show static NAT information
root@vSRX-1> show security nat destination ?
Possible completions:
pool Show destination NAT address-pool information
rule Show destination NAT rule-set information
rule-application Show destination NAT rule application information
summary Show destination NAT summary information
root@vSRX-1> show security nat destination pool ?
Possible completions:
<pool-name> Destination address pool name
DEST_NAT_FTP
all Display all destination NAT address-pool information
root@vSRX-1> show security nat destination pool DEST_NAT_FTP
Pool name : DEST_NAT_FTP
Pool id : 1
Total address : 1
Translation hits: 6
Address range Port
172.16.1.100 - 172.16.1.100 21
root@vSRX-1> show security nat destination rule ?
Possible completions:
<rule-name> Destination NAT rule name
all Display all destination NAT rule-sets information
root@vSRX-1> show security nat destination rule all
Total destination-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 1/0
Destination NAT rule: DEST_NAT_FTP Rule-set: DEST_NAT_FTP
Rule-Id : 1
Rule position : 1
From zone : untrust
Destination addresses : 192.168.1.150 - 192.168.1.150
Destination port : 21 - 21
Action : DEST_NAT_FTP
Translation hits : 6
Successful sessions : 3
Failed sessions : 3
Number of sessions : 1
root@vSRX-1> show security nat destination summary
Total pools: 1
Pool name Address Routing Port Total
Range Instance Address
DEST_NAT_FTP 172.16.1.100 - 172.16.1.100 21 1
Total rules: 1
Rule name Rule set From Action
DEST_NAT_FTP DEST_NAT_FTP untrust DEST_NAT_FTP
You can view
the NAT session table using the show security
flow session command and narrow down the output being displayed, i.e. using a source prefix.
Notice an FTP ALG (Application Layer Gateway) is used to statefully monitor and permit FTP traffic. This is similar to Cisco ASA Firewall Application Layer inspection engine.
root@vSRX-1> show security flow session ?
Possible completions:
<[Enter]> Execute this command
advanced-anti-malware Show advanced-anti-malware sessions
application Application protocol name
application-firewall Show application-firewall sessions
application-firewall-rule-set Show application-firewall session by rule-set
application-traffic-control Show application-traffic-control sessions
application-traffic-control-rule-set Show application-traffic-control session by rule-set
brief Show brief output (default)
conn-tag Session connection tag (0..4294967295)
destination-port Destination port (1..65535)
destination-prefix Destination IP prefix or address
dynamic-application Dynamic application name
dynamic-application-group Dynamic application group name
encrypted Show encrypted traffic
extensive Show detailed output
family Protocol family
idp IDP sessions
interface Name of incoming or outgoing interface
nat Sessions with network address translation
policy-id Policy id value (1..4294967295)
protocol IP protocol number
resource-manager Sessions with resource manager
security-intelligence Show security-intelligence sessions
session-identifier Show session with specified session identifier
source-port Source port (1..65535)
source-prefix Source IP prefix or address
summary Show output summary
tunnel Tunnel sessions
| Pipe through a command
root@vSRX-1> show security flow session source-prefix 192.168.1.100
Session ID: 12947, Policy name: self-traffic-policy/1, Timeout: 1798, Valid
In: 192.168.1.100/56317 --> 192.168.1.150/22;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1974, Bytes: 172602,
Out: 192.168.1.150/22 --> 192.168.1.100/56317;tcp, Conn Tag: 0x0, If: .local..0, Pkts: 1479, Bytes: 285235,
Session ID: 13259, Policy name: FTP_UNTRUST_TRUST/7, Timeout: 1790, Valid
Resource information : FTP ALG, 1, 0
In: 192.168.1.100/56377 --> 192.168.1.150/21;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 19, Bytes: 954,
Out: 172.16.1.100/21 --> 192.168.1.100/56377;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 15, Bytes: 999,
Session ID: 13282, Policy name: self-traffic-policy/1, Timeout: 1792, Valid
In: 192.168.1.100/56382 --> 192.168.1.150/443;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 70, Bytes: 16713,
Out: 192.168.1.150/443 --> 192.168.1.100/56382;tcp, Conn Tag: 0x0, If: .local..0, Pkts: 101, Bytes: 57099,
Total sessions: 3
Below is the complete vSRX configuration.
root@vSRX-1# show
## Last changed: 2021-02-23 19:33:08 SGT
version 15.1X49-D80.4;
system {
host-name vSRX-1;
root-authentication {
encrypted-password "$5$h/gVhuqb$nH2lW4/iyVyXnAnvbBg8aLy2b1HZcpqhiTeH/lSFD./"; ## SECRET-DATA
}
services {
ssh {
root-login allow;
}
web-management {
https {
system-generated-certificate;
interface ge-0/0/0.0;
}
}
}
syslog {
user * {
any emergency;
}
file messages {
any any;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
ntp;
}
security {
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
queue-size 2000; ## Warning: 'queue-size' is deprecated
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set SOURCE-NAT-TRUST {
from zone trust;
to zone untrust;
rule SOURCE-NAT-TRUST {
match {
source-address 172.16.1.0/24;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
destination {
pool DEST_NAT_FTP {
address 172.16.1.100/32 port 21;
}
rule-set DEST_NAT_FTP {
from zone untrust;
rule DEST_NAT_FTP {
match {
destination-address 192.168.1.150/32;
destination-port {
21;
}
}
then {
destination-nat {
pool {
DEST_NAT_FTP;
}
}
}
}
}
}
}
policies {
from-zone trust to-zone trust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
policy TRUST-UNTRUST {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
policy FTP_UNTRUST_TRUST {
match {
source-address any-ipv4;
destination-address WIN7-VM;
application junos-ftp;
}
then {
permit;
log {
session-init;
}
}
}
}
}
zones {
security-zone trust {
tcp-rst;
address-book {
address WIN7-VM 172.16.1.100/32;
}
interfaces {
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
ping;
ssh;
}
}
}
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
ping;
ssh;
https;
}
}
}
}
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 192.168.1.150/24;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 172.16.1.1/24;
}
}
}
fxp0 {
unit 0 {
family inet;
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 192.168.1.1;
}
}
[edit]
