Dynamic NAT (Network Address Translation) automatically maps an internal private IP address to a public IP address drawn from a pool. Unlike Static NAT, where one internal IP is always mapped to one specific external IP, Dynamic NAT picks whichever pool address is available at the time an internal host starts communicating with the outside world.
On Juniper SRX devices, Dynamic NAT is configured under the security nat source hierarchy: an address pool holds the public IPs, and a source NAT rule set decides which traffic is translated into that pool. It is typically used for outbound traffic, where many internal clients share a small number of public IP addresses. Note that a Junos source NAT pool performs port translation (PAT) by default, so a pool of three addresses can serve many more than three concurrent hosts; only if the pool is configured with port no-translation does each public IP map to a single internal host at a time.
Steps to Configure Dynamic NAT on Juniper SRX:
1. Access the SRX Device:
Log in to your SRX device through SSH, console, or J-Web interface.
2. Define the Address Pool (Public IP Pool):
You need to create a pool of public IP addresses that will be used for the dynamic translation. For example, if you have three public IPs (203.0.113.10, 203.0.113.11, and 203.0.113.12), you create an address pool that includes these IPs.
Here:
- my-nat-pool: the name of the NAT pool.
- 203.0.113.10/32, 203.0.113.11/32, 203.0.113.12/32: the public IPs in the pool. /32 indicates a single IP address.
3. Define the NAT Rule (Source NAT):
Now, create the Dynamic NAT rule that translates the internal IPs to public IPs from the pool. The rule only rewrites the source address of matching packets so that all internal clients share the pool when reaching external resources; whether that traffic is permitted at all is decided separately by the security policy in step 4.
Here:
- my-nat-rule-set: the name of the NAT rule set.
- trust: the name of the internal network (zone).
- untrust: the name of the external network (zone, typically the internet).
- my-nat-rule: the name of the specific NAT rule.
- 192.168.1.0/24: the internal network (private IP range) that will be mapped to the public IP pool.
- my-nat-pool: the NAT pool you created earlier.
4. Configure Security Policies:
After setting up the NAT rule, you need to configure a security policy that permits traffic from the trust (internal) zone to the untrust (external) zone; NAT rules translate addresses but do not permit anything on their own.
This policy allows traffic from any source address in the trust zone to any destination in the untrust zone (the internet). An any-to-any permit is the broadest possible rule; in practice it is worth matching the source address to the same 192.168.1.0/24 range the NAT rule translates, and logging session initiation, so that the permit is no wider than the translation.
5. Commit the Configuration:
Once the configuration is complete, you must commit the changes to apply them to the SRX device.
6. Verify the Configuration:
To verify that Dynamic NAT is working properly, check both the source NAT configuration and the translations actually in use.
- Check the Source NAT Configuration:
The operational-mode source NAT views show the configured rule sets, the rule hit counts, and the pool of IPs used for dynamic NAT, including how many pool addresses and ports are currently in use.
- Check Active NAT Translations:
The session table shows the active source NAT translations, that is, which internal IP and port has been translated to which public IP and port from the pool. A translated session that appears here but gets no replies usually means the pool addresses are not reachable from the outside, for example because no proxy ARP or route exists for them on the untrust side.
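The complete configuration for steps 2 through 6, as an added example in Junos "set" syntax; it is not the page's own snippet. The pool, rule-set, rule and zone names and all addresses are the ones used above. The untrust interface name ge-0/0/0.0, the policy name allow-outbound, the address-book entry lan-net, and the commit comment are assumptions for illustration.

```junos
# Added example, not from the original page. ge-0/0/0.0, allow-outbound and
# lan-net are assumed names; everything else is taken from the steps above.

# Step 2: public address pool. Port translation is on by default, so the three
# addresses are shared by many hosts. Uncomment the "port no-translation" line
# for one-to-one dynamic NAT, which limits the pool to three hosts at a time.
set security nat source pool my-nat-pool address 203.0.113.10/32 to 203.0.113.12/32
# set security nat source pool my-nat-pool port no-translation

# Step 3: source NAT rule set from trust to untrust, translating 192.168.1.0/24
# into the pool. This rewrites addresses only; it permits nothing by itself.
set security nat source rule-set my-nat-rule-set from zone trust
set security nat source rule-set my-nat-rule-set to zone untrust
set security nat source rule-set my-nat-rule-set rule my-nat-rule match source-address 192.168.1.0/24
set security nat source rule-set my-nat-rule-set rule my-nat-rule then source-nat pool my-nat-pool

# Pool addresses that are not the untrust interface's own address must still be
# answered for on the wire. When they sit in the interface's subnet, proxy ARP
# on that interface (assumed ge-0/0/0.0) makes the SRX reply for them.
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.10/32 to 203.0.113.12/32

# Step 4: security policy. Matching the source to the translated subnet (via an
# assumed global address-book entry) keeps the permit as narrow as the NAT rule;
# session-init logging records which internal host opened each flow.
set security address-book global address lan-net 192.168.1.0/24
set security policies from-zone trust to-zone untrust policy allow-outbound match source-address lan-net
set security policies from-zone trust to-zone untrust policy allow-outbound match destination-address any
set security policies from-zone trust to-zone untrust policy allow-outbound match application any
set security policies from-zone trust to-zone untrust policy allow-outbound then permit
set security policies from-zone trust to-zone untrust policy allow-outbound then log session-init

# Step 5: validate the candidate configuration, then commit it.
commit check
commit comment "dynamic source NAT trust to untrust"

# Step 6: verify from configuration mode with "run". The summary and rule views
# show hit counts, the pool view shows address and port usage, and the flow
# session view shows the actual translations for the internal subnet.
run show security nat source summary
run show security nat source rule all
run show security nat source pool all
run show security flow session source-prefix 192.168.1.0/24
```

If the pool addresses are not in the untrust interface's subnet, the proxy ARP line does not apply; the upstream router must instead route the pool prefix to the SRX. A quick end-to-end check is to open a connection from a 192.168.1.0/24 host and confirm that the matching entry in the flow session output shows a 203.0.113.x address in its Out direction.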