Static NAT on Juniper SRX

@paul0000 (Trusted Member, topic starter)

Static NAT (Network Address Translation) is a one-to-one mapping between a private IP address (internal) and a public IP address (external). This is often used for allowing external clients to access internal servers, such as web servers, email servers, or any other resources that need to be directly accessible from the internet.

On a Juniper SRX device, static NAT is configured under the security nat static configuration hierarchy. A static NAT rule maps a public IP address to an internal private IP address so that inbound traffic addressed to the public IP is delivered to the internal host; the mapping is bidirectional, so traffic from that host toward the external zone is translated back to the public IP.

Steps to Configure Static NAT on Juniper SRX:

Here's a step-by-step guide to configure Static NAT on a Juniper SRX device:


1. Access the SRX Device:

  • Log in to the SRX device via SSH, console, or the J-Web interface.

2. Configure the Static NAT Rule:

You'll need to configure a static NAT rule that specifies:

  • Match address: the external/public IP address that inbound traffic is sent to.
  • Translated address: the internal/private IP address that the traffic is forwarded to.

Basic Configuration Commands:

set security nat static rule-set <rule-set-name> from zone <zone-name>
set security nat static rule-set <rule-set-name> rule <rule-name> match destination-address <public-ip>/32
set security nat static rule-set <rule-set-name> rule <rule-name> then static-nat prefix <private-ip>/32

Where:

  • <rule-set-name>: Name for the rule set (e.g., "static-nat").
  • <zone-name>: The security zone the inbound traffic arrives from (the external zone). A static NAT rule set has only a from context; the reverse direction is handled implicitly because static NAT is bidirectional.
  • <rule-name>: The name of the specific rule.
  • <public-ip>: The public IP address (external IP) that will be mapped to the private IP, written as a /32 prefix.
  • <private-ip>: The internal IP address of the machine you want to make accessible, written as a /32 prefix.

Example:

Let's assume:

  • Public IP: 203.0.113.10 (the external IP provided by the ISP).
  • Private IP: 192.168.1.10 (the internal IP of the server you want to expose).
  • Zone: We will assume untrust is the external zone and trust is the internal zone.

set security nat static rule-set static-nat from zone untrust
set security nat static rule-set static-nat rule 1 match destination-address 203.0.113.10/32
set security nat static rule-set static-nat rule 1 then static-nat prefix 192.168.1.10/32

In this example:

  • Any traffic arriving in the untrust zone destined for 203.0.113.10 (public IP) has its destination translated to 192.168.1.10 (private IP) and is forwarded into the trust zone; replies and outbound traffic from 192.168.1.10 are translated back to 203.0.113.10.
  • The rule set is named static-nat, and the rule is 1.
  • If 203.0.113.10 is not the address configured on the untrust interface itself but lies in that interface's subnet, the SRX must also be configured to answer ARP for it (proxy ARP), otherwise the upstream router cannot deliver packets for the public IP.

3. Commit the Configuration:

After configuring the NAT rule, commit the changes to the device:

commit
 

4. Configure Security Policies:

In addition to the static NAT rule, you must configure a security policy to allow traffic to flow between the relevant zones (e.g., from the untrust zone to the trust zone). On the SRX, static NAT is applied before the policy lookup, so the policy must match the translated (private) destination address, not the public IP. Policies reference address-book entries rather than raw IP addresses, so define one for the internal server first.

Example to allow inbound traffic from the untrust zone to the trust zone for the mapped server:

set security zones security-zone trust address-book address web-srv 192.168.1.10/32
set security policies from-zone untrust to-zone trust policy allow-web-app match source-address any destination-address web-srv application any
set security policies from-zone untrust to-zone trust policy allow-web-app then permit

This policy:

  • Allows traffic from any source to the server's private IP (192.168.1.10, after translation from 203.0.113.10), for any application.
  • The traffic is then permitted through the firewall.

You can adjust the source-address and application as needed to restrict access; a policy with source-address any and application any exposes every service on the host.
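The two mistakes this step warns about (a policy that matches the pre-NAT public address, and an overly broad any/any policy) are easy to spot mechanically. The following Python script is an added example, not part of the original post or of Junos; it parses a constructed set-format configuration (three static NAT mappings, one correct policy, one policy that wrongly references the public address, and one mapping with no policy at all) and reports, per mapping, whether a permit policy covers the translated address, plus which permit policies are any-source/any-application. The address names (web-srv, mail-public) and policy names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample configuration (Junos "set" format) for the audit below.
SAMPLE_CONFIG = """
set security nat static rule-set static-nat from zone untrust
set security nat static rule-set static-nat rule 1 match destination-address 203.0.113.10/32
set security nat static rule-set static-nat rule 1 then static-nat prefix 192.168.1.10/32
set security nat static rule-set static-nat rule 2 match destination-address 203.0.113.11/32
set security nat static rule-set static-nat rule 2 then static-nat prefix 192.168.1.11/32
set security nat static rule-set static-nat rule 3 match destination-address 203.0.113.12/32
set security nat static rule-set static-nat rule 3 then static-nat prefix 192.168.1.12/32
set security zones security-zone trust address-book address web-srv 192.168.1.10/32
set security zones security-zone untrust address-book address mail-public 203.0.113.11/32
set security policies from-zone untrust to-zone trust policy allow-web-app match source-address any
set security policies from-zone untrust to-zone trust policy allow-web-app match destination-address web-srv
set security policies from-zone untrust to-zone trust policy allow-web-app match application any
set security policies from-zone untrust to-zone trust policy allow-web-app then permit
set security policies from-zone untrust to-zone trust policy allow-mail match source-address any
set security policies from-zone untrust to-zone trust policy allow-mail match destination-address mail-public
set security policies from-zone untrust to-zone trust policy allow-mail match application junos-smtp
set security policies from-zone untrust to-zone trust policy allow-mail then permit
"""

NAT_FROM = re.compile(r"^set security nat static rule-set (\S+) from zone (\S+)$")
NAT_MATCH = re.compile(r"^set security nat static rule-set (\S+) rule (\S+) match destination-address (\S+)$")
NAT_THEN = re.compile(r"^set security nat static rule-set (\S+) rule (\S+) then static-nat prefix (\S+)$")
ADDR = re.compile(r"^set security (?:zones security-zone \S+ address-book|address-book global) address (\S+) (\S+)$")
POLICY = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (match (\S+) (\S+)|then (\S+))$")


def parse_config(text):
    """Split set-format lines into NAT rule sets, NAT rules, address objects and policies."""
    rule_set_zone = {}                              # rule-set name -> "from" zone
    nat_rules = defaultdict(dict)                   # (rule-set, rule) -> {"public", "private"}
    addresses = {}                                  # address-book name -> prefix
    policies = defaultdict(lambda: {"source-address": [], "destination-address": [],
                                    "application": [], "action": None})
    for line in text.strip().splitlines():
        line = line.strip()
        if m := NAT_FROM.match(line):
            rule_set_zone[m[1]] = m[2]
        elif m := NAT_MATCH.match(line):
            nat_rules[(m[1], m[2])]["public"] = m[3]
        elif m := NAT_THEN.match(line):
            nat_rules[(m[1], m[2])]["private"] = m[3]
        elif m := ADDR.match(line):
            addresses[m[1]] = m[2]
        elif m := POLICY.match(line):
            pol = policies[(m[1], m[2], m[3])]
            if m[5] in pol:
                pol[m[5]].append(m[6])
            elif m[7]:
                pol["action"] = m[7]
    return rule_set_zone, nat_rules, addresses, policies


def resolve(name, addresses):
    """Map a policy address reference to its prefix; the any* keywords match everything."""
    if name in ("any", "any-ipv4", "any-ipv6"):
        return "any"
    return addresses.get(name, name)


def audit(text):
    """Return ({public_prefix: status}, [over-permissive permit policy names]).

    status is "ok" when a permit policy from the rule set's zone matches the translated
    address, "policy-uses-pre-nat-address" when the only candidate matches the public
    address (it is never hit, because static NAT runs before policy lookup), else "no-policy".
    """
    rule_set_zone, nat_rules, addresses, policies = parse_config(text)
    findings = {}
    for (rule_set, _rule), r in nat_rules.items():
        public, private = r.get("public"), r.get("private")
        if not public or not private:
            continue
        status = "no-policy"
        for (from_zone, _to_zone, _name), pol in policies.items():
            if from_zone != rule_set_zone.get(rule_set) or pol["action"] != "permit":
                continue
            dests = {resolve(d, addresses) for d in pol["destination-address"]}
            if private in dests or "any" in dests:
                status = "ok"
                break
            if public in dests:
                status = "policy-uses-pre-nat-address"
        findings[public] = status
    permissive = sorted(
        name for (_fz, _tz, name), pol in policies.items()
        if pol["action"] == "permit"
        and "any" in {resolve(s, addresses) for s in pol["source-address"]}
        and "any" in pol["application"]
    )
    return findings, permissive


if __name__ == "__main__":
    findings, permissive = audit(SAMPLE_CONFIG)
    for public, status in findings.items():
        print(f"{public}: {status}")
    print("any/any permit policies:", permissive)
```

Running it flags rule 2 (the policy references the public address and will never match), rule 3 (no policy) and allow-web-app (any source, any application). Feeding the script the output of show configuration | display set from a real device works the same way, as long as the policy lines use the one-keyword-per-line form shown above.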

5. Verify the Configuration:

After applying the configuration, you can verify that the static NAT rule is working as expected using the following commands:

Check NAT Rules:

show security nat static rule all

This lists each static NAT rule with its match and translated prefixes and a hit counter, so you can confirm the rule is present and being matched.

Check Traffic Flow:

To check if the NAT translation is working:

show security flow session | match 203.0.113.10

This will display the lines of any active sessions that reference the mapped public IP (203.0.113.10). For an inbound session, the In wing shows 203.0.113.10 as the destination and the Out wing shows the private IP 192.168.1.10 as the source, which confirms the translation is applied.
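Because | match only prints the lines containing the address, it hides the Out wing of each session, which is where the translation is actually visible (show security flow session destination-prefix 203.0.113.10 prints the complete sessions). The following Python script is an added example, not part of the original post; it parses a constructed sample in the shape of show security flow session output and reports, per session addressed to the public IP, whether the reply wing originates from the private IP. The second sample session is constructed as a negative case whose Out wing still carries the public address, to show what an untranslated session would look like to the check.

```python
import re

# Constructed sample in the shape of "show security flow session" output on an SRX.
# Session 2381 is translated; session 2382 is a constructed negative case.
SAMPLE_OUTPUT = """
Session ID: 2381, Policy name: allow-web-app/5, Timeout: 1794, Valid
  In: 198.51.100.7/51234 --> 203.0.113.10/80;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 6, Bytes: 512,
  Out: 192.168.1.10/80 --> 198.51.100.7/51234;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 5, Bytes: 720,
Session ID: 2382, Policy name: allow-web-app/5, Timeout: 1800, Valid
  In: 198.51.100.9/40000 --> 203.0.113.10/443;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 3, Bytes: 180,
  Out: 203.0.113.10/443 --> 198.51.100.9/40000;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 2, Bytes: 120,
Total sessions: 2
"""

SESSION = re.compile(r"^Session ID: (\d+), Policy name: (\S+), Timeout: \d+, (\w+)$")
WING = re.compile(r"^\s+(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+),")


def parse_sessions(output):
    """Group the In and Out wings of each session under its session ID."""
    sessions, current = [], None
    for line in output.splitlines():
        if m := SESSION.match(line):
            current = {"id": int(m[1]), "policy": m[2], "state": m[3]}
            sessions.append(current)
        elif (m := WING.match(line)) and current is not None:
            current[m[1].lower()] = {"src": m[2], "sport": int(m[3]),
                                     "dst": m[4], "dport": int(m[5]), "proto": m[6]}
    return sessions


def check_static_nat(output, public_ip, private_ip):
    """For each session whose In wing targets public_ip, return {session_id: translated}.

    A session counts as translated when its Out wing is sourced from private_ip and
    mirrors the In wing's client address and port.
    """
    results = {}
    for s in parse_sessions(output):
        if "in" not in s or "out" not in s or s["in"]["dst"] != public_ip:
            continue
        results[s["id"]] = (s["out"]["src"] == private_ip
                            and s["out"]["dst"] == s["in"]["src"]
                            and s["out"]["sport"] == s["in"]["dport"])
    return results


if __name__ == "__main__":
    for sid, ok in check_static_nat(SAMPLE_OUTPUT, "203.0.113.10", "192.168.1.10").items():
        print(f"session {sid}: {'translated' if ok else 'NOT translated'}")
```

On a live device you would paste the command output in place of SAMPLE_OUTPUT; a mapping whose sessions all come back untranslated points at the rule set's from zone or the match prefix, while no sessions at all usually means the policy (or proxy ARP) is the problem rather than the NAT rule.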

Posted : 23/11/2024 3:29 pm