Wednesday, August 11, 2010

Vacation and one-to-one NAT on a Juniper Netscreen

Sorry - forgot to mention I was going on vacation. Mmmm. Sweet vacation.

Anyways, back to the nerdy salt mines.

There are a couple of ways to do address translation on a Juniper Netscreen firewall. The simplest is a "MIP", or Mapped IP. This creates a one-to-one NAT that works in either direction, and no port translation is done. You define a MIP on the interface that owns the subnet the NAT address belongs to (the ingress interface for traffic arriving at the NAT address).

So if you're setting up a NAT where folks on the Untrust network can talk to a host on the Trust network using a NAT address in the Untrust zone, you'd set it up on the interface in the Untrust zone.

From the GUI, it's Network > Interfaces > Edit > MIP (List). From the CLI, assuming this is all in the "trust-vr" virtual router, the command looks like this:

set interface "ethernetX/X" mip {nat address} host {real internal address} netmask 255.255.255.255 vr "trust-vr"

e.g., assuming my outside NAT address is 10.1.1.100 on interface ethernet3/2 and my internal address is 192.168.1.100:

set interface "ethernet3/2" mip 10.1.1.100 host 192.168.1.100 netmask 255.255.255.255 vr "trust-vr"

When making policies via the GUI, the Untrust zone will include "MIP(10.1.1.100)", so you can just select that as the destination and the firewall will do the right thing for inbound traffic. For outbound traffic, select the internal real address as the source, and the Netscreen will do the right thing and NAT the traffic as it leaves the outgoing interface.
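As an added example (not from the original post), here is the CLI sequence that pairs the MIP above with the two policies the GUI step describes. The address-book name "web-server", the policy ids 10 and 11, the HTTP service and the "log" flag are my assumptions; the addresses and interface are the ones used above.

```screenos
# One-to-one NAT: 10.1.1.100 (Untrust side) <-> 192.168.1.100 (Trust side), single host
set interface "ethernet3/2" mip 10.1.1.100 host 192.168.1.100 netmask 255.255.255.255 vr "trust-vr"

# Address-book entry for the real host, used as the source of the outbound policy
# (the name "web-server" is assumed)
set address "Trust" "web-server" 192.168.1.100 255.255.255.255

# Inbound: the destination is the MIP object, not the real address; the firewall
# rewrites 10.1.1.100 -> 192.168.1.100 for matching traffic (service HTTP is assumed)
set policy id 10 from "Untrust" to "Trust" "Any" "MIP(10.1.1.100)" "HTTP" permit log

# Outbound: the source is the real address; the MIP rewrites 192.168.1.100 -> 10.1.1.100
# as traffic leaves ethernet3/2. Ports are untouched in both directions.
set policy id 11 from "Trust" to "Untrust" "web-server" "Any" "ANY" permit log

# Verify the mapping and the two policies
get mip
get policy id 10
get policy id 11
```

The lines starting with "#" are explanatory only; ScreenOS does not accept them, so drop them before pasting. Narrow "Any" and "HTTP" to the actual peers and services you need, and make sure the Untrust side routes 10.1.1.100 to ethernet3/2, since the firewall only answers for the MIP address on the interface it is defined on.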

About Me

Regis has worked as a network engineer since 1994 for small companies and for large companies.