APPLICATION NOTE
SRX Series and J Series: Network Address Translation (NAT)
Copyright 2014, Juniper Networks, Inc.
Introduction

This application note describes Network Address Translation (NAT) in Junos OS on the SRX Series (Junos OS 9.2 and later) and on the J Series J2320, J2350, J4350 and J6350 (Junos OS 9.5 and later). NAT on these Junos OS platforms is configured differently from ScreenOS NAT; the figures and configuration examples below cover each NAT type.

Figure 1: Junos OS flow module (NAT is one stage of packet processing).
    Ingress: per-packet policer -> per-packet filter -> "does the packet match an existing session?"
    No (first packet): forwarding lookup -> Screens -> route, zone and policy lookup -> NAT -> services/ALG -> session created
    Yes (fast path): Screens -> TCP checks -> NAT -> services/ALG
    Egress: per-packet filter -> per-packet shaper
Junos OS provides three NAT types, all configured under [edit security nat]: source NAT (translates the source IP address, optionally with port translation), destination NAT (translates the destination IP address and optionally the destination port) and static NAT (a fixed one-to-one mapping that is applied in both directions).

Figure 2: Junos OS flow module with the NAT stages shown.
    First packet of a session: forwarding lookup -> Screens -> static NAT / destination NAT -> route, zone and policy lookup -> reverse static NAT / source NAT -> services/ALG -> session created
    Packets matching an existing session: Screens -> TCP checks -> NAT -> services/ALG
    Per-packet policer, per-packet filter and per-packet shaper are applied as in Figure 1.
NAT configuration hierarchy

Source NAT hierarchy ([edit security nat], Junos OS 9.3 syntax):

    source {
        address-persistent;
        pool <pool-name> {
            ...
        }
        pool-utilization-alarm {
            ...
        }
        rule-set <rule-set-name> {
            from {
                interface <interface-list>;
                zone <zone-list>;
                routing-instance <routing-instance-list>;
            }
            to {
                interface <interface-list>;
                zone <zone-list>;
                routing-instance <routing-instance-list>;
            }
            rule <rule-name> {
                source-address <source address/prefix list>;
                destination-address <destination address/prefix list>;
                then source-nat { interface | off | pool <pool-name>; }
            }
        }
    }
Destination NAT hierarchy:

    destination {
        pool <pool-name> {
            ...
        }
        rule-set <rule-set-name> {
            from {
                interface <interface-list>;
                zone <zone-list>;
                routing-instance <routing-instance-list>;
            }
            rule <rule-name> {
                source-address <source address/prefix list>;
                destination-address <destination address/prefix list>;
                destination-port <destination-port>;
                then destination-nat { off | pool <pool-name>; }
            }
        }
    }

Static NAT hierarchy:

    static {
        rule-set <rule-set-name> {
            from {
                interface <interface-list>;
                zone <zone-list>;
                routing-instance <routing-instance-list>;
            }
            rule <rule-name> {
                destination-address <destination address/prefix list>;
                then static-nat {
                    prefix <address-prefix>;
                    routing-instance <instance-name>;
                }
            }
        }
    }

Destination NAT and static NAT rule sets have only a "from" context; the "to" context exists only for source NAT. A source NAT pool can be configured with "port no-translation" (no port translation, also referred to as "no-port-translation"), in which case only the address is translated.
NAT rule set and rule lookup

Figure 3: Junos OS NAT rule set lookup. Rule sets are matched on their from/to context (interface, zone or routing-instance) by precedence, so that one rule set N is selected; within the matching rule set the rules are evaluated in order (rule 1, rule 2, rule 3 ... rule M), and the first matching rule specifies the NAT action.

Source NAT
Source NAT pool types:

1. One-to-one (a single IP address):

    pool <pool-name> {
        address <IP address>/32;
    }

2. Address shifting (one-to-one mapping by offset from host-address-base):

    pool <pool-name> {
        address <address-low> to <address-high>;      (or address <network>/<netmask>;)
        host-address-base <ip-address>;
    }

3. Many-to-many without port translation:

    pool <pool-name> {
        address <address-low> to <address-high>;      (or address <network>/<netmask>;)
        port no-translation;
    }

4. Many-to-many with port translation:

    pool <pool-name> {
        address <address-low> to <address-high>;      (or address <network>/<netmask>;)
    }

Destination NAT pool types:

1. One-to-one (a single IP address):

    pool <pool-name> {
        address <IP address>/32;
    }

2. Many-to-many (an address range or network):

    pool <pool-name> {
        address <address-low> to <address-high>;      (or address <network>/<netmask>;)
    }

3. IP/port (port forwarding to a single IP address and port):

    pool <pool-name> {
        address <IP address>/32;
        port <port-number>;
    }
Source NAT examples

Figure 4: One-to-one source NAT. Trust zone host 10.1.1.10 -> device -> Untrust zone (200.0.0.0/26) -> Internet. Original source 10.1.1.10, translated source 200.0.0.10.

    source {
        pool 200_0_0_10 {
            address {
                200.0.0.10/32;
            }
        }
        rule-set one-to-one {
            from zone trust;
            to zone untrust;
            rule single-ip-nat {
                source-address 10.1.1.10/32;
                source-nat pool 200_0_0_10;
            }
        }
    }
Figure 5: Source NAT with address shifting. Trust zone -> Untrust zone (200.0.0.0/26) -> Internet. Original source 10.1.1.10 to 10.1.1.20, translated source 200.0.0.30 to 200.0.0.40.

    source {
        pool address-shifting {
            address {
                200.0.0.30/32 to 200.0.0.40/32;
            }
            host-address-base 10.1.1.10/32;
        }
        rule-set address-shift {
            from zone trust;
            to zone untrust;
            rule net-10_1_1_0 {
                source-address 10.1.1.0/24;
                source-nat pool address-shifting;
            }
        }
    }

With host-address-base, each source address is translated to the pool address at the same offset from the base: only source addresses in the range [host-address-base, host-address-base + pool size] are translated by this pool, even though the rule net-10_1_1_0 (matching 10.1.1.0/24, as the "show security nat source rule all" output at the end of this note shows) covers a larger range.

Figure 6: Many-to-many source NAT without port translation. Trust zone -> Untrust zone (200.0.0.0/26) -> Internet. Original source: hosts matched by the rule; translated source 200.0.0.30 to 200.0.0.40.
    source {
        pool many-no-port-translation {
            address {
                200.0.0.30/32 to 200.0.0.40/32;
            }
            port no-translation;
        }
        rule-set address-shift {
            from zone trust;
            to zone untrust;
            rule net-10_1_1_0 {
                source-address 10.1.1.0/24;
                source-nat pool many-no-port-translation;
            }
        }
    }

Figure 7: Many-to-many source NAT with port translation. Trust zone -> Untrust zone (200.0.0.0/26) -> Internet. The figure shows a translated source of 200.0.0.1 to 200.0.0.5; the configuration below uses the pool 200.0.0.30 to 200.0.0.40.

    source {
        pool many-to-many {
            address {
                200.0.0.30/32 to 200.0.0.40/32;
            }
        }
        rule-set address-shift {
            from zone trust;
            to zone untrust;
            rule net-10_1_1_0 {
                source-address 10.1.1.0/24;
                source-nat pool many-to-many;
            }
        }
    }
Figure 8: Interface source NAT. Trust zone -> Untrust zone (interface IP 200.0.0.63/26) -> Internet. Original source: trust hosts; translated source: the egress interface IP (200.0.0.63).

    source {
        rule-set interface-nat {
            from zone trust;
            to zone untrust;
            rule net-10_1_1_0 {
                source-address 10.1.1.0/24;
                source-nat interface;
            }
        }
    }

"source-nat interface" translates the source to the address of the egress interface (with port translation) and needs no pool, so it also works when the interface address is assigned dynamically by DHCP (Dynamic Host Configuration Protocol) or PPP (Point-to-Point Protocol).

Destination NAT examples

Figure 9: One-to-one destination NAT. Internet -> Untrust zone, interface ge-0/0/0.0 (200.0.0.63/26) -> Trust zone. Original destination IP 200.0.0.11, translated destination IP 10.1.1.11.
    destination {
        pool server-1 {
            address 10.1.1.11/32;
        }
        rule-set nat-example {
            from interface ge-0/0/0.0;
            rule single-address-nat {
                destination-address 200.0.0.11/32;
                destination-nat pool server-1;
            }
        }
    }
    proxy-arp {
        interface ge-0/0/0.0 {
            address {
                200.0.0.11/32;
            }
        }
    }

Traffic arriving on the untrust interface ge-0/0/0.0 for 200.0.0.11 is translated to 10.1.1.11. Because 200.0.0.11 is not the address of ge-0/0/0.0, proxy-arp must be configured so that the device answers ARP (Address Resolution Protocol) requests for the translated address.

Figure 10: Many-to-many destination NAT. Internet -> Untrust zone, interface ge-0/0/0.0 (200.0.0.63/26) -> Trust zone. Original destination IP 200.0.0.0/26, translated destination IP 10.1.1.0/26.
    destination {
        pool trust-net {
            address 10.1.1.0/26;
        }
        rule-set nat-example {
            from interface ge-0/0/0.0;
            rule many-to-many-translation {
                destination-address 200.0.0.0/26;
                destination-nat pool trust-net;
            }
        }
    }
    proxy-arp {
        interface ge-0/0/0.0 {
            address {
                200.0.0.1/32 to 200.0.0.62/32;
            }
        }
    }

As in the one-to-one case, proxy-arp on ge-0/0/0.0 covers the translated addresses (200.0.0.1 to 200.0.0.62) that are not the interface IP.

Figure 11: Destination NAT with port forwarding (IP/port). Internet -> Untrust (200.0.0.63) -> web servers in the Trust zone. Original destination 200.0.0.63 port 80 -> translated destination 10.1.1.100 port 80; original destination 200.0.0.63 port 8080 -> translated destination 10.1.1.200 port 80.
    destination {
        pool server-1 {
            address 10.1.1.100/32 port 80;
        }
        pool server-2 {
            address 10.1.1.200/32 port 80;
        }
        rule-set nat-example {
            from interface ge-0/0/0.0;
            rule port-forwarding {
                destination-address 200.0.0.63/32;
                destination-port 80;
                destination-nat pool server-1;
            }
            rule port-forwarding-2 {
                destination-address 200.0.0.63/32;
                destination-port 8080;
                destination-nat pool server-2;
            }
        }
    }

Static NAT example

The network of Figure 10 can also be configured with static NAT, which maps 200.0.0.0/26 to 10.1.1.0/26 in both directions with a single rule:

    static {
        rule-set nat-example {
            from interface ge-0/0/0.0;
            rule nat-trust-net {
                destination-address 200.0.0.0/26;
                static-nat prefix 10.1.1.0/26;
            }
        }
    }
    proxy-arp {
        interface ge-0/0/0.0 {
            address {
                200.0.0.1/32 to 200.0.0.62/32;
            }
        }
    }
Double NAT example

Figure 12: Double NAT (source NAT and destination NAT in the same session). Zone NetA (application servers) and zone NetB (WAN, web servers) are connected through the intermediate network 10.2.0.0/24. Host 10.1.1.1 in NetB reaches host 10.1.1.5 in NetA by sending to 10.2.0.5: the source IP is translated into the 10.2.0.0/24 pool (without port translation) and the destination IP 10.2.0.5 is translated to 10.1.1.5. The session is established between the translated addresses.

    source {
        pool intermediate-net {
            address {
                10.2.0.0/24;
            }
            port no-translation;
        }
        rule-set nat-example {
            from zone NetB;
            to zone NetA;
            rule double-nat-source {
                source-address <NetB source address/prefix>;
                source-nat pool intermediate-net;
            }
        }
    }
    destination {
        pool trust-net {
            address <NetA network/prefix>;
        }
        rule-set nat-example {
            from zone NetB;
            rule double-nat-dest {
                destination-address 10.2.0.0/24;
                destination-nat pool trust-net;
            }
        }
    }
NAT and security policies

Figure 13: NAT processing order for the first packet of a session. Static NAT match? yes -> static NAT applied; no -> destination NAT match? yes -> destination NAT applied. Then reverse static NAT, route lookup and zone lookup (drop the packet if there is no route), policy lookup (drop per policy), source NAT (if a rule matches), and finally the packet is permitted.

Because destination NAT and static NAT are applied before the policy lookup, security policies match on the translated (private) destination address; source NAT is applied after the policy lookup, so policies match on the original, untranslated source address.

Figure 14: Destination NAT with a security policy. Internet client 60.1.1.1 -> public address 200.1.1.1 -> destination NAT -> web server 10.1.1.1 in the Trust zone.
In Figure 14 the web server 10.1.1.1 in the Trust zone is reached from 60.1.1.1 through the public address 200.1.1.1, which destination NAT translates to 10.1.1.1. Because the policy is evaluated against the translated destination 10.1.1.1, a packet that arrives addressed directly to 10.1.1.1 without being translated would match the same policy; the "drop-untranslated" option makes the policy drop such untranslated packets:

    from-zone untrust to-zone trust {
        policy reject-untranslated {
            match {
                source-address any;
                destination-address 10.1.1.1/32;
                application any;
            }
            then {
                permit {
                    destination-address {
                        drop-untranslated;
                    }
                }
            }
        }
    }

Verifying NAT

Junos OS sessions, including their translations, are displayed with "show security flow session":

    root@srx210-1> show security flow session
    Session ID: 3729, Policy name: nat-example-security-policy/6, Timeout: 2
      In: 10.1.0.13/52939 --> 207.17.137.229/80;tcp, If: fe-0/0/5.0
      Out: 207.17.137.229/80 --> 172.19.101.42/2132;tcp, If: ge-0/0/0.0

The session was permitted by the policy nat-example-security-policy. Each session has two wings: "In" shows the original packet X -> Y, and "Out" shows the reverse direction Y' -> X' after translation. Here the "In" wing is the TCP connection from 10.1.0.13 port 52939 to the web server 207.17.137.229 port 80 (HTTP) arriving on fe-0/0/5.0, and the "Out" wing shows the return traffic addressed to 172.19.101.42 port 2132, i.e. the source was translated to 172.19.101.42:2132 on the egress interface ge-0/0/0.0.

NAT rules and their hit counts are displayed with "show security nat {source | destination | static} rule all":
    run show security nat source rule all
    Total rules: 1
    source NAT rule: net-10_1_1_0        Rule-set: interface-nat
      Rule-Id                  : 1
      From zone                : trust
      To zone                  : untrust
      Match
        Source addresses       : 10.1.1.0 - 10.1.1.255
      Action                   : interface
      Translation hits         : 1112

Port usage of interface NAT is shown with "show security nat interface-nat-ports". Pools are shown with "show security nat {source | destination} pool <pool-name>" (the host address base is 0.0.0.0 here because this pool has no host-address-base):

    show security nat source pool many-to-many
    Pool name              : many-to-many
    Pool id                : 4
    Routing instance       : default
    Host address base      : 0.0.0.0
    Port                   : [1024, 32255]
    Total addresses        : 11
    Translation hits       : 0

Summary

NAT in Junos OS is supported on the SRX Series from Junos OS 9.2 and on the J Series from Junos OS 9.5. Further information: http://www.juniper.net/jp/ and http://www.juniper.net

Copyright 2014, Juniper Networks, Inc. All rights reserved. Juniper Networks, Junos and QFabric are trademarks of Juniper Networks, Inc. 3500151-002 JP Apr 2014