
Network Address Translation

2014 Juniper Networks, Inc. All rights reserved. | www.juniper.net | Worldwide Education Services
Objectives

After successfully completing this content, you will be able to:
Describe the implementation of NAT
Discuss source NAT, destination NAT, and static NAT
Describe the issues that arise when IPs overlap between sites
Discuss verification commands and common issues related to NAT

Agenda: Network Address Translation

Implementation of NAT
Source NAT
Destination NAT
Static NAT
Overlapping IP Addresses
Verification Commands and Common Issues

NAT Overview

Implementation of NAT
Source NAT
Destination NAT
Static NAT
Overlapping IPs between sites
Verification commands
Common Issues

NAT Guidelines

NAT is broken into a two-layer configuration
First layer is the rule-set, which matches on traffic direction
from (and, for source NAT, to): routing-instance, zone, or interface
Second layer is the rule, which matches on the actual packet information
Address (source, destination)
Port
Static NAT takes precedence over source and destination NAT
When rule-sets overlap, the most specific one wins: an interface match beats a zone match, and a zone match beats a routing-instance match
NAT rules and security policy are processed separately; a NAT rule never permits traffic on its own
Source NAT: Processing

Processed after route and security policy lookup
NAT and security policy are processed separately
Policy is written for pre-NAT (original, private) source addresses, because the source has not yet been translated when the policy is evaluated

Source NAT Types

Source NAT: Interface
Source NAT: Pool with PAT
Source NAT: Pool without PAT (port no-translation)
Source NAT: Address shifting

Source NAT: Interface
Configured under security nat source
[edit security nat source]
rule-set source_nat {
from zone trust;
to zone untrust;
rule source_nat_all {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}

Source NAT: Pool with PAT
[edit security nat source]
pool source_nat_pool {
address {
115.102.126.119/32;
}
}
rule-set source_nat_from_pool {
from zone trust;
to zone untrust;
rule 1 {
match {
source-address 10.1.10.0/24;
}
then {
source-nat {
pool {
source_nat_pool;
}
}
}
}
}
Source NAT: Pool Without PAT
[edit security nat source]
pool source_nat_pool_range {
address {
115.102.126.1/32 to 115.102.126.254/32;
}
port no-translation;
}
rule-set source_nat_pool_no_pat {
from zone trust;
to zone untrust;
rule 1 {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
pool {
source_nat_pool_range;
}
}
}
}
}
Source NAT: Overflow Pool

Useful when port translation is turned off and the pool might not hold enough addresses for all internal hosts
Once the primary pool is exhausted, new sessions are translated to the overflow pool (here the egress interface address, with port translation) instead of failing

[edit security nat source]
pool source_nat_pool_range {
address {
115.102.126.1/32 to 115.102.126.254/32;
}
port no-translation;
overflow-pool interface;
}

Source NAT: Pool Utilization Alarm

Can be notified by an SNMP trap when a pool reaches a given percentage of usage; the alarm clears when utilization falls below the clear threshold

[edit security nat source]
pool source_nat_pool_range {
address {
115.102.126.1/32 to 115.102.126.254/32;
}
port no-translation;
overflow-pool interface;
}
pool-utilization-alarm {
raise-threshold 80;
clear-threshold 60;
}

Source NAT: Address Shifting
[edit security nat source]
pool address_shift {
address {
115.102.126.1/32 to 115.102.126.254/32;
}
host-address-base 10.0.0.6/32;
}
rule-set shift_address_pool {
from zone trust;
to zone untrust;
rule 1 {
match {
source-address 10.0.0.0/24;
}
then {
source-nat {
pool {
address_shift;
}
}
}
}
}
Source NAT: Verification

Basic source NAT verification commands:

>show security flow session

>show security nat source rule <rule|all>

>show security nat source pool <pool|all>

>show security nat source summary

Source NAT: Persistent NAT

Allows an external host, when permitted by security policy, to initiate new sessions to an internal host through that host's translated (reflexive) address and port
The internal host keeps the same reflexive address until the inactivity timeout expires
Three options:
any-remote-host: any external host can initiate to the reflexive address; the internal host need not have contacted it first
This is the most permissive option and still requires a security policy permitting the inbound traffic
target-host: only external hosts the internal host has already sent traffic to can initiate back to the reflexive address
target-host-port: as target-host, but the external host may initiate only from the address and port the internal host contacted

Persistent NAT: Interface
Interface-based persistent NAT requires port overloading to be disabled on the interface
[edit security nat source]
interface {
port-overloading off;
}
rule-set source_persistent-NAT {
from zone trust;
to zone untrust;
rule persistent-return-traffic {
match {
source-address 101.10.11.0/24;
destination-address 30.20.10.0/24;
}
then {
source-nat {
interface {
persistent-nat {
permit target-host;
inactivity-timeout 1800;
}
}
}
}
}
}
Persistent NAT: Pool
[edit security nat source]
pool voip-clients {
address {
10.0.0.6/32;
}
}
rule-set voip-pool-NAT {
from zone trust;
to zone untrust;
rule voip-persistent-NAT {
match {
source-address 101.10.11.0/24;
destination-address 30.20.10.0/24;
}
then {
source-nat {
pool {
voip-clients;
persistent-nat {
permit target-host;
inactivity-timeout 360;
}
}
}
}
}
}
Persistent NAT Verification

Operational commands

>show security nat source persistent-nat-table <internal-ip <address>|all>

>clear security nat source persistent-nat-table <internal-ip <address>|all>

Address-Persistent

Address-persistent
Different from persistent-nat
Global option configured under [edit security nat source] as address-persistent
Ensures that all concurrent sessions from the same internal host are translated to the same pool address, rather than to whichever pool address happens to be free
Useful for applications that expect all of a client's sessions to share one source address

Destination NAT Rules

Processed before route and policy lookup
NAT and policy are processed separately
Policy is written for post-NAT (translated) destination addresses and ports, because the destination has already been rewritten when the policy is evaluated
Directional; can only use the from statement
Routing instance (virtual router)
Zone
Interface
Destination address might require proxy-arp

Destination NAT: Without PAT
[edit security nat destination]
pool destination_nat_pool {
address 10.0.0.6/32;
}
rule-set one_address_no_PAT {
from zone untrust;
rule to_web_server {
match {
destination-address 70.20.10.1/32;
}
then {
destination-nat {
pool {
destination_nat_pool;
}
}
}
}
}

Destination NAT: With PAT
[edit security nat destination]
pool destination_nat_pool {
address 10.0.0.6/32 port 8080;
}
rule-set one_address_with_PAT {
from zone untrust;
rule to_web_server {
match {
destination-address 70.20.10.1/32;
destination-port 80;
}
then {
destination-nat {
pool {
destination_nat_pool;
}
}
}
}
}
Proxy ARP

Used when translated addresses are not configured on the interface
Usually needed when using pools
Lets the interface answer ARP requests for those addresses as if they were its own; without it the upstream router never forwards packets for the translated addresses
Proxy-ARP addresses must belong to the subnet configured on that interface

[edit security nat]
proxy-arp {
interface ge-0/0/3.0 {
address {
100.1.0.10/32 to 100.1.0.20/32;
}
}
}
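As an added example that is not part of the original slides, the following configuration ties the destination NAT rules, the proxy-ARP requirement and the security-policy direction together in one deployment. The public address 203.0.113.10 (answered for on ge-0/0/0.0, whose own address is assumed to be 203.0.113.1/24), the internal server 10.0.0.6 listening on TCP 8080, and the zone, pool, address-book and policy names are assumptions for illustration.

```junos
/* Added example, not from the slides. Addresses, interface and names are assumed. */
security {
    nat {
        destination {
            pool web_server_8080 {
                /* post-NAT target: the real server and the real port */
                address 10.0.0.6/32 port 8080;
            }
            rule-set from_internet {
                from zone untrust;
                rule http_to_web_server {
                    match {
                        /* pre-NAT: what the Internet client actually sends to */
                        destination-address 203.0.113.10/32;
                        destination-port 80;
                    }
                    then {
                        destination-nat {
                            pool {
                                web_server_8080;
                            }
                        }
                    }
                }
            }
        }
        /* 203.0.113.10 is not an interface address, so the SRX must answer
           ARP for it; the upstream router otherwise never delivers the packets */
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    203.0.113.10/32;
                }
            }
        }
    }
    /* The policy is evaluated AFTER destination NAT, so it must name the
       translated address and the translated port, not 203.0.113.10 port 80 */
    policies {
        from-zone untrust to-zone trust {
            policy allow_web_inbound {
                match {
                    source-address any;
                    destination-address web_server_real;
                    application tcp-8080;
                }
                then {
                    permit;
                }
            }
        }
    }
    address-book {
        global {
            address web_server_real 10.0.0.6/32;
        }
    }
}
applications {
    application tcp-8080 {
        protocol tcp;
        destination-port 8080;
    }
}
```

After committing, confirm with `show security nat destination rule all` (the Translation hits counter for http_to_web_server must increase) and `show security flow session destination-prefix 10.0.0.6/32`; a session whose In wing is addressed to 203.0.113.10/80 and whose Out wing originates from 10.0.0.6/8080 proves that both the address and the port were rewritten. The inverse holds for source NAT: because it runs after policy lookup, its policy names the pre-NAT private source address.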

Destination NAT Verification

Basic destination NAT verification

>show security flow session

>show security nat destination pool <pool-name|all>

>show security nat destination rule <rule-name|all>

Static NAT Rules

Bidirectional: one rule translates the destination of inbound traffic and, in reverse, the source of outbound traffic from the same internal host
The inbound (destination) translation is processed before route and policy lookup; the reverse source translation is applied after policy lookup, like source NAT
NAT and security policy are processed separately
Policy is written for the real (post-NAT) address of the internal host in both directions
Directional; must include the from statement
Routing instance (virtual router)
Zone
Interface
Destination address might require proxy-arp

Static NAT
[edit security nat static]
rule-set static_nat {
from zone untrust;
rule two_way_nat {
match {
destination-address 100.0.0.1/32;
}
then {
static-nat prefix 10.0.0.6/32;
}
}
}

Overlapping Address Space

Both sites use the same prefix, so each side must see the other under a unique, non-overlapping alias prefix; this needs translation of both source and destination addresses
This can be accomplished in two ways
Static NAT on both devices that have the overlapping address space
Easier to configure if traffic needs to be initiated in either direction, because static NAT is bidirectional
Source and/or destination NAT on both devices that have the overlapping address space
Useful if traffic only needs to be initiated in one direction
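As an added example that is not part of the original slides, here is the first option carried through for two sites that both use 10.0.0.0/24 and are joined by a route-based IPsec VPN that is assumed to be already up. The tunnel interface st0.0, its zone name vpn, the alias prefixes 172.16.1.0/24 (Site A as seen from Site B) and 172.16.2.0/24 (Site B as seen from Site A), and all rule, address-book and policy names are assumptions. SRX-A is shown in full; SRX-B is the mirror image with the alias prefixes swapped.

```junos
/* Added example, not from the slides: SRX-A at Site A. Names, zone vpn,
   st0.0 and the 172.16.x.0/24 alias prefixes are assumed. */
security {
    nat {
        static {
            rule-set from_site_b {
                from zone vpn;
                rule site_a_alias {
                    match {
                        /* Site B addresses Site A hosts as 172.16.1.x ... */
                        destination-address 172.16.1.0/24;
                    }
                    then {
                        /* ... which maps 1:1 onto the real 10.0.0.x hosts.
                           Match and prefix must use the same mask length.
                           Static NAT is bidirectional: packets from 10.0.0.x
                           towards zone vpn leave with source 172.16.1.x */
                        static-nat {
                            prefix {
                                10.0.0.0/24;
                            }
                        }
                    }
                }
            }
        }
    }
    address-book {
        global {
            address local_lan 10.0.0.0/24;
            address site_b_alias 172.16.2.0/24;
        }
    }
    policies {
        /* both policies name Site A's REAL addresses and Site B's ALIAS:
           the inbound policy sees the post-NAT destination, the outbound
           policy sees the not-yet-translated source */
        from-zone trust to-zone vpn {
            policy to_site_b {
                match {
                    source-address local_lan;
                    destination-address site_b_alias;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone trust {
            policy from_site_b {
                match {
                    source-address site_b_alias;
                    destination-address local_lan;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
routing-options {
    static {
        /* Site B is reached only under its alias, never as 10.0.0.0/24 */
        route 172.16.2.0/24 next-hop st0.0;
    }
}
/* SRX-B differs only in the swapped aliases:
   static rule matches destination 172.16.2.0/24 -> prefix 10.0.0.0/24,
   address site_a_alias 172.16.1.0/24, route 172.16.1.0/24 next-hop st0.0 */
```

Walking one session through: host 10.0.0.5 at Site A connects to 172.16.2.7. SRX-A routes the packet into st0.0 and, because this is the reverse direction of rule site_a_alias, rewrites the source to 172.16.1.5. SRX-B's mirror rule rewrites the destination 172.16.2.7 to 10.0.0.7, and the reply undergoes the same two translations in reverse. A session started from Site B works identically, which is why static NAT is the simpler choice when either side may initiate. st0.0 is point-to-point, so no proxy-ARP is involved; if the alias prefix instead faced an Ethernet segment, a proxy-arp entry for it would be required. `show security nat static rule all` on each SRX should show Translation hits climbing as traffic flows.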

NAT Verification Commands
Common show commands
>show security nat source pool
>show security nat source rule
>show security nat destination pool
>show security nat destination rule
>show security nat static rule
>show security nat proxy-arp

Traceoptions
#set security nat traceoptions flag all
#set security flow traceoptions flag basic-datapath
Always scope flow traceoptions with a packet-filter and write them to a named file; an unfiltered datapath trace on a busy device can exhaust storage and CPU

Common Issues

Packet processing sequence
Understanding where NAT is applied
Destination NAT occurs prior to route and policy lookup
Source NAT occurs after route and policy lookup
Static NAT always takes precedence over any other type of NAT
If no session is building, check the rule hit counters and pools to determine whether you are getting translation hits
If no session is building, check proxy-arp (and that the upstream router actually holds an ARP entry for the translated address)
Needing compound match criteria
You can add multiple rule-set match criteria to match multiple routing-instances, zones, or interfaces
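An added example, not from the slides, of how a practitioner scopes the trace options named on the previous slide to a single translated session before working through the checks above. The client 10.0.0.5, the remote server 198.51.100.20, the egress interface address 203.0.113.1 used for interface-based source NAT, and the file names are assumptions.

```junos
/* Added example, not from the slides: scoped NAT troubleshooting.
   Hosts, interface address and file names are assumed. */
security {
    nat {
        traceoptions {
            file nat-trace size 2m files 3;
            flag all;
        }
    }
    flow {
        traceoptions {
            file flow-trace size 10m files 3;
            flag basic-datapath;
            /* packet-filters match headers as the packet ARRIVES, i.e. before
               NAT in each direction, so the return-direction filter must name
               the translated (interface) address, not the client */
            packet-filter client-to-server {
                source-prefix 10.0.0.5/32;
                destination-prefix 198.51.100.20/32;
            }
            packet-filter server-to-client {
                source-prefix 198.51.100.20/32;
                destination-prefix 203.0.113.1/32;
            }
        }
    }
}
```

After committing, reproduce the session from 10.0.0.5 and follow the processing sequence: `show security nat source rule all` must show the Translation hits counter of the matching rule increasing (if it does not, the rule-set direction or the match criteria are wrong); `show security nat source pool all` shows whether the pool still has free addresses or ports; `show security flow session source-prefix 10.0.0.5/32` shows the In and Out wings with the translated address; `show log flow-trace` shows, for each filtered packet, the route lookup, the policy lookup and the NAT applied. Delete the traceoptions with `delete security flow traceoptions` when finished, since they persist in the configuration otherwise.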

Summary

In this content, we:
Described the implementation of NAT
Discussed source NAT, destination NAT, and static NAT
Described the issues that arise when IPs overlap between sites
Discussed verification commands and common issues related to NAT

Network Address Translation Lab

Implement source, destination, and static NAT.
Verify your NAT deployment.
