ALEXANDRU MINZAT
D-NAT
FIREWALLS
DESTINATION NAT
FIREWALLS
1. PUBLIC IP VS PRIVATE IP
2. WHAT IS NAT?
3. TYPES OF NAT
4. NAT PROCESSING ORDER
5. HOW DOES DESTINATION NAT WITH A SINGLE IP TRANSLATION WORK?
6. CONFIGURING D-NAT WITH SINGLE IP TRANSLATION
7. HOW DOES D-NAT WITH SUBNET TRANSLATION WORK?
8. CONFIGURING D-NAT WITH SUBNET TRANSLATION
9. HOW DOES D-NAT WITH PORT TRANSLATION WORK?
10. CONFIGURING D-NAT WITH PORT TRANSLATION
NAT
PUBLIC VS PRIVATE IP
PRIVATE IP:
• CANNOT BE ROUTED OVER THE INTERNET
• UNIQUE IN A SINGLE NETWORK, CAN BE REUSED IN OTHER NETWORKS
• AN ISP CAN ASSIGN A SINGLE IP ADDRESS TO MULTIPLE CUSTOMERS
• Class A - 10.0.0.0 to 10.255.255.255
• Class B - 172.16.0.0 to 172.31.255.255
• Class C - 192.168.0.0 to 192.168.255.255
PUBLIC IP:
• CAN BE ROUTED OVER THE INTERNET
• UNIQUE IPS
• Class A - 1.0.0.0 to 9.255.255.255 and 11.0.0.0 to 126.255.255.255
• Class B - 128.0.0.0 to 172.15.255.255 and 172.32.0.0 to 191.255.255.255
• Class C - 192.0.0.0 to 192.167.255.255 and 192.169.0.0 to 223.255.255.255
NAT
WHAT IS NAT?
• NETWORK ADDRESS TRANSLATION
• USED TO TRANSLATE A PUBLIC IP INTO A PRIVATE IP, THUS FACILITATING ROUTING FROM THE INTERNET INTO A PRIVATE NETWORK OR VICE-VERSA
• CAN BIND A SINGLE IP TO MULTIPLE IPS BY USING DIFFERENT PORT NUMBERS
• CAN MODIFY ONLY THE SOURCE ADDRESS OF A PACKET, OR ONLY THE DESTINATION ADDRESS OF A PACKET
NAT
TYPES OF NAT
• EACH TYPE OF NAT CAN BE IMPLEMENTED IN MULTIPLE WAYS
• DESTINATION NAT - TRANSLATING DESTINATION ADDRESS OF A PACKET
• SOURCE NAT - TRANSLATING SOURCE IP ADDRESS OF A PACKET
• STATIC NAT - TRANSLATING AN IP ADDRESS
NAT
NAT PROCESSING ORDER
1. STATIC NAT (NO MATCH: CONTINUE)
2. DESTINATION NAT (NO MATCH: CONTINUE)
3. ROUTE LOOKUP
4. POLICY LOOKUP - PERMIT? NO: DROP THE PACKET; YES: CONTINUE
5. REVERSE STATIC NAT
6. SOURCE NAT
D-NAT
D-NAT WITH SINGLE IP TRANSLATION
TOPOLOGY: INSIDE - INT 1: 192.168.1.1/24 - FIREWALL - INT 2: 12.13.14.1/24 - OUTSIDE
INCOMING PACKET (FROM OUTSIDE):
- SOURCE 12.13.14.2, DESTINATION 33.33.33.2
- AFTER D-NAT: SOURCE 12.13.14.2, DESTINATION 192.168.1.2
D-NAT IS ALLOWING THE DESTINATION IP ADDRESS OF THE PACKET TO BE TRANSLATED INTO ANOTHER IP
IN JUNOS DESTINATION NAT IS APPLIED AS A POLICY
D-NAT WILL WORK ONLY FOR INCOMING TRAFFIC
DESTINATION NAT WILL:
- TRANSLATE THE DESTINATION IP OF THE INCOMING PACKET WITH THE CONFIGURED IP
RULE: IF THE SOURCE INTERFACE IS INT 2 AND THE DESTINATION IP IS 33.33.33.2, THEN USE THE NEW DESTINATION IP 192.168.1.2
RETURN PACKET (FROM INSIDE):
- SOURCE 192.168.1.2, DESTINATION 12.13.14.2
- AFTER REVERSE TRANSLATION: SOURCE 33.33.33.2, DESTINATION 12.13.14.2
D-NAT
D-NAT WITH SINGLE IP TRANSLATION
D-NAT:
set security nat destination pool DNAT address 192.168.1.2/32
set security nat destination rule-set DNAT from interface ge-0/0/0.0
set security nat destination rule-set DNAT rule r1 match destination-address 33.33.33.2/32
set security nat destination rule-set DNAT rule r1 then destination-nat pool DNAT
set security nat proxy-arp interface ge-0/0/0.0 address 33.33.33.2/32
set security address-book global address REAL_IP 192.168.1.2/32
TRAFFIC POLICY:
set security policies from-zone OUTSIDE to-zone INSIDE policy OUT-to-IN match source-address any
set security policies from-zone OUTSIDE to-zone INSIDE policy OUT-to-IN match destination-address REAL_IP
set security policies from-zone OUTSIDE to-zone INSIDE policy OUT-to-IN match application any
set security policies from-zone OUTSIDE to-zone INSIDE policy OUT-to-IN then permit
INCOMING TRAFFIC (OUTSIDE -> INSIDE, ARRIVING ON ge-0/0/0, 12.13.14.1):
- PACKET: SOURCE 12.13.14.2, DESTINATION 33.33.33.2
- DESTINATION NAT: SOURCE 12.13.14.2, DESTINATION 192.168.1.2
- ROUTE LOOKUP: A ROUTE FOR THE REAL IP SHOULD BE PRESENT
- POLICY LOOKUP: A POLICY FOR THE REAL IP SHOULD BE PRESENT (IF MATCH: PERMIT, IF NO MATCH: DENY)
RETURN TRAFFIC (INSIDE -> OUTSIDE):
- PACKET: SOURCE 192.168.1.2, DESTINATION 12.13.14.2
- SESSION REVERSE TRANSLATION: SOURCE 33.33.33.2, DESTINATION 12.13.14.2
DNAT WILL TRANSLATE ONLY THE DESTINATION IP FOR THE INCOMING PACKET
SINCE WE ARE USING A STATEFUL FIREWALL, IT WILL KNOW THAT THE RETURN TRAFFIC SHOULD BE ALLOWED - NO POLICY NEEDED FOR RETURN TRAFFIC
D-NAT
D-NAT WITH SUBNET TRANSLATION
TOPOLOGY: INSIDE - INT 1: 192.168.1.1/24 - FIREWALL - INT 2: 12.13.14.1/24 - OUTSIDE
INCOMING PACKET (FROM OUTSIDE):
- SOURCE 12.13.14.2, DESTINATION 33.33.33.2
- AFTER D-NAT: SOURCE 12.13.14.2, DESTINATION 192.168.1.2
D-NAT IS ALLOWING THE DESTINATION IP ADDRESS OF THE PACKET TO BE TRANSLATED INTO ANOTHER IP, FROM A POOL OF IP ADDRESSES
IN JUNOS DESTINATION NAT IS APPLIED AS A POLICY
D-NAT WILL WORK ONLY FOR INCOMING TRAFFIC
DESTINATION NAT WILL:
- TRANSLATE THE DESTINATION IP OF THE INCOMING PACKET WITH THE CONFIGURED IP POOL
- THE RETURNED PACKET WILL NOT BE CHANGED
RULE: IF THE DESTINATION IP IS 33.33.33.2, THEN USE A DESTINATION IP FROM THE POOL 192.168.1.0/24
RETURN PACKET (FROM INSIDE):
- SOURCE 192.168.1.2, DESTINATION 12.13.14.2
- AFTER REVERSE TRANSLATION: SOURCE 33.33.33.2, DESTINATION 12.13.14.2
D-NAT
D-NAT WITH SUBNET TRANSLATION
D-NAT:
set security nat destination pool DNAT address 192.168.1.0/24
set security nat destination rule-set DNAT from interface ge-0/0/0.0
set security nat destination rule-set DNAT rule r1 match destination-address 33.33.33.0/24
set security nat destination rule-set DNAT rule r1 then destination-nat pool DNAT
set security nat proxy-arp interface ge-0/0/0.0 address 33.33.33.1/32 to 33.33.33.254/32
set security address-book global address REAL_IP 192.168.1.0/24
TRAFFIC POLICY:
set security policies from-zone OUTSIDE to-zone INSIDE policy OUT-to-IN match source-address any
set security policies from-zone OUTSIDE to-zone INSIDE policy OUT-to-IN match destination-address REAL_IP
set security policies from-zone OUTSIDE to-zone INSIDE policy OUT-to-IN match application any
set security policies from-zone OUTSIDE to-zone INSIDE policy OUT-to-IN then permit
INCOMING TRAFFIC (OUTSIDE -> INSIDE, ARRIVING ON ge-0/0/0, 12.13.14.1):
- PACKET: SOURCE 12.13.14.2, DESTINATION 33.33.33.2
- DESTINATION NAT: SOURCE 12.13.14.2, DESTINATION 192.168.1.2
- ROUTE LOOKUP: A ROUTE FOR THE REAL IP SHOULD BE PRESENT
- POLICY LOOKUP: A POLICY FOR THE REAL IP SHOULD BE PRESENT (IF MATCH: PERMIT, IF NO MATCH: DENY)
RETURN TRAFFIC (INSIDE -> OUTSIDE):
- PACKET: SOURCE 192.168.1.2, DESTINATION 12.13.14.2
- SESSION REVERSE TRANSLATION: SOURCE 33.33.33.2, DESTINATION 12.13.14.2
DNAT WILL TRANSLATE ONLY THE DESTINATION IP FOR THE INCOMING PACKET
SINCE WE ARE USING A STATEFUL FIREWALL, IT WILL KNOW THAT THE RETURN TRAFFIC SHOULD BE ALLOWED - NO POLICY NEEDED FOR RETURN TRAFFIC
D-NAT
D-NAT WITH PAT
TOPOLOGY: INSIDE - INT 1: 192.168.1.1/24 - FIREWALL - INT 2: 12.13.14.1/24 - OUTSIDE
INCOMING PACKET (FROM OUTSIDE):
- SOURCE 12.13.14.2, DESTINATION 33.33.33.2, DESTINATION PORT 100
- AFTER D-NAT: SOURCE 12.13.14.2, DESTINATION 192.168.1.2, DESTINATION PORT 200
D-NAT IS ALLOWING THE DESTINATION IP ADDRESS AND PORT OF THE PACKET TO BE TRANSLATED INTO ANOTHER IP AND PORT, FROM A POOL OF IP ADDRESSES OR TO A SINGLE IP ADDRESS
IN JUNOS DESTINATION NAT IS APPLIED AS A POLICY
D-NAT WILL WORK ONLY FOR INCOMING TRAFFIC
DESTINATION NAT WILL:
- TRANSLATE THE DESTINATION IP OF THE INCOMING PACKET WITH THE CONFIGURED IP POOL OR WITH A SINGLE ADDRESS
- THE RETURNED PACKET WILL NOT BE CHANGED
RULE: IF THE DESTINATION IP IS 33.33.33.2 AND THE DESTINATION PORT IS 100, THEN USE A DESTINATION IP FROM THE POOL 192.168.1.0/24 AND THE DESTINATION PORT 200
D-NAT
D-NAT WITH PAT
D-NAT:
set security nat destination pool DNAT address 192.168.1.2/32 port 200
set security nat destination rule-set DNAT from interface ge-0/0/0.0
set security nat destination rule-set DNAT rule r1 match destination-address 33.33.33.2/32
set security nat destination rule-set DNAT rule r1 match destination-port 100
set security nat destination rule-set DNAT rule r1 then destination-nat pool DNAT
set security nat proxy-arp interface ge-0/0/0.0 address 33.33.33.2/32
set security address-book global address REAL_IP 192.168.1.2/32
TRAFFIC POLICY:
set security policies from-zone OUTSIDE to-zone INSIDE policy OUT-to-IN match source-address any
set security policies from-zone OUTSIDE to-zone INSIDE policy OUT-to-IN match destination-address REAL_IP
set security policies from-zone OUTSIDE to-zone INSIDE policy OUT-to-IN match application any
set security policies from-zone OUTSIDE to-zone INSIDE policy OUT-to-IN then permit
INCOMING TRAFFIC (OUTSIDE -> INSIDE, ARRIVING ON ge-0/0/0, 12.13.14.1):
- PACKET: SOURCE 12.13.14.2, SOURCE PORT 5074, DESTINATION 33.33.33.2, DESTINATION PORT 100
- DESTINATION NAT: SOURCE 12.13.14.2, SOURCE PORT 5074, DESTINATION 192.168.1.2, DESTINATION PORT 200
- ROUTE LOOKUP: A ROUTE FOR THE REAL IP SHOULD BE PRESENT
- POLICY LOOKUP: A POLICY FOR THE REAL IP SHOULD BE PRESENT (IF MATCH: PERMIT, IF NO MATCH: DENY)
RETURN TRAFFIC (INSIDE -> OUTSIDE):
- PACKET: SOURCE 192.168.1.2, SOURCE PORT 200, DESTINATION 12.13.14.2, DESTINATION PORT 5074
- SESSION REVERSE TRANSLATION: SOURCE 33.33.33.2, SOURCE PORT 100, DESTINATION 12.13.14.2, DESTINATION PORT 5074
DNAT WILL TRANSLATE ONLY THE DESTINATION IP AND PORT FOR THE INCOMING PACKET
SINCE WE ARE USING A STATEFUL FIREWALL, IT WILL KNOW THAT THE RETURN TRAFFIC SHOULD BE ALLOWED - NO POLICY NEEDED FOR RETURN TRAFFIC
D-NAT
TROUBLESHOOTING
DESTINATION NAT -> ROUTE LOOKUP -> POLICY LOOKUP -> PERMIT
A ROUTE FOR THE REAL IP SHOULD BE PRESENT
A POLICY FOR THE REAL IP SHOULD BE PRESENT
1. CONFIG CORRECTLY APPLIED?
   NO -> FIX THE CONFIG
   YES -> YOU CAN VIEW THE STATISTICS: show security nat destination rule X
2. IS THE ROUTE FOR THE NATED IP PRESENT?
   NO -> ADD THE ROUTE
3. IS THE POLICY PRESENT FOR THE NATED IP?
   NO -> FIX OR ADD THE POLICY
4. NAT IS WORKING?
   NO -> REPEAT THE CHECKS ABOVE
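The processing order above (destination NAT, then route lookup, then policy lookup, with the session reversing the translation for return traffic) and the three D-NAT variants can be walked through in a small simulation. This is an added example, not Junos code or code from the deck; the rule-set, routes, policy and addresses are taken from the slides, and `dnat`, `forward`, `reverse` and the rule tuples are constructed for the illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the SRX flow on the slides: destination NAT, then route
# lookup, then policy lookup, with the session table used to un-translate the
# return packet. Addresses, rule-set and policy values come from the slides;
# the simulation itself is an added example, not Junos code.
DNAT_RULES = [  # (from interface, match dst, match dst port, pool, pool port)
    ("ge-0/0/0.0", "33.33.33.2/32", 100, "192.168.1.2/32", 200),   # PAT rule
    ("ge-0/0/0.0", "33.33.33.0/24", None, "192.168.1.0/24", None), # subnet rule
]
ROUTES = ["192.168.1.0/24", "12.13.14.0/24"]        # route for the real IP
POLICY_DST = ["192.168.1.0/24"]  # OUT-to-IN destination-address REAL_IP
SESSIONS = {}

def dnat(ingress, dst, dport):
    """Apply the first matching D-NAT rule; a subnet pool keeps the host part."""
    for iface, m_net, m_port, p_net, p_port in DNAT_RULES:
        net = ip_network(m_net)
        if iface != ingress or ip_address(dst) not in net:
            continue
        if m_port is not None and m_port != dport:
            continue
        # Offset inside the matched prefix is preserved (33.33.33.2 -> 192.168.1.2).
        offset = int(ip_address(dst)) - int(net.network_address)
        new_dst = str(ip_network(p_net).network_address + offset)
        return new_dst, (dport if p_port is None else p_port)
    return dst, dport  # no rule matched: destination is left untranslated

def forward(ingress, src, sport, dst, dport, policy_dst=POLICY_DST):
    """Incoming packet: D-NAT -> route lookup -> policy lookup -> session."""
    new_dst, new_dport = dnat(ingress, dst, dport)
    if not any(ip_address(new_dst) in ip_network(r) for r in ROUTES):
        return "deny: no route for real IP"
    # The policy is evaluated on the translated (real) IP, not the public one.
    if not any(ip_address(new_dst) in ip_network(p) for p in policy_dst):
        return "deny: no policy for real IP"
    # Key the session on the reply tuple so return traffic can be reversed.
    SESSIONS[(new_dst, new_dport, src, sport)] = (dst, dport)
    return f"permit {src}:{sport} -> {new_dst}:{new_dport}"

def reverse(src, sport, dst, dport):
    """Return packet: the session restores the public IP/port; no policy needed."""
    if (src, sport, dst, dport) not in SESSIONS:
        return "deny: no session"
    pub_ip, pub_port = SESSIONS[(src, sport, dst, dport)]
    return f"permit {pub_ip}:{pub_port} -> {dst}:{dport}"
```

Passing a policy written for the public address (for example `policy_dst=["33.33.33.2/32"]`) makes `forward` deny the packet, which is the misconfiguration the troubleshooting checklist's policy step catches.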
LET'S JUMP TO THE LAB