Sunday, 22 April 2018

Making Use of Multiple Public IP addresses - Static NAT - Juniper SRX

Here's a little blog post on an application for making use of multiple external public IP addresses. It seems simple now that I know, but, like with many things, if you don't know it can be frustrating trying to find the answer; so if someone stumbles across this blog post and it helps them, then it's done its job.

When you buy a business internet connection, in my case a VDSL broadband service, you have the option of a static IP address or perhaps multiple static IP addresses. The classic use for these static IP addresses is "mapping" one of them to the internal IP address of a server / appliance without using port forwarding. Port forwarding is great, but you can't forward the same port to two different servers, so it's trickier to build in resiliency. Having additional public IP addresses gets around this problem.

So how do you actually do it? The principle is straightforward. You use Static NAT in your edge router / firewall so that when it receives traffic destined for a particular public IP address it forwards the traffic to a defined private IP address, i.e., all traffic destined for 1.2.3.4 is forwarded to 192.168.1.100. This also applies in reverse: traffic from 192.168.1.100 is translated to 1.2.3.4 when it goes out to the public internet.

The reason this was ever in question for me was that, try as I might, I couldn't get the ISP-supplied router to do this. It's a Huawei HG633 and there is no option to configure Static NAT. There are weird things like multi-NAT, one-to-many NAT and other variants, some of which sound like they should work, none of which I could get to work.

And then enter my new SRX110, which I am loving more and more as I use it.

A great page from Juniper detailing how static NAT works, with a configuration example, and it was working in all of 20 minutes. I love the way the page gives all the information you need to understand the feature and get it working: a description, a simple picture, a dump of all the commands you need, and then a step by step showing what each section of the configuration does. Ace.
https://www.juniper.net/documentation/en_US/junos/topics/example/nat-security-static-single-address-translation-configuring.html

I've pasted the picture and quick commands below just in case Juniper does something silly like changing the URL. Obviously, all credit goes to Juniper for the below; this good work is not mine, I'm just reposting it for reference:

[Figure: Static NAT Single Address Translation]


Quick Configuration:

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security nat static rule-set rs1 from zone untrust
set security nat static rule-set rs1 rule r1 match destination-address 203.0.113.200/32
set security nat static rule-set rs1 rule r1 then static-nat prefix 192.168.1.200/32
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.200/32
set security address-book global address server-1 192.168.1.200/32
set security policies from-zone trust to-zone untrust policy permit-all match source-address server-1
set security policies from-zone trust to-zone untrust policy permit-all match destination-address any
set security policies from-zone trust to-zone untrust policy permit-all match application any
set security policies from-zone trust to-zone untrust policy permit-all then permit
set security policies from-zone untrust to-zone trust policy server-access match source-address any
set security policies from-zone untrust to-zone trust policy server-access match destination-address server-1
set security policies from-zone untrust to-zone trust policy server-access match application any
set security policies from-zone untrust to-zone trust policy server-access then permit
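As an added example (not code from this blog or from Juniper), the generator below extends Juniper's single-address configuration to the multiple-public-IP case the post is about: one static NAT rule, proxy-ARP entry, address-book entry and pair of policies per mapping. The rule-set name rs1, the zone names trust/untrust, the interface ge-0/0/0.0 and the sample addresses are assumptions; "application any" mirrors the page, and junos-https is a predefined Junos application you can pass instead to narrow the inbound policy.

```python
# Added example, not code from the blog post or from Juniper: builds the Junos 'set'
# commands of the page's single-address example for several one-to-one mappings.
# Rule-set name rs1, zone names trust/untrust, interface ge-0/0/0.0 and the sample
# addresses below are assumptions; adjust them to the real network.
import ipaddress

def static_nat_commands(mappings, interface="ge-0/0/0.0", application="any"):
    """mappings: iterable of (name, public_ip, private_ip); returns a list of 'set' lines.

    Static NAT is one-to-one and bidirectional, so a public or private address
    may appear only once; a reused, malformed or non-private inside address raises ValueError.
    """
    seen = set()
    lines = ["set security nat static rule-set rs1 from zone untrust"]
    for n, (name, public_ip, private_ip) in enumerate(mappings, start=1):
        pub = ipaddress.ip_address(public_ip)    # ValueError on malformed input
        priv = ipaddress.ip_address(private_ip)
        if pub in seen or priv in seen:
            raise ValueError(f"address reused in mapping {name!r}")
        if not priv.is_private:
            raise ValueError(f"{priv} is not a private address")
        seen.update((pub, priv))
        rule = f"set security nat static rule-set rs1 rule r{n}"
        inbound = f"set security policies from-zone untrust to-zone trust policy {name}-access"
        outbound = f"set security policies from-zone trust to-zone untrust policy {name}-out"
        lines += [
            f"{rule} match destination-address {pub}/32",
            f"{rule} then static-nat prefix {priv}/32",
            # the SRX must answer ARP for the extra public address on the untrust interface
            f"set security nat proxy-arp interface {interface} address {pub}/32",
            f"set security address-book global address {name} {priv}/32",
            # static NAT runs before policy lookup, so the inbound policy matches the private address
            f"{inbound} match source-address any",
            f"{inbound} match destination-address {name}",
            f"{inbound} match application {application}",
            f"{inbound} then permit",
            f"{outbound} match source-address {name}",
            f"{outbound} match destination-address any",
            f"{outbound} match application any",
            f"{outbound} then permit",
        ]
    return lines

# Constructed sample: two public addresses (documentation range) mapped to two internal servers.
SAMPLE = [("web-1", "203.0.113.200", "192.168.1.200"),
          ("web-2", "203.0.113.201", "192.168.1.201")]

if __name__ == "__main__":
    print("\n".join(static_nat_commands(SAMPLE, application="junos-https")))
```

Paste the printed lines at the [edit] hierarchy level and commit, as Juniper's quick-configuration text describes.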
