We have already learned how to configure source NAT with the Egress Interface Address (masquerade) method on interface ge-0/0/1.0. Now, for interface ge-0/0/2.0, we will configure source NAT with the pool method. With that in place, client PC2 and R-client will be able to ping Cisco-R2 and the other devices.
First, we define the pool of IP addresses that Cisco-R1 will see as the translated sources, for example 10.111.111.0/24. Next, on Cisco-R1, add a static route for 10.111.111.0/24 via 10.11.11.2, so that replies to the pool addresses are routed back to the SRX (the pool addresses are not configured on any interface, so without this route Cisco-R1 has no idea where to send them). Just one line of command, no need for more. :)
Cisco-R1(config)#ip route 10.111.111.0 255.255.255.0 10.11.11.2
Configuration on the Junos SRX
First, ping from PC2 so the difference before and after NAT is visible. This is the result before NAT.
Yup. Next, configure the NAT.
root# top
root# edit security nat source
root# set pool POOL_IP_NAT address 10.111.111.1 to 10.111.111.254
root# top
root# edit security nat source rule-set loc2-to-net
root# set from zone loc2
root# set to zone net
root# set rule source-nat-rule2
root# edit rule source-nat-rule2
root# set match source-address 192.168.200.0/24
root# set match destination-address 0.0.0.0/0
root# set then source-nat pool POOL_IP_NAT
Set the security policy. Note that after "top" you are at the root of the configuration hierarchy, so the edit path must include "security policies" (a bare "edit from-zone ..." only works when you are already inside [edit security policies]):
root# top
root# edit security policies from-zone loc2 to-zone net
root# set policy loc2-to-net match source-address any
root# set policy loc2-to-net match destination-address any
root# set policy loc2-to-net match application any
root# set policy loc2-to-net then permit
This policy permits everything from zone loc2 to zone net, which is fine for a lab; in a real deployment, match only the applications that are actually needed. Because this is source NAT, the policy is matched against the pre-translation address (192.168.200.0/24), so nothing in the policy needs to reference the pool range.
root# commit check
configuration check succeeds
root# commit
commit complete
Ping again from PC2.
Now the difference is visible: Cisco-R1 sees the traffic arriving from an address in 10.111.111.0/24 instead of from 192.168.200.0/24. On the SRX you can confirm this with "show security nat source rule all" (the translation hit counter per rule) and "show security flow session" (the translated source address of each session).
NAT OFF option
Junos has a NAT OFF option. If we want one or more IPs in the 192.168.200.0 network (or a particular destination IP) not to be NATed, we use this NAT OFF option. Rules in a rule-set are evaluated top to bottom and the first match wins, so the NAT-OFF rule must be placed above source-nat-rule2; otherwise source-nat-rule2, which matches all of 192.168.200.0/24 to any destination, would always win and NAT-OFF would never be reached. To get that order, first delete the previous rule (source-nat-rule2) and recreate it after NAT-OFF. (Junos can also reorder rules without deleting them: after creating NAT-OFF, run "insert security nat source rule-set loc2-to-net rule NAT-OFF before rule source-nat-rule2".)
root# top
root# edit security nat source rule-set loc2-to-net
root# delete rule source-nat-rule2
Next, create the NAT-OFF rule.
root# set rule NAT-OFF
root# edit rule NAT-OFF
root# set match source-address 192.168.200.3/32
root# set match destination-address 10.33.33.1/32
root# set then source-nat off
With the NAT-OFF rule created, recreate rule source-nat-rule2.
root# top
root# edit security nat source rule-set loc2-to-net
root# set rule source-nat-rule2
root# set rule source-nat-rule2 match source-address 192.168.200.0/24
root# set rule source-nat-rule2 match destination-address 0.0.0.0/0
root# set rule source-nat-rule2 then source-nat pool POOL_IP_NAT
So the NAT OFF rule matches only source address 192.168.200.3 going to destination address 10.33.33.1; everything else from 192.168.200.0/24 hits the source NAT pool rule. Keep in mind that traffic matched by NAT-OFF leaves the SRX with its real source address, so the devices on the path to 10.33.33.1 need a route back to 192.168.200.0/24; if they only know the pool range, the reply never returns and the ping fails even though the rule matched. Let's test. R-Client has been configured with IP address 192.168.200.3.
Nice... it works.
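To make the ordering point concrete, here is a small added example (it is not from the original post and not Juniper code): a Python model of how a source-NAT rule-set is walked, first match wins, top to bottom. The rule names, prefixes and pool come from the configuration above; the pool address selection is a simplification written for illustration and does not mirror the SRX's real allocation logic. The shadowed() check is the one a practitioner wants before committing: it flags any rule that an earlier, broader rule makes unreachable, which is exactly what happens if NAT-OFF is appended after source-nat-rule2.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not part of the original post: a minimal model of Junos SRX
# source-NAT rule-set evaluation (first matching rule wins, top to bottom).
# Rule names, prefixes and the pool are taken from the post; the pool address
# selection is a simplification, not the SRX's actual allocation behaviour.


@dataclass
class SourceNatRule:
    name: str
    source: str           # match source-address, e.g. "192.168.200.0/24"
    destination: str      # match destination-address, e.g. "0.0.0.0/0"
    action: str           # "off" (then source-nat off) or "pool:<name>"

    def matches(self, src: str, dst: str) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.source)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.destination))


@dataclass
class Pool:
    name: str
    first: str            # "address <first> to <last>" in the post's config
    last: str

    def pick(self, src: str) -> str:
        # Simplified: spread hosts over the pool by their address value.
        lo = int(ipaddress.ip_address(self.first))
        hi = int(ipaddress.ip_address(self.last))
        size = hi - lo + 1
        return str(ipaddress.ip_address(lo + int(ipaddress.ip_address(src)) % size))


class SourceNatRuleSet:
    def __init__(self, rules: List[SourceNatRule], pools: List[Pool]):
        self.rules = rules
        self.pools = {p.name: p for p in pools}

    def translate(self, src: str, dst: str) -> Tuple[Optional[str], str]:
        """Return (name of the rule that matched, translated source address)."""
        for rule in self.rules:
            if not rule.matches(src, dst):
                continue
            if rule.action == "off":
                return rule.name, src            # leave the real source intact
            pool = self.pools[rule.action.split(":", 1)[1]]
            return rule.name, pool.pick(src)
        return None, src                         # no rule: no translation

    def shadowed(self) -> List[str]:
        """Names of rules that can never match because an earlier rule covers them."""
        out = []
        for i, later in enumerate(self.rules):
            for earlier in self.rules[:i]:
                src_covered = ipaddress.ip_network(later.source).subnet_of(
                    ipaddress.ip_network(earlier.source))
                dst_covered = ipaddress.ip_network(later.destination).subnet_of(
                    ipaddress.ip_network(earlier.destination))
                if src_covered and dst_covered:
                    out.append(later.name)
                    break
        return out


POOL = Pool("POOL_IP_NAT", "10.111.111.1", "10.111.111.254")
NAT_OFF = SourceNatRule("NAT-OFF", "192.168.200.3/32", "10.33.33.1/32", "off")
POOL_RULE = SourceNatRule("source-nat-rule2", "192.168.200.0/24", "0.0.0.0/0",
                          "pool:POOL_IP_NAT")

# Order as the post builds it: NAT-OFF first, then the pool rule.
CORRECT = SourceNatRuleSet([NAT_OFF, POOL_RULE], [POOL])
# What you get if source-nat-rule2 is kept and NAT-OFF is simply appended after it.
MISORDERED = SourceNatRuleSet([POOL_RULE, NAT_OFF], [POOL])

if __name__ == "__main__":
    for name, rs in (("correct", CORRECT), ("misordered", MISORDERED)):
        print(name, rs.translate("192.168.200.3", "10.33.33.1"),
              "shadowed:", rs.shadowed())
```

Run it as a script to see that in the correct order 192.168.200.3 to 10.33.33.1 hits NAT-OFF and keeps its address, while in the misordered set the same packet is translated into the pool and shadowed() reports NAT-OFF as unreachable. The real SRX gives the same first-match result; the pool address it chooses will differ.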
Note
For some reason the NAT-OFF rule is somewhat hard to get working. Maybe there is a bug in GNS3 or in Junos. Who knows... But there is a small trick. For the NAT-OFF rule, first create only the "set match destination-address" part, then commit (apply). Do a ping test... if it succeeds, continue by adding "set match source-address", and commit (apply) again. This usually works.
Addendum
Here is some additional theory that is worth reading. Taken from a neighbouring site... :)
The Juniper SRX offers 3 main types of NAT. These are source, destination and static.
1. Source NAT
There are 2 main types of source NAT. These are:
· Interface NAT - Traffic is translated to the IP address of the egress interface.
· Address pools - Traffic is translated to an IP address within a pool.
There are a number of features and options with source NAT. These are:
· Address Persistence - This ensures that all PAT translations for a given host are translated through the same IP address.
· Disable PAT - When Port Address Translation (PAT) is disabled, each address from a pool can only be assigned to a single host. An overflow pool can be defined to use the egress interface address should the pool become depleted.
· Overflow Pool Interface - This allows for addresses to be PAT/NAT'd using the egress interface address should the previous pool become exhausted.
· Port Utilization - This provides the ability to alarm (including SNMP) at the point that the pool reaches a given threshold.
· Address Shifting - This provides the ability to specify the IP address where the original source IP address range begins. For example, it allows you to map 10.0.0.0/24 to 192.168.1.1/24 so that 10.0.0.1 would map to 192.168.1.1 and so on.
2. Destination NAT
Destination NAT is the translation of the destination IP address (and optionally the destination port). Destination NAT is commonly used for port forwarding scenarios where multiple services are mapped (using a single) to many different servers.
Some common destination NAT features are:
· Address Pools - This allows for a pool of destination addresses to be defined.
3. Static NAT
Static NAT allows for translation in both directions. This allows the source IP address to be translated for traffic originating from the server whilst also providing destination NAT for traffic destined inbound to the server.
NAT Flow Process
Below shows the NAT process that traffic takes when traversing the SRX.
Based on the diagram above this raises 2 key requirements:
· Destination IP translations - The security policy is written using the post-translated address.
· Source IP translations - The security policy is written using the pre-translated address.
(https://www.fir3net.com/Firewalls/Juniper/juniper-srx-nat.html)
Excellent Article!!! I like the helpful information you provide in your article.