Sunday, April 26, 2015

Configuring Source NAT with the Pool Method on Juniper Junos SRX

[Figure: Source NAT simulation network]

We have already configured Source NAT with the Egress Interface Address (masquerade) method on interface ge-0/0/1.0. Now, for interface ge-0/0/2.0, we will configure source NAT with the pool method. That way the clients PC2 and R-Client can ping Cisco-R2 and the other devices.
First, decide on the pool of IP addresses that Cisco-R1 will see, for example 10.111.111.0/24. Then, on Cisco-R1, add a static route for 10.111.111.0/24 via 10.11.11.2. Just one line of configuration, nothing more. :)
Cisco-R1(config)#ip route 10.111.111.0 255.255.255.0 10.11.11.2


Configuration on the Junos SRX
Let's ping from PC2 first, so the difference before and after NAT is visible. This is before NAT.
[Figure: Ping from PC2 before NAT is configured]

Right. Next, configure the NAT.
root# top
root# edit security nat source
root# set pool POOL_IP_NAT address 10.111.111.1 to 10.111.111.254

root# top
root# edit security nat source rule-set loc2-to-net
root# set from zone loc2
root# set to zone net
root# set rule source-nat-rule2
root# edit rule source-nat-rule2
root# set match source-address 192.168.200.0/24
root# set match destination-address 0.0.0.0/0
root# set then source-nat pool POOL_IP_NAT

Set the security policy.
root# top
root# edit security policies from-zone loc2 to-zone net
root# set policy loc2-to-net match source-address any
root# set policy loc2-to-net match destination-address any
root# set policy loc2-to-net match application any
root# set policy loc2-to-net then permit
root# commit check
configuration check succeeds
root# commit
commit complete

Ping from PC2 again.
[Figure: Ping from PC2 after NAT is configured]

See the difference?

The NAT OFF option
Junos has a NAT OFF option. If we want one or more IP addresses in the 192.168.200.0 network (or certain destination IP addresses) to be exempt from NAT, we use this NAT OFF option. The NAT-OFF rule must be placed at the top so that it is evaluated first: rules in a rule-set are checked in order and the first match wins. So, first delete the earlier rule (source-nat-rule2).
root# top
root# edit security nat source rule-set loc2-to-net
root# delete rule source-nat-rule2

Next, create the NAT-OFF rule.
root# set rule NAT-OFF
root# edit rule NAT-OFF
root# set match source-address 192.168.200.3/32
root# set match destination-address 10.33.33.1/32
root# set then source-nat off 

With the NAT-OFF rule in place, re-create rule source-nat-rule2.
root# top
root# edit security nat source rule-set loc2-to-net
root# set rule source-nat-rule2
root# set rule source-nat-rule2 match source-address 192.168.200.0/24
root# set rule source-nat-rule2 match destination-address 0.0.0.0/0
root# set rule source-nat-rule2 then source-nat pool POOL_IP_NAT

So the NAT OFF rule applies to traffic from source address 192.168.200.3 to destination address 10.33.33.1. Any other source/destination pair is caught by the source NAT rule. Let's test it. R-Client has been configured with IP address 192.168.200.3.
[Figure: Ping from R-Client (NAT off option)]

Nice... it works.
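To make the ordering point concrete, here is an added example in Python, written for this post (it is not Junos code and not the author's configuration). It parses the post's own "set" commands for the pool and the loc2-to-net rule-set into an ordered rule-set, walks the rules first-match as the SRX does, and flags a NAT-OFF rule that is shadowed when it sits below the pool rule. The address 192.168.200.5 is a constructed stand-in for PC2 (the post does not give PC2's IP), and the way a pool member is picked is a simplification, not Junos's allocation algorithm.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed input: the "set" commands from this post, in the order the
# rule-set must end up in (NAT-OFF first, then the pool rule).
SET_COMMANDS = """
set security nat source pool POOL_IP_NAT address 10.111.111.1 to 10.111.111.254
set security nat source rule-set loc2-to-net from zone loc2
set security nat source rule-set loc2-to-net to zone net
set security nat source rule-set loc2-to-net rule NAT-OFF match source-address 192.168.200.3/32
set security nat source rule-set loc2-to-net rule NAT-OFF match destination-address 10.33.33.1/32
set security nat source rule-set loc2-to-net rule NAT-OFF then source-nat off
set security nat source rule-set loc2-to-net rule source-nat-rule2 match source-address 192.168.200.0/24
set security nat source rule-set loc2-to-net rule source-nat-rule2 match destination-address 0.0.0.0/0
set security nat source rule-set loc2-to-net rule source-nat-rule2 then source-nat pool POOL_IP_NAT
"""


@dataclass
class Rule:
    name: str
    src: List[ipaddress.IPv4Network] = field(default_factory=list)
    dst: List[ipaddress.IPv4Network] = field(default_factory=list)
    action: Optional[str] = None   # "off", a pool name, or None if no "then" yet


@dataclass
class SourceNat:
    pools: Dict[str, List[ipaddress.IPv4Address]] = field(default_factory=dict)
    rules: Dict[str, Rule] = field(default_factory=dict)  # insertion order = rule order


def parse_set_commands(text: str) -> SourceNat:
    """Parse the subset of 'set security nat source ...' commands used in the post."""
    cfg = SourceNat()
    for line in text.strip().splitlines():
        t = line.split()
        if t[:4] != ["set", "security", "nat", "source"]:
            continue
        if t[4] == "pool" and t[6] == "address":
            # set security nat source pool NAME address LOW to HIGH
            low, high = ipaddress.ip_address(t[7]), ipaddress.ip_address(t[9])
            cfg.pools[t[5]] = [ipaddress.ip_address(a) for a in range(int(low), int(high) + 1)]
        elif t[4] == "rule-set" and t[6] == "rule":
            # set security nat source rule-set RS rule NAME match|then ...
            rule = cfg.rules.setdefault(t[7], Rule(t[7]))
            if t[8] == "match":
                side = rule.src if t[9] == "source-address" else rule.dst
                side.append(ipaddress.ip_network(t[10], strict=False))
            elif t[8:10] == ["then", "source-nat"]:
                rule.action = "off" if t[10] == "off" else t[11]
    return cfg


def translate(cfg: SourceNat, src: str, dst: str) -> Tuple[Optional[str], ipaddress.IPv4Address]:
    """First-match walk of the rule-set: the first rule whose source and
    destination prefixes both contain the packet decides; later rules are ignored."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in cfg.rules.values():
        if any(s in n for n in rule.src) and any(d in n for n in rule.dst):
            if rule.action == "off":
                return rule.name, s                 # NAT OFF: source leaves unchanged
            pool = cfg.pools[rule.action]
            # Simplified pool-member choice (NOT Junos's allocation algorithm):
            # hash the original source so one host always lands on the same address.
            return rule.name, pool[int(s) % len(pool)]
    return None, s                                   # no matching rule: no translation


def reorder(cfg: SourceNat, order: List[str]) -> SourceNat:
    """Return a copy of cfg with the rules in the given order (same pools)."""
    return SourceNat(pools=cfg.pools, rules={n: cfg.rules[n] for n in order})


def _covered(nets, by) -> bool:
    """Every prefix in nets lies inside some prefix in by."""
    return all(any(n.subnet_of(b) for b in by) for n in nets)


def shadowed_rules(cfg: SourceNat) -> List[str]:
    """Rules that can never match because an earlier rule already covers
    all of their source and destination prefixes."""
    seen: List[Rule] = []
    shadowed = []
    for rule in cfg.rules.values():
        if any(_covered(rule.src, e.src) and _covered(rule.dst, e.dst) for e in seen):
            shadowed.append(rule.name)
        seen.append(rule)
    return shadowed


if __name__ == "__main__":
    cfg = parse_set_commands(SET_COMMANDS)
    print("correct order:", list(cfg.rules), "shadowed:", shadowed_rules(cfg))
    print("  R-Client -> 10.33.33.1:", translate(cfg, "192.168.200.3", "10.33.33.1"))
    print("  R-Client -> 10.33.33.2:", translate(cfg, "192.168.200.3", "10.33.33.2"))
    print("  PC2 (constructed 192.168.200.5) -> 10.33.33.1:", translate(cfg, "192.168.200.5", "10.33.33.1"))

    wrong = reorder(cfg, ["source-nat-rule2", "NAT-OFF"])
    print("wrong order:", list(wrong.rules), "shadowed:", shadowed_rules(wrong))
    print("  R-Client -> 10.33.33.1:", translate(wrong, "192.168.200.3", "10.33.33.1"))
```

In the correct order the script reports NAT-OFF for R-Client to 10.33.33.1 and source-nat-rule2 (a pool address) for everything else; with the two rules reversed, shadowed_rules() lists NAT-OFF and that same packet is translated, which is exactly why the post deletes and re-creates source-nat-rule2. On a real SRX the reorder can also be done without deleting anything: in configuration mode, "insert security nat source rule-set loc2-to-net rule NAT-OFF before rule source-nat-rule2" moves the rule, and "show security nat source rule all" in operational mode shows the resulting order.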

Note
For some reason the NAT-OFF rule was hard to get working. Maybe there is a bug in GNS3 or in Junos, I'm not sure. But there is a small trick: for the NAT-OFF rule, first set only the "set match destination-address" part and commit (apply) it. Run a test ping; if it succeeds, continue by adding "set match source-address" and commit (apply) again. This usually works.


Addendum
Here is some additional theory that is worth reading. Taken from a neighbouring site... :)
The Juniper SRX offers 3 main types of NAT. These are source, destination and static.
1. Source NAT
There are 2 main types of source NAT, these are:
· Interface NAT - Traffic is translated to the IP address of the egress interface.
· Address pools - Traffic is translated to an IP address within a pool.

There are a number of features and options with source NAT. These are:
· Address Persistence - This ensures that all PAT translations for a given host are translated through the same IP address.
· Disable PAT - When Port Address Translation (PAT) is disabled, each address from a pool can only be assigned to a single host. An overflow pool can be defined to use the egress interface address should the pool become depleted.
· Overflow Pool Interface - This allows for addresses to be PAT/NAT'd using the egress interface address should the previous pool become exhausted.
· Port Utilization - This provides the ability to alarm (including SNMP) at the point that the pool reaches a given threshold.
· Address Shifting - This provides the ability to specify the IP address where the original source IP address range begins. For example, this allows you to map 10.0.0.0/24 to 192.168.1.1/24 so that 10.0.0.1 maps to 192.168.1.1 and so on.

2. Destination NAT
Destination NAT is the translation of the destination IP address (and optionally the destination port). Destination NAT is commonly used for port forwarding scenarios where multiple services are mapped (using a single) to many different servers.

Some common destination NAT feature(s) are:
· Address Pools - This allows for a pool of destination addresses to be defined.

3. Static NAT
Static NAT allows for translation in both directions. This allows the source IP address to be translated for traffic originating from the server whilst also providing destination NAT for traffic destined inbound to the server.

NAT Flow Process
Below shows the NAT process that traffic takes when traversing the SRX.
[Figure: NAT Flow Process]

Based on the diagram above, this raises 2 key requirements.
· Destination IP translations - The security policy is written using the post-translated address.
· Source IP translations - The security policy is written using the pre-translated address.
(Source: https://www.fir3net.com/Firewalls/Juniper/juniper-srx-nat.html)
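As an added illustration of the two requirements above (an example written for this page, not the fir3net article's or Junos's code), the Python below runs a packet through the three steps in the order the flow diagram gives, destination NAT, then policy lookup, then source NAT, and shows that a policy written with the pre-translation destination, or with the post-translation source, never matches. The published web server 192.168.200.10, the port 80 mapping and the pool member 10.111.111.10 are constructed values; 10.11.11.2 (the SRX-side address from the static route), the 192.168.200.0/24 network and the NAT-OFF pair 192.168.200.3 to 10.33.33.1 come from the post.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed example (not from the post or the fir3net article): a web server
# in zone loc2 at 192.168.200.10 is published on the SRX outside address
# 10.11.11.2 via destination NAT; hosts in 192.168.200.0/24 leave via source NAT.
DST_NAT_RULES = [   # (match destination prefix, match port, translated destination)
    ("10.11.11.2/32", 80, "192.168.200.10"),
]
SRC_NAT_RULES = [   # (match source prefix, match destination prefix, new source or None = NAT off)
    ("192.168.200.3/32", "10.33.33.1/32", None),       # the post's NAT-OFF rule
    ("192.168.200.0/24", "0.0.0.0/0", "10.111.111.10"),  # one pool member, fixed for the demo
]

# A policy is (source prefix, destination prefix, "permit" | "deny"); first match wins.
Policy = Tuple[str, str, str]


def net(prefix: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(prefix, strict=False)


def addr(a: str) -> ipaddress.IPv4Address:
    return ipaddress.ip_address(a)


def destination_nat(dst: str, dport: int) -> str:
    """Step 1: rewrite the destination if a destination NAT rule matches."""
    for match_dst, match_port, new_dst in DST_NAT_RULES:
        if addr(dst) in net(match_dst) and dport == match_port:
            return new_dst
    return dst


def policy_lookup(policies: List[Policy], src: str, dst: str) -> str:
    """Step 2: first matching policy decides; the SRX default is deny."""
    for p_src, p_dst, action in policies:
        if addr(src) in net(p_src) and addr(dst) in net(p_dst):
            return action
    return "deny"


def source_nat(src: str, dst: str) -> str:
    """Step 3: rewrite the source if a source NAT rule matches (None = NAT off)."""
    for match_src, match_dst, new_src in SRC_NAT_RULES:
        if addr(src) in net(match_src) and addr(dst) in net(match_dst):
            return src if new_src is None else new_src
    return src


def process(policies: List[Policy], src: str, dst: str, dport: int) -> Tuple[str, str, str]:
    """Run a packet through the flow in diagram order and return
    (verdict, final source, final destination). Because the policy lookup sits
    between the two NAT steps, it sees the post-translated destination but the
    pre-translated source."""
    dst_after = destination_nat(dst, dport)
    if policy_lookup(policies, src, dst_after) != "permit":
        return ("deny", src, dst_after)
    return ("permit", source_nat(src, dst_after), dst_after)


# Inbound: a policy written with the public (pre-translation) destination never
# matches, because the lookup happens after destination NAT.
INBOUND_WRONG: List[Policy] = [("0.0.0.0/0", "10.11.11.2/32", "permit")]
INBOUND_RIGHT: List[Policy] = [("0.0.0.0/0", "192.168.200.10/32", "permit")]

# Outbound: a policy written with the pool (post-translation) source never
# matches, because the lookup happens before source NAT.
OUTBOUND_WRONG: List[Policy] = [("10.111.111.0/24", "0.0.0.0/0", "permit")]
OUTBOUND_RIGHT: List[Policy] = [("192.168.200.0/24", "0.0.0.0/0", "permit")]


if __name__ == "__main__":
    print("inbound, policy on public address: ", process(INBOUND_WRONG, "10.33.33.1", "10.11.11.2", 80))
    print("inbound, policy on server address: ", process(INBOUND_RIGHT, "10.33.33.1", "10.11.11.2", 80))
    print("outbound, policy on pool address:  ", process(OUTBOUND_WRONG, "192.168.200.5", "10.33.33.2", 80))
    print("outbound, policy on LAN address:   ", process(OUTBOUND_RIGHT, "192.168.200.5", "10.33.33.2", 80))
    print("outbound, NAT-OFF pair:            ", process(OUTBOUND_RIGHT, "192.168.200.3", "10.33.33.1", 80))
```

The two "wrong" policies are the usual mistake when a rule is copied from the NAT configuration into the policy configuration: they look right but are evaluated against addresses that have already been (or not yet been) rewritten, so the traffic falls through to the default deny.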

1 comment:

  1. Excellent Article!!! I like the helpful information you provide in your article.