
Sunday, April 26, 2015

Configuring Source NAT with the Pool Method on Juniper Junos SRX

Figure: Source NAT simulation network

We have already learned how to configure source NAT with the egress interface address method (masquerade) on interface ge-0/0/1.0. Now, for interface ge-0/0/2.0, we will configure source NAT with the pool method, so that the clients PC2 and R-client can ping Cisco-R2 and the other devices.
First, choose the pool of IP addresses that Cisco-R1 will see as the translated source. Next, on the Cisco-R1 side, add a static route for that pool range with the SRX as next hop; without this return route, replies to the translated addresses would never make it back to the SRX. It is only one command, no need for more. :)
Cisco-R1(config)#ip route

Configuration on the Junos SRX
Let's ping from PC2 first, so the difference before and after NAT is visible. This is before NAT:
Figure: Ping from PC2 before NAT is configured

Yup. Next, configure the NAT pool and the source NAT rule-set.
root# top
root# edit security nat source
root# set pool POOL_IP_NAT address to

root# top
root# edit security nat source rule-set loc2-to-net
root# set from zone loc2
root# set to zone net
root# set rule source-nat-rule2
root# edit rule source-nat-rule2
root# set match source-address
root# set match destination-address
root# set then source-nat pool POOL_IP_NAT

Configure the security policy. Note that this policy permits everything from loc2 to net (any source, any destination, any application), which is fine for a lab; in production, scope it to the hosts and applications that actually need to pass. The policy lives under the security policies hierarchy, so the edit path must include it.
root# top
root# edit security policies from-zone loc2 to-zone net
root# set policy loc2-to-net match source-address any
root# set policy loc2-to-net match destination-address any
root# set policy loc2-to-net match application any
root# set policy loc2-to-net then permit
root# commit check
configuration check succeeds
root# commit
commit complete

Ping from PC2 again.
Figure: Ping from PC2 after NAT is configured

There, the difference is visible: the ping now succeeds because Cisco-R1 sees a source address from the pool, for which it has a route.

Junos also has a NAT off option. If we want one or more IPs in the network (or certain destination IPs) not to be translated, we use this option. The NAT-OFF rule must sit above the pool rule: rules in a rule-set are evaluated top-down and the first match wins, so a NAT-OFF rule placed after a catch-all pool rule would never be reached. So first delete the earlier rule (source-nat-rule2).
root# top
root# edit security nat source rule-set loc2-to-net
root# delete rule source-nat-rule2

Next, create the NAT-OFF rule.
root# set rule NAT-OFF
root# edit rule NAT-OFF
root# set match source-address
root# set match destination-address
root# set then source-nat off 

The NAT-OFF rule is in place; now recreate rule source-nat-rule2 so that it follows it.
root# top
root# edit security nat source rule-set loc2-to-net
root# set rule source-nat-rule2
root# set rule source-nat-rule2 match source-address
root# set rule source-nat-rule2 match destination-address
root# set rule source-nat-rule2 then source-nat pool POOL_IP_NAT

So traffic that matches both the NAT-OFF rule's source address and its destination address is passed through untranslated; any other traffic falls through to the source NAT rule and gets a pool address. Let's test it. R-Client has already been configured with its IP address.
Figure: Ping from R-Client (NAT off option)

Done, it works.

For the NAT-OFF rule, for some reason it is a bit hard to get working. Maybe there is a bug in GNS3 or in Junos. Who knows... But there is a little trick. For the NAT-OFF rule, first create only the "set match destination-address" part, then commit (apply). Do a ping test... if it works, continue by adding "set match source-address", and commit (apply) again. This usually works.
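The complete pool plus NAT-OFF configuration from the steps above, in Junos set format, as an added example that is not the post's own configuration. The addresses are assumptions (RFC 1918/5737 documentation ranges): the loc2 LAN behind ge-0/0/2.0 is 10.0.2.0/24, the pool is 203.0.113.100 to 203.0.113.110, and the NAT-OFF exception covers host 10.0.2.50 talking to 192.0.2.0/24. The comment lines are for the reader and can be stripped before loading with `load set`.

```junos
## Added example, not from the original post. All addresses are assumptions.

# Pool of translated source addresses. PAT is on by default, so a handful of
# addresses can serve the whole LAN; Cisco-R1 needs a route for this range via the SRX.
set security nat source pool POOL_IP_NAT address 203.0.113.100/32 to 203.0.113.110/32

# Rule-set for loc2 -> net. Rules are evaluated top-down, first match wins,
# so the NAT-OFF exception is defined before the catch-all pool rule.
set security nat source rule-set loc2-to-net from zone loc2
set security nat source rule-set loc2-to-net to zone net
set security nat source rule-set loc2-to-net rule NAT-OFF match source-address 10.0.2.50/32
set security nat source rule-set loc2-to-net rule NAT-OFF match destination-address 192.0.2.0/24
set security nat source rule-set loc2-to-net rule NAT-OFF then source-nat off
set security nat source rule-set loc2-to-net rule source-nat-rule2 match source-address 10.0.2.0/24
set security nat source rule-set loc2-to-net rule source-nat-rule2 match destination-address 0.0.0.0/0
set security nat source rule-set loc2-to-net rule source-nat-rule2 then source-nat pool POOL_IP_NAT

# If source-nat-rule2 already existed, there is no need to delete and recreate it:
# Junos can reorder rules in place.
insert security nat source rule-set loc2-to-net rule NAT-OFF before rule source-nat-rule2

# Security policy. Source NAT happens after the policy lookup, so the policy is written
# against the pre-translation 10.0.2.0/24 addresses, and is scoped to ping instead of any/any.
set security address-book global address LOC2_LAN 10.0.2.0/24
set security policies from-zone loc2 to-zone net policy loc2-to-net match source-address LOC2_LAN
set security policies from-zone loc2 to-zone net policy loc2-to-net match destination-address any
set security policies from-zone loc2 to-zone net policy loc2-to-net match application junos-icmp-all
set security policies from-zone loc2 to-zone net policy loc2-to-net then permit

commit check
commit

# Verification (operational mode, or prefix each with "run" inside configuration mode):
# rule order and per-rule hit counters, pool usage, and the sessions of the exempted host.
show security nat source rule all
show security nat source pool all
show security flow session source-prefix 10.0.2.50
```

In `show security nat source rule all`, the NAT-OFF rule should appear first and its translation hit counter should increase while the exempted host pings 192.0.2.0/24; the session entries for that host show the same source address on the "In" and "Out" wings, whereas sessions from other loc2 hosts show a 203.0.113.x address on the "Out" wing. Proxy ARP on the egress interface is only required if the pool addresses fall inside that interface's own subnet; with the static route on Cisco-R1 used in this post, it is not needed.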

Here is some additional theory worth reading, taken from a neighbouring site. :)
The Juniper SRX offers 3 main types of NAT: source, destination and static.
1. Source NAT
There are 2 main types of source NAT:
· Interface NAT - Traffic is translated to the IP address of the egress interface.
· Address pools - Traffic is translated to an IP address within a pool.

Source NAT offers a number of features and options:
· Address Persistence - Ensures that all PAT translations for a given host go through the same pool IP address.
· Disable PAT - When Port Address Translation (PAT) is disabled, each address in a pool can be assigned to only a single host. An overflow pool can be defined to fall back to the egress interface address should the pool become depleted.
· Overflow Pool Interface - Allows addresses to be PAT/NAT'd using the egress interface address should the primary pool become exhausted.
· Port Utilization - Provides the ability to raise an alarm (including via SNMP) when pool port usage reaches a given threshold.
· Address Shifting - Lets you specify the IP address at which the original source range begins, so that the original range is mapped one-to-one onto the pool range: the first original address maps to the first pool address, the next to the next, and so on.

2. Destination NAT
Destination NAT is the translation of the destination IP address (and optionally the destination port). It is commonly used for port-forwarding scenarios, where several services reachable on one public address are forwarded to many different internal servers.

A common destination NAT feature is:
· Address Pools - Allows a pool of destination addresses to be defined.

3. Static NAT
Static NAT is a one-to-one mapping that translates in both directions: it acts as source NAT for traffic originating from the server, while also providing destination NAT for inbound traffic destined to the server.

NAT Flow Process
The diagram below shows the order in which NAT is applied as traffic traverses the SRX: destination (and static) NAT is performed before the route and policy lookup, and source NAT is performed after it.
Figure: NAT flow process

Based on the diagram above, this raises 2 key requirements:
· Destination IP translations - The security policy is written using the post-translation address (and port), because destination NAT has already happened when the policy is evaluated.
· Source IP translations - The security policy is written using the pre-translation address, because source NAT is applied only after the policy has permitted the flow.
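An added example of the first requirement, not taken from the original post or the neighbouring site: an inbound destination NAT for a web server, with the policy written against the translated (internal) address and port. The values are assumptions: public address 203.0.113.10 in zone net on ge-0/0/1.0, internal server 10.0.2.10 in zone loc2 listening on TCP 8080, and the zone names from the post.

```junos
## Added example, not from the original post. All addresses and names are assumptions.

# Destination NAT: 203.0.113.10:80 on the net side -> 10.0.2.10:8080 in loc2.
# A destination rule-set has only a "from" context; the destination zone is derived
# from the route lookup that follows the translation.
set security nat destination pool WEB_SRV address 10.0.2.10/32 port 8080
set security nat destination rule-set net-to-loc2 from zone net
set security nat destination rule-set net-to-loc2 rule web-in match destination-address 203.0.113.10/32
set security nat destination rule-set net-to-loc2 rule web-in match destination-port 80
set security nat destination rule-set net-to-loc2 rule web-in then destination-nat pool WEB_SRV

# Needed only if 203.0.113.10 is inside ge-0/0/1.0's subnet but not configured on it;
# omit when Cisco-R1 routes that address to the SRX instead.
set security nat proxy-arp interface ge-0/0/1.0 address 203.0.113.10/32

# Policy: destination NAT runs before the policy lookup, so the policy must match the
# POST-translation tuple, 10.0.2.10 on port 8080, not 203.0.113.10 on port 80.
# A policy written for 203.0.113.10 or for junos-http would never match and the
# connection would be dropped by the default deny.
set applications application tcp-8080 protocol tcp destination-port 8080
set security address-book global address WEB_SRV_INT 10.0.2.10/32
set security policies from-zone net to-zone loc2 policy allow-web match source-address any
set security policies from-zone net to-zone loc2 policy allow-web match destination-address WEB_SRV_INT
set security policies from-zone net to-zone loc2 policy allow-web match application tcp-8080
set security policies from-zone net to-zone loc2 policy allow-web then permit

# Contrast with the second requirement: the outbound loc2-to-net policy in the post matches
# the PRE-translation private addresses, because the POOL_IP_NAT source NAT is applied
# only after that policy has permitted the session.

commit check
commit

# Checks: rule hit counters, and sessions showing the original and translated tuples
show security nat destination rule all
show security flow session destination-prefix 10.0.2.10
show security match-policies from-zone net to-zone loc2 source-ip 192.0.2.7 destination-ip 10.0.2.10 source-port 40000 destination-port 8080 protocol tcp
```

The last command is the quickest way to confirm the policy requirement: it must be queried with the post-translation destination (10.0.2.10:8080); querying it with 203.0.113.10:80 reports no matching policy, which is exactly what the flow would hit if the policy were written against the public address.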

