Juniper JN0-230 JNCIA Security Associate – Network Address Translation Part 2

  1. Configure Interface-based Source NAT

Welcome back. It’s now configuration time. Let’s look at a source NAT configuration example, and we’ll begin with interface-based source NAT. Here’s the scenario that we’re going to use. We have two devices. The original source IP addresses are 192.168.1.50 and 192.168.1.51. They are both going to connect through the SRX device and try to reach a server sitting in the DMZ zone, which has an IP address of 10.1.1.50. The hosts are in the trust zone and the server is in the DMZ zone. As they leave the SRX device, their IP addresses will be translated to the address of the interface, which is 10.1.1.1. Let’s get to the Junos terminal and see how we can configure this. All right.

The first session was from 192.168.1.50, destined to 10.1.1.50 on port 80, or junos-http. The translated IP address is 10.1.1.1. And the session is again destined to 10.1.1.50. And this is the second IP address, 192.168.1.51. That is also translated to 10.1.1.1, which is the IP address of the interface. It is also possible to look at the NAT statistics, and the command for that is show security nat. And the keyword we are looking for is resource-usage, question mark. Excuse me. The command we are looking for is interface-nat-ports. Resource usage is the command that we’re going to use when we configure pool-based NAT. But right now we have interface-based NAT.

So the command is show security nat interface-nat-ports. And we’ll press Enter here. The output shows the total number of ports available and the total number of ports allocated, which in this case is zero. The possible reason for this is that the session has been terminated. As you can see here, the session has closed. Let’s initiate that session again so it’s connected. And if we go back over here and use the same command, we can see that one port has been allocated for the NAT translation. So that’s how we configure interface-based source NAT. The important piece here is to provide the right traffic direction information and packet matching information.
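
The interface-based source NAT rule for this scenario, written out as Junos set commands. This is an added example, not taken from the lecture: the rule-set name TRUST-TO-DMZ, the zone names trust and dmz, and the 192.168.1.0/24 source match are assumptions; rule r1 and the addresses follow the lecture’s scenario.

```junos
# Added example (not from the lecture). Assumed names: rule-set TRUST-TO-DMZ,
# zones "trust" and "dmz", source match 192.168.1.0/24.

# Traffic direction: the rule set only applies to trust -> dmz traffic.
set security nat source rule-set TRUST-TO-DMZ from zone trust
set security nat source rule-set TRUST-TO-DMZ to zone dmz

# Packet matching: which sources and destinations rule r1 translates.
set security nat source rule-set TRUST-TO-DMZ rule r1 match source-address 192.168.1.0/24
set security nat source rule-set TRUST-TO-DMZ rule r1 match destination-address 10.1.1.50/32

# Action: translate the source to the egress interface address (10.1.1.1).
set security nat source rule-set TRUST-TO-DMZ rule r1 then source-nat interface

# The NAT rule does not permit traffic by itself; a security policy from
# trust to dmz must still allow the session.

# Verification from configuration mode (hence the "run" prefix).
run show security nat source rule all
run show security flow session source-prefix 192.168.1.0/24
run show security nat interface-nat-ports
```

A mismatch in the from/to zones or in the match addresses leaves the session untranslated, so check the rule’s translation hits before looking anywhere else.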

  2. Configure Pool-based Source NAT

Welcome back. Let’s now look at the second type of source NAT configuration, which is pool-based NAT. Let’s begin by looking at the configuration scenario. We have the same two hosts at 192.168.1.50 and 192.168.1.51, and they’re trying to access a server at 10.1.1.50, and this connection goes through an SRX firewall. This time, instead of using interface-based source NAT, we’re going to use pool-based source NAT. And the IP address pool that we’re going to configure is 10.1.1.20 to 10.1.1.30. Let’s get to the Junos terminal and see how we can configure this. All right, I’m here at the terminal of the SRX device. We’ll first navigate to edit security nat and take a look at the existing NAT configuration. We’ll use the show command, and this is the configuration from the last lecture. This is an interface-based source NAT configuration. As you can see, the action specified in the then statement is source-nat interface.

We’re going to use the same configuration, and that’s only to save some time. We’ll use the same configuration but change the action to pool-based NAT. But before we do that, we need to configure a pool of IP addresses. So let’s do that. We are currently under edit security nat. Let’s use the edit command: edit, space, question mark, and the keyword we are looking for is source, question mark. This time, we’ll use the pool keyword, which allows us to define a source address pool. So edit source pool, and we’ll provide a pool name. Let’s just call this “pool one.” Press Enter, and now we are in that specific configuration mode. I’ll clear my screen, and now we’ll use the set command: set, space, question mark. The first keyword here is the one we’re looking for: address. Set address, space, question mark, and we’re going to provide an IP address range. 10.1.1.20/32 is the first IP address in the range. Question mark, and the keyword we are looking for is “to.” Notice we can press Enter here if we only want to add one IP address to the pool. But in this case, we are configuring a range.

So we’ll use the to keyword and specify the end of the range, which is 10.1.1.30/32. Press Enter, and let’s do a show. So we have the pool configured. Now we’re going to change the action on the NAT rule to use this pool. We’ll go up, and let’s do a show here. We need to configure this rule set here. So we’ll type set rule-set, the rule set name, and the rule will be r1. So rule r1, and we’ll use the then keyword. The next keyword is source-nat, and let’s put a question mark here. This time, instead of using the interface keyword, we’ll use the pool keyword, question mark, and we’ll provide the pool name. Press Enter and let’s do a show. So here we have the pool configuration, and here we have the rule set configuration. The action is configured as pool, with the pool name. Everything looks good. Let’s go ahead and commit the change. All right, the commit has completed. It’s now time to test the configuration. I’m going to hop over to my test machine, which is over here, and let’s try telnet to the server IP address, which is 10.1.1.50, port 80. Now, you don’t have to use the telnet command to test. You could just ping the IP address.

The reason I’m not using ping is that when I ping the IP address, it generates a lot of log entries, which can look a bit cluttered. By using the telnet command, we are only generating one log entry. But you could use any other utility to perform a test, such as ping or SSH. Let’s try the command: telnet, IP address and port number. Press Enter, and notice that it is trying to connect but is unable to make that connection. We have configured it correctly, but it still can’t connect. Can you think of a reason why? The reason is actually very interesting. Let’s talk about it. All right, we are back to the configuration scenario. Now let’s understand what’s happening when the device is trying to make a connection. This device, 192.168.1.50, is attempting to connect to the server at 10.1.1.50. And when it does that, this is what the original packet looks like. The original source address is 192.168.1.50, and the destination address is that of the server, which is 10.1.1.50. Now, as it passes through the SRX device, the source address gets translated.

So when we look at the translated packet, this is what it looks like. The source address has now been changed to the first address from the pool, which is 10.1.1.20. Now, this packet reaches the server, and when the server responds, it is trying to respond to this IP address, 10.1.1.20. Now, let’s step back for a minute and go back to the basics of network communication. We have a protocol called ARP, or Address Resolution Protocol, whose function is to map IP addresses to MAC addresses. An IP address is something that we configure on the device, while the MAC address is an address that belongs to the device itself. It is hard coded on the device, which is why sometimes it is also called the “real address of the device,” while the IP address is called the “logical address of the device.” Now, even though it looks like communication is happening between IP addresses, in reality, packets are exchanged between MAC addresses. So when this server responds to 10.1.1.20, it needs to know the MAC address associated with this IP address. To do that, the server will send an ARP request, which is a broadcast request to all devices connected to the network. And basically, the server is saying, “Who is 10.1.1.20?” So this is what the communication looks like. The host sends the packet, it goes through the SRX device, it hits the server, and when the server has to respond, it needs to know the MAC address. As a result, it sends an ARP broadcast on the network asking who is 10.1.1.20. Now, here’s where the problem begins.

There is no device or interface that has that IP address configured on it. It is an address that has been picked from the pool that we configured. So who is going to respond to that request? No one. And that’s the problem. Now, I’m going to show you a packet capture of what the ARP packet looks like. We have two devices here. The one on the left is 192.168.1.50, and the one on the right is 192.168.1.1. Now, don’t worry about the IP addresses here. The IP addresses have nothing to do with our example. The important thing to look at is what an ARP request looks like. When this device wants to communicate with this device, it needs to know its MAC address. So this device here sends the first packet, which you can see here. It is a broadcast packet. The protocol is ARP. And basically, what it is saying is, “Who has 192.168.1.1?”

If you know the answer, tell 192.168.1.50, which is this device here. And since this packet is a broadcast packet, it goes to all devices connected to the network. Now, not every device is going to respond. Only the device that has the IP address in question is going to respond. And that’s the response packet, line number two. It responds specifically to the first device only. Notice it is no longer sending a broadcast like the first packet. The protocol is ARP. And this time it says 192.168.1.1 is at this MAC address, which is its own MAC address. So now we know what’s causing the problem. If we go back to the previous slide, which is here, when the server is asking the question, “Who is 10.1.1.20?”, no one’s responding because nobody owns that IP address. It’s an IP address from the pool. So we need to provide a configuration on the SRX device that will allow the SRX device to respond on behalf of that IP address. It’s not an IP address that is owned by the SRX device, but the device will still be configured to respond to an ARP request for that IP address.

This configuration is called “proxy ARP.” It allows the SRX device to respond to ARP requests on behalf of the IP addresses for which it is proxying. Without proxy ARP, the neighbouring device will not know what MAC address is associated with the IP address. In our case, the server at 10.1.1.50 is unable to identify what MAC address is associated with the first address from the pool, which is 10.1.1.20. Now let’s get back to the SRX device and see how we can configure this. All right, back over here. To configure proxy ARP, we need to go one level up to edit security nat. In this case, we’ll use the set command: set, space, question mark. The keyword we are looking for is proxy-arp. Set proxy-arp, question mark. And the keyword is interface, question mark. Here we need to provide the interface that is supposed to respond to ARP requests. Now, if you’re not sure which interface is supposed to respond, it is very easy to find out. We’ll use the show route command. It’s an operational mode command, so we’ll prefix that with run: run show route and the destination IP address. In our case, the IP of the server is 10.1.1.50. And here we can see that this destination is reachable via this interface. F is two.

So that’s where we need to configure proxy ARP, because that’s the interface that will receive the ARP request. So let’s configure this. The proxy ARP interface configuration is incomplete, so let’s do a question mark. Here we need to provide the addresses for which we need to configure proxy ARP. So address, and the original IP addresses that were configured in the pool, which can be seen by scrolling up over here. Those are the addresses for which we need proxy ARP. We’ll type that quickly: 10.1.1.20/32 to 10.1.1.30/32. Let’s do a show. So now we have the pool configuration, we’ve changed the action to pool-based NAT, and we have a proxy ARP configuration. Let’s commit. All right, the commit has completed. Let’s now go back to the test machine and try the same command again: telnet, server IP address, port number. Press Enter, and we are connected. Let’s also try this on the second test machine: telnet, IP address and port number, and we are connected. Now let’s go back to the SRX device and perform some verification. All right, back over here. The first command we’re going to use is run show log, traffic log. That’s the name of my log file. And we’ll only look at the last portion of the output. And here we have the output. So here’s the first connection: 192.168.1.50. That’s the original source port. That’s the destination IP address.

This has been translated to 10.1.1.23, one of the addresses from the pool. And notice that the source port number has also been translated. The original port was 62554. The translated port is 19301. The second connection is here. 192.168.1.51 was translated to 10.1.1.24, the next IP address. Notice that the source port has again been changed: as you can see here, 42722 has been translated to 29091. The reason source ports have been translated is that, by default, when you configure source NAT, port address translation is automatically enabled. There is a way to disable this. Let’s talk about it. Okay, so let’s talk about port address translation. By default, port address translation is automatically performed with source NAT, and we saw that in the logs. The original source port was translated. This can be disabled, though, with the command port no-translation. And this is applied at the pool level, so you’ll configure this when you’re configuring the pool.

However, if you choose to disable PAT, there is one thing you must remember. When PAT is disabled, the number of translations possible is limited to the number of IPs available in the pool. So if you have a pool of ten IP addresses, only ten translations are possible. PAT is a configuration that allows you to translate more IPs than what you have included in the source NAT pool. But when you have PAT disabled and there are no more addresses available, translations will not occur, and packets will be dropped. Let’s see this live in action. All right, we’re back over here. Let’s clear the screen and start with show. Now we’re going to apply port no-translation at the pool level. So let’s use the edit command to navigate into the pool: edit source pool and the pool name. And now we’ll use this command: set, space, question mark. The keyword we are looking for is port. Set port, question mark, no-translation. Press Enter. Let’s commit the changes. The commit has completed.

Before we test the connection, let’s clear the log file. Run clear log is the command, and the log file is called “traffic log.” So that’s done. Now let’s go back to the test machine, hit the up arrow, and press Enter. We’re connected. Let’s also try this on the second machine. And we’re also connected here. Now let’s go back to the SRX device and take a look at the log file: show log, the log file name, and we’ll look at the last portion of the output. Press Enter. So here we can see the two connections. The first one is for 192.168.1.50. Notice the source port is 62556. And look at the translated packet here. It was translated to the first available IP address, 10.1.1.20. And the source port has not changed. We have the same source port here and on the translated packet. The same applies for the second connection. The original source port was 42724.

The translated source port is 42724. So if you have a requirement like this where you don’t want the source port to be translated, you can use the keyword port no-translation. However, keep this in mind when you disable port address translation: the number of possible translations is limited to the number of IP addresses in that pool. In fact, let’s give this a try. Let’s reduce the number of IP addresses in the pool to just one with port address translation disabled, and we’ll try to initiate connections from two hosts. Only one host should be able to communicate; the other one should not be able to. We are still in pool configuration mode. Let’s do a show here. The first thing we’re going to do is delete the existing address configuration. So delete address, and we’ll set up a new configuration with only one address in it: set address 10.1.1.20/32. Let’s do a show here. Note that we still have port no-translation configured. Let’s commit. The commit has completed. Before we try the connection, let’s clear the log file: run clear log, log file name. Let’s go back to the test machine and try the connection. So the first machine has been successfully connected. Let’s go to the second machine and give this a try. And as you can see, the connection is failing. The reason for that is that there’s only one IP address available in the pool, and we do not have PAT turned on. Now let’s verify this on the SRX device. Back over here. Let’s use the command show log, log file name, and we’ll look at the last portion of the output. We can only see one session over here, which confirms that only the first IP address was able to establish the session. I’m going to show you one more command that is very interesting. The command is run show security nat, and the keywords we are looking for are resource-usage, question mark, source-pool, and the pool name. Now, before we execute this command, let’s go back to the test machine and make sure that the connection is still alive.

As you can see, the connection has closed. Let’s make sure that the connection is alive by trying the same command again. So this is a live connection. Let’s go back here and try this command: run show security nat resource-usage source-pool, pool name. Press Enter, and that’s going to show you the usage statistics for that pool. The pool’s name is pool one. It has used one IP address; there are no other IP addresses available, and it’s reached 100% usage. There’s one more thing to talk about: the overflow pool. The overflow pool allows you to specify an additional pool of IP addresses to be used if the original pool is depleted. Okay, so back over here. When the addresses in the source NAT pool are exhausted, the overflow NAT pool is used. The overflow pool can be a user-defined source NAT pool like the one we configured earlier, or we can also configure it to be the egress interface. Let’s go back to the SRX device and see how to configure this. All right, back over here to the SRX device. The overflow pool configuration is done from within the pool that we’re configuring. So if we use the set command here, set, space, question mark, we have this keyword called overflow-pool. Set overflow-pool, question mark. And notice here that we can provide the name of a pool like the one that we configured earlier, or we can configure this to be the egress interface: set overflow-pool interface, and press Enter.

And if we do a show here, we can see that the pool has one IP address, that PAT is disabled, and that we have the overflow pool configured as the interface. The overflow pool can be used with PAT disabled. So that means if there are no more IP addresses available for the connection, it will use the overflow pool to make that connection happen. Let’s quickly commit the configuration and test this. Commit completed. Let’s also clear the log file: clear log, log file name, and come back here to try the connection. This is the first test machine. I’ll hit the up arrow, so that’s connected. Now remember, PAT is disabled. So normally, the second machine should not be able to communicate. But now, since we have an overflow pool configured, it should be able to. Let’s give this a try. And this is connected as well. So if we go back to the SRX device and take a look at the log, run show log, log file name, we can see the differences in the translation. The first one is 192.168.1.50. That has been translated to the IP address available in the pool, which is 10.1.1.20. Since we had PAT disabled, it has used the same source port as the translated port.

And since there were no more IP addresses available in the pool, the next device that came in with a connection request has taken the IP address of the egress interface, which is 10.1.1.1. Let’s perform a couple more verifications. But before we do that, I want to make sure that the connection is alive. As you can see, it’s closed. Hit the up arrow again; that’s connected. Hit the up arrow; that’s connected. Back to the SRX device once more. The command we’re going to use is run show security nat resource-usage source-pool and the pool name. Notice here that the pool is 100% utilized. We’ll also take a look at the interface NAT statistics: run show security nat interface-nat-ports. Press Enter, and here we can see that one port has been allocated from the interface NAT ports as well. All right, so that’s how you configure pool-based source NAT on the SRX device. Some key points to keep in mind: by default, when you configure source NAT using a pool, port address translation is automatically enabled. If you do not want ports to be translated, you could disable PAT. But this means the pool size should be large enough to accommodate the required number of translations. If the pool size is not large enough, connections will be dropped. To address this problem, we could configure an overflow pool. The overflow pool takes effect when the original pool of addresses has been exhausted. And the most important thing to keep in mind when configuring pool-based source NAT is to configure proxy ARP on the SRX device. Otherwise, the SRX device will not respond to ARP requests, and packets will be dropped.
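
The pool-based procedure above, collected into one set of Junos commands. This is an added example, not taken from the lecture: the pool identifier pool-1, the rule-set name TRUST-TO-DMZ and the `<dmz-interface>` placeholder (the interface that `show route 10.1.1.50` reports) are assumptions; the address range, rule r1 and the options follow the lecture.

```junos
# Added example (not from the lecture). Assumed names: pool-1, TRUST-TO-DMZ.
# <dmz-interface> is a placeholder for the interface facing the server.

# 1. Pool of translated addresses.
set security nat source pool pool-1 address 10.1.1.20/32 to 10.1.1.30/32

# 2. Change the existing rule's action from "interface" to the pool.
set security nat source rule-set TRUST-TO-DMZ rule r1 then source-nat pool pool-1

# 3. Proxy ARP: no interface owns the pool addresses, so the SRX must answer
#    ARP for them on the server-facing interface. Keep this range identical
#    to the pool; the SRX answers ARP for every address listed here.
run show route 10.1.1.50
set security nat proxy-arp interface <dmz-interface> address 10.1.1.20/32 to 10.1.1.30/32

# 4. Optional: disable PAT. Source ports are then preserved, and the number
#    of simultaneous translations is capped at the number of pool addresses.
set security nat source pool pool-1 port no-translation

# 5. Optional: fall back to the egress interface address when the pool is
#    exhausted, instead of dropping the new connection.
set security nat source pool pool-1 overflow-pool interface

# Verification after commit.
run show security nat source pool pool-1
run show security nat resource-usage source-pool pool-1
run show security nat interface-nat-ports
```

With PAT disabled, the resource-usage output is the figure to monitor: at 100% with no overflow pool, new connections fail in the way the lecture’s second test host did.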
