Juniper JN0-230 JNCIA Security Associate – Network Address Translation

  1. Introduction to NAT

All right, so now it’s time to shift gears. We are now going to talk about NAT, or network address translation. In this section, we’ll understand what NAT is, what the benefits of configuring NAT are, and what the different types of NAT are that can be configured on an SRX device. Let’s begin by understanding what NAT, or network address translation, is. In simple words, NAT is a mechanism that allows you to translate the IP address of a device, and this includes both source and destination addresses. So we can translate the source address or the destination address of a packet. NAT can also be used to translate port numbers. Now, let’s talk about why we need NAT in the first place. What is the need for a mechanism like this? So, think about this. Let’s say you have a setup where you have four computers that need to communicate with the Internet, and let’s just imagine that NAT is not a configuration available to us. In order for these devices to be able to get to the Internet, they will all need a public IP address, because only public IP addresses can be routed on the Internet. So four devices will need four public IP addresses.

Now, let’s pause here for a second and talk about IPv4. The total number of possible IPv4 addresses is 2 to the power of 32, because the number of bits in an IPv4 address is 32 and every bit can be a zero or a one. The range of these addresses is from 0.0.0.0 to 255.255.255.255. Now, all these IP addresses are divided into five classes; that is, they are broken down into different ranges known as classes A, B, C, D, and E. Out of these five classes of IP addresses, two are reserved, meaning these addresses cannot be assigned to hosts, and those are classes D and E. So you can’t use class D and class E addresses on the Internet. Class D ranges from 224.0.0.0 to 239.255.255.255, and class E ranges from 240.0.0.0 to 255.255.255.255. But these are not the only addresses that are reserved.

Let’s take a look at some other addresses that are also reserved. Number one, we have 0.0.0.0/8, which ranges from 0.0.0.0 to 0.255.255.255. Then there’s 10.0.0.0/8, and this is the first private IP address range, so these addresses cannot be used to route traffic over the Internet. Then we have 100.64.0.0/10. Then we have 127.0.0.0/8; that’s the loopback IP address range. And then we have 169.254.0.0/16, 172.16.0.0/12, and 192.168.0.0/16. Apart from these, we also have some other IP address ranges that are reserved. So as you can see, leaving aside these reserved addresses that cannot be used on the Internet, we have a really small pool of IP addresses that we can call public IP addresses, the ones that can be used to route traffic over the Internet.

So the number of public IP addresses is limited, and we also know that the number of devices connecting to the Internet is growing every day. This has been happening for quite some time now. So the engineers in charge of keeping the Internet running devised a concept known as Network Address Translation, in which, instead of assigning public IP addresses to hosts, we assign private IP addresses. All the hosts in your environment run on private IP addresses, and then we translate those private IP addresses to one or a few public IP addresses before sending the traffic to the Internet. The advantage of doing this is that not every host that needs to connect to the Internet needs its own public IP address. The main reason for NAT, or network address translation, is to preserve IPv4 addresses. On a Junos device, we can configure three types of NAT. The first is source NAT. This is a many-to-one translation of source IP addresses, meaning we take many source IP addresses, which are usually private IP addresses, and translate them to one public IP address. The second type is destination NAT, and this is a one-to-many translation of destination IP addresses. So we take one destination IP address and translate it to many destination IP addresses. And the third is static NAT. This is a one-to-one translation of one IP address to another. In the upcoming lectures, we’ll understand what these different types of NAT are and how to configure them.

  1. Source NAT

Welcome back. Let’s now talk about the most commonly used NAT configuration technique, called source NAT. Believe it or not, almost every network that you connect to has a configuration for source NAT. Let’s talk about it.

So what is source NAT? Well, source NAT is a mechanism by which you can translate the source IP address of a packet. It is commonly used to translate multiple private IP addresses to one public IP address, which is a many-to-one translation, and this is commonly used in homes and offices. If you look at the device that you’re using now, most likely you’ll have a private IP address, something that begins with 10, 172.16, or 192.168. That IP address is a private one and cannot be routed over the Internet, so it is translated to a public IP address as it leaves your router. So source NAT is a mechanism that allows you to translate the source IP address of a packet. It’s important to keep in mind that source NAT only allows outgoing connections. Let’s talk about this. So let’s say we have two devices. Their source IP addresses are shown on the screen as 10.1.1.1 and 10.1.1.2. Now let’s say these devices connect through an SRX firewall and go to the Internet. As they leave the SRX firewall, their source IP address is translated to 200.1.1.1. This is an outgoing connection and is allowed by the SRX device. Now let’s say there is a host on the Internet that tries to initiate a reverse connection to that IP address, 200.1.1.1. This connection will not be allowed. And that’s a characteristic of source NAT: it only allows connections in one direction, outgoing connections.

Now let’s talk about the common uses for source NAT. It can be used to translate a single IP address to another address. It can be used to translate a contiguous block of addresses into another block of addresses of the same or smaller size. It can also be used to translate a contiguous block of addresses into a single IP address. And it can also be used to translate a contiguous block of addresses to the address of the egress interface. Now let’s talk about the types of source NAT. There are two types. The first is interface-based source NAT. Here the source addresses are translated to the address of the egress interface, or, in other words, the address of the outgoing interface. This is also referred to as interface NAT. It uses a technique called port address translation, which we’ll talk about in just a minute, and it does not require the configuration of an address pool.

Now let’s talk about port address translation and what that means. So here we have the two machines, 10.1.1.1 and 10.1.1.2. They are sitting behind an SRX firewall, and as their packets leave the firewall, the source IP address will be translated to the IP address of the outgoing interface, which is 200.1.1.1. How is this possible? We have multiple source IP addresses, but only one IP address to translate to. This is where we use a technique called port address translation. So let’s say the first device tries to send a packet to the Internet. This is how the translation will work. The untranslated source address, or the original source address, is 10.1.1.1, and let’s say the original source port is 33221. The translated source address will be the address of the interface, because we are performing interface NAT here. So the translated address is 200.1.1.1, and the device will also translate the source port. In this case, the translated source port is the same as the original source port, but it does not have to be that way. Now, let’s say the second device comes in and tries to send a packet to the Internet. This time, the original source address is 10.1.1.2, and let’s say the original source port is 33222. The translated source address will remain the same, 200.1.1.1, but this time we’ll use a different port number on that translated IP address to make this connection work. In this example, we’ve used sequential port numbers, but it does not have to be that way. The second connection could use a port number that is not sequential, and the translated port does not have to be the same as the original source port. Now, let’s talk about the second type of source NAT. This is called pool-based source NAT. A pool is a set of IP addresses used for translation. Now, think of a situation.

Let’s say we have five IP addresses that need to be translated. So we define a pool of addresses that has five addresses. There are five addresses that need to be translated into a pool of five addresses. This kind of situation is fine, because we have the required number of IP addresses that we want to translate to. But what happens if we have five addresses that we want to translate, but only three addresses in the pool, which means the number of IP addresses in the pool is less than the number of IP addresses that we need to translate? If the size of the translated pool is smaller than the number of untranslated addresses, the total number of concurrent sessions is limited to the number of addresses available, or we have to use port translation. So, going back to the example, if we had five IP addresses that needed to be translated and only three addresses in the pool, the first three addresses that came in with a connection request would be fulfilled, and the others would be dropped. Or, to fix this problem, we could enable port translation, in which case multiple port numbers on the same address will be used to fulfil the connections.
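To make the two pool-sizing outcomes above concrete (and the port address translation walk-through before it), here is an added Python model of a source NAT pool. It is not SRX code or anything from the course; the pool addresses (200.1.1.10 to 200.1.1.12), the host addresses and the source ports are constructed sample values, and the port allocation scheme (keep the original port when free, otherwise the lowest unused port from 1024) is an assumption of the model rather than how an SRX picks ports.

```python
# Added illustration (not Junos/SRX code) of pool-based source NAT:
# - with port translation off, each host is bound to one pool address and
#   sessions are dropped once the pool is exhausted;
# - with port address translation (PAT) on, hosts share pool addresses by
#   receiving distinct translated ports.
# All addresses and ports below are constructed sample values.


class SourceNatPool:
    """Minimal model of a source NAT pool with PAT switched on or off."""

    def __init__(self, pool, port_translation=True, port_base=1024):
        self.pool = list(pool)
        self.port_translation = port_translation
        self.port_base = port_base            # assumption: fallback ports start here
        self.bindings = {}                    # host address -> pool address (PAT off)
        self.sessions = {}                    # (src_ip, src_port) -> (xlated_ip, xlated_port)
        self.used_ports = {addr: set() for addr in self.pool}

    def translate(self, src_ip, src_port):
        """Return the translated (address, port) for this session, or None when
        the pool is exhausted and the session has to be dropped."""
        key = (src_ip, src_port)
        if key in self.sessions:
            return self.sessions[key]         # existing session keeps its translation

        if not self.port_translation:
            # One pool address per host for all of its sessions; the port is preserved.
            addr = self.bindings.get(src_ip)
            if addr is None:
                taken = set(self.bindings.values())
                free = [a for a in self.pool if a not in taken]
                if not free:
                    return None               # more hosts than addresses: dropped
                addr = free[0]
                self.bindings[src_ip] = addr
            xlated = (addr, src_port)
        else:
            # PAT: keep the original port on the first pool address where it is free;
            # otherwise allocate the lowest unused port on the first pool address.
            xlated = None
            for addr in self.pool:
                if src_port not in self.used_ports[addr]:
                    xlated = (addr, src_port)
                    break
            if xlated is None:
                addr = self.pool[0]
                xlated = (addr, self._next_free_port(self.used_ports[addr]))
            self.used_ports[xlated[0]].add(xlated[1])

        self.sessions[key] = xlated
        return xlated

    def _next_free_port(self, used):
        port = self.port_base
        while port in used:
            port += 1
        return port

    def active_sessions(self):
        return len(self.sessions)


def lecture_scenario(port_translation):
    """Five hosts, a three-address pool, one session each. Returns the list of
    translations in arrival order; None marks a dropped session."""
    nat = SourceNatPool(["200.1.1.10", "200.1.1.11", "200.1.1.12"], port_translation)
    hosts = ["10.1.1.1", "10.1.1.2", "10.1.1.3", "10.1.1.4", "10.1.1.5"]
    return [nat.translate(host, 33221 + i) for i, host in enumerate(hosts)]


if __name__ == "__main__":
    print("port translation off:", lecture_scenario(False))
    print("port translation on: ", lecture_scenario(True))
```

With port translation off, the fourth and fifth hosts get no translation, which is the "sessions limited to the number of addresses available" case; with it on, all five sessions succeed on a shared address. The same class also shows the interface NAT case from the walk-through: a one-address pool with PAT on, where a second host reusing the same source port is given a different translated port.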

Let’s move on to configuring source NAT. When you configure source NAT, you need to configure rules. In some regards, it is similar to a security policy configuration. We need to provide two pieces of information when we configure a source NAT rule. The first one is traffic direction: where is the traffic coming from and where is it going?

We can specify where the traffic is coming from by specifying whether it is coming from an interface, a zone, or a routing instance. And to define where the traffic is going, we can define it as going to an interface, to a zone, or to a routing instance. That’s the first piece of information that we need to provide. The second is packet information. We need to tell the SRX device which packets need to be translated, and we can do this by providing source and destination IP address information, source and destination port numbers, or protocol or application information. This is similar to what we did with security policies. So you need to provide the traffic direction information, where the traffic is coming from and where it is going, and which packets in that direction need the NAT translation applied. Now let’s look at a configuration example. The NAT configuration lives under the edit security nat hierarchy, and source NAT is configured under the source hierarchy within it.

We need to start with a rule set. In this case, we’ve named the rule set RS1. The information you see here specifies the traffic direction: from zone trust to zone untrust. So that’s your traffic direction. Next, we need to provide packet information, and that’s done by configuring a rule. So rule R1, and we are providing match conditions. We’ve specified a source address, which means all packets from this IP address range, and a destination address of 0.0.0.0/0. That means any traffic coming from this IP address range and going anywhere qualifies for the NAT translation. We then have the then clause with the source-nat keyword, and in this case we’re translating to a pool of IP addresses. So that’s a basic source NAT configuration. But what happens if we have multiple overlapping rules? Let me give you an example. So here we have two very similar configuration examples. The configuration on the left is rule set RS1, and the configuration on the right is rule set RS2. The configuration on the left is from zone trust to zone untrust.

The configuration on the right, however, rule set RS2, is from zone trust to interface ge-0/0/1. In both rule sets, rule R1 matches source address 10.1.1.0/24 and destination address 0.0.0.0/0. And make a note here: the rules have the exact same configuration, which means the packet information is the same in both cases. The rule on the left translates the IP addresses to a pool called source-pool-1, and the one on the right translates to another pool called source-pool-2. In this case, which rule will apply? They both have identical packet information. In this case, the more specific configuration takes priority. Notice carefully that the traffic direction on the left is from zone trust to zone untrust, whereas on the right it is from zone trust to the ge-0/0/1 interface. An interface match is more specific than a zone match, and a zone match is more specific than a routing instance match. That means the configuration on the left is less specific than the configuration on the right.

So rule set RS2 will be applied to matching traffic. Now let’s talk about the actions that can be configured on a source NAT rule. There are three actions. The first one is interface: as you might have guessed, it translates source IP addresses to the egress interface’s address. The second action is pool: it translates addresses to a pool, or set, of addresses. And the third action is off, in which case source NAT will not be applied. The last thing we’re going to talk about here is where in the packet flow source NAT is applied. So here’s the ingress packet. The first thing that happens is a check for a matching session.
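The overlapping rule-set example above (RS1 to zone untrust versus RS2 to an interface) can be checked with a small model. The following Python is an added illustration, not Junos code or anything from the course: it parses a constructed source NAT configuration written in Junos set syntax and picks the rule set and rule that apply to a packet using the lecture’s ordering (interface more specific than zone, zone more specific than routing instance). The pool address ranges, the logical interface names (ge-0/0/0.0, ge-0/0/1.0, ge-0/0/2.0) and the sample packets are assumptions; ranking the from-side before the to-side, and not falling through to a less specific rule set when no rule matches, are assumptions of the model.

```python
# Added illustration (not Junos code): parse a constructed source NAT
# configuration in Junos "set" syntax and select the rule set and rule that
# apply to a packet, using interface > zone > routing-instance specificity.
import ipaddress

# Constructed configuration mirroring the lecture's two overlapping rule sets;
# pool ranges and the interface name are assumptions.
CONFIG = """
set security nat source pool source-pool-1 address 200.1.1.10/32 to 200.1.1.12/32
set security nat source pool source-pool-2 address 200.1.1.20/32 to 200.1.1.22/32
set security nat source rule-set RS1 from zone trust
set security nat source rule-set RS1 to zone untrust
set security nat source rule-set RS1 rule R1 match source-address 10.1.1.0/24
set security nat source rule-set RS1 rule R1 match destination-address 0.0.0.0/0
set security nat source rule-set RS1 rule R1 then source-nat pool source-pool-1
set security nat source rule-set RS2 from zone trust
set security nat source rule-set RS2 to interface ge-0/0/1.0
set security nat source rule-set RS2 rule R1 match source-address 10.1.1.0/24
set security nat source rule-set RS2 rule R1 match destination-address 0.0.0.0/0
set security nat source rule-set RS2 rule R1 then source-nat pool source-pool-2
"""

# Lecture's ordering: interface is more specific than zone, which is more
# specific than routing-instance.
SPECIFICITY = {"interface": 3, "zone": 2, "routing-instance": 1}
ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_rule_sets(config):
    """Return {rule_set: {"from": (kind, value), "to": (kind, value),
    "rules": {rule: {"match": {field: network}, "then": action}}}}."""
    rule_sets = {}
    for line in config.strip().splitlines():
        t = line.split()
        if t[:5] != ["set", "security", "nat", "source", "rule-set"]:
            continue                     # pools and other hierarchies are not modelled
        rs = rule_sets.setdefault(t[5], {"from": None, "to": None, "rules": {}})
        if t[6] in ("from", "to"):
            rs[t[6]] = (t[7], t[8])      # e.g. ("zone", "trust") or ("interface", "ge-0/0/1.0")
        elif t[6] == "rule":
            rule = rs["rules"].setdefault(t[7], {"match": {}, "then": None})
            if t[8] == "match":
                rule["match"][t[9]] = ipaddress.ip_network(t[10])
            elif t[8] == "then":
                rule["then"] = " ".join(t[9:])   # e.g. "source-nat pool source-pool-1"
    return rule_sets


def _context_matches(context, side):
    """side is the packet's {'zone': ..., 'interface': ...} for one direction."""
    kind, value = context
    return side.get(kind) == value


def select_rule(rule_sets, packet):
    """Return (rule_set, rule, then-action) for the packet, or None if no rule matches."""
    src = ipaddress.ip_address(packet["src"])
    dst = ipaddress.ip_address(packet["dst"])
    candidates = []
    for name, rs in rule_sets.items():
        if _context_matches(rs["from"], packet["from"]) and _context_matches(rs["to"], packet["to"]):
            # Assumption of this model: the from-side is ranked ahead of the to-side.
            rank = (SPECIFICITY[rs["from"][0]], SPECIFICITY[rs["to"][0]])
            candidates.append((rank, name, rs))
    if not candidates:
        return None
    _, name, rs = max(candidates, key=lambda c: c[0])   # most specific rule set wins
    for rule_name, rule in rs["rules"].items():         # rules are checked in order
        m = rule["match"]
        if src in m.get("source-address", ANY) and dst in m.get("destination-address", ANY):
            return (name, rule_name, rule["then"])
    return None   # assumption: no fall-through to a less specific rule set


if __name__ == "__main__":
    rule_sets = parse_rule_sets(CONFIG)
    packet = {"from": {"zone": "trust", "interface": "ge-0/0/0.0"},
              "to": {"zone": "untrust", "interface": "ge-0/0/1.0"},
              "src": "10.1.1.5", "dst": "203.0.113.7"}
    print(select_rule(rule_sets, packet))
```

For a packet from zone trust leaving through ge-0/0/1.0 both rule sets match on direction, and the model returns RS2 with source-pool-2, as the lecture concludes; the same packet leaving through a different untrust interface falls back to RS1, and a packet outside 10.1.1.0/24 gets no source NAT at all.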

Now let’s say the packet does not match an existing session. In that case, screens are applied, then static NAT, then destination NAT; route and zone lookups happen, the security policy lookup happens, and only then do we have source NAT. The reason for this is that source NAT, or source IP address translation, does not affect the destination of the packet. As we’ll talk about in the upcoming lectures, static NAT and destination NAT can affect the destination of the packet, so they must be applied before any lookups are performed, but source NAT has no effect on where the packet is destined. I hope you have a good understanding of what source NAT is, why it is so important, and what the different types of source NAT are. In the upcoming lectures, we’ll get onto a Junos terminal and perform a live configuration of source NAT.
