How to access Internal Resources using the external Static NAT address
Internal (trust) zone clients accessing internal resources using the external interface (untrust) Static NAT address.
Topology
The 192.168.1.1 address is translated to 100.100.100.101/24 (Static NAT).
In this example, the internal client (192.168.1.2) accesses the internal webserver using its external IP address (100.100.100.101).
This is commonly needed where DNS resolves the webserver's name to its public IP, so internal clients also connect to that address.
Solution:
Configuration steps:
1. Configure Static NAT for the internal webserver.
The static NAT configured on the SRX for the internal webserver must apply in both directions (traffic arriving on the internal interface as well as on the external interface); that is why the rule-set below is bound to the routing instance rather than to the untrust zone only.
root@juniper# show security
nat {
    static {
        rule-set Staticnat {
            from routing-instance default;
            rule Internal_Webserver {
                match {
                    destination-address 100.100.100.101/32;
                }
                then {
                    static-nat prefix 192.168.1.1/32;
                }
            }
        }
    }
}
2. Configure Source NAT for the internal client IP.
Source NAT should be configured so that packets from the internal client to the internal webserver have their source address translated to a dummy IP that does not exist on the internal network. This forces the webserver's return traffic to be routed back through the firewall instead of being delivered directly to the client on the same subnet. Note that the rule matches the destination 192.168.1.1, the address after static NAT, because the SRX applies static/destination NAT before it evaluates source NAT.
root@juniper# show security
nat {
    source {
        pool Dummypool {
            address {
                192.168.100.1/32;
            }
        }
        rule-set Snat {
            from zone trust;
            to zone trust;
            rule InternalNat {
                match {
                    source-address 192.168.1.2/32;
                    destination-address 192.168.1.1/32;
                }
                then {
                    source-nat {
                        pool {
                            Dummypool;
                        }
                    }
                }
            }
        }
    }
}
3. Configure Proxy ARP (optional).
If the static NAT IP and the firewall's external interface IP are in the same subnet, enable Proxy ARP for that address on the external interface.
root@juniper# show security
nat {
    proxy-arp {
        interface ge-0/0/1.0 {
            address {
                100.100.100.101/32;
            }
        }
    }
}