Setting up ‘Static NAT’ is the process of taking one of your ‘spare’ public IP addresses, and permanently mapping that public IP to a private IP address on your network.
In the example above I want to give my web server, which has an internal IP address of 192.168.1.10/24, the public IP address of 1.1.1.5/24. So if someone out on the Internet wants to view my website, they can browse to http://1.1.1.5 (or a URL that I’ve pointed at 1.1.1.5, like http://www.mywebsite.com), and that traffic will be NATed on the firewall for me.
Solution
1. Create a rule-set from the ‘untrust’ zone. Then add a rule to that rule-set that has a destination of 1.1.1.5/32, and finally set it to NAT that traffic to 192.168.1.10/32.
[box]
login: root
Password: *******
— JUNOS 12.1X44-D30.4 built 2014-01-11 03:56:31 UTC
[edit]
root@FW-02# set security nat static rule-set UNTRUST-TO-TRUST from zone untrust
[edit]
root@FW-02# set security nat static rule-set UNTRUST-TO-TRUST rule NAT-RULE-1 match destination-address 1.1.1.5/32
[edit]
root@FW-02# set security nat static rule-set UNTRUST-TO-TRUST rule NAT-RULE-1 then static-nat prefix 192.168.1.10/32
[/box]
2. Set the firewall to proxy-arp (advertise your public IP address with its MAC address), then add the web server to the global address book.
Note: ge-0/0/0.0 is the physical interface you are advertising the new IP address from; on firewalls in a failover cluster you would use the reth interface instead, e.g. reth0.0.
[box]
[edit]
root@FW-02# set security address-book global address WEB-SERVER 192.168.1.10/32
[/box]
3. Allow traffic OUT from the web server. Here I’m letting out all ports; if you wanted just web traffic then use the keyword junos-http (TCP port 80, http).
[box]
[edit]
root@FW-02# set security policies from-zone trust to-zone untrust policy WEB-SERVER-OUT match source-address WEB-SERVER
[edit]
root@FW-02# set security policies from-zone trust to-zone untrust policy WEB-SERVER-OUT match destination-address any
[edit]
root@FW-02# set security policies from-zone trust to-zone untrust policy WEB-SERVER-OUT match application any
[edit]
root@FW-02# set security policies from-zone trust to-zone untrust policy WEB-SERVER-OUT then permit
[/box]
4. Then allow traffic IN to the web server (here I’m locking it down to just http).
[box]
[edit]
root@FW-02# set security policies from-zone untrust to-zone trust policy WEB-SERVER-IN match source-address any
[edit]
root@FW-02# set security policies from-zone untrust to-zone trust policy WEB-SERVER-IN match destination-address WEB-SERVER
[edit]
root@FW-02# set security policies from-zone untrust to-zone trust policy WEB-SERVER-IN match application junos-http
[edit]
root@FW-02# set security policies from-zone untrust to-zone trust policy WEB-SERVER-IN then permit
[/box]
Juniper Allowing Traffic To Custom Ports And Applications
1. Although Juniper have a lot of built-in ‘applications’ you can allow, what if you want to create your own? Below I’ll create a custom application for Remote Desktop Protocol (TCP port 3389).
[box]
[edit]
root@FW-A# set applications application APP-RDP protocol tcp
[edit]
root@FW-A# set applications application APP-RDP destination-port 3389
[/box]
2. You could now use this application in your security policies e.g.
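Putting the static NAT rule, the two security policies and the custom APP-RDP application together, here is an added example (not from the original article) that models the SRX flow order in Python: static NAT rewrites the public destination first, and the policy is then matched on the translated address, which is why WEB-SERVER-IN references the private address. The zone lookup and the 192.168.1.0/24 LAN behind the trust zone are assumptions.

```python
import ipaddress

# Constructed from the configuration on the page: the static NAT rule-set, the global
# address book, the built-in and custom applications, and the two security policies.
STATIC_NAT = [("untrust", "1.1.1.5/32", "192.168.1.10/32")]  # (from zone, public, private)
ADDRESS_BOOK = {"any": "0.0.0.0/0", "WEB-SERVER": "192.168.1.10/32"}
APPLICATIONS = {"any": None, "junos-http": ("tcp", 80), "APP-RDP": ("tcp", 3389)}
POLICIES = [  # (from zone, to zone, source, destination, application, action); first match wins
    ("trust", "untrust", "any", "any", "any", "permit"),                 # WEB-SERVER-OUT
    ("untrust", "trust", "any", "WEB-SERVER", "junos-http", "permit"),   # WEB-SERVER-IN
]
TRUST_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed: the LAN behind the trust zone


def zone_of(ip):
    """Assumed zone lookup: the internal LAN is trust, everything else is untrust."""
    return "trust" if ipaddress.ip_address(ip) in TRUST_NET else "untrust"


def static_nat(from_zone, dst):
    """Static NAT is applied before the policy lookup and rewrites the public destination."""
    for zone, public, private in STATIC_NAT:
        if zone == from_zone and ipaddress.ip_address(dst) in ipaddress.ip_network(public):
            return str(ipaddress.ip_network(private).network_address)
    return dst


def reverse_static_nat(src):
    """Static NAT is bidirectional: traffic leaving the server is sourced from the public IP."""
    for _zone, public, private in STATIC_NAT:
        if ipaddress.ip_address(src) in ipaddress.ip_network(private):
            return str(ipaddress.ip_network(public).network_address)
    return src


def policy_action(from_zone, to_zone, src, dst, proto, port):
    """First matching policy wins; the SRX default policy denies everything else."""
    for fz, tz, s, d, app, action in POLICIES:
        if (fz, tz) != (from_zone, to_zone):
            continue
        if ipaddress.ip_address(src) not in ipaddress.ip_network(ADDRESS_BOOK[s]):
            continue
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(ADDRESS_BOOK[d]):
            continue
        if APPLICATIONS[app] is not None and APPLICATIONS[app] != (proto, port):
            continue
        return action
    return "deny"


def first_packet(src, dst, proto, port):
    """Return (post-NAT destination, policy action) for the first packet of a new session."""
    from_zone = zone_of(src)
    real_dst = static_nat(from_zone, dst)
    return real_dst, policy_action(from_zone, zone_of(real_dst), src, real_dst, proto, port)
```

Adding a third policy that references APP-RDP instead of junos-http is all it takes to open TCP 3389 through the same static NAT mapping, so keep the inbound policy list as short as the published services require.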
While trying to deploy Solarwinds to monitor a Juniper SRX failover cluster, we were having no joy connecting to the management interface of the secondary/standby firewall. The management (fxp0) interface on the primary (node0) firewall we could get to OK.
After jumping on the secondary firewall (via the console connection) we observed the following:
error: the routing subsystem is not running
Solution
As you can see above, I couldn’t get the routing services started. I soon found out this is quite normal: the primary (active) firewall maintains the routing instance; the secondary firewall does not.
Well, that’s fine, but what about our Solarwinds box? What happens if the secondary firewall goes down? No one would know, and we also can’t take daily backups of its config.
To fix this problem you need to use the ‘backup-router’ command. This lets the appliance maintain some routes in the event that it is not hosting the live routing instance.
1. I’ll connect to the primary firewall from this console session on the secondary firewall with the following command:
[box]request routing-engine login node0[/box]
2. Now I can add the backup-router routes, but assign them to the secondary (node1) firewall. Note: 192.168.100.1 is the next hop.
[box]
To get traffic back to the Solarwinds Management Server
set groups node1 system backup-router 192.168.100.1 destination 10.1.20.10/32
To get traffic back to the Cisco ACS Appliance
set groups node1 system backup-router 192.168.100.1 destination 10.1.20.10/32
[/box]
3. Don’t forget that if the firewalls fail over you will have the same problem (but the opposite way round), so I need to add the same routes to the primary node (node0) as well.
[box]
To get traffic back to the Solarwinds Management Server
set groups node0 system backup-router 192.168.100.1 destination 10.1.20.10/32
To get traffic back to the Cisco ACS Appliance
set groups node0 system backup-router 192.168.100.1 destination 10.1.20.10/32
[/box]
4. Save the config with a ‘commit’ command.
If you have a server or host that you want to be publicly addressable and only have one public IP address then port forwarding is what you require.
Solution
Assumptions
1. You have a public IP on the outside of your router.
2. You are performing NAT from your internal range of IP addresses to your external IP address.
To Make Sure
1. Run the following command:
[box]PetesRouter#show run | include ip nat inside[/box]
You should see a line like:
[box]ip nat inside source list 101 interface Dialer0 overload[/box]
2. That means NAT all traffic that access-list 101 applies to, to Dialer0 (this is an ADSL router and that’s its outside interface). To see what traffic is in access-list 101, issue the following command:
[box]PetesRouter#show run | include access-list 101[/box]
You should see a line like:
[box]access-list 101 permit ip 10.10.0.0 0.0.255.255 any[/box]
3. This means permit (apply this ACL to) all traffic from 10.10.0.0/16 to anywhere. So it’s set to NAT all traffic from the inside network to the outside network.
4. Finally, to see what IP is on your Dialer0, issue the following command:
[box]PetesRouter#show ip interface brief | exclude unassigned[/box]
You should see something like this
Now we know all traffic from 10.10.0.0/24 (All inside traffic) will be NAT translated to 123.123.123.123
Set up Port Forwarding
In this case I’ll port forward TCP port 443 (HTTPS) and TCP port 25 (SMTP) to an internal server (10.10.0.1).
1. First set up the static NAT translations.
[box]
PetesRouter#ip nat inside source static tcp 10.10.0.1 443 123.123.123.123 443 extendable
PetesRouter#ip nat inside source static tcp 10.10.0.1 25 123.123.123.123 25 extendable
[/box]
OR, if you are running with a public DHCP address:
[box]
PetesRouter#ip nat inside source static tcp 10.10.0.1 443 interface Dialer0 443
PetesRouter#ip nat inside source static tcp 10.10.0.1 25 interface Dialer0 25
[/box]
2. Second, stop that traffic from being NATed with everything else.
[box]
PetesRouter#access-list 101 deny tcp host 10.10.0.1 eq 443 any
PetesRouter#access-list 101 deny tcp host 10.10.0.1 eq 25 any
[/box]
3. Save the changes with “copy run start”, then press enter to accept the default name of startup-config:
[box]
PetesRouter#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
PetesRouter#
[/box]
Set up port forwarding and restrict it to an IP or network
For things like HTTPS and SMTP you might want them accessible from anywhere, but you might want to lock down access for something like RDP (TCP port 3389). If that’s the case then you need to do the following.
1. Create a new ACL that allows traffic from you but denies it from everyone else (remember to put a permit at the end).
[box]
PetesRouter#access-list 199 permit tcp host 234.234.234.234 host 123.123.123.123 eq 3389
PetesRouter#access-list 199 deny tcp any host 123.123.123.123 eq 3389
PetesRouter#access-list 199 permit ip any any
[/box]
Note: To allow a network substitute the first line for,
4. Finally, apply the ACL you created inbound on the Dialer0 interface.
[box]
PetesRouter#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
PetesRouter(config)#interface Dialer0
PetesRouter(config-if)#ip access-group 199 in
PetesRouter(config-if)#exit
PetesRouter#
[/box]
5. Save the changes with “copy run start”, then press enter to accept the default name of startup-config:
[box]
PetesRouter#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
PetesRouter#
[/box]
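As an added example (not part of the original article), the following Python evaluates the page’s two ACLs the way IOS does, first match wins with an implicit deny at the end. It covers the wildcard-mask entry in ACL 101 (where permit means “translate” and the two deny lines exempt the port-forwarded server ports) as well as the RDP restriction in ACL 199. The evaluator is my own; any test addresses beyond those on the page are constructed.

```python
import ipaddress

# Constructed from the page's ACLs. ACL 101 selects what NAT overload translates (the two deny
# lines exempt the port-forwarded server ports); ACL 199 restricts inbound RDP on Dialer0.
ACL_101 = [
    "access-list 101 deny tcp host 10.10.0.1 eq 443 any",
    "access-list 101 deny tcp host 10.10.0.1 eq 25 any",
    "access-list 101 permit ip 10.10.0.0 0.0.255.255 any",
]
ACL_199 = [
    "access-list 199 permit tcp host 234.234.234.234 host 123.123.123.123 eq 3389",
    "access-list 199 deny tcp any host 123.123.123.123 eq 3389",
    "access-list 199 permit ip any any",
]


def _address(tokens):
    """Consume one IOS address spec ('any', 'host A' or 'A wildcard') and an optional 'eq port'."""
    tok = tokens.pop(0)
    if tok == "any":
        net = ipaddress.ip_network("0.0.0.0/0")
    elif tok == "host":
        net = ipaddress.ip_network(tokens.pop(0) + "/32")
    else:  # network plus inverse (wildcard) mask, which ipaddress accepts as a hostmask
        net = ipaddress.ip_network(tok + "/" + tokens.pop(0))
    port = None
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        port = int(tokens.pop(0))
    return net, port


def parse_acl(lines):
    """Return (action, protocol, src_net, src_port, dst_net, dst_port) entries in ACL order."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        rest = t[4:]
        src, sport = _address(rest)
        dst, dport = _address(rest)
        entries.append((t[2], t[3], src, sport, dst, dport))
    return entries


def evaluate(entries, proto, src, dst, sport=None, dport=None):
    """First matching entry decides; every IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, sp, dnet, dp in entries:
        if p not in ("ip", proto) or s not in snet or d not in dnet:
            continue
        if (sp is not None and sp != sport) or (dp is not None and dp != dport):
            continue
        return action
    return "deny"
```

Numbered ACL entries are appended in the order they are typed and evaluation stops at the first match, so confirm with “show access-lists” that the two deny lines sit above the permit line in ACL 101; appended below it they would never match.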
I’ve spent years setting up VPN tunnels between firewalls. The only time I’ve ever dealt with GRE is for letting VPN client software through firewalls. GRE’s job is to ‘encapsulate’ other protocols and transport those protocols inside a virtual point-to-point link. Below is the topology I’m going to use.
The tunnel will run from router R1 to router R3; once complete I should be able to ping Host2 from Host1.
Solution
Configure Router R1 for GRE
1. Create and configure a tunnel interface on the R1 router. It will need an IP address (here I’m using 10.0.0.1/30). Then you need to specify the source and destination of the GRE tunnel. Finally, I’ve changed some MTU settings: typically MTUs are set to 1500 and GRE adds an overhead, so I’m dropping the MTU to 1400 and setting the maximum segment size to 1360.
[box]
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#interface Tunnel0
*Mar 1 00:01:27.747: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R1(config-if)#ip address 10.0.0.1 255.255.255.252
R1(config-if)#ip mtu 1400
R1(config-if)#ip tcp adjust-mss 1360
R1(config-if)#tunnel source 1.1.1.1
R1(config-if)#tunnel destination 2.2.2.1
R1(config-if)#exit
[/box]
2. Then we need to add a static route to the router’s routing table so it knows to use that tunnel for traffic destined for the 192.168.2.0/24 network.
3. This is simply a mirror image of the configuration you carried out on router R1.
[box]
R3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#interface Tunnel0
*Mar 1 00:01:30.747: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R3(config-if)#ip address 10.0.0.2 255.255.255.252
R3(config-if)#ip mtu 1400
R3(config-if)#ip tcp adjust-mss 1360
R3(config-if)#tunnel source 2.2.2.1
R3(config-if)#tunnel destination 1.1.1.1
R3(config-if)#exit
R3(config)#ip route 192.168.1.0 255.255.255.0 Tunnel0
[/box]
Verify GRE Tunnel
4. Use the following command to check the status of the GRE tunnel.
[box]
R1# show interface tunnel 0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 10.0.0.1/30
MTU 1514 bytes, BW 9 Kbit/sec, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 1.1.1.1, destination 2.2.2.1
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255
Fast tunneling enabled
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
[/box]
5. Then make sure that traffic passes over the tunnel.
[box]
R1#ping 192.168.2.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/64/88 ms
R1#
[/box]
Securing the Tunnel with IPsec
6. Our traffic is now going where we want it to, and it’s encapsulated, but it’s still being sent ‘in the clear’: if traffic is intercepted ‘in flight’ it can be read. So we need to secure that traffic by encrypting it. The first job is to create an ISAKMP policy that will establish ‘phase 1’ of our secure tunnel. I’m using AES, with Diffie-Hellman group 2, and SHA hashing. I’ve specified that I will be using a pre-shared key, so that’s been created with the last command and is assigned to the IP of the ‘other end’ of the VPN tunnel.
[box]
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption aes
R1(config-isakmp)#group 2
R1(config-isakmp)#hash sha
R1(config-isakmp)#exit
R1(config)#crypto isakmp key 0 Sh@reds3cret address 2.2.2.1
[/box]
7. Phase 2 of our tunnel (IPsec) is encrypted and hashed with a ‘transform set’; again I’m using AES and SHA. Then I create a profile that uses my transform set.
8. The last job is to apply the profile I created above, to our GRE tunnel interface.
[box]
R1(config)#interface tun0
R1(config-if)#tunnel mode ipsec ipv4
R1(config-if)#tunnel protection ipsec profile PF-PNL
*Mar 1 00:20:32.271: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R1(config-if)#
*Mar 1 00:20:33.175: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#
*Mar 1 00:20:33.699: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R1(config-if)#exit
R1(config)#
[/box]
9. Again, configure router R3 as a mirror image.
[box]
R3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#crypto isakmp policy 10
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#encryption aes
R3(config-isakmp)#group 2
R3(config-isakmp)#hash sha
R3(config-isakmp)#exit
R3(config)#crypto isakmp key 0 Sh@reds3cret address 1.1.1.1
R3(config)#crypto ipsec transform-set TFS-PNL esp-aes esp-sha-hmac
R3(cfg-crypto-trans)#exit
R3(config)#crypto ipsec profile PF-PNL
R3(ipsec-profile)#set transform-set TFS-PNL
R3(ipsec-profile)#exit
R3(config)#interface tun0
R3(config-if)#tunnel mode ipsec ipv4
R3(config-if)#tunnel protection ipsec profile PF-PNL
R3(config-if)#
*Mar 1 00:25:32.271: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R3(config-if)#
*Mar 1 00:25:33.175: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R3(config-if)#
*Mar 1 00:25:33.699: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R3(config-if)#exit
R3(config)#
[/box]
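A worked calculation (added here, not from the original article) of why ip mtu 1400 and ip tcp adjust-mss 1360 from step 1 remain safe once both GRE and the ESP transform set above are in play. The header sizes are the standard ones for IPv4, GRE without options, and ESP in tunnel mode with AES-CBC and HMAC-SHA1-96; the 1500-byte physical MTU is an assumption, and the gre flag lets you compare with tunnel mode ipsec ipv4, which drops the GRE header.

```python
# Constructed worked calculation for the values chosen on the page (ip mtu 1400, adjust-mss 1360).
# The 1500-byte link MTU is an assumption; header sizes are the standard ones.
IPV4_HDR = 20
TCP_HDR = 20
GRE_HDR = 4          # flags/version + protocol type; no key, sequence or checksum
ESP_SPI_SEQ = 8      # SPI + sequence number
AES_IV = 16          # AES-CBC initialisation vector
AES_BLOCK = 16       # payload + trailer are padded to a multiple of the cipher block
ESP_TRAILER = 2      # pad length + next header
SHA1_96_ICV = 12     # esp-sha-hmac truncates HMAC-SHA1 to 96 bits


def gre_size(inner_len):
    """Outer length after GRE/IP encapsulation."""
    return IPV4_HDR + GRE_HDR + inner_len


def esp_tunnel_size(inner_len):
    """Outer length after ESP tunnel mode: new IP header, ESP header, IV, padded payload, ICV."""
    padded = -(-(inner_len + ESP_TRAILER) // AES_BLOCK) * AES_BLOCK  # round up to a block
    return IPV4_HDR + ESP_SPI_SEQ + AES_IV + padded + SHA1_96_ICV


def outer_size(inner_len, gre=True, ipsec=True):
    """Size on the wire of an inner packet after the configured encapsulations."""
    size = inner_len
    if gre:
        size = gre_size(size)
    if ipsec:
        size = esp_tunnel_size(size)
    return size


def max_inner_mtu(link_mtu=1500, gre=True, ipsec=True):
    """Largest inner IP packet that fits the link without fragmenting the outer packet."""
    inner = link_mtu
    while outer_size(inner, gre, ipsec) > link_mtu:
        inner -= 1
    return inner


def tcp_mss_for(ip_mtu):
    """MSS = IP MTU minus the IPv4 and TCP headers, i.e. the value for ip tcp adjust-mss."""
    return ip_mtu - IPV4_HDR - TCP_HDR
```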
Cisco IOS Verify IPsec VPN Tunnel Is Up
Note: To bring up the tunnel simply send some traffic over it by pinging something on the other side of the tunnel. If you get a reply then the tunnel is up! But to check its status, first make sure phase 1 has established.
[box]
R3#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
1.1.1.1 2.2.2.1 QM_IDLE 1001 0 ACTIVE
IPv6 Crypto ISAKMP SA
R3#
[/box]
QM_IDLE means that phase 1 has been established (in Quick Mode) and the SA is in an idle state. This is what you want to see; if you see any other state message you may need to start debugging things.
Once you know phase 1 is established you need to check phase 2.
[box]
R3#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 2.2.2.1
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 1.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 2.2.2.1, remote crypto endpt.: 1.1.1.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0x3AA3F6B0(983824048)
inbound esp sas:
spi: 0x5C5C5EF1(1549557489)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4559832/3506)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3AA3F6B0(983824048)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4559832/3506)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
[/box]
NAT is the process of taking one or more IP addresses and translating it/them into different IP addresses. You may require your router to translate all your internal IP addresses to your public (ISP allocated) IP address. To do that we use a process called NAT Overload.
Solution
1. Connect to the router, go to enable mode, then global configuration mode.
[box]
PetesRouter#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
PetesRouter(config)#