Shulou (Shulou.com) 06/01 Report
2025-03-28 update, from SLTechnology News & Howtos, Network Security
The addresses in an SRX source NAT pool are virtual: they are not configured on any interface and have no physical existence on the device, so reachability of a pool address from the rest of the network normally depends on a plain IP route lookup that points at the SRX. The SRX also supports a pool drawn from the subnet of one of its own physical interfaces, as shown in Figure 5-8.
Figure 5-8. Source NAT with Proxy ARP
To make such a pool reachable, the Proxy ARP function is enabled. Because the pool lies inside a subnet that is directly connected to the SRX rather than behind a route, the problem is reachability at the Ethernet layer (layer 2), not at the IP layer.
The last-hop IP routing device sends an ARP request on the local Ethernet segment to learn the MAC address for a pool address, and no host actually owns that address. Proxy ARP lets the SRX answer these ARP requests on behalf of the addresses within the pool, supplying its own MAC address as the Ethernet destination for packets whose IP destination is a pool address. Once those frames arrive, the SRX processes the return traffic through the flow engine as usual, reverse-translating the destination back to the internal host.
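The following model of the proxy ARP decision is an added example, not Junos code or output from the page. It parses an ARP request, checks whether the target address falls in the range configured with set security nat proxy-arp interface ge-0/0/2.0 address 198.18.5.64/27, and builds the reply the SRX would send with its own MAC. The SRX MAC address, the requesting router's MAC and IP, and the helper names are all constructed for illustration.

```python
"""Proxy ARP decision for source NAT pool addresses (added example, not Junos code).

Mirrors the page's configuration: ge-0/0/2.0 answers ARP for 198.18.5.64/27.
Requests for addresses outside that range, or arriving on another interface,
get no reply, which is exactly the black-hole you see when proxy-arp is missing.
"""
import ipaddress
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2

# Interface -> address ranges the device answers ARP for (from the page's config).
PROXY_ARP = {
    "ge-0/0/2.0": [ipaddress.ip_network("198.18.5.64/27")],
}

# Constructed sample value: the MAC the SRX would use on ge-0/0/2.0.
SRX_MAC = {"ge-0/0/2.0": bytes.fromhex("0019e2aabbcc")}


def build_arp(op, sha, spa, tha, tpa):
    """Build an Ethernet II + ARP (IPv4 over Ethernet) frame, 42 bytes.

    sha/tha are 6-byte MACs, spa/tpa are dotted IPv4 strings.
    Requests are broadcast; replies are unicast to the requester's MAC.
    """
    dst = tha if op == ARP_REPLY else b"\xff" * 6
    eth = dst + sha + struct.pack("!H", ETH_P_ARP)
    arp = (
        struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
        + sha + ipaddress.ip_address(spa).packed
        + tha + ipaddress.ip_address(tpa).packed
    )
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet/ARP frame, or None if it is not one."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sha": frame[22:28],
        "spa": str(ipaddress.ip_address(frame[28:32])),
        "tha": frame[32:38],
        "tpa": str(ipaddress.ip_address(frame[38:42])),
    }


def proxy_arp_reply(ifname, frame):
    """Return the reply frame the SRX would send for a request on ifname, or None.

    The device only answers when the target address is inside a proxy-arp range
    configured on the ingress interface; the reply carries the SRX's own MAC as
    the sender hardware address, so the router forwards pool traffic to the SRX.
    """
    req = parse_arp(frame)
    if req is None or req["op"] != ARP_REQUEST:
        return None
    target = ipaddress.ip_address(req["tpa"])
    if not any(target in net for net in PROXY_ARP.get(ifname, [])):
        return None
    return build_arp(ARP_REPLY, SRX_MAC[ifname], req["tpa"], req["sha"], req["spa"])


if __name__ == "__main__":
    # Constructed: the Inet-side router (198.18.5.1) asks who has pool address 198.18.5.78.
    router_mac = bytes.fromhex("001122334455")
    request = build_arp(ARP_REQUEST, router_mac, "198.18.5.1", b"\x00" * 6, "198.18.5.78")
    reply = proxy_arp_reply("ge-0/0/2.0", request)
    print("reply:", parse_arp(reply) if reply else None)
    # Outside the /27: the SRX stays silent and the router never learns a MAC.
    stray = build_arp(ARP_REQUEST, router_mac, "198.18.5.1", b"\x00" * 6, "198.18.5.100")
    print("reply for .100:", proxy_arp_reply("ge-0/0/2.0", stray))
```

The third case worth checking is a request for a pool address that arrives on a different interface; the model returns None there too, matching the per-interface scoping of the proxy-arp statement. The range you configure should contain only the pool, never addresses owned by other hosts on that segment, or the SRX will hijack their traffic.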
Proxy ARP configuration
James@SRX5800-1> edit
Entering configuration mode
[edit]
James@SRX5800-1# edit security nat source
[edit security nat source]
James@SRX5800-1# set pool phyPool address 198.18.5.64/27
Create a new rule-set that applies this pool:
[edit security nat source]
James@SRX5800-1# edit rule-set Dept-B-to-Inet
Match traffic from the Dept-B zone:
[edit security nat source rule-set Dept-B-to-Inet]
James@SRX5800-1# set from zone Dept-B
The destination is the Inet zone:
[edit security nat source rule-set Dept-B-to-Inet]
James@SRX5800-1# set to zone Inet
The following is configured at the rule level:
[edit security nat source rule-set Dept-B-to-Inet]
James@SRX5800-1# edit rule phypoolNAT
Match traffic with source address 10.2.0.0/16:
[edit security nat source rule-set Dept-B-to-Inet rule phypoolNAT]
James@SRX5800-1# set match source-address 10.2.0.0/16
Configure the source NAT action (the pool must be referenced under the pool keyword, as the show | compare output below confirms):
[edit security nat source rule-set Dept-B-to-Inet rule phypoolNAT]
James@SRX5800-1# set then source-nat pool phyPool
[edit security nat source rule-set Dept-B-to-Inet rule phypoolNAT]
James@SRX5800-1# up 3
Configure Proxy ARP for the 198.18.5.64/27 range on the Inet zone interface ge-0/0/2.0:
[edit security nat]
James@SRX5800-1# set proxy-arp interface ge-0/0/2.0 address 198.18.5.64/27
[edit security nat]
James@SRX5800-1# show | compare
[edit security nat source]
    pool ipPool { ... }
+   pool phyPool {
+       address {
+           198.18.5.64/27;
+       }
+   }
[edit security nat source]
    rule-set Dept-A-to-Inet { ... }
+   rule-set Dept-B-to-Inet {
+       from zone Dept-B;
+       to zone web-dmz;
+       rule phypoolNAT {
+           match {
+               source-address 198.18.11.0/24;
+           }
+           then {
+               source-nat {
+                   pool {
+                       phyPool;
+                   }
+               }
+           }
+       }
+   }
[edit security nat]
+   proxy-arp {
+       interface ge-0/0/2.0 {
+           address {
+               198.18.5.64/27;
+           }
+       }
+   }
[edit security nat]
James@SRX5800-1# commit and-quit
Configuration check succeeds
commit complete
Exiting configuration mode
James@SRX5800-1>
Traffic from 10.2.0.0/16 in the Dept-B zone to the Inet zone is now translated to addresses in 198.18.5.64/27, which lies in the egress Inet zone network. (The show | compare output captured above shows to zone web-dmz and source-address 198.18.11.0/24, which does not match the commands typed; the typed commands are what this example describes.)
When an ARP request for an address in 198.18.5.64/27 is received on the ge-0/0/2.0 interface, the SRX replies to it on behalf of the pool.
View the proxy ARP entries:
A flow translated through the new rule-set can be seen:
James@SRX5800-1> show security flow session
Session ID: 2336, Policy name: webdmz_mgt/8, Timeout: 1796
  In: 10.2.1.15/49842 --> 198.18.200.1/80;tcp, If: ge-0/0/0.0
  Out: 198.18.200.1/80 --> 198.18.5.78/2615;tcp, If: ge-0/0/2.0
1 sessions displayed
James@SRX5800-1>
Here the internal source address 10.2.1.15 is translated to the pool address 198.18.5.78 (visible as the destination in the Out, or return, direction), and the source port is translated from 49842 to 2615, because port translation is on by default and was not explicitly disabled. The corresponding log for this traffic is:
James@SRX5800-1> show log traffic-log
Jan 19 09:41:59 SRX210 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.2.1.15/49842->198.18.200.1/80 junos-http 198.18.5.78/2615->198.18.200.1/80 phypoolNAT None 6 webdmz_mgt Dept-B web-dmz 2336
James@SRX5800-1>
This session-creation log entry shows the translation of the internal source IP address and port, 10.2.1.15 and 49842, to the public address and port 198.18.5.78 and 2615, and also names the matching source NAT rule (phypoolNAT).
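The session-creation log is the natural place to verify, continuously rather than by eye, that a NAT rule really translates into the pool it is supposed to. The following audit script is an added example, not Juniper code: it parses RT_FLOW_SESSION_CREATE lines in the field order shown above (original source/port -> destination/port, service, translated source/port -> destination/port, source NAT rule, destination NAT rule, protocol, policy, source zone, destination zone, session id) and flags any session whose source NAT rule maps to phyPool but whose translated address or port falls outside the pool or the port range reported by show security nat source pool all. The first sample line is the page's log entry; the second is constructed to show a mismatch.

```python
"""Audit RT_FLOW_SESSION_CREATE lines against the configured source NAT pool.

Added example, not Junos code. The rule-to-pool mapping and the port range
[1024, 63487] are taken from the configuration and show output on this page.
"""
import ipaddress
import re

# Pool and rule names from the page's configuration.
POOLS = {"phyPool": ipaddress.ip_network("198.18.5.64/27")}
RULE_TO_POOL = {"phypoolNAT": "phyPool"}
POOL_PORTS = range(1024, 63487 + 1)  # "Port: [1024, 63487]" in the pool output

ENDPOINT = r"(\d+\.\d+\.\d+\.\d+)/(\d+)"
PATTERN = re.compile(
    r"RT_FLOW_SESSION_CREATE: session created "
    + ENDPOINT + "->" + ENDPOINT + r" (\S+) "      # original flow, service
    + ENDPOINT + "->" + ENDPOINT                   # translated flow
    + r" (\S+) (\S+) (\d+) (\S+) (\S+) (\S+) (\d+)"  # rules, proto, policy, zones, session id
)


def parse_session_create(line):
    """Return the session fields as a dict, or None if the line is not a SESSION_CREATE."""
    m = PATTERN.search(line)
    if not m:
        return None
    g = m.groups()
    return {
        "src": g[0], "sport": int(g[1]), "dst": g[2], "dport": int(g[3]),
        "service": g[4],
        "nat_src": g[5], "nat_sport": int(g[6]), "nat_dst": g[7], "nat_dport": int(g[8]),
        "src_nat_rule": g[9], "dst_nat_rule": g[10], "proto": int(g[11]),
        "policy": g[12], "from_zone": g[13], "to_zone": g[14], "session_id": int(g[15]),
    }


def audit_source_nat(rec):
    """Return a list of findings; an empty list means the translation matches the pool."""
    findings = []
    pool_name = RULE_TO_POOL.get(rec["src_nat_rule"])
    if pool_name is None:
        # No known source NAT rule, yet the source changed: something else translated it.
        if rec["nat_src"] != rec["src"]:
            findings.append("source translated but no known source NAT rule matched")
        return findings
    pool = POOLS[pool_name]
    if ipaddress.ip_address(rec["nat_src"]) not in pool:
        findings.append(f"translated source {rec['nat_src']} outside {pool_name} ({pool})")
    if rec["nat_sport"] not in POOL_PORTS:
        findings.append(f"translated port {rec['nat_sport']} outside pool port range")
    return findings


SAMPLE_LOGS = [
    # The session shown on the page.
    "Jan 19 09:41:59 SRX210 RT_FLOW: RT_FLOW_SESSION_CREATE: session created "
    "10.2.1.15/49842->198.18.200.1/80 junos-http 198.18.5.78/2615->198.18.200.1/80 "
    "phypoolNAT None 6 webdmz_mgt Dept-B web-dmz 2336",
    # Constructed: same rule name, but translated outside the /27 and to a privileged port.
    "Jan 19 09:42:03 SRX210 RT_FLOW: RT_FLOW_SESSION_CREATE: session created "
    "10.2.1.16/50110->198.18.200.1/443 junos-https 198.18.5.130/1023->198.18.200.1/443 "
    "phypoolNAT None 6 webdmz_mgt Dept-B web-dmz 2337",
]


def audit_lines(lines):
    """Map session id -> findings for every parsable SESSION_CREATE line."""
    results = {}
    for line in lines:
        rec = parse_session_create(line)
        if rec is not None:
            results[rec["session_id"]] = audit_source_nat(rec)
    return results


if __name__ == "__main__":
    for sid, findings in audit_lines(SAMPLE_LOGS).items():
        print(sid, "OK" if not findings else "; ".join(findings))
```

Newer Junos releases append further fields (and a structured-data variant exists); the pattern above anchors on the leading fields only, so trailing additions are ignored rather than breaking the parse.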
View the rule with the show command (note that this captured output lists the pool range under Match rather than the 10.2.0.0/16 configured above):
James@SRX5800-1> show security nat source rule phypoolNAT
Source NAT rule: phypoolNAT         Rule-set: Dept-B-to-Inet
  Rule-Id                    : 2
  Rule position              : 1
  From zone                  : Dept-B
  To zone                    : Inet
  Match
    Source addresses         : 198.18.5.64 - 198.18.5.95
  Action                     : phyPool
    Persistent NAT type      : N/A
    Inactivity timeout       : 0
    Max session number       : 0
  Translation hits           : 1
James@SRX5800-1>
The new address pool:
James@SRX5800-1> show security nat source pool all
Total pools: 1
Pool name         : phyPool
Pool id           : 5
Routing instance  : default
Host address base : 0.0.0.0
Port              : [1024, 63487]
Total addresses   : 32
Translation hits  : 1
Address range                         Single Ports   Twin Ports
    198.18.5.64 - 198.18.5.95                    1            0
James@SRX5800-1>