How to configure destination NAT for traffic reaching the SRX firewall.
This configures the SRX to translate the destination IP address (and optionally the destination port) of traffic arriving at the firewall, based on specified match criteria. Destination NAT is normally used for the following common actions:
1. Translate one IP address to another address; this is usually done to let devices on the Internet reach a host in a private network.
2. Translate a contiguous block of addresses to another block of the same size, which can be used to allow access to a group of servers.
3. Translate a destination IP/port combination to another destination IP/port, which can be used to expose multiple services behind the same public IP address on different ports.
All three configurations below sit under the [edit security nat destination] hierarchy, and a rule-set selects traffic by ingress zone (from zone), not by interface. Two points that are easy to miss: destination NAT is applied before the security policy lookup, so the policy from zone untrust must permit traffic to the translated (private) address rather than the public one; and if the public address is not configured on the ingress interface, the SRX must be told to answer ARP for it under [edit security nat proxy-arp], or the traffic never reaches the rule.
Single address with no port translation:
The following configuration translates the destination IP address 100.0.0.1 to 10.1.10.5 for traffic that enters the SRX from the untrust zone; the destination port is left unchanged, and traffic to any other destination address is not touched by this rule.
pool A {
    address 10.1.10.5/32;
}
rule-set 1 {
    from zone untrust;
    rule 1A {
        match {
            destination-address 100.0.0.1/32;
        }
        then {
            destination-nat pool A;
        }
    }
}
Destination NAT with contiguous address pool:
The following configuration translates the whole 100.0.0.0/24 subnet to 10.1.10.0/24 for traffic entering from the untrust zone with a destination inside 100.0.0.0/24. The pool must be the same size as the matched block, and the mapping is one-to-one by host offset, so 100.0.0.N becomes 10.1.10.N.
pool A {
    address 10.1.10.0/24;
}
rule-set 1 {
    from zone untrust;
    rule 1A {
        match {
            destination-address 100.0.0.0/24;
        }
        then {
            destination-nat pool A;
        }
    }
}
Destination NAT with port translation:
The following configuration translates destination 100.0.0.1 port 80 to 10.1.10.5 port 8080 for traffic entering from the untrust zone. Only port 80 matches this rule; traffic to 100.0.0.1 on any other port is left untranslated unless another rule covers it.
pool A {
    address 10.1.10.5/32 port 8080;
}
rule-set 1 {
    from zone untrust;
    rule 1A {
        match {
            destination-address 100.0.0.1/32;
            destination-port 80;
        }
        then {
            destination-nat pool A;
        }
    }
}
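To make the behaviour of the three configurations above concrete, here is a small Python model of SRX destination NAT rule evaluation. It is an added example written for this page, not Juniper code and not a Junos parser: it expresses each configuration as data, evaluates rules in listed order with first match winning, maps a contiguous block one-to-one by host offset, and then runs a policy check after translation to show why the security policy must reference the translated address. The class and function names (Pool, Rule, RuleSet, DnatConfig, translate, session_permitted) and the packets fed in are constructed for illustration.

```python
"""Model of SRX destination NAT rule evaluation (added example, not Juniper code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Pool:
    """Destination NAT pool: a single host (/32) or a contiguous block, optional port."""
    address: str
    port: Optional[int] = None


@dataclass
class Rule:
    """One rule inside a destination rule-set (names are illustrative)."""
    name: str
    destination_address: str
    pool: str
    destination_port: Optional[int] = None


@dataclass
class RuleSet:
    """Destination rule-set; applies to traffic entering from `from_zone`."""
    from_zone: str
    rules: List[Rule]


@dataclass
class DnatConfig:
    pools: Dict[str, Pool]
    rule_sets: List[RuleSet]


def translate(cfg: DnatConfig, ingress_zone: str, dst_ip: str,
              dst_port: int) -> Tuple[str, int, Optional[str]]:
    """Apply destination NAT: first matching rule wins, rules are evaluated in
    listed order, and an unmatched packet is returned unchanged.
    Returns (translated_ip, translated_port, name_of_rule_hit_or_None)."""
    dst = ipaddress.ip_address(dst_ip)
    for rs in cfg.rule_sets:
        if rs.from_zone != ingress_zone:
            continue
        for rule in rs.rules:
            match_net = ipaddress.ip_network(rule.destination_address, strict=False)
            if dst not in match_net:
                continue
            if rule.destination_port is not None and rule.destination_port != dst_port:
                continue
            pool = cfg.pools[rule.pool]
            pool_net = ipaddress.ip_network(pool.address, strict=False)
            if pool_net.num_addresses == 1:
                # Single-address pool: every matching destination maps to that host.
                new_ip = pool_net.network_address
            else:
                # Block pool: same size as the matched block, hosts map one-to-one
                # by offset, e.g. 100.0.0.77 -> 10.1.10.77.
                if pool_net.num_addresses != match_net.num_addresses:
                    raise ValueError(f"pool {rule.pool} is not the same size as "
                                     f"{rule.destination_address}")
                offset = int(dst) - int(match_net.network_address)
                new_ip = ipaddress.ip_address(int(pool_net.network_address) + offset)
            # A port on the pool overrides the original destination port.
            new_port = pool.port if pool.port is not None else dst_port
            return str(new_ip), new_port, rule.name
    return dst_ip, dst_port, None


def session_permitted(cfg: DnatConfig, policy_destinations: List[str],
                      ingress_zone: str, dst_ip: str, dst_port: int) -> bool:
    """Destination NAT runs before the policy lookup, so the untrust-to-trust
    policy is evaluated against the translated address. `policy_destinations`
    is a list of destination prefixes the policy permits (constructed input)."""
    new_ip, _, _ = translate(cfg, ingress_zone, dst_ip, dst_port)
    post_nat = ipaddress.ip_address(new_ip)
    return any(post_nat in ipaddress.ip_network(p, strict=False)
               for p in policy_destinations)


# The three configurations from the text, expressed as data.
SINGLE_ADDRESS = DnatConfig(
    pools={"A": Pool("10.1.10.5/32")},
    rule_sets=[RuleSet("untrust", [Rule("1A", "100.0.0.1/32", pool="A")])],
)
CONTIGUOUS_BLOCK = DnatConfig(
    pools={"A": Pool("10.1.10.0/24")},
    rule_sets=[RuleSet("untrust", [Rule("1A", "100.0.0.0/24", pool="A")])],
)
PORT_TRANSLATION = DnatConfig(
    pools={"A": Pool("10.1.10.5/32", port=8080)},
    rule_sets=[RuleSet("untrust", [Rule("1A", "100.0.0.1/32", pool="A",
                                        destination_port=80)])],
)

if __name__ == "__main__":
    # Constructed packets entering from the untrust zone.
    print(translate(SINGLE_ADDRESS, "untrust", "100.0.0.1", 443))
    print(translate(CONTIGUOUS_BLOCK, "untrust", "100.0.0.77", 22))
    print(translate(PORT_TRANSLATION, "untrust", "100.0.0.1", 80))
    print(translate(PORT_TRANSLATION, "untrust", "100.0.0.1", 443))
    # A policy written for the public address never matches after translation.
    print(session_permitted(SINGLE_ADDRESS, ["100.0.0.1/32"], "untrust", "100.0.0.1", 443))
    print(session_permitted(SINGLE_ADDRESS, ["10.1.10.5/32"], "untrust", "100.0.0.1", 443))
```

The last two calls are the check worth keeping in mind when a destination NAT rule "does nothing": a policy that permits traffic to 100.0.0.1 is never hit, because by the time the policy is evaluated the session's destination is already 10.1.10.5.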