[Junos Security] Menggunakan NAT Source untuk Terhubung ke Internet

Post Views: 5,053

Hi sobat blogger 🙂

Ini adalah tulisan kedua terkait NAT, tepatnya bagaimana mengkonfigurasi NAT source supaya private network anda terhubung ke internet. Pembahsan NAT source ini yang related dengan real network/case yang biasa terjadi. Oke langsung saja ane coba kasi gambar supaya anda lebih bisa memahami nya.

Jadi pada gambar diatas, misal anda memiliki private network 192.168.10.0/24 dengan gateway di srx 192.168.10.1, lalu anda memiliki koneksi ke ISP misal dengan segmen IP 200.250.100.0/29, dimana IP router ISP adalah ip terakhir dari ip tersebut 200.250.100.6/29. Interface out firewall srx adalah fe-0/0/0 dengan ip 200.250.100.1/29. Oke kira2 ada gambaran ya apa yang harus dilakukan untuk pertama kali nya, untuk detailnya mari kita ikuti step berikut:

Step 1: Konfigurasi IP address

set interfaces fe-0/0/0 unit 0 family inet address 200.250.100.1/30
set interfaces fe-0/0/1 unit 0 family inet address 192.168.10.1/24

1 2	set interfaces fe-0/0/0 unit 0 family inet address 200.250.100.1/30 set interfaces fe-0/0/1 unit 0 family inet address 192.168.10.1/24

Jika anda mendapati case bahwa ip address yang di dapat dari ISP adalah dynamic ip or ip dhcp, maka anda hanya perlu setting konfigurasi seperti berikut ini:

set interfaces fe-0/0/0 unit 0 family inet dhcp

1	set interfaces fe-0/0/0 unit 0 family inet dhcp

Step 2: Konfigurasi Zone

set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces fe-0/0/0.0

set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces fe-0/0/1.0

set security zones security-zone untrust host-inbound-traffic system-services all

set security zones security-zone untrust host-inbound-traffic protocols all

set security zones security-zone untrust interfaces fe-0/0/0.0

set security zones security-zone trust host-inbound-traffic system-services all

set security zones security-zone trust host-inbound-traffic protocols all

set security zones security-zone trust interfaces fe-0/0/1.0

Disini ane tidak perlu menjelaskan terkait zone ya, karena sebulumnya sudah dibhas lebih detail pada tulisan sebelumnya, hehe. Oke jadi terkait case ini untuk interface fe-0/0/0.0 kita masukan ke dalam zone untrust, adapun interface fe-0/0/1.0 kita masukan ke dalam trust zone.

Step 3: Konfigurasi Policy

set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit

set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any

set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any

set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any

set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit

Dalam hal ini anda hanya perlu konfigurasi policy dari trust zone ke untrust zone. Karena sync traffic dari dalam keluar, jadi anda tidak perlu membuat rule 2-way.

Step 4: Konfigurasi NAT Source

set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface

set security nat source rule-set trust-to-untrust from zone trust

set security nat source rule-set trust-to-untrust to zone untrust

set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0

set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface

Konfigurasi diatas adalah konfigurasi interface-based source nat. Jadi traffic akan di translasi mengguankan egress interface address dengan destinasi nya adalah untrust zone atau ke internet. Jadi traffic nanti akan di translasi ke ip 200.250.100.1. Paham ya kira2 🙂

Oke coba kita lihat lebih detail terkait nat ini:

root@site16# set security nat ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> destination          Configure Destination NAT
> natv6v4              Configure NAT between IPv6 and IPv4 options
> proxy-arp            Configure Proxy ARP
> proxy-ndp            Configure Proxy NDP
> source               Configure Source NAT
> static               Configure Static NAT
> traceoptions         NAT trace options
[edit]

root@site16# set security nat ?

Possible completions:

+ apply-groups Groups from which to inherit configuration data

+ apply-groups-except Don't inherit configuration data from these groups

> destination Configure Destination NAT

> natv6v4 Configure NAT between IPv6 and IPv4 options

> proxy-arp Configure Proxy ARP

> proxy-ndp Configure Proxy NDP

> source Configure Source NAT

> static Configure Static NAT

> traceoptions NAT trace options

[edit]

Untuk konfigurasi nat source itu under hirarki security nat, jika case anda bahwa anda ingin menggunakan ip pool maka yang harus anda create adalah proxy-arp nya sama pool nat nya, lebih lengkap nya seperti berikut:

set security nat proxy-arp interface fe-0/0/0.0 address 200.250.100.2 to 200.250.100.5

set security nat source pool 200_250_100_2 address 200.250.100.2/32

root@site16# set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat pool ?
Possible completions:
  <pool-name>          Name of Source NAT pool
  200_250_100_2
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> persistent-nat       Persistent NAT info
[edit]
root@site16# set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat pool 200_250_100_2

set security nat proxy-arp interface fe-0/0/0.0 address 200.250.100.2 to 200.250.100.5

set security nat source pool 200_250_100_2 address 200.250.100.2/32

root@site16# set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat pool ?

Possible completions:

<pool-name> Name of Source NAT pool

200_250_100_2

+ apply-groups Groups from which to inherit configuration data

+ apply-groups-except Don't inherit configuration data from these groups

> persistent-nat Persistent NAT info

[edit]

root@site16# set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat pool 200_250_100_2

Kapan anda perlu create proxy-arp? saat anda menggunakan ip pool dari ip network yang sama dari interface out anda. Jika anda beda ip address dari segmen p2p dengan ISP anda tidak perlu create proxy-arp. dari sisi firewall anda hanya perlu templen ip tersebut ke interface out anda, dan dari sisi ISP mereka harus create route supaya ip pool nat anda bisa di reach. oke cukup jelas. hehe.

Step 5: Konfigurasi Default route.

Anda juga perlu menambahkan default route seperti berikut:

set routing-options static route 0.0.0.0 next-hop 200.250.100.6

1	set routing-options static route 0.0.0.0 next-hop 200.250.100.6

Untuk case interface out nya mengguakan ip dhcp anda tidak perlu menambahkan static route seperti diatas, karena dia secara otomatis akan bertambah sendiri di tabel route nya seperti berikut:

user@srx> show route

inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Access-internal/12] 01:00:26
                    > to 192.168.171.1 via fe-0/0/0.0

<em>[output cut]</em>

user@srx> show route

inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Access-internal/12] 01:00:26

> to 192.168.171.1 via fe-0/0/0.0

<em>[output cut]</em>

Step 7: Verifikasi

Anda bisa melakukan verifikasi untuk memastikan konfigurasi anda benar, memonitor traffic dan nat.

user@srx> show configuration
user@srx>show security flow session
user@srx>ping ip_address
user@srx> show route
user@srx>show security nat source summary

user@srx> show configuration

user@srx>show security flow session

user@srx>ping ip_address

user@srx> show route

user@srx>show security nat source summary

Contoh flow sessin NAT source:

Session ID: 22, Policy name: trust-to-untrust/4, Timeout: 1796, Valid
  In: 192.168.10.2/49200 --> 92.51.156.86/5938;tcp, If: fe-0/0/1.0, Pkts: 2379, Bytes: 143417
  Out: 92.51.156.86/5938 --> 200.250.100.1/10539;tcp, If: fe-0/0/0.0, Pkts: 1598, Bytes: 102708

Session ID: 22, Policy name: trust-to-untrust/4, Timeout: 1796, Valid

In: 192.168.10.2/49200 --> 92.51.156.86/5938;tcp, If: fe-0/0/1.0, Pkts: 2379, Bytes: 143417

Out: 92.51.156.86/5938 --> 200.250.100.1/10539;tcp, If: fe-0/0/0.0, Pkts: 1598, Bytes: 102708

Oke cukup sampai disini ya sobat semua untuk pembahasan source NAT, next akan kita bahas static nat dan destination nat. Jika ada pertanyaan silahkan beri komentar dibawah.

Terima kash.

arisyi

arisyi.net

Tag Cloud

Posting Terbaru

Komentar