Source NAT off for SSH access to Junos OS security device

Quick tip if you run an SRX or J Series router in an office or home environment and you connect to the device's external IP address for SSH access from within the internal LAN. Say you have some really simple source NAT rules for your trusted network, i.e.:

set security nat source rule-set SRX_LAN-to-InternetCombined from zone SRX_LAN
set security nat source rule-set SRX_LAN-to-InternetCombined to zone InternetCombined
set security nat source rule-set SRX_LAN-to-InternetCombined rule Interface_NAT_1 match source-address 192.168.5.0/24
set security nat source rule-set SRX_LAN-to-InternetCombined rule Interface_NAT_1 match destination-address 0.0.0.0/0
set security nat source rule-set SRX_LAN-to-InternetCombined rule Interface_NAT_1 then source-nat interface

The issue I've come across with this setup is that when I open an SSH session from 192.168.5.x to the router's external IP address, my very generic and broad destination-address rule catches it and applies source NAT, so the session ends up looking like (using 1.1.1.1 as the external IP for this example) 1.1.1.1 trying to SSH to 1.1.1.1. This gets all kinds of annoying, and I don't want to have to create extra policies or complicated flow-based workarounds. Note that 1.1.1.1 isn't inside my SRX_LAN zone if you follow the from and to statements of the rule-set: the external address belongs to the InternetCombined zone, which is exactly why the SRX_LAN-to-InternetCombined rule-set applies to this traffic. The easiest way around it is a little bit of source-nat off, which disables NAT for the specific rule you specify. That makes my config look like this instead:

set security nat source rule-set SRX_LAN-to-InternetCombined from zone SRX_LAN
set security nat source rule-set SRX_LAN-to-InternetCombined to zone InternetCombined
set security nat source rule-set SRX_LAN-to-InternetCombined rule Interface_NAT_0 match source-address 192.168.5.0/24
set security nat source rule-set SRX_LAN-to-InternetCombined rule Interface_NAT_0 match destination-address 1.1.1.1/32
set security nat source rule-set SRX_LAN-to-InternetCombined rule Interface_NAT_0 match destination-port 22
set security nat source rule-set SRX_LAN-to-InternetCombined rule Interface_NAT_0 then source-nat off
set security nat source rule-set SRX_LAN-to-InternetCombined rule Interface_NAT_1 match source-address 192.168.5.0/24
set security nat source rule-set SRX_LAN-to-InternetCombined rule Interface_NAT_1 match destination-address 0.0.0.0/0
set security nat source rule-set SRX_LAN-to-InternetCombined rule Interface_NAT_1 then source-nat interface

I've created a small rule, placed before Interface_NAT_1, that matches the LAN source 192.168.5.0/24 with destination 1.1.1.1/32 on port 22 and turns source NAT off. Simple and easy for a home user. A few things to check, though. Source NAT rules within a rule-set are evaluated in order and the first match wins, so if Interface_NAT_1 already exists, a plain set appends the new rule after it and the broad rule still wins; move it into place with:

insert security nat source rule-set SRX_LAN-to-InternetCombined rule Interface_NAT_0 before rule Interface_NAT_1

This only changes NAT behaviour: the security policy from SRX_LAN to InternetCombined must still permit the SSH traffic, and SSH must be enabled under host-inbound-traffic system-services for the external interface or its zone. If the external address is assigned dynamically, the hard-coded 1.1.1.1/32 destination will not track it. You can confirm the session is no longer translated with show security flow session destination-port 22, where the source should still show the 192.168.5.x address. What actually got me doing this was that I use a connection manager for the devices I need to manage; the list is upwards of 100 devices, so I didn't want duplicate entries for the same device just to reach the internal or external interface depending on where I was at the time. Having just the one entry with the external IP address is now all I need.
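To make the first-match behaviour concrete, here is an added Python example (not from the original post and not Junos code) that parses the set lines above into an ordered rule list and evaluates a LAN-to-external-IP SSH session against three variants: the original single broad rule, the corrected rule-set, and the same two rules with Interface_NAT_0 accidentally configured after Interface_NAT_1. It is a deliberately simplified model of source NAT evaluation (first match within one rule-set, only the interface and off actions); the sample addresses 192.168.5.10, 8.8.8.8 and 10.0.0.5 are constructed for the demonstration.

```python
"""Simplified model of Junos source NAT rule evaluation (hypothetical, not Junos code).

Rules in a rule-set are evaluated in configuration order and the first match
wins. A rule with no destination-port match applies to any port;
`source-nat interface` rewrites the source to the egress interface address,
`source-nat off` leaves the source untouched.
"""
import ipaddress
import shlex

# Constructed sample: the corrected rule-set from the post, as Junos `set` lines.
FIXED_CONFIG = """
set security nat source rule-set SRX_LAN-to-InternetCombined from zone SRX_LAN
set security nat source rule-set SRX_LAN-to-InternetCombined to zone InternetCombined
set security nat source rule-set SRX_LAN-to-InternetCombined rule Interface_NAT_0 match source-address 192.168.5.0/24
set security nat source rule-set SRX_LAN-to-InternetCombined rule Interface_NAT_0 match destination-address 1.1.1.1/32
set security nat source rule-set SRX_LAN-to-InternetCombined rule Interface_NAT_0 match destination-port 22
set security nat source rule-set SRX_LAN-to-InternetCombined rule Interface_NAT_0 then source-nat off
set security nat source rule-set SRX_LAN-to-InternetCombined rule Interface_NAT_1 match source-address 192.168.5.0/24
set security nat source rule-set SRX_LAN-to-InternetCombined rule Interface_NAT_1 match destination-address 0.0.0.0/0
set security nat source rule-set SRX_LAN-to-InternetCombined rule Interface_NAT_1 then source-nat interface
"""

_lines = FIXED_CONFIG.strip().splitlines()
_header, _nat0, _nat1 = _lines[:2], _lines[2:6], _lines[6:]
# The post's first config: only the broad interface-NAT rule.
ORIGINAL_CONFIG = "\n".join(_header + _nat1)
# What a plain `set` gives when Interface_NAT_0 is added after Interface_NAT_1 exists.
MISORDERED_CONFIG = "\n".join(_header + _nat1 + _nat0)


def parse_rule_set(config):
    """Parse `set security nat source rule-set ...` lines.

    Returns (from_zone, to_zone, rules). Rules keep the order of their first
    appearance, which is the order `set` creates them in; a rule that must win
    over an existing one needs `insert ... before` on the device.
    """
    from_zone = to_zone = None
    rules = {}  # rule name -> rule dict, insertion ordered
    for line in config.strip().splitlines():
        tok = shlex.split(line)
        if tok[:5] != ["set", "security", "nat", "source", "rule-set"]:
            continue
        rest = tok[6:]  # everything after the rule-set name
        if rest[0] == "from":
            from_zone = rest[2]
        elif rest[0] == "to":
            to_zone = rest[2]
        elif rest[0] == "rule":
            rule = rules.setdefault(rest[1], {"name": rest[1], "match": {}, "then": None})
            if rest[2] == "match":
                rule["match"][rest[3]] = rest[4]
            elif rest[2] == "then":
                rule["then"] = " ".join(rest[3:])
    return from_zone, to_zone, list(rules.values())


def apply_source_nat(rules, src_ip, dst_ip, dst_port, egress_ip):
    """Return (matching rule name, post-NAT source) for the first matching rule.

    With no match the source is left as-is and the rule name is None.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        m = rule["match"]
        if src not in ipaddress.ip_network(m.get("source-address", "0.0.0.0/0"), strict=False):
            continue
        if dst not in ipaddress.ip_network(m.get("destination-address", "0.0.0.0/0"), strict=False):
            continue
        if "destination-port" in m and int(m["destination-port"]) != dst_port:
            continue
        if rule["then"] == "source-nat interface":
            return rule["name"], egress_ip
        if rule["then"] == "source-nat off":
            return rule["name"], src_ip
        raise ValueError(f"unsupported action {rule['then']!r}")
    return None, src_ip


def ssh_source_after_nat(config, src="192.168.5.10", ext_ip="1.1.1.1"):
    """Evaluate a LAN host SSHing to the router's external address under `config`."""
    _, _, rules = parse_rule_set(config)
    return apply_source_nat(rules, src, ext_ip, 22, ext_ip)


if __name__ == "__main__":
    for label, cfg in [("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG),
                       ("misordered", MISORDERED_CONFIG)]:
        rule, src = ssh_source_after_nat(cfg)
        print(f"{label:10s} SSH 192.168.5.10 -> 1.1.1.1:22  matched {rule}, source becomes {src}")
```

Running it shows the original and misordered configs both rewrite the SSH source to 1.1.1.1 (the 1.1.1.1-to-1.1.1.1 session from the post), while the corrected order leaves it at 192.168.5.10; non-SSH traffic from the LAN, including HTTPS to 1.1.1.1 itself, still hits Interface_NAT_1 and is translated as before.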
