{"id":450,"date":"2016-09-11T22:49:48","date_gmt":"2016-09-11T15:49:48","guid":{"rendered":"https:\/\/www.routecloud.net\/blog\/?p=450"},"modified":"2016-09-11T22:54:01","modified_gmt":"2016-09-11T15:54:01","slug":"junos-security-dual-nat-design-juniper-srx","status":"publish","type":"post","link":"https:\/\/www.routecloud.net\/blog\/junos-security-dual-nat-design-juniper-srx\/","title":{"rendered":"[Junos Security] Dual NAT Design Juniper SRX"},"content":{"rendered":"<p>I built this lab and wrote it up as a note to myself as an engineer \ud83d\ude42 If you want to really follow this post, take the time to go through some of my earlier posts on this blog: start with the basics <a href=\"https:\/\/www.routecloud.net\/blog\/junos-security\/\">here<\/a>, and once that is clear, read the posts on <a href=\"https:\/\/www.routecloud.net\/blog\/junos-security-menggunakan-nat-source-untuk-terhubung-ke-internet\/\">source NAT<\/a> and <a href=\"https:\/\/www.routecloud.net\/blog\/junos-security-implementasi-static-nat-dan-destination-nat-juniper-srx\/\">destination NAT<\/a>.<\/p>\n<p>OK, done? Then you are ready for the next part \ud83d\ude42<\/p>\n<p>If you already understand those, you can carry on with this post. Once again, this article is really a combination of several earlier ones, on source NAT, destination NAT and static NAT. It also follows a requirement from a real network design and security case, specifically one built on SRX firewalls; if you are just starting to look into this, it may be worth keeping in mind for later. 
Let's look at the following diagram so it is clearer.<\/p>\n<p><a href=\"https:\/\/www.routecloud.net\/blog\/wp-content\/uploads\/2016\/09\/Drawing1.png\"><img loading=\"lazy\" class=\"aligncenter size-full wp-image-451\" src=\"https:\/\/www.routecloud.net\/blog\/wp-content\/uploads\/2016\/09\/Drawing1.png\" alt=\"nat source destination design \" width=\"971\" height=\"417\" srcset=\"https:\/\/www.routecloud.net\/blog\/wp-content\/uploads\/2016\/09\/Drawing1.png 971w, https:\/\/www.routecloud.net\/blog\/wp-content\/uploads\/2016\/09\/Drawing1-300x129.png 300w, https:\/\/www.routecloud.net\/blog\/wp-content\/uploads\/2016\/09\/Drawing1-768x330.png 768w, https:\/\/www.routecloud.net\/blog\/wp-content\/uploads\/2016\/09\/Drawing1-200x86.png 200w\" sizes=\"(max-width: 971px) 100vw, 971px\" \/><\/a><\/p>\n<p><strong>Quick description<\/strong>: RouteCloud Head Office has a partner, and the partner wants to connect its network to RouteCloud's network (service). Neither side wants to share its internal address space with the other, for reasons of security, capacity, best practice or whatever else, so one solution is NAT. The NAT here has an inside and an outside side on each firewall, or, put simply, the traffic is NATed twice.<\/p>\n<p>The design above is not too complicated to follow. I suggest you focus only on the two firewalls, FW Cloud-A and FW Cloud-B. In this case the two clouds (companies) know only the point-to-point IP and the NAT segment between their firewalls; neither knows the NAT segment the other uses internally, and the real addresses (10.10.10.0\/24 on the RouteCloud side, 192.168.10.0\/24 on the partner side) never appear on the link between them. 
Drawn again in simplified form, it looks like this:<br \/>\n<a href=\"https:\/\/www.routecloud.net\/blog\/wp-content\/uploads\/2016\/09\/sample-logical-topology.png\"><img loading=\"lazy\" class=\"aligncenter size-full wp-image-469\" src=\"https:\/\/www.routecloud.net\/blog\/wp-content\/uploads\/2016\/09\/sample-logical-topology.png\" alt=\"sample-logical-topology\" width=\"678\" height=\"138\" srcset=\"https:\/\/www.routecloud.net\/blog\/wp-content\/uploads\/2016\/09\/sample-logical-topology.png 678w, https:\/\/www.routecloud.net\/blog\/wp-content\/uploads\/2016\/09\/sample-logical-topology-300x61.png 300w, https:\/\/www.routecloud.net\/blog\/wp-content\/uploads\/2016\/09\/sample-logical-topology-200x41.png 200w\" sizes=\"(max-width: 678px) 100vw, 678px\" \/><\/a><\/p>\n<p>Hopefully that gives you a good enough picture of what we want to do. Let's go through the configuration step by step.<\/p>\n<p><strong>Initial configuration on the Partner side:<\/strong><\/p>\n<p>Router-B<\/p>\n<pre class=\"lang:default decode:true \" title=\"Interface Router-B\">set interfaces em0 unit 0 description \"LAN Partner\"\r\nset interfaces em0 unit 0 family inet address 192.168.10.254\/24\r\nset interfaces em1 unit 0 description \"P2P FW CLoud-B\"\r\nset interfaces em1 unit 0 family inet address 192.168.1.2\/30\r\n<\/pre>\n<pre class=\"lang:default decode:true\" title=\"static route\">set routing-options static route 192.168.20.0\/24 next-hop 192.168.1.1<\/pre>\n<p>The static route above points to the partner's inside NAT pool, 192.168.20.0\/24 (the addresses partner hosts use to reach RouteCloud services), via FW Cloud-B.<\/p>\n<p>FW-CloudB<\/p>\n<p>Here is the initial configuration on the partner's firewall; it is needed to build the intended topology.<\/p>\n<pre class=\"lang:default decode:true\" title=\"config interface\">set interfaces ge-0\/0\/0 unit 0 family inet address 192.168.1.1\/30\r\nset interfaces ge-0\/0\/0 unit 0 family inet address 192.168.20.254\/24\r\nset interfaces ge-0\/0\/1 vlan-tagging\r\nset interfaces ge-0\/0\/1 unit 10 description \"P2P TO ROUTECLOUD Head Office\"\r\nset interfaces ge-0\/0\/1 unit 10 vlan-id 10\r\nset interfaces ge-0\/0\/1 unit 10 family inet address 172.16.10.2\/30\r\nset interfaces ge-0\/0\/1 unit 10 family inet address 192.168.30.254\/24\r\n<\/pre>\n<pre class=\"lang:default decode:true\" title=\"zone config\">set security zones security-zone UNTRUST host-inbound-traffic system-services all\r\nset security zones security-zone UNTRUST host-inbound-traffic protocols all\r\nset security zones security-zone UNTRUST interfaces ge-0\/0\/1.10\r\nset security zones security-zone TRUST host-inbound-traffic system-services all\r\nset security zones security-zone TRUST host-inbound-traffic protocols all\r\nset security zones security-zone TRUST interfaces ge-0\/0\/0.0\r\n<\/pre>\n<p>On the partner firewall, static routes are needed only for the RouteCloud outside NAT pool 10.30.30.0\/24 (towards the point-to-point link) and for the partner's own LAN segment (towards Router-B):<\/p>\n<pre class=\"lang:default decode:true \" title=\"static route\">set routing-options static route 10.30.30.0\/24 next-hop 172.16.10.1\r\nset routing-options static route 192.168.10.0\/24 next-hop 192.168.1.2<\/pre>\n<p>Next we create the security policy. This post does not focus on a custom policy, so a plain permit-any rule is used. Treat that as a lab shortcut: in production, restrict the policy to the agreed NAT addresses and to the applications actually exchanged, and do not leave host-inbound-traffic system-services all and protocols all on the UNTRUST zone, since that exposes the firewall's own management services and routing protocols to the partner link.<\/p>\n<pre class=\"lang:default decode:true\">set security policies from-zone TRUST to-zone UNTRUST policy PermitAll match source-address any\r\nset security policies from-zone TRUST to-zone UNTRUST policy PermitAll match destination-address any\r\nset security policies from-zone TRUST to-zone UNTRUST policy PermitAll match application any\r\nset security policies from-zone TRUST to-zone UNTRUST policy PermitAll then permit\r\n<\/pre>\n<p><strong>Initial configuration on the RouteCloud Head Office side:<\/strong><\/p>\n<p>Router-A<\/p>\n<p>Interface configuration:<\/p>\n<pre class=\"lang:default decode:true\" title=\"interface config router A\">set interfaces em0 unit 0 family inet address 10.10.10.254\/24\r\nset 
interfaces em1 vlan-tagging\r\nset interfaces em1 unit 1 vlan-id 1\r\nset interfaces em1 unit 1 family inet address 10.1.1.2\/30<\/pre>\n<p>Routing configuration; a standard OSPF setup is used here.<\/p>\n<pre class=\"lang:default decode:true \" title=\"ospf\">set protocols ospf area 0.0.0.0 interface em0.0\r\nset protocols ospf area 0.0.0.0 interface em1.1<\/pre>\n<p>Next, let's look at the configuration of the firewall FW Cloud-A.<\/p>\n<pre class=\"lang:default decode:true \" title=\"interface FW CloudA\">set interfaces ge-0\/0\/0 vlan-tagging\r\nset interfaces ge-0\/0\/0 unit 1 description \"P2P TO MX-80 DC\"\r\nset interfaces ge-0\/0\/0 unit 1 vlan-id 1\r\nset interfaces ge-0\/0\/0 unit 1 family inet address 10.1.1.1\/30\r\nset interfaces ge-0\/0\/0 unit 1 family inet address 10.20.20.254\/24\r\nset interfaces ge-0\/0\/1 vlan-tagging\r\nset interfaces ge-0\/0\/1 unit 10 description \"P2P TO PARTNER-A\"\r\nset interfaces ge-0\/0\/1 unit 10 vlan-id 10\r\nset interfaces ge-0\/0\/1 unit 10 family inet address 172.16.10.1\/30\r\nset interfaces ge-0\/0\/1 unit 10 family inet address 10.30.30.254\/24<\/pre>\n<pre class=\"lang:default decode:true\">root@FW.CloudA# show protocols | display set\r\nset protocols ospf area 0.0.0.0 interface ge-0\/0\/0.1\r\n<\/pre>\n<p>Above is the OSPF configuration; only the interface facing the internal network is put into OSPF. For the network facing the partner, a routing instance of type virtual-router (often loosely called a VRF) is used, so the routing table of RouteCloud's internal network is kept separate from the one facing the partner.<\/p>\n<pre class=\"lang:default decode:true \" title=\"vrf PARTNER\">root@FW.CloudA# show routing-instances PARTNER_A | display set\r\nset routing-instances PARTNER_A instance-type virtual-router\r\nset routing-instances PARTNER_A interface ge-0\/0\/1.10\r\nset routing-instances PARTNER_A routing-options interface-routes rib-group inet Outside_to_Inside\r\nset routing-instances PARTNER_A routing-options static route 192.168.30.0\/24 next-hop 172.16.10.2\r\n<\/pre>\n<p>Now create the rib-group so that the PARTNER_A routes are also shared into the default table inet.0. Because the rib-group is applied under interface-routes, only the direct and local routes of ge-0\/0\/1.10 are leaked; the static route to 192.168.30.0\/24 stays in PARTNER_A.inet.0 only, as the two route tables below show.<\/p>\n<pre class=\"lang:default decode:true\" title=\"rib\">[edit]\r\nroot@FW.CloudA# show routing-options\r\nrib-groups {\r\n    Outside_to_Inside {\r\n        import-rib [ PARTNER_A.inet.0 inet.0 ];\r\n    }\r\n}\r\n<\/pre>\n<p>Curious how it turns out? Let's show the routes:<\/p>\n<pre class=\"lang:default decode:true\" title=\"sho route\">root@FW.CloudA# run show route table PARTNER_A.inet.0\r\n\r\nPARTNER_A.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)\r\n+ = Active Route, - = Last Active, * = Both\r\n\r\n10.30.30.0\/24      *[Direct\/0] 04:20:26\r\n                    &gt; via ge-0\/0\/1.10\r\n10.30.30.254\/32    *[Local\/0] 04:20:28\r\n                      Local via ge-0\/0\/1.10\r\n172.16.10.0\/30     *[Direct\/0] 04:20:26\r\n                    &gt; via ge-0\/0\/1.10\r\n172.16.10.1\/32     *[Local\/0] 04:20:28\r\n                      Local via ge-0\/0\/1.10\r\n192.168.30.0\/24    *[Static\/5] 04:20:26\r\n                    &gt; to 172.16.10.2 via ge-0\/0\/1.10\r\n<\/pre>\n<p>And the routing table of RouteCloud's internal network (inet.0) is:<\/p>\n<pre class=\"lang:default decode:true\" title=\"run show route table inet.0\">root@FW.CloudA# run show route table inet.0\r\n\r\ninet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)\r\n+ = 
Active Route, - = Last Active, * = Both\r\n\r\n10.1.1.0\/30        *[Direct\/0] 04:22:35\r\n                    &gt; via ge-0\/0\/0.1\r\n10.1.1.1\/32        *[Local\/0] 04:22:37\r\n                      Local via ge-0\/0\/0.1\r\n10.10.10.0\/24      *[OSPF\/10] 04:22:25, metric 2\r\n                    &gt; to 10.1.1.2 via ge-0\/0\/0.1\r\n10.20.20.0\/24      *[Direct\/0] 04:22:35\r\n                    &gt; via ge-0\/0\/0.1\r\n10.20.20.254\/32    *[Local\/0] 04:22:37\r\n                      Local via ge-0\/0\/0.1\r\n10.30.30.0\/24      *[Direct\/0] 04:22:35\r\n                    &gt; via ge-0\/0\/1.10\r\n10.30.30.254\/32    *[Local\/0] 04:22:35\r\n                      Local via ge-0\/0\/1.10\r\n172.16.10.0\/30     *[Direct\/0] 04:22:35\r\n                    &gt; via ge-0\/0\/1.10\r\n172.16.10.1\/32     *[Local\/0] 04:22:35\r\n                      Local via ge-0\/0\/1.10\r\n224.0.0.5\/32       *[OSPF\/10] 04:22:51, metric 1\r\n                      MultiRecv\r\n<\/pre>\n<p>Beyond this, no more routing is needed from RouteCloud towards the partner or the other way around; remember, everything else is handled by NAT. Don't forget to create the zones and the security policy; for testing, permit-any policies are used in both directions (again, tighten these in production).<\/p>\n<pre class=\"lang:default decode:true\" title=\"zone and policy\">root@FW.CloudA# show security zones | display set\r\nset security zones security-zone OUTSIDE host-inbound-traffic system-services all\r\nset security zones security-zone OUTSIDE host-inbound-traffic protocols all\r\nset security zones security-zone OUTSIDE interfaces ge-0\/0\/1.10\r\nset security zones security-zone INSIDE host-inbound-traffic system-services all\r\nset security zones security-zone INSIDE host-inbound-traffic protocols all\r\nset security zones security-zone INSIDE interfaces ge-0\/0\/0.1\r\n\r\nroot@FW.CloudA# show security policies | display set\r\nset security policies from-zone INSIDE to-zone OUTSIDE policy PermitAll match source-address any\r\nset security policies from-zone INSIDE to-zone OUTSIDE policy PermitAll match destination-address any\r\nset security policies from-zone INSIDE to-zone OUTSIDE policy PermitAll match application any\r\nset security policies from-zone INSIDE to-zone OUTSIDE policy PermitAll then permit\r\nset security policies from-zone OUTSIDE to-zone INSIDE policy PermitAll match source-address any\r\nset security policies from-zone OUTSIDE to-zone INSIDE policy PermitAll match destination-address any\r\nset security policies from-zone OUTSIDE to-zone INSIDE policy PermitAll match application any\r\nset security policies from-zone OUTSIDE to-zone INSIDE policy PermitAll then permit\r\n<\/pre>\n<p>OK, you have now built the topology from the diagram above; now it is time to make it work \ud83d\ude00<\/p>\n<p>To complete this case, RouteCloud and the partner need to share and agree on the IP allocation whenever a service is connected; an allocation or NAT mapping mistake means the NAT will not work as planned.<\/p>\n<p><a href=\"https:\/\/www.routecloud.net\/blog\/wp-content\/uploads\/2016\/09\/map-nat.png\"><img loading=\"lazy\" class=\"aligncenter size-full wp-image-472\" src=\"https:\/\/www.routecloud.net\/blog\/wp-content\/uploads\/2016\/09\/map-nat.png\" alt=\"map-nat\" width=\"822\" height=\"230\" srcset=\"https:\/\/www.routecloud.net\/blog\/wp-content\/uploads\/2016\/09\/map-nat.png 822w, https:\/\/www.routecloud.net\/blog\/wp-content\/uploads\/2016\/09\/map-nat-300x84.png 300w, https:\/\/www.routecloud.net\/blog\/wp-content\/uploads\/2016\/09\/map-nat-768x215.png 768w, https:\/\/www.routecloud.net\/blog\/wp-content\/uploads\/2016\/09\/map-nat-200x56.png 200w\" sizes=\"(max-width: 822px) 100vw, 822px\" \/><\/a><\/p>\n<p>The table above is not a fixed standard; it is simply the mapping for the scenario we are building. 
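<\/p>\n<p>Before walking through the flow, here is that mapping expressed as a small Python model. This is an added example, not code from the original post or from Juniper: it transcribes the four NAT rule-sets from the FW.CloudB and FW.CloudA configuration shown later in the post, applies them in the order an SRX applies them (destination NAT first, then source NAT) on each firewall in turn, and checks that no real internal address of either side appears on the inter-firewall link. The Flow and NatRule classes, the function names and the REAL_PREFIXES list are this example's own assumptions.<\/p>\n

```python
# Added example (not code from the original post or from Juniper): a model of
# how each SRX translates one session, chaining FW Cloud-B and FW Cloud-A.
# The rule-sets are transcribed from the NAT configuration in the post; the
# class and function names and REAL_PREFIXES are this example's own choices.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str  # source address as it currently appears on the wire
    dst: str  # destination address as it currently appears on the wire


@dataclass(frozen=True)
class NatRule:
    match_src: tuple  # prefixes from 'match source-address'
    match_dst: str    # prefix from 'match destination-address'
    pool: str         # the single-address pool the rule translates to


def in_prefixes(addr, prefixes):
    a = ip_address(addr)
    return any(a in ip_network(p) for p in prefixes)


def apply_rules(flow, rules, translate):
    '''First matching rule wins, as in an SRX rule-set; no match leaves the flow untouched.'''
    for rule in rules:
        if in_prefixes(flow.src, rule.match_src) and in_prefixes(flow.dst, (rule.match_dst,)):
            if translate == 'dst':
                return Flow(flow.src, rule.pool)
            return Flow(rule.pool, flow.dst)
    return flow


def srx_first_path(flow, dst_rules, src_rules):
    '''SRX first-path order: destination NAT, then route and policy lookup (not
    modelled here), then source NAT. Source NAT rules therefore see the
    destination as already rewritten by destination NAT.'''
    after_dnat = apply_rules(flow, dst_rules, 'dst')
    return apply_rules(after_dnat, src_rules, 'src')


# FW Cloud-B (partner side): rule-sets to-tsel (destination) and nat_tsel (source).
FW_B_DNAT = (NatRule(('192.168.10.1/32',), '192.168.20.1/32', '10.30.30.1'),)
FW_B_SNAT = (NatRule(('192.168.10.1/32', '192.168.10.0/24'), '10.30.30.1/32', '192.168.30.1'),)
# FW Cloud-A (RouteCloud side): rule-sets A (destination) and A1 (source).
FW_A_DNAT = (NatRule(('192.168.30.1/32',), '10.30.30.1/32', '10.10.10.1'),)
FW_A_SNAT = (NatRule(('192.168.30.1/32',), '10.10.10.1/32', '10.20.20.1'),)

# Real address space of each side (from the diagram); it must never cross the link.
REAL_PREFIXES = ('192.168.10.0/24', '10.10.10.0/24')


def trace(client_src='192.168.10.1', client_dst='192.168.20.1'):
    '''Return the flow as seen on the partner LAN, on the inter-firewall link
    and on the RouteCloud server segment, in that order.'''
    lan = Flow(client_src, client_dst)
    link = srx_first_path(lan, FW_B_DNAT, FW_B_SNAT)
    server = srx_first_path(link, FW_A_DNAT, FW_A_SNAT)
    return lan, link, server


def leaks_real_address(flow):
    '''True if a real internal address of either side is visible in this flow.
    Check the link flow: that leak is exactly what dual NAT is meant to prevent.'''
    return in_prefixes(flow.src, REAL_PREFIXES) or in_prefixes(flow.dst, REAL_PREFIXES)


def misordered_link_flow():
    '''Failure mode: a source NAT rule written against the pre-translation
    destination (192.168.20.1) never matches, because destination NAT has
    already rewritten it to 10.30.30.1 by the time source NAT runs, so the
    packet leaves for the partner link still carrying the real client address.'''
    wrong_snat = (NatRule(('192.168.10.0/24',), '192.168.20.1/32', '192.168.30.1'),)
    return srx_first_path(Flow('192.168.10.1', '192.168.20.1'), FW_B_DNAT, wrong_snat)


if __name__ == '__main__':
    hops = ('partner LAN', 'inter-firewall link', 'RouteCloud server side')
    for hop, f in zip(hops, trace()):
        print(f'{hop:24s} {f.src} to {f.dst}')
    print('real address on link:', leaks_real_address(trace()[1]))
    bad = misordered_link_flow()
    print('misordered rule, link sees:', bad.src, 'to', bad.dst, 'leak:', leaks_real_address(bad))
    # Any partner host that addresses 10.30.30.1 directly is also translated,
    # so the agreed-host restriction in rule 1a is enforced only by policy.
    other = trace('192.168.10.50', '10.30.30.1')
    print('unlisted host, server sees:', other[2].src, 'to', other[2].dst)
```

<p>Running it prints the session as seen on the partner LAN, on the inter-firewall link and on the RouteCloud server segment, matching the session tables further down the post. misordered_link_flow() shows the failure mode: a source NAT rule that still matches the client's original destination never fires, so the real client address leaks onto the partner link. trace('192.168.10.50', '10.30.30.1') shows something subtler: because rule 2a on FW.CloudB matches the whole 192.168.10.0\/24 and the policy is permit-any, any partner host that addresses 10.30.30.1 directly is source-NATed to 192.168.30.1 and reaches the server looking exactly like the agreed host.<\/p>\n<p>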
It works roughly like this, following the flow from the partner to RouteCloud. Host 192.168.10.1 wants to reach the real RouteCloud server 10.10.10.1. The partner team has allocated one inside NAT address for that server, 192.168.20.1, so the initial session is 192.168.10.1 to 192.168.20.1. The partner also knows from RouteCloud's table that 10.10.10.1 is published at the outside NAT address 10.30.30.1, so FW Cloud-B translates the destination to 10.30.30.1 and, before forwarding, translates the source to its own outside NAT address 192.168.30.1; the session on the inter-firewall link is therefore 192.168.30.1 to 10.30.30.1. FW Cloud-A receives that session (source 192.168.30.1, destination 10.30.30.1), destination-NATs 10.30.30.1 to the real address 10.10.10.1 and source-NATs 192.168.30.1 to the inside NAT address 10.20.20.1. So the server 10.10.10.1 sees the session coming from 10.20.20.1. Easy, right? \ud83d\ude42 \ud83d\ude42<\/p>\n<p>Keep the SRX processing order in mind when writing the rules: destination NAT is applied first, then the route and policy lookups, and source NAT last. That is why each source NAT rule below matches the already translated destination (10.30.30.1 on FW Cloud-B, 10.10.10.1 on FW Cloud-A) rather than the address the client originally sent to.<\/p>\n<p>OK, based on the table we agreed on, the configuration is as follows:<\/p>\n<p>FW Partner (FW.CloudB)<\/p>\n<p>NAT Destination:<\/p>\n<pre class=\"lang:default decode:true\" title=\"show security nat destination | display set\">root@FW.CloudB# show security nat destination | display set\r\nset security nat destination pool 10_30_30_1 address 10.30.30.1\/32\r\nset security nat destination rule-set to-tsel from zone TRUST\r\nset security nat destination rule-set to-tsel rule 1a match source-address 192.168.10.1\/32\r\nset security nat destination rule-set to-tsel rule 1a match destination-address 192.168.20.1\/32\r\nset security nat destination rule-set to-tsel rule 1a then destination-nat pool 10_30_30_1<\/pre>\n<p>Note: for both source and destination NAT rules, the source-address match list holds at most 8 entries; if you need more, create another rule with the same destination address.<\/p>\n<p>NAT Source:<\/p>\n<pre class=\"lang:default decode:true \" title=\"show security nat source | display set\">root@FW.CloudB# show security nat source | display set\r\nset security nat source pool 192_168_30_1 address 192.168.30.1\/32\r\nset security nat source rule-set nat_tsel from zone TRUST\r\nset security nat source rule-set nat_tsel to zone UNTRUST\r\nset security nat source rule-set nat_tsel rule 2a match source-address 192.168.10.1\/32\r\nset security nat source rule-set nat_tsel rule 2a match source-address 192.168.10.0\/24\r\nset security nat source rule-set nat_tsel rule 2a match destination-address 10.30.30.1\/32\r\nset security nat source rule-set nat_tsel rule 2a then source-nat pool 192_168_30_1\r\n<\/pre>\n<p>Compare the destination NAT and source NAT configuration above with the table and the flow explained earlier. One thing to notice: rule 2a matches both 192.168.10.1\/32 and 192.168.10.0\/24, and the \/24 already covers the \/32. Combined with the permit-any policy, this means any partner host that sends directly to 10.30.30.1 (bypassing the 192.168.20.1 mapping that rule 1a restricts to 192.168.10.1) is still source-NATed to 192.168.30.1 and is indistinguishable to FW Cloud-A from the agreed host. If only 192.168.10.1 is meant to reach the service, match that single host in rule 2a and in the policy as well. Now let's look at the configuration on the RouteCloud firewall (FW.CloudA).<\/p>\n<p>NAT Destination:<\/p>\n<pre class=\"lang:default decode:true\" title=\"show security nat destination | display set\">root@FW.CloudA# show security nat destination | display set\r\nset security nat destination pool 10_10_10_1 routing-instance default\r\nset security nat destination pool 10_10_10_1 address 10.10.10.1\/32\r\nset security nat destination rule-set A from zone OUTSIDE\r\nset security nat destination rule-set A rule r1 match source-address 192.168.30.1\/32\r\nset security nat destination rule-set A rule r1 match destination-address 10.30.30.1\/32\r\nset security nat destination rule-set A rule r1 then destination-nat pool 10_10_10_1<\/pre>\n<p>Note: pool 10_10_10_1 lives in the default routing instance (inet.0), while the ingress interface ge-0\/0\/1.10 belongs to routing instance PARTNER_A, so the pool references routing-instance default explicitly; that way the route lookup for the translated address 10.10.10.1 is done in inet.0, where the OSPF route to the server is.<\/p>\n<p>NAT Source:<\/p>\n<pre class=\"lang:default decode:true \" title=\"show security nat source | display set\">root@FW.CloudA# show security nat source | display set\r\nset security nat source pool 10_20_20_1 address 10.20.20.1\/32\r\nset security nat source rule-set A1 from zone OUTSIDE\r\nset security nat source rule-set A1 to zone INSIDE\r\nset security nat source rule-set A1 rule 1 match source-address 192.168.30.1\/32\r\nset 
security nat source rule-set A1 rule 1 match destination-address 10.10.10.1\/32\r\nset security nat source rule-set A1 rule 1 then source-nat pool 10_20_20_1\r\n<\/pre>\n<p>When you are confident, test with a ping from the agreed source address; here, ping from 192.168.10.1 to 192.168.20.1. Then look at and study the sessions that are created. Read each session as two wings: In is the forward wing as the packet arrived, and Out is the reverse wing written from the responder's side, so the Out line on FW Cloud-B below means the packet left towards the partner link as 192.168.30.1 to 10.30.30.1.<\/p>\n<p>FW Partner:<\/p>\n<pre class=\"lang:default decode:true \">root@FW.CloudB# run show security flow session\r\nSession ID: 6787, Policy name: PermitAll\/4, Timeout: 2, Valid\r\n  In: 192.168.10.1\/3889 --&gt; 192.168.20.1\/3361;icmp, If: ge-0\/0\/0.0, Pkts: 1, Bytes: 84\r\n  Out: 10.30.30.1\/3361 --&gt; 192.168.30.1\/19641;icmp, If: ge-0\/0\/1.10, Pkts: 1, Bytes: 84\r\n<\/pre>\n<p>Example of the detailed session. The Source NAT pool line in the extensive output confirms which pool was applied; it is the first thing to check when a translation does not behave as expected.<\/p>\n<pre class=\"lang:default decode:true\">root@FW.CloudB# run show security flow session extensive\r\nSession ID: 6965, Status: Normal\r\nFlag: 0x80000000\r\nPolicy name: PermitAll\/4\r\nSource NAT pool: 192_168_30_1\r\nDynamic application: junos:UNKNOWN,\r\nEncryption:  Unknown\r\nApplication traffic control rule-set: INVALID, Rule: INVALID\r\nMaximum timeout: 4, Current timeout: 2\r\nSession State: Valid\r\nStart time: 19316, Duration: 2\r\n   In: 192.168.10.1\/4049 --&gt; 192.168.20.1\/3361;icmp,\r\n    Interface: ge-0\/0\/0.0,\r\n    Session token: 0x7, Flag: 0x21\r\n    Route: 0xb0010, Gateway: 192.168.1.2, Tunnel: 0\r\n    Port sequence: 0, FIN sequence: 0,\r\n    FIN state: 0,\r\n    Pkts: 1, Bytes: 84\r\n   Out: 10.30.30.1\/3361 --&gt; 192.168.30.1\/17258;icmp,\r\n    Interface: ge-0\/0\/1.10,\r\n    Session token: 0x6, Flag: 0x20\r\n    Route: 0x90010, Gateway: 172.16.10.1, Tunnel: 0\r\n    Port sequence: 0, FIN sequence: 0,\r\n    FIN state: 0,\r\n    Pkts: 1, Bytes: 84\r\n<\/pre>\n<p>FW RouteCloud:<\/p>\n<pre class=\"lang:default decode:true\">[edit]\r\nroot@FW.CloudA# run show security flow session\r\nSession ID: 4673, Policy name: PermitAll\/5, Timeout: 2, Valid\r\n  In: 192.168.30.1\/31116 --&gt; 10.30.30.1\/3361;icmp, If: ge-0\/0\/1.10, Pkts: 1, Bytes: 84\r\n  Out: 10.10.10.1\/3361 --&gt; 10.20.20.1\/30417;icmp, If: ge-0\/0\/0.1, Pkts: 1, Bytes: 84<\/pre>\n<p>Hopefully the sessions above make the flow easier to understand; look at both firewalls together for the clearest picture \ud83d\ude42 Here is an example of the sessions when we use SSH instead:<\/p>\n<pre class=\"lang:default decode:true\">root@FW.CloudB# run show security flow session\r\nSession ID: 7390, Policy name: PermitAll\/4, Timeout: 1794, Valid\r\n  In: 192.168.10.1\/41899 --&gt; 192.168.20.1\/22;tcp, If: ge-0\/0\/0.0, Pkts: 69, Bytes: 7399\r\n  Out: 10.30.30.1\/22 --&gt; 192.168.30.1\/21299;tcp, If: ge-0\/0\/1.10, Pkts: 47, Bytes: 6663\r\nTotal sessions: 1\r\n\r\nroot@FW.CloudA# run show security flow session\r\nSession ID: 1, Policy name: self-traffic-policy\/1, Timeout: 60, Valid\r\n  In: 10.1.1.2\/1 --&gt; 224.0.0.5\/1;ospf, If: ge-0\/0\/0.1, Pkts: 2231, Bytes: 178624\r\n  Out: 224.0.0.5\/1 --&gt; 10.1.1.2\/1;ospf, If: .local..0, Pkts: 0, Bytes: 0\r\n\r\nSession ID: 5152, Policy name: PermitAll\/5, Timeout: 1792, Valid\r\n  In: 192.168.30.1\/21299 --&gt; 10.30.30.1\/22;tcp, If: ge-0\/0\/1.10, Pkts: 69, Bytes: 7399\r\n  Out: 10.10.10.1\/22 --&gt; 10.20.20.1\/29787;tcp, If: ge-0\/0\/0.1, Pkts: 47, Bytes: 6663\r\nTotal sessions: 2\r\n<\/pre>\n<p>It is interesting to see the same session on both the RouteCloud and the partner firewall: the packet and byte counts match on both, for the In and Out wings alike (69 packets and 7399 bytes one way, 47 packets and 6663 bytes back), and the source port 21299 that FW Cloud-B's source NAT picked is exactly what FW Cloud-A sees on its In wing. Neither real address (192.168.10.1 or 10.10.10.1) appears in the other side's session table, which is the whole point of the design.<\/p>\n<p>That is enough for now as an example of dual NAT on the SRX.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I made this and this is a note for me as an engineer \ud83d\ude42 #ea.. 
If you want to really understand about this post, take your time to understand some of my previous posting in this blog, start from basic is here, if you ready understand, now you can check other post about\u00a0\u00a0source nat\u00a0and destination [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[18],"tags":[39,40],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v18.5.1 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>[Junos Security] Dual NAT Design Juniper SRX - Routecloud Indonesia - Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.routecloud.net\/blog\/junos-security-dual-nat-design-juniper-srx\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"[Junos Security] Dual NAT Design Juniper SRX - Routecloud Indonesia - Blog\" \/>\n<meta property=\"og:description\" content=\"I made this and this is a note for me as an engineer \ud83d\ude42 #ea.. 
If you want to really understand about this post, take your time to understand some of my previous posting in this blog, start from basic is here, if you ready understand, now you can check other post about\u00a0\u00a0source nat\u00a0and destination [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.routecloud.net\/blog\/junos-security-dual-nat-design-juniper-srx\/\" \/>\n<meta property=\"og:site_name\" content=\"Routecloud Indonesia - Blog\" \/>\n<meta property=\"article:published_time\" content=\"2016-09-11T15:49:48+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2016-09-11T15:54:01+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.routecloud.net\/blog\/wp-content\/uploads\/2016\/09\/Drawing1.png\" \/>\n<meta name=\"twitter:card\" content=\"summary\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"arisyi\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.routecloud.net\/blog\/#organization\",\"name\":\"Routecloud Indonesia\",\"url\":\"https:\/\/www.routecloud.net\/blog\/\",\"sameAs\":[],\"logo\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.routecloud.net\/blog\/#logo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/www.routecloud.net\/blog\/wp-content\/uploads\/2017\/03\/logo_routecloud_horz_2x_b.png\",\"contentUrl\":\"https:\/\/www.routecloud.net\/blog\/wp-content\/uploads\/2017\/03\/logo_routecloud_horz_2x_b.png\",\"width\":400,\"height\":80,\"caption\":\"Routecloud Indonesia\"},\"image\":{\"@id\":\"https:\/\/www.routecloud.net\/blog\/#logo\"}},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.routecloud.net\/blog\/#website\",\"url\":\"https:\/\/www.routecloud.net\/blog\/\",\"name\":\"Routecloud Indonesia - 
Blog\",\"description\":\"Share Your Knowledge\",\"publisher\":{\"@id\":\"https:\/\/www.routecloud.net\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.routecloud.net\/blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.routecloud.net\/blog\/junos-security-dual-nat-design-juniper-srx\/#primaryimage\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/www.routecloud.net\/blog\/wp-content\/uploads\/2016\/09\/Drawing1.png\",\"contentUrl\":\"https:\/\/www.routecloud.net\/blog\/wp-content\/uploads\/2016\/09\/Drawing1.png\",\"width\":971,\"height\":417},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.routecloud.net\/blog\/junos-security-dual-nat-design-juniper-srx\/#webpage\",\"url\":\"https:\/\/www.routecloud.net\/blog\/junos-security-dual-nat-design-juniper-srx\/\",\"name\":\"[Junos Security] Dual NAT Design Juniper SRX - Routecloud Indonesia - Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.routecloud.net\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.routecloud.net\/blog\/junos-security-dual-nat-design-juniper-srx\/#primaryimage\"},\"datePublished\":\"2016-09-11T15:49:48+00:00\",\"dateModified\":\"2016-09-11T15:54:01+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.routecloud.net\/blog\/junos-security-dual-nat-design-juniper-srx\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.routecloud.net\/blog\/junos-security-dual-nat-design-juniper-srx\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.routecloud.net\/blog\/junos-security-dual-nat-design-juniper-srx\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.routecloud.net\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"[Junos Security] Dual NAT Design 
Juniper SRX\"}]},{\"@type\":\"Article\",\"@id\":\"https:\/\/www.routecloud.net\/blog\/junos-security-dual-nat-design-juniper-srx\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.routecloud.net\/blog\/junos-security-dual-nat-design-juniper-srx\/#webpage\"},\"author\":{\"@id\":\"https:\/\/www.routecloud.net\/blog\/#\/schema\/person\/bababa304857e6ec9533ffe7b108ec8c\"},\"headline\":\"[Junos Security] Dual NAT Design Juniper SRX\",\"datePublished\":\"2016-09-11T15:49:48+00:00\",\"dateModified\":\"2016-09-11T15:54:01+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.routecloud.net\/blog\/junos-security-dual-nat-design-juniper-srx\/#webpage\"},\"wordCount\":907,\"commentCount\":1,\"publisher\":{\"@id\":\"https:\/\/www.routecloud.net\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.routecloud.net\/blog\/junos-security-dual-nat-design-juniper-srx\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.routecloud.net\/blog\/wp-content\/uploads\/2016\/09\/Drawing1.png\",\"keywords\":[\"nat\",\"srx\"],\"articleSection\":[\"Network and Security\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.routecloud.net\/blog\/junos-security-dual-nat-design-juniper-srx\/#respond\"]}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.routecloud.net\/blog\/#\/schema\/person\/bababa304857e6ec9533ffe7b108ec8c\",\"name\":\"arisyi\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.routecloud.net\/blog\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/ad901c240e8ac1273cd2e05801a73235?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/ad901c240e8ac1273cd2e05801a73235?s=96&d=mm&r=g\",\"caption\":\"arisyi\"},\"sameAs\":[\"http:\/\/arisyi.net\"],\"url\":\"https:\/\/www.routecloud.net\/blog\/author\/arisyi\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->"}
