Tuesday, October 8, 2013

Hairpin NAT on juniper SRX firewall

Problem or Goal:

Hairpin NAT is a useful technique for accessing an internal server using a public IP. Since you are using a public IP to attempt to access a server in your network, the traffic will attempt to go out to the internet. In order to reach the server, the traffic will need to be redirected to the correct location.

If we just use Destination NAT, using the scenario outlined in the diagram below, the client sends a request to 155.100.1.1 and the SRX will use a Destination NAT rule to point it back into the network. If we don't do anything further, the server will reply directly to 10.0.0.15, and the client will drop the packet since it doesn't realize that 10.0.0.5 is the same server as 155.100.1.1.

Cause:

Solution:

In order to ensure that the flow occurs properly, both the source and destination IP addresses need to be modified so that each device sees the traffic flowing to and from the correct locations. Translating the source address forces the server's reply back through the SRX, which then undoes both translations so the client receives the packets from the IP it expects (155.100.1.1).

Configuration example:
set security nat source rule-set hairpin from zone default
set security nat source rule-set hairpin to zone default
set security nat source rule-set hairpin rule hairpin-source match source-address 10.0.0.0/24
set security nat source rule-set hairpin rule hairpin-source then source-nat interface

set security nat destination pool server address 10.0.0.5/32
set security nat destination rule-set hairpin from zone default
set security nat destination rule-set hairpin rule hairpin-destination match destination-address 155.100.1.1/32
set security nat destination rule-set hairpin rule hairpin-destination then destination-nat pool server

**Note: The above configuration is a simple way to set it up. You can use Static NAT instead of Destination NAT, and the Source NAT can use an address pool instead of the interface IP.
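The following is an added model of the round trip described above (not code from the KB article or from Junos): it applies the destination NAT rule with and without the source NAT rule and reports whether the client's session would accept the reply. The SRX inside-interface address 10.0.0.1 is an assumption, since the article only says "source-nat interface"; the client and server are also assumed to share one subnet, so a reply not addressed to the SRX never passes through it.

```python
from dataclasses import dataclass

# Addresses from the article; the SRX interface address is an assumption, since
# the article only says "source-nat interface" without naming the IP.
PUBLIC_IP = "155.100.1.1"
SERVER_IP = "10.0.0.5"    # destination NAT pool "server"
CLIENT_IP = "10.0.0.15"
SRX_IF_IP = "10.0.0.1"    # assumed zone-default interface IP of the SRX


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def srx_translate(pkt: Packet, source_nat: bool) -> Packet:
    """Forward-path translation for a packet matching rule-set hairpin:
    destination-nat pool server rewrites 155.100.1.1 -> 10.0.0.5, and
    source-nat interface (when enabled) rewrites the client IP -> SRX IP."""
    if pkt.dst != PUBLIC_IP:
        return pkt
    return Packet(SRX_IF_IP if source_nat else pkt.src, SERVER_IP)


def hairpin_exchange(source_nat: bool) -> dict:
    """One request/reply round trip; reports what the client ends up seeing."""
    request = Packet(CLIENT_IP, PUBLIC_IP)
    # The client's session only accepts a reply from 155.100.1.1 to itself.
    client_session = (request.dst, request.src)

    translated = srx_translate(request, source_nat)
    # The server answers the source address it saw, with src/dst swapped.
    reply = Packet(translated.dst, translated.src)

    if reply.dst == SRX_IF_IP:
        # The reply is addressed to the SRX, whose session entry undoes both
        # translations: src 10.0.0.5 -> 155.100.1.1, dst SRX IP -> client.
        reply = Packet(PUBLIC_IP, CLIENT_IP)
    # Otherwise (destination NAT only) the reply is on the client's own subnet
    # and is delivered directly, never passing back through the SRX.

    return {
        "reply_src": reply.src,
        "reply_dst": reply.dst,
        "client_accepts": (reply.src, reply.dst) == client_session,
    }
```

Calling `hairpin_exchange(False)` reproduces the dropped reply from 10.0.0.5 described in the problem statement, while `hairpin_exchange(True)` shows the reply arriving from 155.100.1.1.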
 
Source: http://kb.juniper.net/InfoCenter/index?page=content&id=KB24639&smlogin=true