| Knowledge Base ID: | KB4102 |
| Version: | 4.0 |
| Published: | 23 Oct 2009 |
| Updated: | 23 Oct 2009 |
| Categories: | Firewall/IPSec_VPN, NAT/PAT, ScreenOS |
When an interface is in NAT mode, your Juniper device translates two components in the header of an IP packet bound for the Untrust zone: its source IP address and source port number. The Juniper device replaces the source IP address of the host that sent the packet with the IP address of the interface of the destination zone. In addition, it replaces the source port number with another random port number generated by the Juniper device. When the reply packet arrives at the Juniper device, the device translates two components in the IP header of the incoming packet: the destination address and port number, which are translated back to the original numbers. The packet is then forwarded to its destination. NAT adds a level of security not provided in Transparent mode; the addresses of hosts connected to an interface in NAT mode are never exposed to hosts in the Untrust zone.
NAT behavior differs when you use Static NAT or Mapped IP (MIP), Virtual IP (VIP), or Dynamic IP (DIP). An MIP maps one external IP address to one internal IP address and does not alter the port information. A VIP maps one external IP address and one external port to one of multiple possible internal IP addresses and ports; it can also translate an external port to a different internal port. A DIP enables policy-based NAT, as well as NAT before VPN encapsulation where overlapping private IP addresses exist in a VPN network.
NAT preserves the use of Internet-routable IP addresses. With only one public, Internet-routable IP address on the interface in the Untrust zone, the LAN in the Trust zone, or any other zone using NAT services, can have a vast number of hosts with private IP addresses.
There are three address ranges reserved for private IP networks, as defined by IANA (http://www.iana.net) and RFC 1597:
- 10.0.0.0 to 10.255.255.255
- 172.16.0.0 to 172.31.255.255
- 192.168.0.0 to 192.168.255.255
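The following is an added example, not part of the original article or of ScreenOS itself: a small Python model of an interface in NAT mode as described above (source IP and port rewritten on the way out, destination IP and port restored on the reply, unsolicited inbound packets dropped for lack of a session), together with a check against the three private ranges listed. All addresses and the port range are constructed sample values.

```python
import ipaddress
import random

# The three reserved private ranges listed above (RFC 1597 / RFC 1918).
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True if addr falls inside one of the reserved private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


class InterfaceNat:
    """Model of an interface in NAT mode: outbound source IP:port becomes
    untrust_ip:<random port>; the reply's destination is mapped back."""

    def __init__(self, untrust_ip: str, port_range=(1024, 65535), seed=None):
        self.untrust_ip = untrust_ip
        self.lo, self.hi = port_range          # constructed port pool
        self.rng = random.Random(seed)          # seed only for reproducible tests
        self.outbound = {}  # (src_ip, src_port, dst_ip, dst_port) -> nat_port
        self.inbound = {}   # (nat_port, dst_ip, dst_port) -> (src_ip, src_port)

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of a packet bound for the Untrust zone."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:
            # Allocate a random port not already in use toward this remote endpoint,
            # so two internal hosts using the same source port stay distinguishable.
            while True:
                nat_port = self.rng.randint(self.lo, self.hi)
                if (nat_port, dst_ip, dst_port) not in self.inbound:
                    break
            self.outbound[key] = nat_port
            self.inbound[(nat_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.untrust_ip, self.outbound[key], dst_ip, dst_port)

    def translate_reply(self, src_ip, src_port, dst_ip, dst_port):
        """Restore the original destination of a reply; None means no session
        exists, i.e. the packet is unsolicited and is dropped."""
        if dst_ip != self.untrust_ip:
            return None
        orig = self.inbound.get((dst_port, src_ip, src_port))
        if orig is None:
            return None
        return (src_ip, src_port, orig[0], orig[1])
```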
For a more detailed explanation with configuration examples, refer to the Concepts & Examples - ScreenOS Reference Guide - Address Translation.