Juniper Networks - SRX Getting Started - Configure NAT (Network Address Translation)

This article identifies resources for configuring, verifying and troubleshooting Network Address Translation (NAT) on SRX Series devices.

For other topics, go to the SRX Getting Started main page.

Configure NAT: Source NAT, Destination NAT, and Static NAT.

This section contains the following:

Configuration
Technical_Documentation
Verification
Troubleshooting

Configuration

In addition to the technical documentation, the following three technote documents have NAT configuration examples:

TN8 - Configuring Next-Generation NAT
TN81 - Junos NAT Configuration Examples
TN25 - Configuring NAT for ScreenOS Users (includes DIP, VIP, and MIP translations)

TIPS:

An understanding of the NAT rule-set evaluation priority is important for configuring NAT. If a packet matches multiple rule-sets, the most specific match takes precedence. The order of precedence is as follows (first destination, then source):

Interface

Zone

Routing-Instance

Although, the title of TN25 refers to ScreenOS users, the examples in the technote are benefical to non-ScreenOS users too.

Technical Documentation

JUNOS Security Configuration Guide

PDF - See Chapter 42, Network Address Translation (page 1199)
HTML - Network Address Translation

Verification

The following commands are helpful for verifying and troubleshooting NAT:

show security nat source summary show security nat source rule show security nat source pool show security nat destination summary show security nat destination pool show security nat destination rule show security nat static rule show security flow session

HTML - Verifying Network Address Translation

Troubleshooting

KB21922 - Resolution Guides and Articles - SRX - NAT

KB16252 - Troubleshooting NAT in SRX series

Configuration

Choose Country

North America

Europe

Asia Pacific

Knowledge Center Search

Configuration

Technical Documentation

Verification

Troubleshooting

ASK THE KB