[Outbound direction] How to configure Source Network Address Translation (NAT-src) and source Port Address Translation (PAT)

Article ID: KB11901   Last Updated: 07 Jun 2010   Version: 9.0
Summary:
The Juniper firewall has numerous configuration options for configuring Source Network Address Translation (NAT-src) and source Port Address Translation (PAT).  Follow the steps in this article to determine which option to use and how to configure it.

For other NAT options (Destination NAT and Bidirectional NAT), refer to KB11909 - [Start here] How to configure Network Address Translation (NAT) on ScreenOS.
Solution:

Use the following steps to assist with configuring Source Network Address Translation (NAT-src) and source Port Address Translation (PAT). 

Step 1.  Is your requirement for one or more of the following:
  • Clients on the internal network communicating in an OUTBOUND direction to hosts/servers on the external side of the firewall
  • Source IP Network Address Translation (NAT) and Source Port Address Translation (PAT)
  • Source NAT (Network Address Translation)
  • Source NAPT (Network Address Port Translation)


Step 2.   Most applications and protocols used today on the Internet are compatible with PAT or NAPT.
  • Clients support PAT or NAPT (the usual case) - Continue with Step 3
  • Clients are known not to support PAT or NAPT - Jump to Step 7
Step 3.   Which IP address on the Outgoing Interface do you want the clients to be translated to?
  • Untrust IP Address or Outgoing Interface IP Address - Continue with Step 4
  • Different IP Address than the Outgoing Interface IP Address - Jump to Step 9

Step 4.  Are the clients also running VoIP applications, e.g. H.323, SIP, MGCP?
  • No   - Continue with Step 5
  • Yes - Refer to the following examples:
    ScreenOS Concepts & Examples Guide - Volume 6 - Voice-over-IP
    KB9093 - Why are incoming SIP calls not working
    Important:  Use policy-based NAT rather than interface-based NAT for VoIP traffic.

Step 5.  Do you want to configure NAT on the firewall as Policy-based (recommended) or Interface-based?
  • Policy-based NAT (recommended) - One client, a work-group of clients, or all the clients have the same requirement - The following example can be used to configure your requirement:
    ScreenOS Concepts & Examples Guide - Volume 8 - Address Translation
    Chapter 2 - Source Network Address Translation
    “NAT-Src from the Egress Interface IP Address”
    Example: NAT-Src Without DIP
  • Interface-based NAT - All the clients in the zone connected to the interface have the same requirement
    Continue with Step 6.
Step 6.   Are the clients communicating between the following zones?
  • From Trust zone to Untrust zone, OR
  • From Trust zone to DMZ zone
[End of flow from Step 6]

Step 7.  [From Step 2]   Do you have enough public (or external) IP addresses to translate each client IP address to a public (or external) IP address?
  • No - With PAT disabled, it is recommended to have enough public IP addresses to map to each of the client IP addresses.  Otherwise, some clients will not be able to establish sessions through the firewall.   Obtain enough IP addresses to map each client IP address to an external IP address, OR consider using PAT and restart at Step 2.

  • Yes - Continue with Step 8.
Step 8.  Do you need a one-to-one mapping of the internal IP addresses to a public (or external) IP address, i.e. do you want to ensure that an internal client IP address is always translated to the same external IP address?    
  • Yes - The following example can be used to configure this requirement.  'Address Shifting' ensures that an internal IP address is always translated to the same external IP address.
    ScreenOS Concepts & Examples Guide - Volume 8 - Address Translation
    Chapter 2 - Source Network Address Translation
    “NAT-Src from a DIP Pool with Address Shifting”
    Example: NAT-Src with Address Shifting
  • No - The following example can be used to configure this requirement. The internal IP address will be translated to any available external IP address in the DIP pool.
    ScreenOS Concepts & Examples Guide - Volume 8 - Address Translation
    Chapter 2 - Source Network Address Translation
    “NAT-Src from a DIP Pool with PAT Disabled”
    Example: NAT-Src with PAT Disabled
[End of flow from Step 8]

Step 9.  [From Step 3]  Do you want the internal IP addresses to be translated to a pool of one external IP address or several external IP addresses? 
Step 10.  Do you need a one-to-one mapping of the internal IP addresses to a public (or external) IP address, i.e. do you want to ensure that an internal client IP address is always translated to the same external IP address?    
  • Yes - The following example can be used to configure your requirement.  'Address Shifting' ensures that an internal IP address is always translated to the same external IP address.
    ScreenOS Concepts & Examples Guide - Volume 8 - Address Translation
    Chapter 2 - Source Network Address Translation
    “NAT-Src from a DIP Pool with Address Shifting”
    Example: NAT-Src with Address Shifting
    Note: PAT will not take place with 'Address shifting'.
  • No - Continue with Step 11.
Step 11.  Is it acceptable for clients to be assigned different public IP addresses for different concurrent sessions?
  • Yes - The following example can be used to configure your requirement:
    ScreenOS Concepts & Examples Guide - Volume 8 - Address Translation
    Chapter 2 - Source Network Address Translation
    “NAT-Src from a DIP Pool with PAT Enabled”
    Example: NAT-Src with PAT Enabled
    Note:  This example is documented with a DIP pool size of 1 address, i.e. 1.1.1.30.
    For your requirement, simply specify the DIP pool range needed for your configuration, e.g. 1.1.1.30-1.1.1.35.
  • No -
    1.  Enter the command:  set dip sticky.  For more information, refer to KB6374.
    2.  Then the following example can be used to configure your requirement:
    ScreenOS Concepts & Examples Guide - Volume 8 - Address Translation
    Chapter 2 - Source Network Address Translation
    “NAT-Src from a DIP Pool with PAT Enabled”
    Example: NAT-Src with PAT Enabled
    Note:  This example is documented with a DIP pool size of 1 address, i.e. 1.1.1.30.
    For your requirement, simply specify the DIP pool range needed for your configuration, e.g. 1.1.1.30-1.1.1.35.
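
The following ScreenOS CLI fragments are an added example, not taken from this article or from the ScreenOS Concepts & Examples Guide. They show the configuration form of each branch of the flow above: interface-based NAT (Step 5/6), policy-based NAT-src from the egress interface IP (Step 5), a DIP pool with PAT enabled and the sticky DIP setting (Step 11), a DIP pool with PAT disabled (Step 8), and address shifting (Steps 8/10). The interface names (ethernet1 in Trust, ethernet3 in Untrust), the internal subnet 10.1.1.0/24 and the external addresses are assumed values for illustration; the 1.1.1.30-1.1.1.35 range matches the one quoted in Step 11. Lines beginning with # are explanatory comments, not CLI input, and the policy lines are alternatives: configure only the one that matches the branch you chose, since several "any any any" policies between the same zones would overlap.

```text
# --- Common interface setup (assumed interface names and addresses) ---
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24

# --- Step 5/6: interface-based NAT (Trust -> Untrust or Trust -> DMZ only) ---
# Every host behind ethernet1 is translated to the egress interface IP with PAT;
# the policy itself is a plain permit.
set interface ethernet1 nat
set policy from trust to untrust any any any permit

# --- Step 5: policy-based NAT-src from the egress interface IP (no DIP pool) ---
# Interface stays in route mode; the "nat src" keyword on the policy does the
# translation to the ethernet3 IP (1.1.1.1) with PAT. Scope is per policy, so the
# source "any" can be narrowed to a host or address group.
set interface ethernet1 route
set policy from trust to untrust any any any nat src permit

# --- Step 11 (Yes): DIP pool with PAT enabled, any free pool address per session ---
set interface ethernet3 dip 5 1.1.1.30 1.1.1.35
set policy from trust to untrust any any any nat src dip-id 5 permit

# --- Step 11 (No): keep one public IP per client across its concurrent sessions ---
# Global setting for DIP pools with PAT enabled (see KB6374).
set dip sticky

# --- Step 8 (No): DIP pool with PAT disabled (fix-port) ---
# Each concurrent client consumes one pool address; once the pool is exhausted,
# new sessions from additional clients fail, which is the Step 7 caveat.
set interface ethernet3 dip 6 1.1.1.30 1.1.1.35 fix-port
set policy from trust to untrust any any any nat src dip-id 6 permit

# --- Step 8/10 (Yes): address shifting, fixed one-to-one mapping, no PAT ---
# Assumed mapping: 10.1.1.11 -> 1.1.1.30, 10.1.1.12 -> 1.1.1.31, ... 10.1.1.16 -> 1.1.1.35
set interface ethernet3 dip 7 shift-from 10.1.1.11 to 1.1.1.30 1.1.1.35
set policy from trust to untrust any any any nat src dip-id 7 permit

# --- Verification ---
# "get dip" lists the pools and their usage; "get session" shows, per session,
# the translated source address and port, which is how to confirm which branch
# is actually in effect and whether a fix-port pool is running out of addresses.
get dip
get session
```

When reviewing an existing firewall, comparing the `get session` output against the intended branch is the quickest way to spot a configuration that silently fell back to interface-based NAT (for example, a Trust interface left in NAT mode while a policy-based DIP pool was intended), and pool exhaustion on a fix-port or address-shifting pool shows up as clients beyond the pool size failing to build sessions rather than as an error in the configuration.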
