
[ScreenOS] Resolution Guide - ScreenOS - Configure NAT



Article ID: KB11909 | KB Last Updated: 07 Dec 2017 | Version: 12.0

There are numerous NAT options in ScreenOS.  This guide provides links to configuration examples on Policy NAT-Src, Policy NAT-Dst, MIPs, VIPs, and DIPs.



  • Source Address Translation
  • Network Address Translation
  • Destination Address Translation
  • Port Address Translation
  • Port Forwarding

One of the following ScreenOS features will be recommended:
  • DIP (Dynamic IP)
  • NAT-Src
  • NAT-Dst
  • MIP (Mapped IP)
  • VIP (Virtual IP)

Which direction is your requirement for NAT?

Step 1.  OUTBOUND direction?

  • Clients on internal network to communicate in OUTBOUND direction with hosts/servers through the firewall  OR
  • Source Network Address Translation (NAT) and Source Port Address Translation (PAT)  OR
  • Source Network Address Port Translation (NAPT)
  • Recommended feature: Policy NAT-Src or DIPs (Dynamic IPs)

Step 2.  INBOUND direction?
  • Clients on untrusted network to communicate in INBOUND direction with internal hosts through the firewall  OR
  • Port Forwarding or Destination NAT (Destination Port Translation) OR
  • Destination IP Address Translation OR
  • Destination IP and Destination Port Address Translation (PAT)
  • Recommended feature: Policy NAT-Dst or VIPs (Virtual IPs)

Step 3.  Both INBOUND and OUTBOUND NAT from the same internal hosts (i.e. BIDIRECTIONAL NAT, MIPs)?
  • Clients on untrusted network to communicate in INBOUND direction with internal hosts through the firewall, AND those same internal hosts need to also establish different sessions in OUTBOUND direction.
  • Recommended feature: MIPs (Mapped IPs)

Important: If your requirement is for INBOUND NAT to some hosts and OUTBOUND NAT from other hosts, then combine Step 1 and Step 2 above. Address your OUTBOUND requirements with Step 1, and then address your INBOUND requirements with Step 2. Step 3 is specifically for INBOUND and OUTBOUND NAT from the same internal hosts.

Modification History:
2017-11-29: Article reviewed for accuracy. No changes made. Article is correct and complete.