
[ScreenOS] [Inbound direction] How to configure Destination Network Address Translation (NAT-Dst); includes Port Mapping/Port Forwarding



Article ID: KB11910 KB Last Updated: 18 Dec 2017 Version: 7.0
The Juniper firewall offers several options for configuring Destination Network Address Translation. Follow the steps in this article to determine which option to use and how to configure it.
Use the following steps to assist with configuring Destination Network Address Translation (NAT-Dst), Destination Port Address Translation (PAT), port mapping, and port forwarding.


Step 1.  Is your requirement for one or more of the following:

- Do clients on the public/external network need to communicate in the INBOUND direction with internal servers/hosts on the internal side of the firewall?
- Port Mapping?
- Port Forwarding?
- Destination NAT (Network Address Translation)?
- Destination PAT (Port Address Translation)?

Step 2.  Are the internal servers/hosts (that are being accessed from the public) also running VoIP applications, e.g. H.323, SIP, MGCP?
  • No   - Continue with Step 3
  • Yes - Refer to the examples below.
ScreenOS Concepts & Examples Guide - Volume 6 - Voice-over-IP
KB9093 - Why are incoming SIP calls not working
Important:  Use Policy-based NAT vs Interface-based NAT for VoIP traffic.
Step 3.   Do you have one public IP address or a subnet of public IP addresses for mapping to your internal server(s)/host(s)?      
  • One public IP address - Continue with Step 4       (Note:  The one public IP address does not have to be the same as the public/external interface IP address.)
  • Subnet of public IP addresses - Go to Step 6
Step 4.  Do you want external users to access one internal server or multiple internal servers from that public IP address?
Step 5.  Do you want to do 'Port Mapping' (i.e. translate the Destination IP address & Destination Port), OR do you want to only translate the Destination IP address and keep the Destination Port the same (fixed-port)?
[End of flow from Step 5]
Step 6.  [From Step 3]  Do you have enough public (or external) IP addresses in the subnet to translate each internal IP address to a public (or external) IP address?
Step 7.  Is the subnet of Public IP addresses on the same network as the Firewall's external/public interface?     
  • Yes  - The Server Public IP address block/range cannot include the firewall's Untrust interface IP address.  Choose a block/range that does not include the firewall's Untrust interface IP address.  Then consult the 'Many-to-Many Destination Translation' example below.
  • No  -  Consult the 'Many-to-Many Destination Translation' example in the following C&E Guide:
    ScreenOS Concepts & Examples Guide - Volume 8 - Address Translation
    Chapter 3 - Destination Network Address Translation
    “Nat-Dst--Many-to-Many Mapping”
    Example: Many-to-Many Destination Translation

    Notes specific to this example:
    - is the Server Public IP address block/range (named oda6 in the example)
    - is the Server Internal IP address block/range
    - The upstream router and hosts on the Untrust segment need a route for the Server Public IP address block/range ( pointing to the firewall's untrust IP
    set route gateway
    - This example does not perform destination port translation/port mapping; if your requirement is for destination port translation, then consult KB12652 instead.
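The Step 6 and Step 7 checks can be run against an address plan before any policy is written. The following Python sketch is an added example, not part of the Juniper article: the function name `check_nat_dst_plan` is hypothetical, the addresses are constructed from documentation ranges, and the offset-preserving public-to-internal mapping is an assumption about how the many-to-many translation pairs addresses.

```python
import ipaddress


def check_nat_dst_plan(pub_first, pub_last, int_first, int_last, untrust_if):
    """Apply the Step 6 and Step 7 checks to a many-to-many NAT-Dst plan.

    Returns (findings, mapping); an empty findings list means both checks pass.
    """
    pub_lo, pub_hi = ipaddress.ip_address(pub_first), ipaddress.ip_address(pub_last)
    int_lo, int_hi = ipaddress.ip_address(int_first), ipaddress.ip_address(int_last)
    iface = ipaddress.ip_interface(untrust_if)  # Untrust interface, e.g. "203.0.113.1/24"
    if pub_hi < pub_lo or int_hi < int_lo:
        raise ValueError("range end is below range start")

    pub_count = int(pub_hi) - int(pub_lo) + 1
    int_count = int(int_hi) - int(int_lo) + 1
    findings = []

    # Step 6: every internal address needs its own public address.
    if pub_count < int_count:
        findings.append(
            f"step6: {pub_count} public addresses for {int_count} internal hosts")

    # Step 7 (Yes branch): the public block must not contain the Untrust interface IP.
    if pub_lo <= iface.ip <= pub_hi:
        findings.append(
            f"step7: public range includes Untrust interface IP {iface.ip}")

    # Assumption: the n-th public address translates to the n-th internal address.
    pairs = min(pub_count, int_count)
    mapping = {str(pub_lo + i): str(int_lo + i) for i in range(pairs)}
    return findings, mapping


if __name__ == "__main__":
    # Constructed sample plan: 8 public addresses mapped to 8 internal servers.
    findings, mapping = check_nat_dst_plan(
        "203.0.113.8", "203.0.113.15", "10.2.1.8", "10.2.1.15", "203.0.113.1/24")
    print(findings or "plan passes Step 6 and Step 7")
    for public, internal in mapping.items():
        print(f"{public} -> {internal}")
```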
Modification History:
2017-12-08: Article reviewed for accuracy. Minor changes made. Article is correct and complete.
