Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS] How to configure one-to-one, bi-directional NAT (MIPs and other NAT combinations)

0

0

Article ID: KB11911 KB Last Updated: 18 Dec 2017Version: 4.0
Summary:
Follow the steps in this article to determine how to configure one-to-one NAT for outgoing and incoming sessions.    
Solution:
Use the following steps to assist with configuring one-to-one, bidirectional NAT.


 

Step 1.  Is your requirement for one or more of the following:

- Clients on public/external network need to communicate INBOUND direction with internal host/server(s), and that same internal host/server needs to communicate in OUTBOUND direction?
- Configure a one-to-one mapping from a public IP address to an internal host/server, OR configure a one-to-one mapping from a subnet of public IP addresses to a subnet of internal hosts?


Step 2.   Are the internal hosts/servers (that are being accessed from the public) also running VoIP applications, e.g. H.323, SIP, MGCP?
ScreenOS Concepts & Examples Guide - Volume 6 - Voice-over-IP
KB9093 - Why are incoming SIP calls not working
Important:  Use Policy-based NAT vs Interface-based NAT for VoIP traffic.
  • No   - Continue with Step 3
  • Yes - Refer to the two resources above.
Step 3   Do you want to configure communication to individual internal host(s) or an entire subnet of hosts?
  • Individual host(s) - Continue with Step 4
  • Subnet of hosts - Go to Step_8

Step 4.   Do you have a public IP address available (other than the Untrust or External IP adddress of the firewall)?   
  • Yes - Continue with Step 5
Step 5   Is the firewall running ScreenOS 6.1 or greater?

Step 6   Is the firewall's public interface in the zone named 'Untrust'?

Step 7   Is the IP address of firewall's public interface in the same subnet as the Server Public IP address?  For example, in Figure 1, Server Public IP (1.1.1.2) belongs to the same network segment as the Untrust IP (1.1.1.1).
[End of flow from step 7]

Step 8   [From Step 3] Do you have enough public (or external) IP addresses to translate each internal IP address to a public IP (or external IP) address?
 
Modification History:
2017-12-08: Article reviewed for accuracy. Added missing figure . Article is correct and complete.

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search