[ScreenOS] What is Network Address Translation (NAT)?

[KB4102]


Summary:
This article provides information about Network Address Translation (NAT).
Symptoms:
Information about Network Address Translation (NAT).
Cause:

Solution:

When an interface is in NAT mode, the Juniper device translates two components in the header of an IP packet that is bound for the Untrust zone: its source IP address and its source port number. The Juniper device replaces the source IP address of the host that sent the packet with the IP address of the interface of the destination zone.

Additionally, it replaces the source port number with another, random port number generated by the Juniper device. When the reply packet arrives at the Juniper device, the device translates two components in the IP header of the incoming packet, the destination address and port number, back to the original values. The packet is then forwarded to its destination. NAT adds a level of security that transparent mode does not provide: the addresses of hosts connected to an interface in NAT mode are never exposed to hosts in the Untrust zone.

NAT behavior differs somewhat when Static NAT or Mapped IP (MIP), Virtual IP (VIP), or Dynamic IP (DIP) is used. An MIP maps one external IP address to one internal IP address and does not alter the port information. A VIP maps one external IP address and one external port to one of several possible internal IP addresses and ports; it can also translate an external port to a different internal port. A DIP enables policy-based NAT, and also NAT before VPN encapsulation for VPN networks in which overlapping private IP addresses exist.

NAT preserves the use of Internet-routable IP addresses. With only one public, Internet-routable IP address on the interface in the Untrust zone, the LAN in the Trust zone, or any other zone that uses NAT services, can have a vast number of hosts with private IP addresses.

There are three address ranges reserved for private IP networks, as defined by IANA and RFC 1597:

  • 10.0.0.0 to 10.255.255.255

  • 172.16.0.0 to 172.31.255.255

  • 192.168.0.0 to 192.168.255.255

For more information, along with configuration examples, refer to the Concepts & Examples - ScreenOS Reference Guide - Address Translation.

For configuring NAT on SSG/ISG/NS firewalls, refer to KB11909 - Resolution Guide - ScreenOS - Configure NAT.