Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS] What is Network Address Translation (NAT)?

0

0

Article ID: KB4102 KB Last Updated: 24 Dec 2012Version: 6.0
Summary:
This article provides information about Network Address Translation (NAT).
Symptoms:
Information about Network Address Translation (NAT).
Cause:

Solution:

When an interface is in theNAT mode, the Juniper device translates two components in the header of an IP packet that is bound for the Untrust zone - its source IP address and source port number. The Juniper device replaces the source IP address of the host that sent the packet with the IP address of the interface of the destination zone.

Additionally, it replaces the source port number with another random port number, which is generated by the Juniper device. When the reply packet arrives at the Juniper device, the device translates two components in the IP header of the incoming packet - the destination address and port number, which are re-translated to the original numbers. The packet is then forwarded to its destination. NAT adds a level of security, which is not provided in transparent mode; the addresses of hosts connected to an interface in NAT mode are never exposed to hosts in the Untrust zone.

NAT behavior is a little different, when Static NAT or Mapped IP (MIP), Virtual IP (VIP), and Dynamic IP (DIP) are used. An MIP maps one external IP address to one internal IP address and does not alter the port information. A VIP maps one external IP address and one external port to a multiple number of possible IP addresses and ports. It can also translate an external port to a different internal port. A DIP helps enable policy-based NAT, as well as NAT, before VPN encapsulation; in which overlapping private IP addresses exist in a VPN network.

NAT preserves the use of Internet-routable IP addresses. With only one public, Internet-routable IP address on the interface in the Untrust zone, the LAN in the Trust zone, or any other zone that uses NAT services, can have a vast number of hosts with private IP addresses.

There are three different address ranges that are reserved for private IP networks, as defined by IANA  and RFC 1597.

  • 10.0.0.0 to 10.255.255.255

  • 172.16.0.0 to 172.31.255.255

  • 192.168.0.0 to 192.168.255.255

For more information, along with configuration examples, refer to the Concepts & Examples - ScreenOS Reference Guide - Address Translation.

For configuring NAT on SSG/ISG/NS firewalls, refer to KB11909 - Resolution Guide - ScreenOS - Configure NAT.
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search