When to Use Interface-Based NAT and When to Use Policy-Based NAT



Article ID: KB4106 | KB Last Updated: 07 Jun 2010 | Version: 5.0

Note: This article applies to ScreenOS 4.0.0 and above.

  • Interface-based NAT can be enabled when the default trust and untrust zones are used. All traffic from the trust zone interface, bound for the untrust zone interface, will have the source IP address changed to the untrust zone interface IP.

    Interface-based NAT will only take effect on NetScreen-25, 50, 204, and 208 devices if interface ethernet1 and ethernet2 are set to NAT mode. In this scenario, traffic sourced from behind ethernet1 will be translated to the untrust zone interface IP. The same is true for traffic sourced from behind ethernet2.

    Interface-based NAT only works if interface ethernet1 is bound to the trust zone, ethernet2 is bound to the DMZ zone, and ethernet3 is bound to the untrust zone. If these interfaces are bound to any other zones, only Policy-based NAT can be used.
  • Policy-based NAT is used when you want to NAT from an interface that is not bound to the trust zone.

    Policy-based NAT is useful when you need the flexibility of changing the zone to which each interface is bound. For example, if you bind ethernet1 to a custom zone called Internet, you would need to specify Policy-based NAT from the Internet zone to the untrust zone.

    Another reason to use Policy-based NAT is if you have NetBIOS applications that need to go from trust to DMZ. You can specify the ethernet1 interface to Route mode, which allows traffic to be routed from trust to DMZ. You then specify Policy-based NAT for any traffic going from trust to untrust.
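
The three cases described above, written out as ScreenOS CLI. This is an added illustration, not configuration from the original article: the IP addresses are constructed, the `nat src` policy keyword assumes ScreenOS 5.0 or later syntax, and the `#` lines are annotations to leave out when entering the commands.

```screenos
# Case 1: interface-based NAT with the default zone bindings
# (ethernet1 = trust, ethernet3 = untrust). Addresses are constructed examples.
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat
set interface ethernet3 zone untrust
set interface ethernet3 ip 203.0.113.1/24
set policy from trust to untrust any any any permit

# Case 2: ethernet1 bound to a custom zone named Internet (the article's example).
# Interface NAT mode does not apply here, so translation is requested in the policy.
set zone name Internet
set interface ethernet1 zone Internet
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 route
set policy from Internet to untrust any any any nat src permit

# Case 3: trust-to-DMZ traffic is routed untranslated (NetBIOS applications),
# while trust-to-untrust traffic is translated by policy.
set interface ethernet1 zone trust
set interface ethernet1 route
set interface ethernet2 zone dmz
set policy from trust to dmz any any any permit
set policy from trust to untrust any any any nat src permit
```

The three cases are alternatives, not one configuration. The `any any any` policies keep the example short and would normally be narrowed to specific address book entries and services.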

