
[ScreenOS] Configuration example using interface-based NAT


Article ID: KB4761
KB Last Updated: 25 May 2019
Version: 10.0
Summary:

Configuring interface-based NAT or NAT Mode.

Symptoms:

What are the steps to configure interface-based NAT?


 
Solution:
To configure interface-based NAT, perform the following steps using the WebUI or CLI:

Note: This article assumes the chosen interface is already bound to a zone. For more information on how to bind an interface to a zone, go to Binding an Interface to a Zone.
 

WEBUI

Step one: Open the WebUI. For an example of how to access the WebUI, consult: KB4060 - Accessing Your NetScreen, SSG, or ISG Firewall Using the WebUI


Step two: From the ScreenOS options menu, click Network, and then click Interfaces.


Step three: From the Interface list, choose the Interface you wish to modify, and click Edit.

Note: For this example, we chose to edit the ethernet1 interface.

Image of step three


Step four: From Interface Mode, click to select NAT.

Image of step four

Step five: Click OK.

CLI

To configure an interface for NAT mode:

set interface <interface> nat

To configure an interface for ROUTE mode:

unset interface <interface> nat

Where does interface-based NAT work?

Interface-based NAT is applied only to traffic that enters the device on an interface in NAT mode, and only for certain zone pairs. In the trust-vr it works from the Trust zone to the Untrust zone and from the DMZ zone to the Untrust zone; traffic to or from any other zone in the trust-vr is routed without translation. The behaviour is different when the untrust-vr is involved: if the destination zone is in the untrust-vr, traffic from ANY zone is translated (the ingress interface must still be in NAT mode). Note that NAT mode hides internal addresses but is not an access control: traffic that is routed rather than translated reaches the destination zone with its original source address, and in both cases it is the policy set, not the interface mode, that decides whether the session is permitted.

Here is an example configuration in the Trust-VR:

e1 bound to Trust zone, NAT configured on e1

ns25-> get i e1
Interface ethernet1:
  number 4, if_info 800, if_index 0, mode nat
  link up, phy-link up/full-duplex
  vsys Root, zone Trust, vr trust-vr
  *ip 10.1.1.1/24   mac 0010.db15.1c44
  *manage ip 10.1.1.1, mac 0010.db15.1c44
  ping enabled, telnet enabled, SCS enabled, SNMP enabled
  web enabled, ident-reset disabled, SSL enabled
  webauth disabled, webauth-ip 0.0.0.0
  OSPF disabled BGP disabled
  DHCP-Relay disabled
  bandwidth: physical 100000kbps, configured 0kbps, current 0kbps
             total configured gbw 0kbps, total allocated gbw 0kbps

e2 bound to the DMZ zone, NAT configured on e2

ns25-> get i e2
Interface ethernet2:
  number 5, if_info 1000, if_index 0, mode nat
  link down, phy-link down
  vsys Root, zone DMZ, vr trust-vr
  *ip 172.16.20.1/24   mac 0010.db15.1c45
  *manage ip 172.16.20.1, mac 0010.db15.1c45
  ping enabled, telnet disabled, SCS disabled, SNMP disabled
  web disabled, ident-reset disabled, SSL disabled
  webauth disabled, webauth-ip 0.0.0.0
  OSPF disabled BGP disabled
  DHCP-Relay disabled
  bandwidth: physical 0kbps, configured 0kbps, current 0kbps
             total configured gbw 0kbps, total allocated gbw 0kbps

e3 bound to the Untrust zone

ns25-> get i e3
Interface ethernet3:
  number 6, if_info 1200, if_index 0, mode route
  link up, phy-link up/half-duplex
  vsys Root, zone Untrust, vr trust-vr
  dhcp disabled
  *ip 10.100.31.130/24   mac 0010.db15.1c46
  *manage ip 10.100.31.130, mac 0010.db15.1c46
  ping enabled, telnet enabled, SCS enabled, SNMP enabled
  web enabled, ident-reset disabled, SSL enabled
  webauth disabled, webauth-ip 0.0.0.0
  OSPF disabled BGP disabled
  DHCP-Relay disabled
  bandwidth: physical 100000kbps, configured 0kbps, current 0kbps
             total configured gbw 0kbps, total allocated gbw 0kbps

Traffic from e1 > e3 (Trust to Untrust) and from e2 > e3 (DMZ to Untrust) will be NAT'd, with the egress interface address 10.100.31.130 used as the translated source. Traffic from e1 > e2 (Trust to DMZ) will be routed without translation, so DMZ hosts see the original 10.1.1.0/24 source addresses. Note that e3, bound to the Untrust zone, stays in route mode (mode route in the output above); only the ingress interface's mode matters.
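The following Python helper is an added example, not part of this article or of ScreenOS; it parses the `get interface` output shown above (the e1, e2 and e3 dumps are copied from the article, abbreviated to the fields the parser needs) and applies the NAT-or-route rules exactly as this article states them, so that the expected behaviour for every interface pair can be checked before relying on it. The regular expressions are an assumption about the dump layout, and the fourth interface (ethernet4, in a constructed zone in the untrust-vr) is invented here to exercise the untrust-vr rule.

```python
import re

# Sample "get interface" output, copied from the article's ns25 example and
# abbreviated to the lines the parser needs.
GET_I_E1 = """Interface ethernet1:
  number 4, if_info 800, if_index 0, mode nat
  link up, phy-link up/full-duplex
  vsys Root, zone Trust, vr trust-vr
  *ip 10.1.1.1/24   mac 0010.db15.1c44
"""

GET_I_E2 = """Interface ethernet2:
  number 5, if_info 1000, if_index 0, mode nat
  link down, phy-link down
  vsys Root, zone DMZ, vr trust-vr
  *ip 172.16.20.1/24   mac 0010.db15.1c45
"""

GET_I_E3 = """Interface ethernet3:
  number 6, if_info 1200, if_index 0, mode route
  link up, phy-link up/half-duplex
  vsys Root, zone Untrust, vr trust-vr
  dhcp disabled
  *ip 10.100.31.130/24   mac 0010.db15.1c46
"""

# Constructed (not from the article): an interface bound to a user-defined
# zone that lives in the untrust-vr, used to exercise the untrust-vr rule.
GET_I_E4 = """Interface ethernet4:
  number 7, if_info 1400, if_index 0, mode route
  link up, phy-link up/full-duplex
  vsys Root, zone Partner, vr untrust-vr
  *ip 192.0.2.1/24   mac 0010.db15.1c47
"""

# Assumed layout of the dump: these patterns match the lines shown above.
_NAME_RE = re.compile(r"^Interface (\S+):", re.M)
_MODE_RE = re.compile(r"\bmode (\w+)\s*$", re.M)
_ZONE_VR_RE = re.compile(r"^\s*vsys \S+, zone (\S+), vr (\S+)\s*$", re.M)


def parse_get_interface(text):
    """Extract name, interface mode, zone and virtual router from one dump."""
    name, mode, zone_vr = _NAME_RE.search(text), _MODE_RE.search(text), _ZONE_VR_RE.search(text)
    if not (name and mode and zone_vr):
        raise ValueError("unrecognised 'get interface' output")
    return {"name": name.group(1), "mode": mode.group(1),
            "zone": zone_vr.group(1), "vr": zone_vr.group(2)}


def interface_nat_decision(ingress, egress):
    """Return 'nat' or 'route' for a session entering on `ingress` and leaving
    on `egress`, following the rules this article states:
      * only an ingress interface in NAT mode ever translates;
      * if the destination zone is in the untrust-vr, any zone is translated;
      * in the trust-vr, only Trust->Untrust and DMZ->Untrust are translated;
      * everything else is routed with the original source address."""
    if ingress["mode"] != "nat":
        return "route"
    if egress["vr"] == "untrust-vr":
        return "nat"
    if (ingress["vr"] == "trust-vr" and ingress["zone"] in ("Trust", "DMZ")
            and egress["zone"] == "Untrust"):
        return "nat"
    return "route"


def nat_matrix(dumps):
    """Map every ordered (ingress, egress) interface pair to its decision."""
    ifaces = [parse_get_interface(d) for d in dumps]
    return {(a["name"], b["name"]): interface_nat_decision(a, b)
            for a in ifaces for b in ifaces if a is not b}


if __name__ == "__main__":
    matrix = nat_matrix([GET_I_E1, GET_I_E2, GET_I_E3, GET_I_E4])
    for (src, dst), verdict in sorted(matrix.items()):
        print(f"{src} -> {dst}: {verdict}")
```

Run it against the dumps taken from a real device (`get interface <name>` for each interface) to confirm that every pair you expect to be hidden behind the egress address really is translated; any pair reported as `route` crosses with internal addresses visible and must be covered by policy.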

Note: NAT mode is also documented in the ScreenOS Concepts & Examples Guide - Volume 8 - Address Translation [PDF]:

Chapter 2 - Source Network Address Translation
“NAT-Src from the Egress Interface IP Address”
Example: NAT-Src Without DIP
Modification History:
2019-05-25: Minor, non-technical edit.