Persistent NAT Configuration Overview

To configure persistent NAT, specify the following with the source NAT rule action (for either a source NAT pool or an egress interface):

• The type of persistent NAT—One of the following: any remote host, target host, or target host port (see Understanding Persistent NAT).
• (Optional) Inactivity timeout—Time, in seconds, that the persistent NAT binding remains in the device’s memory when all the sessions of the binding entry are gone. When the configured timeout is reached, the binding is removed from memory. The default value is 5 minutes. Configure a value from 60 through 7200 seconds.

  When all sessions of a persistent NAT binding are gone, the binding remains in a query state in the SRX Series device’s memory for the specified inactivity timeout period. The query binding is automatically removed from memory when the inactivity timeout period expires (the default is 5 minutes). You can explicitly remove all or specific persistent NAT query bindings with the clear security nat source persistent-nat-table command.

• (Optional) Maximum session number—Maximum number of sessions with which a persistent NAT binding can be associated. The default is 30 sessions. Configure a value from 8 through 100.

For interface NAT, you need to explicitly disable port overloading with the port-overloading off option at the [edit security nat source] hierarchy level.

Finally, there are two predefined services that you can use in security policies to permit or deny STUN and persistent NAT traffic:

• junos-stun—STUN protocol traffic
• junos-persistent-nat—Persistent NAT traffic

For the any remote host persistent NAT type, the direction of the security policy is from external to internal. For target host or target host port persistent NAT types, the direction of the security policy is from internal to external.

Related Topics

• Example: Configuring Persistent NAT with Source NAT Address Pool
• Example: Configuring Persistent NAT with Interface NAT