You can configure any of the persistent NAT types with source NAT rules. The example in this section shows how to configure persistent NAT when source NAT is performed with a user-defined address pool.
The following example configures the target host persistent NAT type when source NAT is performed. In the following configuration, the source NAT address pool sp1 consists of the address 30.1.1.5/32. The source NAT rule set srs1 configures the following:
To configure the source NAT address pool:
To configure the source NAT rule set:
- user@host# set security nat source rule-set srs1 from zone internal
- user@host# set security nat source rule-set srs1 to zone external
- user@host# set security nat source rule-set srs1 rule sr1 match source-address 40.1.1.0/24
- user@host# set security nat source rule-set srs1 rule sr1 match destination-address 20.20.20.105/32
- user@host# set security nat source rule-set srs1 rule sr1 then source-nat pool sp1
- user@host# set security nat source rule-set srs1 rule sr1 then source-nat pool persistent-nat permit target-host
- user@host# set security nat source rule-set srs1 rule sr1 then source-nat pool persistent-nat inactivity-timeout 180
For the target host persistent NAT type, configure a security policy to allow persistent NAT traffic from the internal network (internal zone) to the external network (external zone).
To configure a security policy to allow STUN traffic from internal SIP phones to an external STUN server:
- user@host# set security policies from-zone internal to-zone external policy stun_traffic match source-address internal_phones destination-address stun_server application junos-stun
- user@host# set security policies from-zone internal to-zone external policy stun_traffic then permit
To configure a security policy to allow SIP proxy traffic from internal SIP phones to an external SIP proxy server:
- user@host# set security policies from-zone internal to-zone external policy sip_proxy_traffic match source-address internal_phones destination-address sip_proxy_server application junos-sip
- user@host# set security policies from-zone internal to-zone external policy sip_proxy_traffic then permit
To configure a security policy to allow SIP traffic from internal to external SIP phones:
- user@host# set security policies from-zone internal to-zone external policy sip_traffic match source-address internal_phones destination-address external_phones application junos-persistent-nat
- user@host# set security policies from-zone internal to-zone external policy sip_traffic then permit
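The following added example (not Juniper code) is a simplified Python model of the inbound filtering that rule sr1 enables with `permit target-host` and `inactivity-timeout 180`; it also covers the other two permit types, `any-remote-host` and `target-host-port`, for comparison. Assumptions: the internal host 40.1.1.10, all port numbers and the port allocator are constructed, and binding age is measured from the last permitted packet rather than from session expiry.

```python
from dataclasses import dataclass, field

@dataclass
class Binding:
    internal: tuple                      # (ip, port) of the internal host
    reflexive: tuple                     # (ip, port) taken from the source NAT pool
    contacted: set = field(default_factory=set)  # external (ip, port) pairs contacted
    last_active: float = 0.0

class PersistentNat:
    """Simplified model: binding age is measured from the last permitted packet."""

    def __init__(self, permit, pool_ip, inactivity_timeout):
        self.permit, self.pool_ip, self.timeout = permit, pool_ip, inactivity_timeout
        self.bindings = {}               # internal (ip, port) -> Binding
        self.next_port = 1024            # constructed port allocator

    def _live(self, b, now):
        return now - b.last_active <= self.timeout

    def outbound(self, internal, external, now):
        """Internal host sends to external; returns the reflexive (ip, port)."""
        b = self.bindings.get(internal)
        if b is None or not self._live(b, now):
            b = Binding(internal, (self.pool_ip, self.next_port))
            self.next_port += 1
            self.bindings[internal] = b
        b.contacted.add(external)
        b.last_active = now
        return b.reflexive

    def inbound(self, external, reflexive, now):
        """External host sends to a reflexive address; returns internal (ip, port) or None."""
        for b in self.bindings.values():
            if b.reflexive != reflexive or not self._live(b, now):
                continue
            if self.permit == "any-remote-host":
                allowed = True
            elif self.permit == "target-host":   # source IP must have been contacted
                allowed = external[0] in {ip for ip, _ in b.contacted}
            else:                                # target-host-port: exact IP and port
                allowed = external in b.contacted
            if allowed:
                b.last_active = now
                return b.internal
        return None

if __name__ == "__main__":
    nat = PersistentNat("target-host", "30.1.1.5", 180)   # pool sp1, timeout from sr1
    refl = nat.outbound(("40.1.1.10", 5060), ("20.20.20.105", 3478), now=0)
    print(refl, nat.inbound(("20.20.20.105", 9999), refl, now=10))
```
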