The main configuration tasks for source NAT are as follows:
Configure a source NAT address pool that aligns with your network and security requirements (not needed for interface NAT).
Configure pool utilization alarms (optional)—Specify thresholds for pool utilization.
Configure address persistence (optional)—Ensures that the same IP address is assigned from the source NAT pool to a host for multiple concurrent sessions.
Configure source NAT rules that align with your network and security requirements.
Configure NAT proxy ARP entries for IP addresses in the same subnet as the ingress interface.
Source NAT Pools
For source NAT address pools, specify the following:
Name of the source NAT address pool.
Up to eight addresses or address ranges.
Note: Do not overlap NAT addresses for source NAT, destination NAT, and static NAT within one routing instance.
Routing instance to which the pool belongs (the default is the main inet.0 routing instance).
No port translation (optional)—By default, port address translation is performed with source NAT. If you specify the port no-translation option, the number of hosts that the source NAT pool can support is limited to the number of addresses in the pool.
Overflow pool (optional)—Packets are dropped if there are no addresses available in the designated source NAT pool. To prevent that from happening when the port no-translation option is configured, you can specify an overflow pool. Once addresses from the original source NAT pool are exhausted, IP addresses and port numbers are allocated from the overflow pool. A user-defined source NAT pool or an egress interface can be used as the overflow pool. (When the overflow pool is used, the pool ID is returned with the address.)
IP address shifting (optional)—A range of original source IP addresses can be mapped to another range of IP addresses by shifting the IP addresses. Specify the host-address-base option with the base address of the original source IP address range.
Pool Utilization Alarms
When the raise-threshold option is configured for source NAT, an SNMP trap is triggered if the source NAT pool utilization rises above this threshold. If the optional clear-threshold option is configured, an SNMP trap is triggered if the source NAT pool utilization drops below this threshold. If clear-threshold is not configured, it is set by default to 80 percent of the raise-threshold value.
Persistent Addresses
By default, port address translation is performed with source
NAT. However, an original source address may not be translated to
the same IP address for different traffic that originates from the
same host. The source NAT address-persistent option ensures
that the same IP address is assigned from the source NAT pool to a
specific host for multiple concurrent sessions.
Source NAT Rules
Source NAT rules specify two layers of match conditions:
Traffic direction—Allows you to specify combinations of from interface, from zone, or from routing-instance and to interface, to zone, or to routing-instance. You cannot configure the same from and to contexts for different rule sets.
Packet information—Can be source and destination IP addresses or subnets.
If multiple source NAT rules overlap in the match conditions,
the most specific rule is chosen. For example, if rules A and B specify
the same source and destination IP addresses, but rule A specifies
traffic from zone 1 to zone 2 and rule B specifies traffic from zone
1 to interface ge-0/0/0, rule B is used to perform source
NAT. An interface match is considered to be more specific than a zone
match, which is more specific than a routing instance match. For more
information about rule set matching, see Understanding NAT Rule Sets and Rules.
The actions you can specify for a source NAT rule are:
off—Do not perform source NAT.
pool—Use the specified user-defined address pool to perform source NAT.
interface—Use the egress interface’s IP address to perform source NAT.
Source NAT rules are applied to traffic in the first packet
that is processed for the flow or in the fast path for the ALG. Source
NAT rules are processed after static NAT rules, destination NAT rules,
and reverse mapping of static NAT rules and after route and security
policy lookup.
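The tasks described above, brought together as an added example in Junos set-command form. This configuration is constructed for this page and is not taken from the original text or from Juniper; the zone names trust and untrust, the interface ge-0/0/0.0, the pool and rule names, and the RFC 5737 documentation addresses are all assumptions. The comment lines are for the reader and are not part of the configuration.

```junos
# Pool utilization alarms (optional): SNMP trap above 90% use, cleared below 70%
set security nat source pool-utilization-alarm raise-threshold 90
set security nat source pool-utilization-alarm clear-threshold 70

# Persistent addresses (optional): a host keeps the same pool address across sessions
set security nat source address-persistent

# Pool of 11 public addresses (assumed to sit on the ge-0/0/0.0 subnet).
# With port no-translation the pool serves at most 11 hosts at a time.
set security nat source pool SRC-POOL-1 address 203.0.113.10/32 to 203.0.113.20/32
set security nat source pool SRC-POOL-1 port no-translation
# Once SRC-POOL-1 is exhausted, allocate address and port from the egress interface
# instead of dropping packets
set security nat source pool SRC-POOL-1 overflow-pool interface

# IP address shifting: 10.1.2.1 -> 198.51.100.1, 10.1.2.2 -> 198.51.100.2, ...
# (assumed to be a separately routed range, so no proxy ARP entry is needed for it)
set security nat source pool SHIFT-POOL address 198.51.100.1/32 to 198.51.100.254/32
set security nat source pool SHIFT-POOL host-address-base 10.1.2.1/32

# Rule set: first match layer is traffic direction (zone to zone here)
set security nat source rule-set TRUST-TO-UNTRUST from zone trust
set security nat source rule-set TRUST-TO-UNTRUST to zone untrust

# Rules within a rule set are evaluated in order and the first match wins,
# so the narrow NAT exemption is placed before the broader rules
set security nat source rule-set TRUST-TO-UNTRUST rule NO-NAT-TO-PARTNER match source-address 10.1.0.0/16
set security nat source rule-set TRUST-TO-UNTRUST rule NO-NAT-TO-PARTNER match destination-address 192.0.2.0/24
set security nat source rule-set TRUST-TO-UNTRUST rule NO-NAT-TO-PARTNER then source-nat off

set security nat source rule-set TRUST-TO-UNTRUST rule SHIFT-SERVERS match source-address 10.1.2.0/24
set security nat source rule-set TRUST-TO-UNTRUST rule SHIFT-SERVERS then source-nat pool SHIFT-POOL

set security nat source rule-set TRUST-TO-UNTRUST rule INTERNAL-TO-INTERNET match source-address 10.1.0.0/16
set security nat source rule-set TRUST-TO-UNTRUST rule INTERNAL-TO-INTERNET then source-nat pool SRC-POOL-1

# Proxy ARP: the device must answer ARP for pool addresses that share the
# interface subnet but are not configured on the interface itself
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.10/32 to 203.0.113.20/32
```

Because the overflow pool is the egress interface, hosts that arrive after SRC-POOL-1 is full are translated with port address translation rather than one-to-one, which matters if any downstream control relies on a stable per-host public address.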