
NAT Policies Overview

Network Address Translation (NAT) is a form of network masquerading where you can hide devices or sites between zones or interfaces. A trusted zone is a segment of a network on which security measures are applied. It is usually assigned to the internal LAN. An example of an untrusted zone is the internet. NAT modifies the IP addresses of the packets moving between the trusted and untrusted zones.

Whenever a packet exits a NAT device (when traversing from the internal LAN to the external WAN), the device performs a translation on the packet’s IP address by rewriting it with an IP address that was specified for external use. After translation, the packet appears to have originated from the gateway rather than from the original device within the network. This process hides your internal IP addresses from the other networks and keeps your network secure.

Using NAT also enables you to use more internal IP addresses. As these IP addresses are hidden, there is no risk of conflict with an IP address from a different network. This helps you conserve IP addresses.

CSO supports three types of NAT:

CSO also supports persistent NAT where address translations are maintained in the database for a configurable amount of time after a session ends.

Table 126 shows the persistent NAT support for different source NAT and destination NAT addresses.

Table 126: Persistent NAT Support

| Source NAT Address | Translated Address | Destination NAT Address | Persistent NAT |
|---|---|---|---|
| IPv4 | IPv6 | IPv4 | No |
| IPv4 | IPv6 | IPv6 | No |
| IPv6 | IPv4 | IPv4 | Yes |
| IPv6 | IPv6 | IPv6 | No |

Table 127 and Table 128 show the translated address pool selection for source NAT, destination NAT, and static NAT addresses.

Table 127: Translated Address Pool Selection for Source NAT

| Source NAT Address | Destination Address | Pool Address |
|---|---|---|
| IPv4 | IPv4 | IPv4 |
| IPv4 | IPv6 - Subnet must be greater than 96 | IPv6 |
| IPv6 | IPv4 | IPv4 |
| IPv6 | IPv6 | IPv6 |

Table 128: Translated Address Pool Selection for Destination NAT and Static NAT

| Source NAT Address | Destination Address | Pool Address |
|---|---|---|
| IPv4 | IPv4 | IPv4 or IPv6 |
| IPv4 | IPv6 - Subnet must be greater than 96 | IPv4 or IPv6 |
| IPv6 | IPv4 | IPv4 |
| IPv6 | IPv6 | IPv4 or IPv6 |

Note 

  • For source NAT, the proxy Neighbor Discovery Protocol (NDP) is available for NAT pool addresses. For destination NAT and static NAT, the proxy NDP is available for destination NAT addresses.

  • A NAT pool can have a single IPv6 subnet or multiple IPv6 hosts.

  • You cannot configure the overflow pool if the address type is IPv6.

  • NAT pools permit address entries of only one version type: IPv4 or IPv6.
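
A pre-deployment check of NAT rules against Tables 127 and 128 and the notes above, as an added Python example that is not CSO code. The function name, rule layout and sample addresses are constructed, and it assumes that "greater than 96" refers to the IPv6 prefix length and that an IPv6 host entry is a /128.

```python
import ipaddress

# (source version, destination version) -> pool versions allowed, from Tables 127 and 128.
POOL_RULES = {
    "source": {(4, 4): {4}, (4, 6): {6}, (6, 4): {4}, (6, 6): {6}},
    "destination": {(4, 4): {4, 6}, (4, 6): {4, 6}, (6, 4): {4}, (6, 6): {4, 6}},
}
POOL_RULES["static"] = POOL_RULES["destination"]  # Table 128 covers both


def check_rule(nat_type, source, destination, pool, overflow_pool=None):
    """Return the list of violations for one NAT rule; an empty list means it conforms."""
    src = ipaddress.ip_network(source, strict=False)
    dst = ipaddress.ip_network(destination, strict=False)
    entries = [ipaddress.ip_network(p, strict=False) for p in pool]
    versions = {e.version for e in entries}
    if len(versions) != 1:
        return ["pool must contain only IPv4 or only IPv6 entries"]
    pool_version = versions.pop()
    errors = []
    if pool_version not in POOL_RULES[nat_type][(src.version, dst.version)]:
        errors.append(f"IPv{pool_version} pool not listed for IPv{src.version} source "
                      f"and IPv{dst.version} destination in {nat_type} NAT")
    # Assumption: "Subnet must be greater than 96" means prefix length > 96.
    if (src.version, dst.version) == (4, 6) and dst.prefixlen <= 96:
        errors.append("IPv6 destination prefix length must be greater than 96")
    if pool_version == 6:
        # Assumption: a "host" entry is a /128; anything shorter is a subnet.
        subnets = [e for e in entries if e.prefixlen < 128]
        if subnets and len(entries) > 1:
            errors.append("IPv6 pool must be a single subnet or a set of hosts")
        if overflow_pool is not None:
            errors.append("overflow pool cannot be configured with an IPv6 pool")
    return errors


# Constructed sample rules using documentation address ranges.
SAMPLE_RULES = [
    ("source", "10.0.0.0/24", "198.51.100.0/24", ["203.0.113.10/32"], None),
    ("source", "10.0.0.0/24", "2001:db8:a::/64", ["2001:db8:1::/120"], None),
    ("destination", "2001:db8:b::/64", "198.51.100.7/32", ["2001:db8:2::5/128"], None),
    ("source", "2001:db8:b::/64", "2001:db8:c::/64", ["2001:db8:1::/120"], "overflow-1"),
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(rule[:3], "->", check_rule(*rule) or "ok")
```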
