Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

TechLibrary
Navigation
Table of Contents
Guide That Contains This Content
[+] Expand All
[-] Collapse All
     

    Related Documentation

     

    Creating NAT Rules

    NAT processing centers on the evaluation of NAT rule sets and rules. A rule set determines the overall direction of the traffic to be processed. Once a rule set that matches the traffic has been found, each rule in the rule set is evaluated in order for a match. NAT rules can match on the following packet information:

    • Source and destination address

    • Source port (for source and static NAT only)

    • Destination port

    The first rule in the rule set that matches the traffic is used. If a packet matches a rule in a rule set during session establishment, traffic is processed according to the action specified by that rule.

    When you create a new NAT policy, click on the NAT policy name to configure the rules. You can configure the following types of NAT rules:

    • Source

    • Static

    • Destination

    Depending on the type of rule you have chosen, some fields in the rule will not be applicable. In addition to defining rules between zones and interfaces, you can define NAT rules with virtual routers defined on the device. These rules can be successfully published and updated on the device.

    Configuring NAT Rule Settings

    To configure a NAT rule:

    1. Select Configure > NAT Policies > Policies.
    2. Click the NAT policy name.

      The Rules page appears.

    3. Add a rule by clicking Create. Select the type of rule you want to add (source, static, or destination).
    4. Complete the configuration according to the guidelines provided in Table 1.
    5. Click Save.

    A new NAT rule is configured for a NAT policy.

    Table 1: NAT Rules Settings

    Setting

    Guideline

    Seq.

    Displays the sequence number assigned to the NAT rule.

    Name

    Select the name of the NAT policy that you want to add a rule to.

    NAT Type

    Select the type of NAT rule:

    • Source

    • Static

    • Destination

    Source Ingress

    Click the Source Ingress field to configure the ingress type.

    • Ingress Type—Select an ingress type: zone, interface, or routing instance.

    • From the appropriate selector, select the zones, interfaces, or routing instance that you want to associate the rule to, from the Available column.

      For the Routing Instance option, you can select one or more of the available virtual routers on the device. For the group NAT policy, you will see a consolidated list of all virtual routers on all devices that the policy is assigned to.

    • Click OK.

    Source Address

    Click the Source Address field to assign the source address for the policy, from the Available list.

    Source Port

    Click the Source Port field to configure the source port for the policy.

    • Enter a maximum of eight ports and port ranges separated by commas.

    • Select the required port set from the Available list.

      Create a source port inline by clicking Add New Source Port.

    Protocol

    Select the protocol from the Available list to permit or deny traffic.

    Destination Egress

    Click the Destination Egress field to configure the egress type.

    • Select an egress type: zone, interface, or routing instance.

    • From the appropriate selector, select the zones, interfaces, or routing instance that you want to associate the rule to, from the Available column.

    • Click OK.

    Destination Address

    Click the Destination Address field to assign the destination address for the policy, from the Available list. Create a destination address inline by clicking Add New Destination Address.

    Destination Port

    Click the Destination Port field to configure the destination port for the policy.

    • Enter a maximum of eight ports and port ranges separated by commas. Devices running Junos OS Release 12.1X47 and later support multiple ports and ranges, in the same way as Source ports.

    • Select the required port set from the Available list.

      Create a destination port inline by clicking Add New Source Port.

    Service

    Select the service to permit or deny for the source and destination type NAT rules. This is supported for devices running Junos OS Release 12.1X47.

    • Select Service—Select one of the following options:

      • None—No translation is required.

      • Interface—Enable interface NAT with or without port overloading.

        • Persistent—Enable the check box to ensure that all requests from the same internal transport address are mapped to the same reflexive transport address.

        • Persistent NAT type—Configure persistent NAT mappings.

          • Permit any remote host—All requests from a specific internal IP address and port are mapped to the same reflexive transport address. (The reflexive transport address is the public IP address and port created by the NAT device closest to the STUN server.) Any external host can send a packet to the internal host by sending the packet to the reflexive transport address.

          • Permit target host—All requests from a specific internal IP address and port are mapped to the same reflexive transport address. An external host can send a packet to an internal host by sending the packet to the reflexive transport address. The internal host must have previously sent a packet to the external host’s IP address.

          • Permit target host port—All requests from a specific internal IP address and port are mapped to the same reflexive transport address. An external host can send a packet to an internal host by sending the packet to the reflexive transport address. The internal host must have previously sent a packet to the external host’s IP address and port.

        • Inactivity timeout—The amount of time, in seconds, that the persistent NAT binding remains in the Juniper Networks device’s memory when all the sessions of the binding entry are gone. When the configured timeout is reached, the binding is removed from memory.

          The range is 60 through 7200 seconds.

        • Maximum session number—The maximum number of sessions with which a persistent NAT binding can be associated. For example, if the max-session-number of the persistent NAT rule is 65,536, then a 65,537th session cannot be established if that session uses the persistent NAT binding created from the persistent NAT rule.

          The range is 8 through 65,536. The default is 30 sessions.

    Translated Packet Destination

    Click Translated Packet Destination.

    Select the appropriate destination address. This option is available only for the destination NAT rule.

    Description

    Enter a description for the NAT rule; maximum length is 4096 characters.

     

    Related Documentation

     

    Modified: 2016-04-04

    Previous Page Next Page