Help Center User GuideGetting StartedFAQRelease Notes
 
X
User Guide
Getting Started
FAQ
Release Notes
Contents  

Creating NAT Rules

NAT processing centers on the evaluation of NAT rule sets and rules. A rule set determines the overall direction of the traffic to be processed. Once a rule set that matches the traffic has been found, each rule in the rule set is evaluated in order for a match. NAT rules can match on the following packet information:

The first rule in the rule set that matches the traffic is used. If a packet matches a rule in a rule set during session establishment, traffic is processed according to the action specified by that rule.

When you create a new NAT policy, click on the NAT policy name to configure the rules. You can configure the following types of NAT rules:

Depending on the type of rule you have chosen, some fields in the rule will not be applicable. In addition to defining rules between zones and interfaces, you can define NAT rules with virtual routers defined on the device. These rules can be successfully published and updated on the device.

Before You Begin

Procedure

To configure a NAT rule:

  1. Select Configure > NAT Policies > Policies.
  2. Click the NAT policy name.

    The Rules page appears.

  3. Add a rule by clicking Create. Select the type of rule you want to add (source, static, or destination).
  4. Complete the configuration according to the guidelines provided in Table 207.
  5. Click Save.

A new NAT rule is configured for a NAT policy.

Table 207: NAT Rules Settings

Setting

Guideline

Seq.

Displays the sequence number assigned to the NAT rule.

Name

Select the name of the NAT policy that you want to add a rule to.

NAT Type

Select the type of NAT rule:

  • Source

  • Static

  • Destination

Source Ingress

Click the Source Ingress field to configure the ingress type.

  • Ingress Type—Select an ingress type: zone, interface, or routing instance.

  • From the appropriate selector, select the zones, interfaces, or routing instance that you want to associate the rule to, from the Available column.

    For the Routing Instance option, you can select one or more of the available virtual routers on the device. For the group NAT policy, you will see a consolidated list of all virtual routers on all devices that the policy is assigned to.

  • Click OK.

Source Address

Click the Source Address field to assign the source address for the policy, from the Available list.

Source Port

Click the Source Port field to configure the source port for the policy.

  • Enter a maximum of eight ports and port ranges separated by commas.

  • Select the required port set from the Available list.

    Create a source port inline by clicking Add New Source Port.

Protocol

Select the protocol from the Available list to permit or deny traffic.

Destination Egress

Click the Destination Egress field to configure the egress type.

  • Select an egress type: zone, interface, or routing instance.

  • From the appropriate selector, select the zones, interfaces, or routing instance that you want to associate the rule to, from the Available column.

  • Click OK.

Destination Address

Click the Destination Address field to assign the destination address for the policy, from the Available list. Create a destination address inline by clicking Add New Destination Address.

Destination Port

Click the Destination Port field to configure the destination port for the policy.

  • Enter a maximum of eight ports and port ranges separated by commas. Devices running Junos OS Release 12.1X47 and later support multiple ports and ranges, in the same way as Source ports.

  • Select the required port set from the Available list.

    Create a destination port inline by clicking Add New Source Port.

Service

Select the service to permit or deny for the source and destination type NAT rules. This is supported for devices running Junos OS Release 12.1X47.

  • Select Service—Select one of the following options:

    • None—No translation is required.

    • Interface—Enable interface NAT with or without port overloading.

      • Persistent—Enable the check box to ensure that all requests from the same internal transport address are mapped to the same reflexive transport address.

      • Persistent NAT type—Configure persistent NAT mappings.

        • Permit any remote host—All requests from a specific internal IP address and port are mapped to the same reflexive transport address. (The reflexive transport address is the public IP address and port created by the NAT device closest to the STUN server.) Any external host can send a packet to the internal host by sending the packet to the reflexive transport address.

        • Permit target host—All requests from a specific internal IP address and port are mapped to the same reflexive transport address. An external host can send a packet to an internal host by sending the packet to the reflexive transport address. The internal host must have previously sent a packet to the external host’s IP address.

        • Permit target host port—All requests from a specific internal IP address and port are mapped to the same reflexive transport address. An external host can send a packet to an internal host by sending the packet to the reflexive transport address. The internal host must have previously sent a packet to the external host’s IP address and port.

      • Inactivity timeout—The amount of time, in seconds, that the persistent NAT binding remains in the Juniper Networks device’s memory when all the sessions of the binding entry are gone. When the configured timeout is reached, the binding is removed from memory.

        The range is 60 through 7200 seconds.

      • Maximum session number—The maximum number of sessions with which a persistent NAT binding can be associated. For example, if the max-session-number of the persistent NAT rule is 65,536, then a 65,537th session cannot be established if that session uses the persistent NAT binding created from the persistent NAT rule.

        The range is 8 through 65,536. The default is 30 sessions.

Translated Packet Destination

Click Translated Packet Destination.

Select the appropriate destination address. This option is available only for the destination NAT rule.

Description

Enter a description for the NAT rule; maximum length is 4096 characters.

Related Documentation

Help us to improve. Rate this article.
Feedback Received. Thank You!

Ask questions in TechWiki

Check documentation in TechLibrary

Rating by you:      
X

Additional Comments

800 characters remaining

May we contact you if necessary?

Name:
Email:

Need product assistance? Contact Juniper Support

Submit