Source NAT


Source NAT is most commonly used to translate a private IP address to a public, routable address so that the host can communicate across the public network. Source NAT changes the source address of the packets that pass through the router. A NAT pool is a set of addresses designated as replacements for client IP addresses. For more information, see the following topics:

Understanding Source NAT

Source NAT is the translation of the source IP address of a packet leaving the Juniper Networks device. Source NAT is used to allow hosts with private IP addresses to access a public network.

Source NAT allows connections to be initiated only for outgoing network connections—for example, from a private network to the Internet. Source NAT is commonly used to perform the following translations:

  • Translate a single IP address to another address (for example, to provide a single device in a private network with access to the Internet).

  • Translate a contiguous block of addresses to another block of addresses of the same size.

  • Translate a contiguous block of addresses to another block of addresses of smaller size.

  • Translate a contiguous block of addresses to a single IP address or a smaller block of addresses using port translation.

  • Translate a contiguous block of addresses to the address of the egress interface.

Translation to the address of the egress interface does not require an address pool; all other source NAT translations require configuration of an address pool. One-to-one and many-to-many translations for address blocks of the same size do not require port translation because there is an available address in the pool for every address that would be translated.

If the size of the address pool is smaller than the number of addresses that would be translated, either the total number of concurrent addresses that can be translated is limited by the size of the address pool or port translation must be used. For example, if a block of 253 addresses is translated to an address pool of 10 addresses, a maximum of 10 devices can be connected concurrently unless port translation is used.

The following types of source NAT are supported:

  • Translation of the original source IP address to the egress interface’s IP address (also called interface NAT). Port address translation is always performed.

  • Translation of the original source IP address to an IP address from a user-defined address pool without port address translation. The association between the original source IP address to the translated source IP address is dynamic. However, once there is an association, the same association is used for the same original source IP address for new traffic that matches the same NAT rule.

  • Translation of the original source IP address to an IP address from a user-defined address pool with port address translation. The association between the original source IP address to the translated source IP address is dynamic. Even if an association exists, the same original source IP address may be translated to a different address for new traffic that matches the same NAT rule.

  • Translation of the original source IP address to an IP address from a user-defined address pool by shifting the IP addresses. This type of translation is one-to-one, static, and without port address translation. If the original source IP address range is larger than the IP address range in the user-defined pool, untranslated packets are dropped.

Understanding Central Point Architecture Enhancements for NAT

System session capacity and session ramp-up rate are limited by central point memory capacity and CPU capacity. Starting in Junos OS Release 15.1X49-D30 and Junos OS Release 17.3R1, the central point architecture for NAT has been enhanced to handle higher system session capacity and session ramp-up rate for the SRX5000 line. The workload on the central point is reduced, which increases the session capacity, supports more sessions, and achieves higher connections per second (CPS). Starting in Junos OS Release 17.4R1, source NAT resources handled by the central point architecture are offloaded to the SPUs when the SPC number is more than four, resulting in more efficient resource allocation. The following list describes the enhancements to NAT that improve performance:

  • The central point architecture no longer supports central point sessions. Therefore, NAT needs to maintain a NAT tracker to track the IP address or port allocation and usage. NAT tracker is a global array for SPU session ID to NAT IP or port mapping that is used to manage NAT resources.

  • By default, a NAT rule alarm and trap statistics counter update message is sent from the Services Processing Unit (SPU) to the central point at intervals of 1 second instead of updating the statistics based on each session trigger in the central point system.

  • To support a specific NAT IP address or port allocation such that the 5-tuple hash after NAT is the same as the original 5-tuple hash before NAT, the device selects a NAT port that produces the same hash as the original hash through a specific calculation. Hence, fewer forwarding sessions are needed. When NAT is used, the reverse wing is hashed to a different SPU, so a forwarding session has to be installed to forward reverse traffic to the session SPU. NAT tries to select a port that makes the hash algorithm place the reverse wing on the same SPU as the initial wing. Both NAT performance and throughput are improved with this approach.

  • To improve NAT performance, IP shifting pool (non-PAT pool) management is moved from the central point to the SPU so that all local NAT resources for that pool are managed locally instead of sending the NAT request to the central point. Hence, IP address-shifting NAT pool connections per second and throughput are improved.

Optimizing Source NAT Performance

Source NAT can be optimized based on functionality and performance needs.

Port Randomization Mode (Default)

For pool-based source NAT and interface NAT, port randomization mode is enabled and used by default.

In this mode, the device selects IP addresses on a round-robin basis, and the port selection is random. That is, when the device performs NAT translation it first chooses the IP address by round robin, then chooses the port used for that IP address by randomization.

Although randomized port number allocation can provide protection from security threats such as DNS poison attacks, it can also affect performance and memory usage due to the computations and NAT table resources involved.

Round-Robin Mode

A less resource-intensive NAT translation method involves using only the round-robin allocation method. Whereas randomization requires computational work for each assigned port, the round robin method simply selects ports sequentially.

In this mode, the device selects both IP addresses and ports on a round-robin basis. That is, when the device performs NAT translation it first chooses the IP address by round robin, then chooses the port used for that IP address by round robin.

For example, if the source pool contains only one IP address:

  • When the first packet of a flow arrives (creating a session), it is translated to IP1, port N. Subsequent packets in that flow are allocated to the same IP/port.

  • When the first packet of a new flow arrives, it is translated to IP1, port N+1, and so on.

If the source pool contains two IP addresses:

  • When the first packet of a flow arrives (creating a session), it is translated to IP1, port X. Subsequent packets in that flow are allocated to the same IP/port.

  • When the first packet of a second flow arrives, it is translated to IP2, port X.

  • When the first packet of a third flow arrives, it is translated to IP1, port X+1.

  • When the first packet of a fourth flow arrives, it is translated to IP2, port X+1, and so on.
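The pool behaviours described above (a fixed pool without port translation that refuses hosts once its addresses are taken, a PAT pool that picks the address round-robin and then a port, and static address shifting that drops sources outside its range) and the round-robin IP-then-port ordering just illustrated can be modelled in a few dozen lines. The following is an added example written for this page, not Junos code or Juniper's implementation; the pool addresses, host addresses, starting port and the seeded random source are constructed sample values.

```python
import ipaddress
import random


class SourceNatPool:
    """Toy model of the source NAT pool types described above (constructed, not Junos code).

    mode "no-pat": each original source gets its own pool address and keeps it while it
                   has sessions; once every pool address is taken, new hosts are refused.
    mode "pat":    the address is chosen round-robin, then a port on that address is
                   chosen round-robin or at random, so many hosts share few addresses.
    mode "shift":  static one-to-one mapping of host_base + n onto pool address n with
                   no port translation; sources outside the range are dropped (None).
    """

    def __init__(self, addresses, mode="pat", port_mode="round-robin",
                 port_range=(1024, 65535), host_base=None, seed=1):
        self.addresses = [str(a) for a in addresses]
        self.mode = mode
        self.port_mode = port_mode
        self.port_lo, self.port_hi = port_range
        self.host_base = ipaddress.ip_address(host_base) if host_base else None
        self.rng = random.Random(seed)          # seeded so the example is reproducible
        self._rr_ip = 0                         # next address index for round-robin
        self._rr_port = {ip: self.port_lo for ip in self.addresses}
        self._used_ports = {ip: set() for ip in self.addresses}
        self._host_map = {}                     # no-pat: original source -> pool address

    def translate(self, src_ip, src_port):
        """Translated (ip, port) for the first packet of a new flow, or None if dropped."""
        if self.mode == "shift":
            offset = int(ipaddress.ip_address(src_ip)) - int(self.host_base)
            if 0 <= offset < len(self.addresses):
                return self.addresses[offset], src_port
            return None                         # outside the shifted range: dropped
        if self.mode == "no-pat":
            if src_ip in self._host_map:        # an existing association is reused
                return self._host_map[src_ip], src_port
            taken = set(self._host_map.values())
            free = [ip for ip in self.addresses if ip not in taken]
            if not free:
                return None                     # pool exhausted and no PAT to fall back on
            self._host_map[src_ip] = free[0]
            return free[0], src_port
        # "pat": pick the address first (round-robin), then a port on that address
        ip = self.addresses[self._rr_ip % len(self.addresses)]
        self._rr_ip += 1
        return ip, self._pick_port(ip)

    def _pick_port(self, ip):
        used = self._used_ports[ip]
        if self.port_mode == "random":
            while True:                         # port randomization: draw until unused
                port = self.rng.randint(self.port_lo, self.port_hi)
                if port not in used:
                    break
        else:                                   # round-robin: ports handed out sequentially
            port = self._rr_port[ip]
            if port > self.port_hi:
                raise RuntimeError(f"port range exhausted on {ip}")
            self._rr_port[ip] = port + 1
        used.add(port)
        return port


def round_robin_sequence(pool_addresses, flows, first_port=10000):
    """(ip, port) assigned to the first `flows` new flows in round-robin mode."""
    pool = SourceNatPool(pool_addresses, mode="pat", port_range=(first_port, 65535))
    return [pool.translate(f"192.168.1.{i + 1}", 40000 + i) for i in range(flows)]


def no_pat_demo(pool_addresses, hosts):
    """Map each host onto a fixed (non-PAT) pool; None marks a refused host."""
    pool = SourceNatPool(pool_addresses, mode="no-pat")
    return {h: pool.translate(h, 40000) for h in hosts}


def shift_demo(pool_addresses, host_base, hosts):
    """Static address-shifting translation; None marks a dropped packet."""
    pool = SourceNatPool(pool_addresses, mode="shift", host_base=host_base)
    return {h: pool.translate(h, 40000) for h in hosts}


if __name__ == "__main__":
    # Constructed sample values using documentation address ranges.
    print(round_robin_sequence(["203.0.113.1"], 3))
    print(round_robin_sequence(["203.0.113.1", "203.0.113.2"], 4))
    print(no_pat_demo(["203.0.113.1", "203.0.113.2"],
                      ["192.168.1.1", "192.168.1.2", "192.168.1.3"]))
    print(shift_demo([f"203.0.113.{i}" for i in range(10, 15)], "192.168.1.10",
                     ["192.168.1.12", "192.168.1.20"]))
```

With two pool addresses the round-robin run reproduces the sequence in the text (IP1 port X, IP2 port X, IP1 port X+1, IP2 port X+1), and the no-PAT run shows the third host being refused once both addresses are associated.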

Configuration

Round-robin mode is enabled by default; however, port randomization mode (also enabled) has higher priority. To use round-robin mode, disable the higher-priority port randomization mode, as follows:

user@host# set security nat source port-randomization disable

To disable round-robin mode (and re-enable port randomization), delete the configuration statement, as follows:

user@host# delete security nat source port-randomization disable

Session Affinity Mode

Starting in Junos OS Release 15.1X49-D30 and Junos OS Release 17.3R1, you can further improve NAT performance and throughput on SRX5000 Series devices using “session affinity” mode.

With the modes noted above, a given session is processed by the inbound SPU based on a 5-tuple (source IP, dest IP, source port, dest port, protocol) hash. When NAT is involved, the 5-tuple hash will be different for the outbound part of the session vs. the return part of the session. Therefore, the outbound NAT session information may be located in one SPU, while the return (reverse) NAT session information may be located in another SPU. The goal of session affinity mode is to maintain the forwarding session information for both the outbound and return traffic on the same SPU.

In this mode, the device uses a “reverse NAT enhancement” translation algorithm for IP and port selection, to improve performance for NAT sessions and throughput. The NAT module attempts to select an IP address and port that can be used with the hash algorithm to ensure the selected SPU for the outbound and return flow elements can be identical.

Configuration

Session affinity mode is enabled by default; however, both port randomization and round-robin modes (also enabled) have higher priority. To use session affinity mode, disable both port randomization and round-robin modes, as follows:

user@host# set security nat source port-randomization disable
user@host# set security nat source round-robin disable

To disable session affinity mode, and re-enable either round-robin or port randomization mode, delete one or both of the configuration statements, as follows:

user@host# delete security nat source round-robin disable
user@host# delete security nat source port-randomization disable

Usage Notes

Notes and guidelines for session affinity mode include:

  • Use large NAT port pools whenever possible (see Security Considerations below).

  • The algorithm chooses a port from within the configured port range. If no port is available, the NAT port will be allocated based on random selection.

  • Static NAT and destination NAT cannot use affinity mode.

Security Considerations

Although session affinity improves performance by consolidating forwarding sessions, it decreases security to some degree, because the algorithm selects the IP address and port according to a predefined algorithm with specific parameters instead of pure randomization. That said, there are typically multiple eligible ports for the algorithm to choose from, so some degree of randomization remains.

The best way to mitigate the security risk is to ensure the source port number used is less predictable. That is, the larger the NAT pool resource range from which ephemeral ports are selected, the smaller the chances of an attacker guessing the selected port number. Given this, it is recommended to configure large NAT port pools whenever possible.
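The affinity selection and the security trade-off above can be made concrete with a small model: hash the forward 5-tuple to an SPU, then keep only the pool ports whose return-direction 5-tuple hashes to that same SPU, and fall back to a random port when none qualifies. This is an added example for this page, not Juniper's algorithm: the real hash is not published, so CRC32 stands in for it, the SPU count and the sample flow are constructed, and the candidate counts it prints are only meaningful relative to each other. It also shows why the text recommends large port pools: the single-try guess probability falls as the candidate set grows.

```python
import random
import zlib

NUM_SPUS = 4   # constructed: number of Services Processing Units in the model


def spu_for(src, dst, sport, dport, proto, num_spus=NUM_SPUS):
    """SPU that owns a flow: 5-tuple hash modulo the SPU count.

    CRC32 is a stand-in for the device's unpublished hash (constructed)."""
    key = f"{src}|{dst}|{sport}|{dport}|{proto}".encode()
    return zlib.crc32(key) % num_spus


def affinity_candidates(flow, nat_ip, port_lo, port_hi):
    """Pool ports whose return-direction 5-tuple hashes to the same SPU as the forward wing."""
    src, dst, sport, dport, proto = flow
    owner = spu_for(src, dst, sport, dport, proto)        # SPU holding the forward wing
    # return traffic is addressed from the server to the translated address and port
    return [p for p in range(port_lo, port_hi + 1)
            if spu_for(dst, nat_ip, dport, p, proto) == owner]


def select_port(flow, nat_ip, port_lo, port_hi, rng=None):
    """Session-affinity port choice: returns (port, affine).

    affine=True means forward and return wings land on the same SPU. When no
    port in the configured range qualifies, fall back to a random port
    (affine=False), as the usage notes above describe."""
    rng = rng or random.Random(1)                 # seeded for reproducibility
    candidates = affinity_candidates(flow, nat_ip, port_lo, port_hi)
    if candidates:
        return rng.choice(candidates), True       # some randomization among eligible ports
    return rng.randint(port_lo, port_hi), False


def guess_probability(flow, nat_ip, port_lo, port_hi):
    """Chance of guessing the chosen port in one try if the candidate set were known."""
    n = len(affinity_candidates(flow, nat_ip, port_lo, port_hi))
    return 1.0 / n if n else 1.0 / (port_hi - port_lo + 1)


if __name__ == "__main__":
    # constructed sample flow: internal host to a web server, translated to 203.0.113.10
    flow = ("192.168.1.200", "198.51.100.80", 40123, 443, "tcp")
    for lo, hi in [(1024, 1123), (1024, 65535)]:
        n = len(affinity_candidates(flow, "203.0.113.10", lo, hi))
        pr = guess_probability(flow, "203.0.113.10", lo, hi)
        print(f"ports {lo}-{hi}: {n} affine candidates, guess probability {pr:.6f}")
```

Roughly one port in NUM_SPUS qualifies under this model, so a 100-port range leaves only a couple of dozen eligible ports while the full ephemeral range leaves thousands; that difference is the whole of the mitigation the text recommends.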

Monitoring Source NAT Information

Purpose

Display configured information about source Network Address Translation (NAT) rules, pools, persistent NAT, and paired addresses.

Action

Select Monitor>NAT>Source NAT in the J-Web user interface, or enter the following CLI commands:

  • show security nat source summary

  • show security nat source pool pool-name

  • show security nat source persistent-nat-table

  • show security nat source paired-address

Table 1 describes the available options for monitoring source NAT.

Table 1: Source NAT Monitoring Page

Field

Description

Action

Rules

Rule-set Name

Name of the rule set.

Select all rule sets or a specific rule set to display from the list.

Total rules

Number of rules configured.

ID

Rule ID number.

Name

Name of the rule.

From

Name of the routing instance/zone/interface from which the packet flows.

To

Name of the routing instance/zone/interface to which the packet flows.

Source address range

Source IP address range in the source pool.

Destination address range

Destination IP address range in the source pool.

Source ports

Source port numbers.

IP protocol

IP protocol.

Action

Action taken for a packet that matches a rule.

Persistent NAT type

Persistent NAT type.

Inactivity timeout

Inactivity timeout interval for the persistent NAT binding.

Alarm threshold

Utilization alarm threshold.

Max session number

The maximum number of sessions.

Sessions (Succ/Failed/Current)

Successful, failed, and current sessions.

  • Succ–Number of successful session installations after the NAT rule is matched.

  • Failed–Number of unsuccessful session installations after the NAT rule is matched.

  • Current–Number of sessions that reference the specified rule.

Translation Hits

Number of times a translation in the translation table is used for a source NAT rule.

Pools

Pool Name

The names of the pools.

Select all pools or a specific pool to display from the list.

Total Pools

Total pools added.

ID

ID of the pool.

Name

Name of the source pool.

Address range

IP address range in the source pool.

Single/Twin ports

Number of allocated single and twin ports.

Port

Source port number in the pool.

Address assignment

Displays the type of address assignment.

Alarm threshold

Utilization alarm threshold.

Port overloading factor

Port overloading capacity.

Routing instance

Name of the routing instance.

Total addresses

Total IP address, IP address set, or address book entry.

Host address base

Host base address of the original source IP address range.

Translation hits

Number of times a translation in the translation table is used for source NAT.

Top 10 Translation Hits

Graph

Displays the graph of top 10 translation hits.

Persistent NAT

Persistent NAT table statistics

binding total

Displays the total number of persistent NAT bindings for the FPC.

binding in use

Number of persistent NAT bindings that are in use for the FPC.

enode total

Total number of persistent NAT enodes for the FPC.

enode in use

Number of persistent NAT enodes that are in use for the FPC.

Persistent NAT table

Source NAT pool

Name of the pool.

Select all pools or a specific pool to display from the list.

Internal IP

Internal IP address.

Select all IP addresses or a specific IP address to display from the list.

Internal port

Displays the internal ports configured in the system.

Select the port to display from the list.

Internal protocol

Internal protocols.

Select all protocols or a specific protocol to display from the list.

Internal IP

Internal transport IP address of the outgoing session from internal to external.

Internal port

Internal transport port number of the outgoing session from internal to external.

Internal protocol

Internal protocol of the outgoing session from internal to external.

Reflective IP

Translated IP address of the source IP address.

Reflective port

Displays the translated number of the port.

Reflective protocol

Translated protocol.

Source NAT pool

Name of the source NAT pool where persistent NAT is used.

Type

Persistent NAT type.

Left time/Conf time

Inactivity timeout period that remains and the configured timeout value.

Current session num/Max session num

Number of current sessions associated with the persistent NAT binding and the maximum number of sessions.

Source NAT rule

Name of the source NAT rule to which this persistent NAT binding applies.

External node table

Internal IP

Internal transport IP address of the outgoing session from internal to external.

Internal port

Internal port number of the outgoing session from internal to external.

External IP

External IP address of the outgoing session from internal to external.

External port

External port of the outgoing session from internal to external.

Zone

External zone of the outgoing session from internal to external.

Paired Address

Pool name

Name of the pool.

Select all pools or a specific pool to display from the list.

Specified Address

IP address.

Select all addresses, or select the internal or external IP address to display, and enter the IP address.

Pool name

Displays the selected pool or pools.

Internal address

Displays the internal IP address.

External address

Displays the external IP address.

Resource Usage

Utilization for all source pools

Pool name

Name of the pool.

To view additional usage information for Port Address Translation (PAT) pools, select a pool name. The information displays under Detail Port Utilization for Specified Pool.

Pool type

Pool type: PAT or Non-PAT.

Port overloading factor

Port overloading capacity for PAT pools.

Address

Addresses in the pool.

Used

Number of used resources in the pool.

For Non-PAT pools, the number of used IP addresses is displayed.

For PAT pools, the number of used ports is displayed.

Available

Number of available resources in the pool.

For Non-PAT pools, the number of available IP addresses is displayed.

For PAT pools, the number of available ports is displayed.

Total

Number of used and available resources in the pool.

For Non-PAT pools, the total number of used and available IP addresses is displayed.

For PAT pools, the total number of used and available ports is displayed.

Usage

Percent of resources used.

For Non-PAT pools, the percent of IP addresses used is displayed.

For PAT pools, the percent of ports, including single and twin ports, is displayed.

Peak usage

Percent of resources used during the peak date and time.

Detail Port Utilization for Specified Pool

Address Name

IP addresses in the PAT pool.

Select the IP address for which you want to display detailed usage information.

Factor-Index

Index number.

Port-range

Displays the number of ports allocated at a time.

Used

Displays the number of used ports.

Available

Displays the number of available ports.

Total

Displays the number of used and available ports.

Usage

Displays the percentage of ports used during the peak date and time.

Source NAT Configuration Overview

The main configuration tasks for source NAT are as follows:

  1. Configure an address pool or an interface NAT mapping of private addresses to the public address of an egress interface.

    For an address pool, also do the following:

    1. Specify the name of the pool, the addresses or address ranges, the routing instance, and whether to perform port address translation (PAT).
    2. (Optional) Configure address pool options, such as overflow pool, IP address shifting, address sharing, address pooling, and pool utilization alarms.
    3. Configure NAT proxy ARP entries for IP addresses in the same subnet of the ingress interface.
  2. (Optional) Configure the persistent address.
  3. Configure source NAT rules that align with your network and security requirements.

Example: Configuring Source NAT for Egress Interface Translation

This example describes how to configure a source NAT mapping of private addresses to the public address of an egress interface.

Requirements

Before you begin:

  1. Configure network interfaces on the device. See Interfaces Feature Guide for Security Devices.
  2. Create security zones and assign interfaces to them. See Understanding Security Zones.

Overview

This example uses the trust security zone for the private address space and the untrust security zone for the public address space. In Figure 1, devices with private addresses in the trust zone access a public network through the egress interface ge-0/0/0. For packets that enter the Juniper Networks security device from the trust zone with a destination address in the untrust zone, the source IP address is translated to the IP address of the egress interface.

Note

No source NAT pool is required for source NAT using an egress interface. Proxy ARP does not need to be configured for the egress interface.

Figure 1: Source NAT Egress Interface Translation

This example describes the following configurations:

  • Source NAT rule set rs1 with a rule r1 to match any packet from the trust zone to the untrust zone. For matching packets, the source address is translated to the IP address of the egress interface.

  • Security policies to permit traffic from the trust zone to the untrust zone.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate throughout various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure a source NAT translation to an egress interface:

  1. Create a source NAT rule set.
  2. Configure a rule that matches packets and translates the source address to the address of the egress interface.
  3. Configure a security policy that allows traffic from the trust zone to the untrust zone.

Results

From configuration mode, confirm your configuration by entering the show security nat and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Source NAT Rule Usage

Purpose

Verify that there is traffic matching the source NAT rule.

Action

From operational mode, enter the show security nat source rule all command. View the Translation hits field to check for traffic that matches the rule.

Verifying NAT Application to Traffic

Purpose

Verify that NAT is being applied to the specified traffic.

Action

From operational mode, enter the show security flow session command.

Example: Configuring Source NAT for Single Address Translation

This example describes how to configure a source NAT mapping of a single private address to a public address.

Requirements

Before you begin:

  1. Configure network interfaces on the device. See Interfaces Feature Guide for Security Devices.
  2. Create security zones and assign interfaces to them. See Understanding Security Zones.

Overview

This example uses the trust security zone for the private address space and the untrust security zone for the public address space. In Figure 2, a device with the private address 192.168.1.200 in the trust zone accesses a public network. For packets sent by the device to a destination address in the untrust zone, the Juniper Networks security device translates the source IP address to the public IP address 203.0.113.200/32.

Figure 2: Source NAT Single Address Translation

This example describes the following configurations:

  • Source NAT pool src-nat-pool-1 that contains the IP address 203.0.113.200/32.

  • Source NAT rule set rs1 with rule r1 to match packets from the trust zone to the untrust zone with the source IP address 192.168.1.200/32. For matching packets, the source address is translated to the IP address in src-nat-pool-1 pool.

  • Proxy ARP for the address 203.0.113.200 on interface ge-0/0/0.0. This allows the Juniper Networks security device to respond to ARP requests received on the interface for that address.

  • Security policies to permit traffic from the trust zone to the untrust zone.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate throughout various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure a source NAT translation for a single IP address:

  1. Create a source NAT pool.
  2. Create a source NAT rule set.
  3. Configure a rule that matches packets and translates the source address to the address in the pool.
  4. Configure proxy ARP.
  5. Configure a security policy that allows traffic from the trust zone to the untrust zone.

Results

From configuration mode, confirm your configuration by entering the show security nat and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Source NAT Pool Usage

Purpose

Verify that there is traffic using IP addresses from the source NAT pool.

Action

From operational mode, enter the show security nat source pool all command. View the Translation hits field to check for traffic using IP addresses from the pool.

Verifying Source NAT Rule Usage

Purpose

Verify that there is traffic matching the source NAT rule.

Action

From operational mode, enter the show security nat source rule all command. View the Translation hits field to check for traffic that matches the rule.

Verifying NAT Application to Traffic

Purpose

Verify that NAT is being applied to the specified traffic.

Action

From operational mode, enter the show security flow session command.

Example: Configuring Source and Destination NAT Translations

This example describes how to configure both source and destination NAT mappings.

Requirements

Before you begin:

  1. Configure network interfaces on the device. See Interfaces Feature Guide for Security Devices.
  2. Create security zones and assign interfaces to them. See Understanding Security Zones.

Overview

This example uses the trust security zone for the private address space and the untrust security zone for the public address space. In Figure 3, the following translations are performed on the Juniper Networks security device:

  • The source IP address in packets sent by the device with the private address 192.168.1.200 in the trust zone to any address in the untrust zone is translated to a public address in the range from 203.0.113.10 through 203.0.113.14.

  • The destination IP address 203.0.113.100/32 in packets sent from the trust zone to the untrust zone is translated to the address 10.1.1.200/32.

Figure 3: Source and Destination NAT Translations

This example describes the following configurations:

  • Source NAT pool src-nat-pool-1 that contains the IP address range 203.0.113.10 through 203.0.113.14.

  • Source NAT rule set rs1 with rule r1 to match any packets from the trust zone to the untrust zone. For matching packets, the source address is translated to an IP address in the src-nat-pool-1 pool.

  • Destination NAT pool dst-nat-pool-1 that contains the IP address 10.1.1.200/32.

  • Destination NAT rule set rs1 with rule r1 to match packets from the trust zone with the destination IP address 203.0.113.100. For matching packets, the destination address is translated to the IP address in the dst-nat-pool-1 pool.

  • Proxy ARP for the addresses 203.0.113.10 through 203.0.113.14 and 203.0.113.100/32 on interface ge-0/0/0.0. This allows the Juniper Networks security device to respond to ARP requests received on the interface for those addresses.

  • Security policy to permit traffic from the trust zone to the untrust zone.

  • Security policy to permit traffic from the untrust zone to the translated destination IP addresses in the trust zone.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate throughout various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure the source and destination NAT translations:

  1. Create a source NAT pool.
  2. Create a source NAT rule set.
  3. Configure a rule that matches packets and translates the source address to an address in the source NAT pool.
  4. Create a destination NAT pool.
  5. Create a destination NAT rule set.
  6. Configure a rule that matches packets and translates the destination address to the address in the destination NAT pool.
  7. Configure proxy ARP.
  8. Configure a security policy that allows traffic from the trust zone to the untrust zone.
  9. Configure an address in the global address book.
  10. Configure a security policy that allows traffic from the untrust zone to the trust zone.

Results

From configuration mode, confirm your configuration by entering the show security nat and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Source NAT Pool Usage

Purpose

Verify that there is traffic using IP addresses from the source NAT pool.

Action

From operational mode, enter the show security nat source pool all command. View the Translation hits field to check for traffic using IP addresses from the pool.

Verifying Source NAT Rule Usage

Purpose

Verify that there is traffic matching the source NAT rule.

Action

From operational mode, enter the show security nat source rule all command. View the Translation hits field to check for traffic that matches the rule.

Verifying Destination NAT Pool Usage

Purpose

Verify that there is traffic using IP addresses from the destination NAT pool.

Action

From operational mode, enter the show security nat destination pool all command. View the Translation hits field to check for traffic using IP addresses from the pool.

Verifying Destination NAT Rule Usage

Purpose

Verify that there is traffic matching the destination NAT rule.

Action

From operational mode, enter the show security nat destination rule all command. View the Translation hits field to check for traffic that matches the rule.

Verifying NAT Application to Traffic

Purpose

Verify that NAT is being applied to the specified traffic.

Action

From operational mode, enter the show security flow session command.

Understanding Source NAT Rules

Source NAT rules specify two layers of match conditions:

  • Traffic direction—Allows you to specify combinations of from interface, from zone, or from routing-instance and to interface, to zone, or to routing-instance. You cannot configure the same from and to contexts for different rule sets.

  • Packet information—Can be source and destination IP addresses or subnets, source port numbers or port ranges, destination port numbers or port ranges, protocols, or applications.

For all ALG traffic, except FTP, we recommend that you not use the source-port rule option. Data session creation can fail if this option is used because the IP address and the source port value, which is a random value, might not match the rule.

In addition, we recommend that you not use the destination-port option or the application option as matching conditions for ALG traffic. If these options are used, translation may fail because the port value in the application payload might not match the port value in the IP address.

If multiple source NAT rules overlap in the match conditions, the most specific rule is chosen. For example, if rules A and B specify the same source and destination IP addresses, but rule A specifies traffic from zone 1 to zone 2 and rule B specifies traffic from zone 1 to interface ge-0/0/0, rule B is used to perform source NAT. An interface match is considered to be more specific than a zone match, which is more specific than a routing instance match.

The actions you can specify for a source NAT rule are:

  • off—Do not perform source NAT.

  • pool—Use the specified user-defined address pool to perform source NAT.

  • interface—Use the egress interface’s IP address to perform source NAT.

Source NAT rules are applied to traffic in the first packet that is processed for the flow or in the fast path for the ALG. Source NAT rules are processed after static NAT rules, destination NAT rules, and reverse mapping of static NAT rules and after route and security policy lookup.

If no zones are configured under a rule set, and active source NAT is configured with the mandatory from statement missing, the commit fails with the message “Missing mandatory statement: 'from' error: configuration check-out failed”.

Example: Configuring Source NAT with Multiple Rules

This example describes how to configure source NAT mappings with multiple rules.

Requirements

Before you begin:

Overview

This example uses the trust security zone for the private address space and the untrust security zone for the public address space. In Figure 4, the following translations are performed on the Juniper Networks security device for the source NAT mapping for traffic from the trust zone to the untrust zones:

  • The source IP address in packets sent by the 10.1.1.0/24 and 10.1.2.0/24 subnets to any address in the untrust zone is translated to a public address in the range from 192.0.2.1 to 192.0.2.24 with port translation.

  • The source IP address in packets sent by the 192.168.1.0/24 subnet to any address in the untrust zone is translated to a public address in the range from 192.0.2.100 to 192.0.2.249 with no port translation.

  • The source IP address in packets sent by the 192.168.1.250/32 host device is not translated.

Figure 4: Source NAT with Multiple Translation Rules

This example describes the following configurations:

  • Source NAT pool src-nat-pool-1 that contains the IP address range 192.0.2.1 through 192.0.2.24.

  • Source NAT pool src-nat-pool-2 that contains the IP address range 192.0.2.100 through 192.0.2.249, with port address translation disabled.

    Note

    When port address translation is disabled, the number of translations that the source NAT pool can support concurrently is limited to the number of addresses in the pool, unless the address-shared option is enabled. Packets are dropped if there are no addresses available in the source NAT pool. You can optionally specify an overflow pool from which IP addresses and port numbers are allocated when there are no addresses available in the original source NAT pool.

  • Source NAT rule set rs1 to match packets from the trust zone to the untrust zone. Rule set rs1 contains multiple rules:

    • Rule r1 to match packets with a source IP address in either the 10.1.1.0/24 or 10.1.2.0/24 subnets. For matching packets, the source address is translated to an IP address in the src-nat-pool-1 pool.

    • Rule r2 to match packets with a source IP address of 192.168.1.250/32. For matching packets, there is no NAT translation performed.

    • Rule r3 to match packets with a source IP address in the 192.168.1.0/24 subnet. For matching packets, the source address is translated to an IP address in the src-nat-pool-2 pool.

      Note

      The order of rules in a rule set is important, as the first rule in the rule set that matches the traffic is used. Therefore, rule r2 to match a specific IP address must be placed before rule r3 that matches the subnet on which the device is located.

  • Proxy ARP for the addresses 192.0.2.1 through 192.0.2.24 and 192.0.2.100 through 192.0.2.249 on interface ge-0/0/0.0. This allows the Juniper Networks security device to respond to ARP requests received on the interface for those addresses.

  • Security policies to permit traffic from the trust zone to the untrust zone.

On SRX4600 devices, if you configure a source NAT rule or pool whose name is interface or service-set, you receive the error message syntax error, expecting <data>. Such rules and pools also cannot be viewed by name:

  • If there is a source NAT rule named interface, the rule cannot be viewed using the show security nat source rule interface command.

  • If there is a source NAT rule named service-set, the rule cannot be viewed using the show security nat source rule service-set command.

  • If there is a source NAT pool named interface, the pool cannot be viewed using the show security nat source pool interface command.

  • If there is a source NAT pool named service-set, the pool cannot be viewed using the show security nat source pool service-set command.

  • If there is a source NAT pool named interface, the paired-address cannot be viewed using the show security nat source paired-address pool-name interface command.

  • If there is a source NAT pool named service-set, the paired-address cannot be viewed using the show security nat source paired-address pool-name service-set command.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate throughout various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure multiple source NAT rules in a rule set:

  1. Create a source NAT pool.
  2. Create a source NAT pool with no port translation.
    Note

    To configure an overflow pool for src-nat-pool-2 using the egress interface:

  3. Create a source NAT rule set.
  4. Configure a rule that matches packets and translates the source address to an address in the pool.
  5. Configure a rule to match packets for which the source address is not translated.
  6. Configure a rule to match packets and translate the source address to an address in the pool with no port translation.
  7. Configure proxy ARP.
  8. Configure a security policy that allows traffic from the trust zone to the untrust zone.
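The set commands for this example, written out here as an added reconstruction from the description above (this is not the page's own quick-configuration block). The optional overflow pool from the note under step 2 is included; the policy name internet-access and its any/any/any match are assumptions. Lines beginning with # are annotations for the reader; drop them before pasting into the CLI.

```junos
# Pool 1: 192.0.2.1 through 192.0.2.24, PAT enabled by default (used by rule r1)
set security nat source pool src-nat-pool-1 address 192.0.2.1/32 to 192.0.2.24/32
# Pool 2: 192.0.2.100 through 192.0.2.249 with no port translation (used by rule r3).
# With PAT off, concurrent translations are capped at the 150 addresses in the pool,
# so the egress interface is configured as the overflow pool (note under step 2).
set security nat source pool src-nat-pool-2 address 192.0.2.100/32 to 192.0.2.249/32
set security nat source pool src-nat-pool-2 port no-translation
set security nat source pool src-nat-pool-2 overflow-pool interface
# Rule set rs1: trust to untrust. Rules are evaluated in order and the first match
# wins, so the host-specific rule r2 must precede the subnet rule r3.
set security nat source rule-set rs1 from zone trust
set security nat source rule-set rs1 to zone untrust
set security nat source rule-set rs1 rule r1 match source-address 10.1.1.0/24
set security nat source rule-set rs1 rule r1 match source-address 10.1.2.0/24
set security nat source rule-set rs1 rule r1 then source-nat pool src-nat-pool-1
set security nat source rule-set rs1 rule r2 match source-address 192.168.1.250/32
set security nat source rule-set rs1 rule r2 then source-nat off
set security nat source rule-set rs1 rule r3 match source-address 192.168.1.0/24
set security nat source rule-set rs1 rule r3 then source-nat pool src-nat-pool-2
# Proxy ARP so the device answers ARP requests for the pool addresses on ge-0/0/0.0
set security nat proxy-arp interface ge-0/0/0.0 address 192.0.2.1/32 to 192.0.2.24/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.0.2.100/32 to 192.0.2.249/32
# Security policy (name assumed) permitting traffic from trust to untrust
set security policies from-zone trust to-zone untrust policy internet-access match source-address any
set security policies from-zone trust to-zone untrust policy internet-access match destination-address any
set security policies from-zone trust to-zone untrust policy internet-access match application any
set security policies from-zone trust to-zone untrust policy internet-access then permit
```

After committing, show security nat source rule all should report rule r2 hits for 192.168.1.250 and rule r3 hits for the rest of the subnet; if r2 shows no hits while r3 does, the rule order is wrong.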

Results

From configuration mode, confirm your configuration by entering the show security nat and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Source NAT Pool Usage

Purpose

Verify that there is traffic using IP addresses from the source NAT pool.

Action

From operational mode, enter the show security nat source pool all command. View the Translation hits field to check for traffic using IP addresses from the pool.

Verifying Source NAT Rule Usage

Purpose

Verify that there is traffic matching the source NAT rule.

Action

From operational mode, enter the show security nat source rule all command. View the Translation hits field to check for traffic that matches the rule.

Verifying NAT Application to Traffic

Purpose

Verify that NAT is being applied to the specified traffic.

Action

From operational mode, enter the show security flow session command.

Understanding Source NAT Pools

A NAT pool is a user-defined set of IP addresses that are used for translation. Unlike static NAT, where there is a one-to-one mapping that includes destination IP address translation in one direction and source IP address translation in the reverse direction, with source NAT, you translate the original source IP address to an IP address in the address pool.

For source Network Address Translation (NAT) address pools, specify the following:

  • Name of the source NAT address pool.

  • Up to eight address or address ranges.

    Note

    Do not overlap NAT addresses for source NAT, destination NAT, and static NAT within one routing instance.

  • Routing instance—Routing instance to which the pool belongs (the default is the main inet.0 routing instance).

  • Port—The Port Address Translation (PAT) setting for a source pool. By default, PAT is performed with source NAT. If you specify the no-translation option, the number of hosts that the source NAT pool can support is limited to the number of addresses in the pool. If you specify block-allocation, a block of ports is allocated for translation instead of individual ports. If you specify deterministic, an incoming (source) IP address and port always map to the same destination address and port block, based on a predefined, deterministic NAT algorithm. If you specify port-overloading, you can configure the port overloading capacity in source NAT. If you specify range, you can set the port number range attached to each address in the pool, and the twin port range for source NAT pools.

  • Overflow pool (optional)—Packets are dropped if there are no addresses available in the designated source NAT pool. To prevent that from happening when the port no-translation option is configured, you can specify an overflow pool. Once addresses from the original source NAT pool are exhausted, IP addresses and port numbers are allocated from the overflow pool. A user-defined source NAT pool or an egress interface can be used as the overflow pool. (When the overflow pool is used, the pool ID is returned with the address.)

  • IP address shifting (optional)—A range of original source IP addresses can be mapped to another range of IP addresses, or to a single IP address, by shifting the IP addresses. Specify the host-address-base option with the base address of the original source IP address range.

  • Address sharing (optional)—Multiple internal IP addresses can be mapped to the same external IP address. This option can be used only when the source NAT pool is configured with no port translation. Specify the address-shared option when a source NAT pool has few external IP addresses available, or only one external IP address. With a many-to-one mapping, use of this option increases NAT resources and improves traffic.

  • Address pooling (optional)—Address pooling can be configured as paired or no-paired. Specify address-pooling paired for applications that require all sessions associated with one internal IP address to be mapped to the same external IP address for the duration of a session. This differs from the persistent-address option, in which the same internal address is translated to the same external address every time. Specify address-pooling no-paired for applications that can be assigned IP addresses in a round-robin fashion. If either address-pooling paired or address-pooling no-paired is configured for a source NAT pool with PAT, the persistent address option is disabled. If address-shared is configured on a source NAT pool without PAT, then the persistent-address option is enabled. Both address-shared and address-pooling paired can be configured on the same source NAT pool without PAT.

  • Pool utilization alarm (optional)—When the raise-threshold option is configured for source NAT, an SNMP trap is triggered if the source NAT pool utilization rises above this threshold. If the optional clear-threshold option is configured, an SNMP trap is triggered if the source NAT pool utilization drops below this threshold. If clear-threshold is not configured, it is set by default to 80 percent of the raise-threshold value.

You can use the show security nat resource usage source pool command to view address use in a source NAT pool without PAT, and to view port use in a source NAT pool with PAT.

Understanding Source NAT Pool Capacities

Maximum capacities for source pools and IP addresses on SRX300, SRX320, SRX340, SRX345 and SRX650 devices are as follows:

Pool/PAT Maximum Address Capacity        | SRX300, SRX320 | SRX340, SRX345 | SRX650
-----------------------------------------|----------------|----------------|-------
Source NAT pools                         | 1024           | 2048           | 1024
IP addresses supporting port translation | 1024           | 2048           | 1024
PAT port number                          | 64M            | 64M            | 64M

Maximum capacities for source pools and IP addresses on SRX1400, SRX1500, SRX3400, SRX3600, SRX4100, SRX4200, SRX5400, SRX5600, and SRX5800 devices are as follows:

Pool/PAT Maximum Address Capacity        | SRX1400, SRX1500 | SRX3400, SRX3600 | SRX4100, SRX4200 | SRX5400, SRX5600, SRX5800
-----------------------------------------|------------------|------------------|------------------|--------------------------
Source NAT pools                         | 8192             | 10,240           | 10,240           | 12,288
IP addresses supporting port translation | 8192             | 12,288           | 12,288           | 1M
PAT port number                          | 256M             | 384M             | 384M             | 384M

Note

In Release 12.3X48-D40, and in Release 15.1X49-D60 and later releases, you can increase the source NAT port capacity to 2.4G on SRX5400, SRX5600, and SRX5800 devices with next-generation Services Processing Cards (SPCs) by using the port-scaling-enlargement statement at the [edit security nat source] hierarchy level.

Note

Platform support depends on the Junos OS release in your installation.

Increasing the total number of IP addresses used for source NAT, either by adding pools to the configuration or by increasing the number of IP addresses per pool, consumes memory needed for port allocation. When the source NAT pool and IP address limits are reached, port ranges should be reassigned: the number of ports for each IP address should be decreased as the number of IP addresses and source NAT pools increases, so that NAT does not consume too much memory.

For example, in a source NAT pool on SRX5000 line devices, when the number of IP addresses supporting port translation reaches the limit of 1M, the total number of PAT ports is 64G, which exceeds the 384M limit, because by default each IP address supports 64,512 ports. To keep the PAT port count within capacity, the port range for each IP address must be configured smaller, so that the total number of PAT ports decreases.

Use the range and range twin-port options at the [edit security nat source pool port] hierarchy level to assign a new port range or twin port range for a specific pool. Use the pool-default-port-range and the pool-default-twin-port-range options at the [edit security nat source] hierarchy level to specify the global default port range or twin port range for all source NAT pools.

Configuring port overloading should also be done carefully when source NAT pools are increased.

For a source pool with PAT in range (63,488 through 65,535), two ports are allocated at one time for RTP/RTCP applications, such as SIP, H.323, and RTSP. In these scenarios, each IP address supports PAT, occupying 2048 ports (63,488 through 65,535) for ALG module use.

Understanding Persistent Addresses for Source NAT Pools

By default, port address translation is performed with source NAT. However, an original source address may not be translated to the same IP address for different traffic that originates from the same host. The source NAT address-persistent option ensures that the same IP address is assigned from the source NAT pool to a specific host for multiple concurrent sessions.

This option differs from the address-pooling paired option, where the internal address is mapped to an external address within the pool on a first-come, first-served basis, and might be mapped to a different external address for each session.

Example: Configuring Capacity for Source NAT Pools with PAT

This example describes how to configure the capacity of source NAT pools with Port Address Translation (PAT) when a default port range is not set or you want to override it. The number of translations is set for each IP address. When the source pool is increased, ports should be reassigned if the current port count exceeds the limits.

Requirements

Before you begin:

  1. Configure network interfaces on the device. See Interfaces Feature Guide for Security Devices.
  2. Create security zones and assign interfaces to them. See Understanding Security Zones.

Overview

This example shows how to configure a PAT pool of 2048 IP addresses with 32,000 ports for each IP address.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate throughout various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure capacity for a source NAT pool with PAT:

  1. Specify a source NAT pool with PAT and an IP address range.
  2. Specify a default port range for the source pool.
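The set commands for this example and for the port-range guidance in the capacity discussion above, written out here as an added reconstruction rather than the page's own quick-configuration block. The pool name src-nat-pool-1 and the address range 203.0.113.0 through 203.0.120.255 (8 x 256 = 2048 addresses) are assumptions; the last line shows the global pool-default-port-range alternative.

```junos
# PAT pool of 2048 addresses (range assumed); PAT is enabled by default
set security nat source pool src-nat-pool-1 address 203.0.113.0/32 to 203.0.120.255/32
# 32,000 ports per address: 2048 through 34047 inclusive (34047 - 2048 + 1 = 32,000).
# Total PAT ports for this pool: 2048 x 32,000 = 65,536,000. With the default
# 64,512 ports per address it would be 2048 x 64,512 = 132,120,576; compare each
# against the platform's PAT port limit in the capacity tables above.
set security nat source pool src-nat-pool-1 port range 2048 to 34047
# Global alternative: the same default for every source NAT pool that has
# no pool-level port range of its own
set security nat source pool-default-port-range 2048 to 34047
```

The commit check rejects the configuration if the resulting port count exceeds the platform limit, and show security nat source summary displays the per-pool port range that was applied.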

Results

From configuration mode, confirm your configuration by entering the show security nat source summary command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

user@host> run show security nat source summary

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying Capacity of Source NAT Pools

Purpose

View port and pool information. Port limitations are automatically checked, so the configuration will not be committed if port limitations are exceeded.

Action

From operational mode, enter the show security nat source summary command to view port and pool details.

Understanding Source NAT Pools with Address Pooling

When a host initiates several sessions that match a policy that requires NAT, and is assigned an IP address from a source pool that has port address translation enabled, a different source IP address is used for each session.

Because some applications require the same source IP address for each session, you can use the address-pooling paired feature to enable all sessions associated with one internal IP address to map to the same external IP address for the duration of the sessions. When the sessions end, the mapping between the internal IP address and the external IP address ceases. The next time the host initiates a session, a different IP address from the pool might be assigned to it.

This differs from the source NAT address-persistent feature, which keeps the mapping static; the same internal IP address is mapped to the same external IP address every time. It also differs from the address-persistent feature in that address-pooling paired is configured for a specific pool. The address-persistent feature is a global configuration that applies to all source pools.

Understanding Source NAT Pools with Address Shifting

The match conditions for a source NAT rule set do not allow you to specify an address range; only address prefixes may be specified in a rule. When configuring a source NAT pool, you can specify the host-address-base option; this option specifies the IP address where the original source IP address range begins.

The range of original source IP addresses that are translated is determined by the number of addresses in the source NAT pool. For example, if the source NAT pool contains a range of ten IP addresses, then up to ten original source IP addresses can be translated, starting with a specified base address. This type of translation is one-to-one, static, and without port address translation.

The match condition in a source NAT rule may define a larger address range than that specified in the source NAT pool. For example, a match condition might specify an address prefix that contains 256 addresses, but the source NAT pool might contain a range of only a few IP addresses, or only one IP address. A packet’s source IP address can match a source NAT rule, but if the source IP address is not within the address range specified in the source NAT pool, the source IP address is not translated.

Example: Configuring Source NAT Pools with Address Shifting

This example describes how to configure a source NAT mapping of a private address range to public addresses, with optional address shifting. This mapping is one-to-one between the original source IP addresses and translated IP addresses.

Note

The match conditions for a source NAT rule set do not allow you to specify an address range; only address prefixes may be specified in a rule. When configuring a source NAT pool, you can specify the host-address-base option; this option specifies the IP address where the original source IP address range begins, and disables port translation.

The range of original source IP addresses that are translated is determined by the number of addresses in the source NAT pool. For example, if the source NAT pool contains a range of ten IP addresses, then up to ten original source IP addresses can be translated, starting with a specified base address.

The match condition in a source NAT rule may define a larger address range than that specified in the source NAT pool. For example, a match condition might specify an address prefix that contains 256 addresses, but the source NAT pool contains a range of only ten IP addresses. A packet’s source IP address can match a source NAT rule, but if the source IP address is not within the address range specified in the source NAT pool, the source IP address is not translated.

Requirements

Before you begin:

Overview

This example uses the trust security zone for the private address space and the untrust security zone for the public address space. In Figure 5, a range of private addresses in the trust zone is mapped to a range of public addresses in the untrust zone. For packets sent from the trust zone to the untrust zone, a source IP address in the range of 192.168.1.10/32 through 192.168.1.20/32 is translated to a public address in the range of 203.0.113.30/32 through 203.0.113.40/32.

Figure 5: Source NAT with Address Shifting

This example describes the following configurations:

  • Source NAT pool src-nat-pool-1 that contains the IP address range 203.0.113.30/32 through 203.0.113.40/32. For this pool, the beginning of the original source IP address range is 192.168.1.10/32 and is specified with the host-address-base option.

  • Source NAT rule set rs1 with rule r1 to match packets from the trust zone to the untrust zone with a source IP address in the 192.168.1.0/24 subnet. For matching packets that fall within the source IP address range specified by the src-nat-pool-1 configuration, the source address is translated to the IP address in src-nat-pool-1 pool.

  • Proxy ARP for the addresses 203.0.113.30/32 through 203.0.113.40/32 on interface ge-0/0/0.0. This allows the Juniper Networks security device to respond to ARP requests received on the interface for that address.

  • Security policies to permit traffic from the trust zone to the untrust zone.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate throughout various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure a source NAT mapping with address shifting:

  1. Create a source NAT pool.
  2. Specify the beginning of the original source IP address range.
  3. Create a source NAT rule set.
  4. Configure a rule that matches packets and translates the source address to an address in the pool.
  5. Configure proxy ARP.
  6. Configure a security policy that allows traffic from the trust zone to the untrust zone.
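The set commands for this example, and for the address-shifting behaviour described in the preceding section, written out here as an added reconstruction rather than the page's own quick-configuration block; the policy name internet-access and its any/any/any match are assumptions. Lines beginning with # are annotations for the reader.

```junos
# Pool of 11 public addresses; host-address-base turns off port translation
set security nat source pool src-nat-pool-1 address 203.0.113.30/32 to 203.0.113.40/32
# The original source range starts at 192.168.1.10 and, because the pool holds 11
# addresses, ends at 192.168.1.20. The mapping is one-to-one and static:
#   192.168.1.10 -> 203.0.113.30, 192.168.1.11 -> 203.0.113.31, ... 192.168.1.20 -> 203.0.113.40
set security nat source pool src-nat-pool-1 host-address-base 192.168.1.10/32
# Rule r1 matches the whole /24. Hosts outside 192.168.1.10-20 match the rule but
# fall outside the shifted range, so their source address is left untranslated.
set security nat source rule-set rs1 from zone trust
set security nat source rule-set rs1 to zone untrust
set security nat source rule-set rs1 rule r1 match source-address 192.168.1.0/24
set security nat source rule-set rs1 rule r1 then source-nat pool src-nat-pool-1
# Proxy ARP for the translated addresses on the untrust interface
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.30/32 to 203.0.113.40/32
# Security policy (name assumed) permitting traffic from trust to untrust
set security policies from-zone trust to-zone untrust policy internet-access match source-address any
set security policies from-zone trust to-zone untrust policy internet-access match destination-address any
set security policies from-zone trust to-zone untrust policy internet-access match application any
set security policies from-zone trust to-zone untrust policy internet-access then permit
```

Because hosts outside the shifted range leave with their private address unchanged, check show security flow session for sessions from 192.168.1.0/24 whose source was not translated when the rule counters look right but connectivity fails.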

Results

From configuration mode, confirm your configuration by entering the show security nat and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Source NAT Pool Usage

Purpose

Verify that there is traffic using IP addresses from the source NAT pool.

Action

From operational mode, enter the show security nat source pool all command. View the Translation hits field to check for traffic using IP addresses from the pool.

Verifying Source NAT Rule Usage

Purpose

Verify that there is traffic matching the source NAT rule.

Action

From operational mode, enter the show security nat source rule all command. View the Translation hits field to check for traffic that matches the rule.

Verifying NAT Application to Traffic

Purpose

Verify that NAT is being applied to the specified traffic.

Action

From operational mode, enter the show security flow session command.

Understanding Source NAT Pools with PAT

Using the source pool with Port Address Translation (PAT), Junos OS translates both the source IP address and the port number of the packets. When PAT is used, multiple hosts can share the same IP address.

Junos OS maintains a list of assigned port numbers to distinguish what session belongs to which host. When PAT is enabled, up to 63,488 hosts can share a single IP address. Each source pool can contain multiple IP addresses, multiple IP address ranges, or both. For a source pool with PAT, Junos OS may assign different addresses to a single host for different concurrent sessions, unless the source pool or Junos OS has the persistent address feature or the paired address pooling feature enabled.

For an interface source pool and a source pool with PAT, the port range 1024 through 65,535 is available for port number mapping per IP address. Within the range 1024 through 63,487, one port is allocated at a time, for a total of 62,464 ports. In the range 63,488 through 65,535, two ports are allocated at a time for RTP/RTCP applications such as SIP, H.323, and RTSP, for a total of 2,048 ports.

When a host initiates several sessions that match a policy that requires network address translation and is assigned an address from a source pool that has PAT enabled, the device assigns a different source IP address for each session. Such random address assignment can be problematic for services that create multiple sessions that require the same source IP address for each session. For example, it is important to have the same IP address for multiple sessions when using the AOL Instant Message (AIM) client.

To ensure that the router assigns the same IP address from a source pool to a host for multiple concurrent sessions, you can enable a persistent IP address per router. To ensure that the device assigns the same IP address from a source pool to a host for the duration of a single session, you can enable paired address pooling.

Example: Configuring Source NAT for Multiple Addresses with PAT

This example describes how to configure a source NAT mapping of a private address block to a smaller public address block using port address translation.

Requirements

Before you begin:

  1. Configure network interfaces on the device. See Interfaces Feature Guide for Security Devices.
  2. Create security zones and assign interfaces to them. See Understanding Security Zones.

Overview

This example uses the trust security zone for the private address space and the untrust security zone for the public address space. In Figure 6, the source IP address in packets sent from the trust zone to the untrust zone is mapped to a smaller block of public addresses in the range from 203.0.113.1/32 through 203.0.113.24/32. Because the size of the source NAT address pool is smaller than the number of potential addresses that might need to be translated, port address translation is used.

Note

Port address translation includes a source port number with the source IP address mapping. This allows multiple addresses on a private network to map to a smaller number of public IP addresses. Port address translation is enabled by default for source NAT pools.

Figure 6: Source NAT Multiple Addresses with PAT

This example describes the following configurations:

  • Source NAT pool src-nat-pool-1 that contains the IP address range 203.0.113.1/32 through 203.0.113.24/32.

  • Source NAT rule set rs1 to match all packets from the trust zone to the untrust zone. For matching packets, the source IP address is translated to an IP address in the src-nat-pool-1 pool.

  • Proxy ARP for the addresses 203.0.113.1/32 through 203.0.113.24/32 on interface ge-0/0/0.0. This allows the Juniper Networks security device to respond to ARP requests received on the interface for those addresses.

  • Security policies to permit traffic from the trust zone to the untrust zone.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate throughout various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure a source NAT mapping from a private address block to a smaller public address block using PAT:

  1. Create a source NAT pool.
  2. Create a source NAT rule set.
  3. Configure a rule that matches packets and translates the source address to an address in the pool.
  4. Configure proxy ARP.
  5. Configure a security policy that allows traffic from the trust zone to the untrust zone.

Results

From configuration mode, confirm your configuration by entering the show security nat and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Source NAT Pool Usage

Purpose

Verify that there is traffic using IP addresses from the source NAT pool.

Action

From operational mode, enter the show security nat source pool all command. View the Translation hits field to check for traffic using IP addresses from the pool.

Verifying Source NAT Rule Usage

Purpose

Verify that there is traffic matching the source NAT rule.

Action

From operational mode, enter the show security nat source rule all command. View the Translation hits field to check for traffic that matches the rule.

Verifying NAT Application to Traffic

Purpose

Verify that NAT is being applied to the specified traffic.

Action

From operational mode, enter the show security flow session command.

Understanding Source NAT Pools Without PAT

When you define a source pool, Junos OS enables PAT by default. To disable PAT, you must specify the port no-translation option when you define the source pool.

When using a source pool without PAT, Junos OS performs source Network Address Translation for the IP address without performing PAT for the source port number. For applications that require that a particular source port number remain fixed, you must use source pool without PAT.

The source pool can contain multiple IP addresses, multiple IP address ranges, or both. For source pool without PAT, Junos OS assigns one translated source address to the same host for all its concurrent sessions unless the address-pooling no-paired option is enabled.

The number of hosts that a source NAT pool without PAT can support is limited to the number of addresses in the pool. When you have a pool with a single IP address, only one host can be supported, and traffic from other hosts is blocked because there are no resources available. If a single IP address is configured for a source NAT pool without PAT when NAT resource assignment is not in active-backup mode in a chassis cluster, traffic through node 1 will be blocked.

Pool utilization for each source pool without PAT is computed. You can turn on pool utilization alarm by configuring alarm thresholds. An SNMP trap is triggered every time pool utilization rises above a threshold and goes below a threshold.
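As an added illustration of the alarm behavior just described (constructed for this page, not Junos OS code), the following Python models a pool utilization alarm with a raise threshold and a clear threshold, so that a trap is emitted once when utilization crosses upward and once when it drops back, rather than on every sample. The threshold names, the 24-address pool size and the utilization samples are assumptions:

```python
"""Pool utilization alarm with hysteresis (raise/clear thresholds).

Constructed illustration added to this page, not Junos OS code.  It models
the behaviour the text describes: one SNMP-style trap when utilization
rises above the raise threshold, and one more when it falls back below the
clear threshold.  Threshold names and sample values are assumptions.
"""
from typing import List, Optional, Tuple


class PoolUtilizationAlarm:
    """Tracks one source pool and decides when a trap should be sent."""

    def __init__(self, raise_threshold: int, clear_threshold: int):
        # A clear threshold above the raise threshold would re-trigger on
        # every sample, so reject it up front.
        if not 0 <= clear_threshold <= raise_threshold <= 100:
            raise ValueError("need 0 <= clear_threshold <= raise_threshold <= 100")
        self.raise_threshold = raise_threshold
        self.clear_threshold = clear_threshold
        self.raised = False            # is the alarm currently active?

    def observe(self, addresses_in_use: int, pool_size: int) -> Optional[Tuple[str, int]]:
        """Feed one utilization sample; return the trap to send, if any."""
        percent = 100 * addresses_in_use // pool_size   # integer percent
        if not self.raised and percent > self.raise_threshold:
            self.raised = True
            return ("utilization-raise", percent)
        if self.raised and percent < self.clear_threshold:
            self.raised = False
            return ("utilization-clear", percent)
        return None                    # still on the same side: stay quiet


def trap_sequence(samples: List[int], pool_size: int = 24,
                  raise_threshold: int = 80, clear_threshold: int = 60):
    """Run a series of 'addresses in use' samples and collect the traps."""
    alarm = PoolUtilizationAlarm(raise_threshold, clear_threshold)
    traps = []
    for used in samples:
        trap = alarm.observe(used, pool_size)
        if trap is not None:
            traps.append(trap)
    return traps


if __name__ == "__main__":
    # Constructed series: usage climbs past 80%, sinks below 60%, climbs again.
    for trap in trap_sequence([10, 19, 20, 22, 18, 14, 13, 20]):
        print(trap)
```

The gap between the two thresholds is what keeps a pool hovering around the limit from generating a trap on every sample; the clear threshold is the value to tune if traps are too noisy.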

Note

If a static NAT rule performs one-to-one IP translation, avoid dividing the rule into a destination rule and a source rule when a source no-PAT pool without address sharing is used. If you do divide the rule, you must use a source PAT pool with a single IP address or a source no-PAT pool with multiple IP addresses.

Example: Configuring a Single IP Address in a Source NAT Pool Without PAT

This example describes how to configure a private address block to a single public address in a source NAT pool without Port Address Translation.

Note

PAT is enabled by default for source NAT pools. When PAT is disabled, the number of translations that the source NAT pool can concurrently support is limited to the number of addresses in the pool. Packets are dropped if there are no addresses available in the source NAT pool. However, using the address-shared option, you can map more than one private IP address to a single public IP address as long as the traffic is from different source ports.

Requirements

Before you begin:

  1. Configure network interfaces on the device. See Interfaces Feature Guide for Security Devices.
  2. Create security zones and assign interfaces to them. See Understanding Security Zones.

Overview

This example uses the trust security zone for the private address space and the untrust security zone for the public address space. The source IP address of packets sent from the trust zone to the untrust zone is mapped to a single public address.

This example describes the following configurations:

  • Source NAT pool src-nat-pool-1 that contains the IP address 203.0.113.1/30. The port no-translation option and the address-shared option are specified for the pool.

  • Source NAT rule set rs1 to match all packets from the trust zone to the untrust zone. For matching packets, the source IP address is translated to an IP address in the src-nat-pool-1 pool.

  • Security policies to permit traffic from the trust zone to the untrust zone.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate throughout various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure a source NAT mapping from a private address block to a single public address without PAT:

  1. Create a source NAT pool with a single IP address for the shared address.

    Specify the port no-translation option.

  2. Specify the address-shared option.
  3. Create a source NAT rule set.
  4. Configure a rule that matches packets and translates the source address to an address in the pool.
  5. Configure a security policy that allows traffic from the trust zone to the untrust zone.

Results

From configuration mode, confirm your configuration by entering the show security nat source pool and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Shared Address

Purpose

Verify that two internal IP addresses, with different source ports, share one external IP address.

Action

From operational mode, enter the show security nat source pool command. View the Address assignment field to verify that it is shared.

Verifying Shared Address Application to Traffic

Purpose

Verify that two sessions are using the same IP address.

Action

From operational mode, enter the show security flow session command.

Example: Configuring Multiple Addresses in a Source NAT Pool Without PAT

This example describes how to configure a source NAT mapping of a private address block to a smaller public address block without port address translation.

Note

Port address translation is enabled by default for source NAT pools. When port address translation is disabled, the number of translations that the source NAT pool can concurrently support is limited to the number of addresses in the pool. Packets are dropped if there are no addresses available in the source NAT pool. You can optionally specify an overflow pool from which IP addresses and port numbers are allocated when there are no addresses available in the original source NAT pool.

Requirements

Before you begin:

  1. Configure network interfaces on the device. See Interfaces Feature Guide for Security Devices.
  2. Create security zones and assign interfaces to them. See Understanding Security Zones.

Overview

This example uses the trust security zone for the private address space and the untrust security zone for the public address space. In Figure 7, the source IP address in packets sent from the trust zone to the untrust zone is mapped to a smaller block of public addresses in the range from 203.0.113.1/32 through 203.0.113.24/32.

Figure 7: Source NAT Multiple Addresses Without PAT

This example describes the following configurations:

  • Source NAT pool src-nat-pool-1 that contains the IP address range 203.0.113.1/32 through 203.0.113.24/32. The port no-translation option is specified for the pool.

  • Source NAT rule set rs1 to match all packets from the trust zone to the untrust zone. For matching packets, the source IP address is translated to an IP address in the src-nat-pool-1 pool.

  • Proxy ARP for the addresses 203.0.113.1/32 through 203.0.113.24/32 on interface ge-0/0/0.0. This allows the Juniper Networks security device to respond to ARP requests received on the interface for those addresses.

  • Security policies to permit traffic from the trust zone to the untrust zone.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate throughout various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure a source NAT mapping from a private address block to a smaller public address block without PAT:

  1. Create a source NAT pool.
  2. Specify the port no-translation option.
  3. Create a source NAT rule set.
  4. Configure a rule that matches packets and translates the source address to an address in the pool.
  5. Configure proxy ARP.
  6. Configure a security policy that allows traffic from the trust zone to the untrust zone.

Results

From configuration mode, confirm your configuration by entering the show security nat and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Source NAT Pool Usage

Purpose

Verify that there is traffic using IP addresses from the source NAT pool.

Action

From operational mode, enter the show security nat source pool all command. View the Translation hits field to check for traffic using IP addresses from the pool.

Verifying Source NAT Rule Usage

Purpose

Verify that there is traffic matching the source NAT rule.

Action

From operational mode, enter the show security nat source rule all command. View the Translation hits field to check for traffic that matches the rule.

Verifying NAT Application to Traffic

Purpose

Verify that NAT is being applied to the specified traffic.

Action

From operational mode, enter the show security flow session command.

Understanding Shared Addresses in Source NAT Pools without PAT

Source NAT pools with no port address translation perform static, one-to-one mappings from one source IP address to one external IP address. When a source no-pat pool has only one external IP address, or very few, the address-shared option lets you map many source IP addresses to one external IP address as long as the traffic comes from different source ports.

For example, if a source NAT pool with no port translation contains only two IP addresses, IP 1 and IP 2, then when a packet arrives from:

  1. Source IP 1, port 1, it is translated to IP 1, port 1.
  2. Source IP 2, port 2, it is translated to IP 2, port 2.
  3. Source IP 3, port 1, it is translated to IP 2, port 1. (It cannot be translated to IP 1, port 1 because that port is already used.)

    However, if another packet arrives from source IP 3, port 1 for a different destination IP address and port, it cannot be translated to IP 1, port 1 or to IP 2, port 1, because port 1 is already used on both available IP addresses. The session fails.

This option increases the available NAT resources and improves the chance of setting up translated traffic successfully. It cannot be used on source NAT pools with port address translation because address sharing is already their default behavior.
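The allocation rules above, together with the single-address no-PAT case and the PAT-enabled default described earlier on this page, as an added Python model (constructed for this page, not Junos OS code). The class and function names and the 203.0.113.x pool and 10.1.1.x host addresses are assumptions; shared_pool_walkthrough replays the IP 1 / IP 2 / IP 3 sequence from the text, including the session that fails:

```python
"""Allocation model for source NAT pools with and without PAT.

Constructed illustration added to this page, not Junos OS code.  It
reproduces the allocation rules the text describes so the failure cases
(pool exhaustion, a source port already used on every shared address)
can be observed on sample traffic.  All addresses are constructed values.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Translation = Optional[Tuple[str, int]]   # (external address, port) or None


@dataclass
class NoPatPool:
    """Source pool configured with port no-translation."""
    addresses: List[str]                         # external addresses, pool order
    address_shared: bool = False                 # the address-shared option
    paired: dict = field(default_factory=dict)   # host -> external address
    in_use: set = field(default_factory=set)     # (external address, port)

    def translate(self, src_ip: str, src_port: int) -> Translation:
        """Translated (address, port) for a new session, or None if dropped."""
        if not self.address_shared:
            # One-to-one: an external address belongs to exactly one host and
            # the source port is carried through unchanged.
            ext = self.paired.get(src_ip)
            if ext is None:
                free = [a for a in self.addresses if a not in self.paired.values()]
                if not free:
                    return None                  # pool exhausted: packet dropped
                ext = self.paired[src_ip] = free[0]
            return ext, src_port

        # address-shared: the (address, port) pair is the unit of allocation.
        # Try the host's paired address first, then an address nobody holds
        # yet, then any address on which this source port is still free.
        order = [self.paired[src_ip]] if src_ip in self.paired else []
        order += [a for a in self.addresses if a not in self.paired.values()]
        order += [a for a in self.addresses if a not in order]
        for ext in order:
            if (ext, src_port) not in self.in_use:
                self.in_use.add((ext, src_port))
                self.paired.setdefault(src_ip, ext)
                return ext, src_port
        return None                              # port busy everywhere: session fails


@dataclass
class PatPool:
    """Source pool with PAT (the default): many hosts share few addresses."""
    addresses: List[str]
    port_range: Tuple[int, int] = (1024, 65535)
    paired: dict = field(default_factory=dict)
    in_use: set = field(default_factory=set)

    def translate(self, src_ip: str, src_port: int) -> Translation:
        # address-pooling paired (default): a host keeps one external address;
        # new hosts are spread round-robin over the pool.
        ext = self.paired.setdefault(
            src_ip, self.addresses[len(self.paired) % len(self.addresses)])
        for port in range(self.port_range[0], self.port_range[1] + 1):
            if (ext, port) not in self.in_use:   # source port is rewritten
                self.in_use.add((ext, port))
                return ext, port
        return None                              # no free port on the host's address


def shared_pool_walkthrough():
    """The two-address address-shared pool from the text, as sample traffic."""
    pool = NoPatPool(["203.0.113.1", "203.0.113.2"], address_shared=True)
    return [
        pool.translate("10.1.1.1", 1),   # IP 1, port 1 -> 203.0.113.1:1
        pool.translate("10.1.1.2", 2),   # IP 2, port 2 -> 203.0.113.2:2
        pool.translate("10.1.1.3", 1),   # IP 3, port 1 -> 203.0.113.2:1 (port 1 busy on .1)
        pool.translate("10.1.1.3", 1),   # second session from the same source tuple: None
    ]


def single_address_walkthrough(address_shared: bool):
    """A one-address no-PAT pool: the second host is dropped unless shared."""
    pool = NoPatPool(["203.0.113.1"], address_shared=address_shared)
    return [pool.translate("10.1.1.1", 5000), pool.translate("10.1.1.2", 6000)]


def pat_walkthrough():
    """PAT pool with a deliberately tiny port range to show exhaustion."""
    pool = PatPool(["203.0.113.1"], port_range=(1024, 1025))
    return [pool.translate(h, 5000) for h in ("10.1.1.1", "10.1.1.2", "10.1.1.3")]


if __name__ == "__main__":
    print(shared_pool_walkthrough())
    print(single_address_walkthrough(False), single_address_walkthrough(True))
    print(pat_walkthrough())
```

The model makes the trade-off explicit: a no-PAT pool keeps the source port intact (what port-sensitive applications need) at the price of one address per host, address-shared recovers some capacity only while source ports differ, and a PAT pool never runs out of addresses but rewrites the port.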

Understanding NAT Session Persistence

Network Address Translation (NAT) session persistence provides a means to retain existing sessions, instead of clearing them, when the NAT configuration changes. If session persistence is enabled, the retained sessions continue to process and forward packets, and time and resources are spent only on rebuilding the affected sessions. Thus, packet forwarding does not stop even if the NAT configuration changes for some or all sessions.

From Junos OS Release 18.3R1 onward, with the support for NAT session persistence, the Packet Forwarding Engine scans the sessions and decides whether to keep the sessions or clear the sessions. In releases before Junos OS Release 18.3R1, the NAT sessions are cleared if there is a change in the NAT configuration.

The Packet Forwarding Engine performs the following two types of scans to decide whether to retain or drop sessions:

  • Source NAT pool session persistence scan—The Packet Forwarding Engine compares the existing session IP address with the source pool address range. If the existing session IP address is in the configured source pool address range, the session is kept alive; otherwise the session is cleared.

  • Source NAT rule session persistence scan—The Packet Forwarding Engine uses the rule ID to compare the source IP address, source port, destination IP address, and destination port between the old and new configurations. If the new and old configurations are the same, the session is kept alive; otherwise the session is cleared.

Note
  • NAT session persistence is not supported for static NAT and destination NAT.

  • NAT session persistence is not supported if the PAT pool is configured with the address persistent, address pooling paired, source address-persistent, port block allocation, port deterministic, persistent nat, and port overloading factor fields.

NAT session persistence is supported only for source NAT in the following scenarios:

  • Source pool—Change in an address range in a Port Address Translation (PAT) pool.

  • Source rule—Change in match conditions for the address book, application, destination IP address, destination port, source IP address, and destination port information.

To enable the NAT session persistence scanning, include the session-persistence-scan statement at the [edit security nat source] hierarchy level.

You can also configure a timeout value to retain the sessions for the specified time period by using the set security nat source session-drop-hold-down CLI command. The value of the session-drop-hold-down option ranges from 30 through 28,800 seconds (eight hours). The session expires after the configured timeout period.
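The two scans and the session-drop-hold-down timeout described above, as an added decision model in Python (constructed for this page, not Junos OS code). The rule and session field names, the 203.0.113.x pool ranges and the sample sessions are assumptions; the scan function applies the pool range check and the per-rule-ID match-condition comparison to each session and attaches the hold-down timeout to the ones that would be cleared, treating sessions that could never time out the way the Limitations section describes:

```python
"""Decision model for the NAT session persistence scans.

Constructed illustration added to this page, not Junos OS code.  It applies
the source pool scan (is the translated address still inside the pool?) and
the source rule scan (did the match conditions for this rule ID change?) to
constructed sessions, then applies session-drop-hold-down to the losers.
Field names and sample values are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HOLD_DOWN_MIN, HOLD_DOWN_MAX = 30, 28_800      # seconds; 28,800 = eight hours


@dataclass(frozen=True)
class SourceRule:
    """Match conditions of a source NAT rule, identified by its rule ID."""
    rule_id: int
    source_address: str
    destination_address: str
    source_port: Tuple[int, int]
    destination_port: Tuple[int, int]


@dataclass(frozen=True)
class Session:
    session_id: int
    rule_id: int
    translated_source: str         # address the session was given from the pool


def in_pool(address: str, pool_ranges: List[Tuple[str, str]]) -> bool:
    """Pool scan: is the session's translated address inside the new pool?"""
    ip = ipaddress.ip_address(address)
    return any(ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi)
               for lo, hi in pool_ranges)


def rule_unchanged(rule_id: int, old: Dict[int, SourceRule],
                   new: Dict[int, SourceRule]) -> bool:
    """Rule scan: same match conditions for this rule ID before and after?"""
    return rule_id in new and old.get(rule_id) == new[rule_id]


def scan(sessions: List[Session], new_pool_ranges: List[Tuple[str, str]],
         old_rules: Dict[int, SourceRule], new_rules: Dict[int, SourceRule],
         hold_down: Optional[int]) -> Dict[int, str]:
    """Return a decision per session ID after a NAT configuration change."""
    if hold_down is not None and not HOLD_DOWN_MIN <= hold_down <= HOLD_DOWN_MAX:
        raise ValueError("session-drop-hold-down must be 30..28800 seconds")
    decisions = {}
    for s in sessions:
        survives = (in_pool(s.translated_source, new_pool_ranges)
                    and rule_unchanged(s.rule_id, old_rules, new_rules))
        if survives:
            decisions[s.session_id] = "keep"
        elif hold_down is None or hold_down == HOLD_DOWN_MAX:
            # Limitation from the text: a session that would never time out
            # is ignored by the scan and therefore retained.
            decisions[s.session_id] = "keep (never times out)"
        else:
            decisions[s.session_id] = f"clear after {hold_down}s"
    return decisions


def example() -> Dict[int, str]:
    """Constructed change: pool shrinks from .1-.24 to .1-.16, rule 2 is edited."""
    any_port = (1, 65535)
    old_rules = {1: SourceRule(1, "10.1.1.0/24", "0.0.0.0/0", any_port, any_port),
                 2: SourceRule(2, "10.1.2.0/24", "0.0.0.0/0", any_port, any_port)}
    new_rules = {1: old_rules[1],
                 2: SourceRule(2, "10.1.2.0/24", "192.0.2.0/24", any_port, any_port)}
    new_pool = [("203.0.113.1", "203.0.113.16")]
    sessions = [Session(101, 1, "203.0.113.5"),     # still in range, rule unchanged
                Session(102, 1, "203.0.113.20"),    # translated address left the pool
                Session(103, 2, "203.0.113.3")]     # rule 2 match conditions changed
    return scan(sessions, new_pool, old_rules, new_rules, hold_down=300)


if __name__ == "__main__":
    for session_id, decision in example().items():
        print(session_id, decision)
```

Running example() shows that only the session whose translated address and rule both survive the change is kept outright; the other two stay up for the 300-second hold-down and then expire, which is the window in which the hosts behind them can re-establish their connections without a hard cut.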

Limitations of NAT Session Persistence

  • When IP addresses in the NAT source pool change, the newly configured IP addresses are appended to the NAT source pool. After the pool is rebuilt, the new IP addresses are not the same as the existing ones, and this difference affects the round-robin mode of picking IP addresses from the NAT source pool.

  • If the scan types identify sessions that will never be timed out (that is, the sessions for which the session-drop-hold-down value is not configured or is configured as 8 hours), then the Packet Forwarding Engine ignores those sessions, and the sessions are retained.

Configuring the NAT Session Hold Timeout and NAT Session Persistence Scan

This configuration shows how to configure the NAT session hold timeout and NAT session persistence.

Configuring NAT Session Hold Timeout

The following configuration shows how to configure the NAT session hold timeout.

  • To set the NAT session hold timeout period, include the session-drop-hold-down time statement at the [edit security nat source] hierarchy level.

    The value of the time variable ranges from 30 through 28,800 seconds (eight hours). The session expires after the configured timeout period.

Results

From configuration mode, confirm your configuration by entering the show security command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

Configuring NAT Session Persistence Scan

The following configuration shows how to configure the NAT session persistence scan.

  • To enable the NAT session persistence scan, include the session-persistence-scan statement at the [edit security nat source] hierarchy level.

Results

From configuration mode, confirm your configuration by entering the show security command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

Understanding NAT Configuration Check on Egress Interfaces after Reroute

The Network Address Translation (NAT) configuration often changes to accommodate more users and to move traffic onto a shorter route. If the egress interface changes because traffic is rerouted, you can use the set security flow enable-reroute-uniform-link-check nat command to retain the existing NAT configuration and rule for the session.

When the enable-reroute-uniform-link-check nat command is enabled:

  • The session is retained with the existing NAT rule if the new egress interface and the previous egress interface are in the same security zone and either the matched NAT rule is unchanged or no rule applies both before and after rerouting.

  • The session expires if the new egress interface and the previous egress interface are in the same security zone and the matched NAT rule is changed.

When the enable-reroute-uniform-link-check nat command is disabled:

  • The traffic is forwarded to the new egress interface if the new egress interface and the previous egress interface are in the same security zone.

Configuration

To enable the NAT configuration for an existing session when there is a change in egress interface because of rerouting, use the following command:

[edit]
user@host# set security flow enable-reroute-uniform-link-check nat

The new configuration is applied when you commit the configuration changes.

The enable-reroute-uniform-link-check nat command is disabled by default.

Limitations

Retaining the NAT configuration using the set security flow enable-reroute-uniform-link-check nat command has the following limitations:

  • The TCP synchronization does not allow the new session to transfer the traffic. You must disable the TCP synchronization to allow the transfer of traffic in new sessions.

  • Packet information might be lost if the reroute is initiated after the three-way handshake that initializes communication. You must disable Junos OS Services Framework (JSF) services such as the Application Layer Gateway (ALG) to allow the transfer of traffic in new sessions.

Release History Table

Release: 17.4R1
Description: Starting in Junos OS Release 17.4R1, source NAT resources handled by the central point architecture have been offloaded to the SPUs when the SPC number is more than four, resulting in more efficient resource allocation.

Release: 15.1X49-D30, 17.3R1
Description: Starting in Junos OS Release 15.1X49-D30 and Junos OS Release 17.3R1, the central point architecture for NAT has been enhanced to handle higher system session capacity and session ramp-up rate for the SRX5000 line.

Release: 12.3X48-D40, 15.1X49-D60
Description: In Release 12.3X48-D40, and in Release 15.1X49-D60 and later releases, you can increase the source NAT port capacity to 2.4G on SRX5400, SRX5600, and SRX5800 devices with next-generation Services Processing Cards (SPCs) using the port-scaling-enlargement statement at the [edit security nat source] hierarchy level supported