Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Static NAT

 

Static NAT maps network traffic from a static external IP address to an internal IP address or network. It creates a static translation of real addresses to mapped addresses. Static NAT provides internet connectivity to networking devices through a private LAN with an unregistered private IP address.

Understanding Static NAT

Static NAT defines a one-to-one mapping from one IP subnet to another IP subnet. The mapping includes destination IP address translation in one direction and source IP address translation in the reverse direction. From the NAT device, the original destination address is the virtual host IP address while the mapped-to address is the real host IP address.

Static NAT allows connections to be originated from either side of the network, but translation is limited to one-to-one or between blocks of addresses of the same size. For each private address, a public address must be allocated. No address pools are necessary.

Static NAT also supports the following types of translation:

  • To map multiple IP addresses and specified ranges of ports to a same IP address and different range of ports

  • To map a specific IP address and port to a different IP address and port

The port address translation (PAT) is also supported by giving static mapping between destination-port (range) and mapped-port (range).

Note

The original destination address, along with other addresses in source and destination NAT pools, must not overlap within the same routing instance.

In NAT rule lookup, static NAT rules take precedence over destination NAT rules and reverse mapping of static NAT rules take precedence over source NAT rules.

Understanding Static NAT Rules

Static Network Address Translation (NAT) rules specify two layers of match conditions:

  • Traffic direction—Allows you to specify from interface, from zone, or from routing-instance.

  • Packet information—Can be source addresses and ports, and destination addresses and ports.

For all ALG traffic, except FTP, we recommend that you not use the static NAT rule options source-address or source-port. Data session creation can fail if these options are used because the IP address and the source port value, which is a random value, might not match the static NAT rule. For FTP ALG traffic, the source-address option can be used because an IP address can be provided to match the source address of a static NAT rule.

When both source and destination addresses are configured as match conditions for a rule, traffic is matched to both the source address and destination address. Because static NAT is bidirectional, traffic in the opposite direction reverse matches the rule, and the destination address of the traffic is matched to the configured source address.

If multiple static NAT rules overlap in the match conditions, the most specific rule is chosen. For example, if rules A and B specify the same source and destination IP addresses, but rule A specifies traffic from zone 1 and rule B specifies traffic from interface ge-0/0/0, rule B is used to perform static NAT. An interface match is considered to be more specific than a zone match, which is more specific than a routing instance match.

Because static NAT rules do not support overlapping addresses and ports, they should not be used to map one external IP address to multiple internal IP addresses for ALG traffic. For example, if different sites want to access two different FTP servers, the internal FTP servers should be mapped to two different external IP addresses.

For the static NAT rule action, specify the translated address and (optionally) the routing instance.

In NAT lookup, static NAT rules take precedence over destination NAT rules and reverse mapping of static NAT rules takes precedence over source NAT rules.

Static NAT Configuration Overview

The main configuration tasks for static NAT are as follows:

  1. Configure static NAT rules that align with your network and security requirements.
  2. Configure NAT proxy ARP entries for IP addresses in the same subnet of the ingress interface.

Example: Configuring Static NAT for Single Address Translation

This example describes how to configure a static NAT mapping of a single private address to a public address.

Requirements

Before you begin:

  1. Configure network interfaces on the device. See Interfaces User Guide for Security Devices.
  2. Create security zones and assign interfaces to them. See Understanding Security Zones.

Overview

This example uses the trust security zone for the private address space and the untrust security zone for the public address space.

In Figure 1, devices in the untrust zone access a server in the trust zone by way of public address 203.0.113.200/32. For packets that enter the Juniper Networks security device from the untrust zone with the destination IP address 203.0.113.200/32, the destination IP address is translated to the private address 192.168.1.200/32. For a new session originating from the server, the source IP address in the outgoing packet is translated to the public address 203.0.113.200/32.

Figure 1: Static NAT Single Address Translation
 Static NAT Single
Address Translation

This example describes the following configurations:

  • Static NAT rule set rs1 with rule r1 to match packets from the untrust zone with the destination address 203.0.113.200/32. For matching packets, the destination IP address is translated to the private address 192.168.1.200/32.

  • Proxy ARP for the address 203.0.113.200 on interface ge-0/0/0.0. This allows the Juniper Networks security device to respond to ARP requests received on the interface for that address.

  • Security policies to permit traffic to and from the 192.168.1.200 server.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate throughout various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure a static NAT mapping from a private address to a public address:

  1. Create a static NAT rule set.
  2. Configure a rule that matches packets and translates the destination address in the packets to a private address.
  3. Configure proxy ARP.
  4. Configure an address in the global address book.
  5. Configure a security policy that allows traffic from the untrust zone to the server in the trust zone.
  6. Configure a security policy that allows all traffic from the server in the trust zone to the untrust zone.

Results

From configuration mode, confirm your configuration by entering the show security nat and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Static NAT Configuration

Purpose

Verify that there is traffic matching the static NAT rule set.

Action

From operational mode, enter the show security nat static rule command. View the Translation hits field to check for traffic that matches the rule.

Verifying NAT Application to Traffic

Purpose

Verify that NAT is being applied to the specified traffic.

Action

From operational mode, enter the show security flow session command.

Example: Configuring Static NAT for Subnet Translation

This example describes how to configure a static NAT mapping of a private subnet address to a public subnet address.

Note

Address blocks for static NAT mapping must be of the same size.

Requirements

Before you begin:

  1. Configure network interfaces on the device. See Interfaces User Guide for Security Devices.
  2. Create security zones and assign interfaces to them. See Understanding Security Zones.

Overview

This example uses the trust security zone for the private address space and the untrust security zone for the public address space. In Figure 2, devices in the untrust zone access devices in the trust zone by way of public subnet address 203.0.113.0/24. For packets that enter the Juniper Networks security device from the untrust zone with a destination IP address in the 203.0.113.0/24 subnet, the destination IP address is translated to a private address on the 192.168.1.0/24 subnet. For new sessions originating from the 192.168.1.0/24 subnet, the source IP address in outgoing packets is translated to an address on the public 203.0.113.0/24 subnet.

Figure 2: Static NAT Subnet Translation
Static NAT Subnet Translation

This example describes the following configurations:

  • Static NAT rule set rs1 with rule r1 to match packets received on interface ge-0/0/0.0 with a destination IP address in the 203.0.113.0/24 subnet. For matching packets, the destination address is translated to an address on the 192.168.1.0/24 subnet.

  • Proxy ARP for the address ranges 203.0.113.1/32 through 203.0.113.249/32 on interface ge-0/0/0.0. This allows the Juniper Networks security device to respond to ARP requests received on the interface for those addresses. The address 203.0.113.250/32 is assigned to the interface itself, so this address is not included in the proxy ARP configuration.

  • Security policies to permit traffic to and from the 192.168.1.0/24 subnet.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate throughout various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure a static NAT mapping from a private subnet address to a public subnet address:

  1. Create a static NAT rule set.
  2. Configure a rule that matches packets and translates the destination address in the packets to an address in a private subnet.
  3. Configure proxy ARP.
  4. Configure an address in the global address book.
  5. Configure a security policy that allows traffic from the untrust zone to the subnet in the trust zone.
  6. Configure a security policy that allows all traffic from the subnet in the trust zone to the untrust zone.

Results

From configuration mode, confirm your configuration by entering the show security nat and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Static NAT Configuration

Purpose

Verify that there is traffic matching the static NAT rule set.

Action

From operational mode, enter the show security nat static rule command. View the Translation hits field to check for traffic that matches the rule.

Verifying NAT Application to Traffic

Purpose

Verify that NAT is being applied to the specified traffic.

Action

From operational mode, enter the show security flow session command.

Example: Configuring Static NAT for Port Mapping

This example describes how to configure static NAT mappings of a public address to private addresses on a specified range of ports.

This topic includes the following sections:

Requirements

Before you begin:

Overview

This example uses the trust security zone for the private address space and the untrust security zone for the public address space.

In Figure 3, devices in the untrust zone access a server in the trust zone by way of public addresses 203.0.113.1/32, 203.0.113.1/32, and 203.0.113.3/32. For packets that enter the Juniper Networks security device from the untrust zone with the destination IP addresses 203.0.113.1/32, 203.0.113.1/32, and 203.0.113.3/32, the destination IP address is translated to the private addresses 10.1.1.1/32,10.1.1.2/32, and 10.1.1.2/32.

Figure 3: Static NAT for Port Mapping
Static NAT for Port
Mapping
Note
  • To configure the destination port, you must use an IP address for the destination address field instead of an IP address prefix.

  • You must configure the destination port to configure the mapped port and vice versa.

  • Use the same number range for the ports while configuring the destination port and the mapped port.

  • If you do not configure the destination port and the mapped port, the IP mapping will be the one-to-one mapping.

  • Any address overlapping or any address and port overlapping is not allowed.

This example describes the following configurations:

  • Static NAT rule set rs1 with rule r1 to match packets from the untrust zone with the destination address 203.0.113.1/32 and destination port 100 to 200. For matching packets, the destination IP address is translated to the private address 10.1.1.1/32 and mapped to port 300 to 400.

  • Static NAT rule set rs1 with rule r2 to match packets from the untrust zone with the destination address 203.0.113.1/32 and destination port 300 to 400. For matching packets, the destination IP address is translated to the private address 10.1.1.2/32 and mapped to port 300 to 400.

  • Static NAT rule set rs1 with rule r3 to match packets from the untrust zone with the destination address 203.0.113.3/32 and destination port 300. For matching packets, the destination IP address is translated to the private address 10.1.1.2/32 and mapped to port 200.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set security nat static rule-set rs from zone untrust
set security nat static rule-set rs rule r1 match destination-address 203.0.113.1/32
set security nat static rule-set rs rule r1 match destination-port 100 to 200
set security nat static rule-set rs rule r1 then static-nat prefix 10.1.1.1/32
set security nat static rule-set rs rule r1 then static-nat prefix mapped-port 300 to 400
set security nat static rule-set rs rule r2 match destination-address 203.0.113.1/32
set security nat static rule-set rs rule r2 match destination-port 300 to 400
set security nat static rule-set rs rule r2 then static-nat prefix 10.1.1.2/32
set security nat static rule-set rs rule r2 then static-nat prefix mapped-port 300 to 400
set security nat static rule-set rs rule r3 match destination-address 203.0.113.3/32
set security nat static rule-set rs rule r3 match destination-port 300
set security nat static rule-set rs rule r3 then static-nat prefix 10.1.1.2/32
set security nat static rule-set rs rule r3 then static-nat prefix mapped-port 200

Step-by-Step Procedure

The following example requires you to navigate throughout various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure a static NAT mapping from a private subnet address to a public subnet address:

  1. Create a static NAT rule set.
  2. Configure a rule that matches packets and translates the destination address in the packets to a private address.
  3. Configure a rule that matches packets and translates the destination address in the packets to a private address.
  4. Configure a rule that matches packets and translates the destination address in the packets to a private address.

Results

From configuration mode, confirm your configuration by entering the show security nat command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]

user@host# show security nat

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying Static NAT Configuration

Purpose

Verify that there is traffic matching the static NAT rule set.

Action

From operational mode, enter the show security nat static rule command. View the Translation hits field to check for traffic that matches the rule.

user@host> show security nat static rule all

Troubleshooting

Troubleshooting Static NAT Port Configuration

Problem

Static NAT port mapping configuration failures occur during a commit.

Invalid configurations with overlapped IP addresses and ports result in commit failure.

The following example shows invalid configurations with overlapped addresses and ports:

  • set security nat static rule-set rs rule r1 match destination-address 203.0.113.1

    set security nat static rule-set rs rule r1 then static-nat prefix 10.1.1.1

  • set security nat static rule-set rs rule r2 match destination-address 203.0.113.1

    set security nat static rule-set rs rule r2 match destination-port 300 to 400

    set security nat static rule-set rs rule r2 then static-nat prefix 10.1.1.2

    set security nat static rule-set rs rule r2 then static-nat prefix mapped-port 300 to 400

  • set security nat static rule-set rs rule r1 match destination-address 203.0.113.1

    set security nat static rule-set rs rule r1 match destination-port 100 to 200

    set security nat static rule-set rs rule r1 then static-nat prefix 10.1.1.1

    set security nat static rule-set rs rule r1 then static-nat prefix mapped-port 300 to 400

  • set security nat static rule-set rs rule r2 match destination-address 203.0.113.2

    set security nat static rule-set rs rule r2 match destination-port 300 to 400

    set security nat static rule-set rs rule r2 then static-nat prefix 10.1.1.1

    set security nat static rule-set rs rule r2 then static-nat prefix mapped-port 390 to 490

The following error message was displayed when the aforementioned configuration was submitted for commit:

Solution

To configure the destination port, you must avoid any address overlapping or any address and port overlapping. For an example of valid configuration, see Configuration.

Monitoring Static NAT Information

Purpose

View static NAT rule information.

Action

Select Monitor>NAT>Static NAT in the J-Web user interface, or enter the following CLI command:

show security nat static rule

Table 1 summarizes key output fields in the static NAT display.

Table 1: Summary of Key Static NAT Output Fields

Field

Values

Action

Rule-set Name

Name of the rule set.

Select all rule sets or a specific rule set to display from the list.

Total rules

Number of rules configured.

ID

Rule ID number.

Position

Position of the rule that indicates the order in which it applies to traffic.

Name

Name of the rule.

Ruleset Name

Name of the rule set.

From

Name of the routing instance/interface/zone from which the packet comes

Source addresses

Source IP addresses.

Source ports

Source port numbers.

Destination addresses

Destination IP address and subnet mask.

Destination ports

Destination port numbers .

Host addresses

Name of the host addresses.

Host ports

Host port numbers.

Netmask

Subnet IP address.

Host routing instance

Name of the routing instance from which the packet comes.

Alarm threshold

Utilization alarm threshold.

Sessions (Succ/

Failed/

Current)

Successful, failed, and current sessions.

  • Succ–Number of successful session installations after the NAT rule is matched.

  • Failed–Number of unsuccessful session installations after the NAT rule is matched.

  • Current–Number of sessions that reference the specified rule.

Translation hits

Number of times a translation in the translation table is used for a static NAT rule.

Top 10 Translation Hits Graph

Displays the graph of top 10 translation hits.