A host in a zone sending traffic through an interface in NAT mode can initiate traffic to the external zone—assuming that a policy permits it. However, if issues of privacy and private IP addresses are not a concern, traffic from the external zone can reach hosts behind an interface in NAT mode directly, without the use of a VPN. See Figure 59.
Figure 59: NAT Traffic Flow
 | Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice. | |