
Traditional NAT

Traditional NAT, specified in RFC 3022, Traditional IP Network Address Translator, is fully supported by JUNOS software. In addition, network address port translation (NAPT) is supported for source addresses.

The AS and MultiServices PIC interfaces support three types of NAT processing:

You can implement NAT to hide one or many hosts on a private network behind a pool of public IP addresses. The pool can be as small as one IP address, or it can be a set of contiguous IP addresses. You can specify a port range to restrict port translation when NAT is configured in dynamic-source mode.

Private address to public address binding can be either static or dynamic. In basic NAT mode, a NAT rule can force a private IP address to always be bound to the same public address; in NAPT mode, a NAT rule can force a paired private address and private TCP or UDP port to be mapped to a public IP address and public TCP or UDP port. When the address binding is not statically forced by the NAT rules, NAT can dynamically pick an available address, or an available pairing of address and TCP or UDP port, when a new session starts. You can specify multiple prefixes and address ranges in a dynamic or static source NAT pool.

The option to assign NAT addresses statically from a dynamic NAT pool enables you to advertise one subnet that represents the NAT pool and use an address within that subnet for static rules. Statically assigned addresses are not reused for dynamic assignment and can only be used for static-source NAT (not for static-destination NAT).

You can configure an overload (fallback) pool to be used when the source pool of addresses is exhausted. The overload pool must be configured with NAPT.

You can also configure NAT rules without configuring a pool by directly specifying the address prefix to be translated within the rule. Within the rule, you can also specify particular addresses that you do not want to be translated.

Like most traditional NAT implementations, the JUNOS implementation of NAT supports sessions initiated from the private side only. Sessions initiated from the public side are supported only when you configure static address binding.
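The binding behavior described above (static bindings, dynamic assignment from the source pool, fallback to a NAPT overload pool, and public-side sessions accepted only for static bindings) can be traced with a small model. This is an added example, not JUNOS code: the class, its method names and all addresses are constructed, bindings are never released, and the port range is applied to the overload pool only.

```python
# Simplified model of the source-NAT binding rules described in the text.
# Not JUNOS code: names and addresses are constructed for illustration.

class SourceNat:
    def __init__(self, pool, static, overload_addr=None, port_range=(1024, 65535)):
        self.static = dict(static)                    # private IP -> public IP
        self.static_rev = {pub: priv for priv, pub in self.static.items()}
        # Statically assigned pool addresses are never handed out dynamically.
        self.free = [a for a in pool if a not in self.static_rev]
        self.dynamic = {}                             # private IP -> public IP
        self.overload_addr = overload_addr            # NAPT fallback address
        self.napt = {}                                # (priv IP, priv port) -> public port
        self.next_port, self.last_port = port_range

    def outbound(self, src_ip, src_port):
        """Translate a session initiated from the private side."""
        if src_ip in self.static:                     # static binding, port kept
            return self.static[src_ip], src_port
        if src_ip not in self.dynamic and self.free:  # dynamic basic NAT
            self.dynamic[src_ip] = self.free.pop(0)
        if src_ip in self.dynamic:
            return self.dynamic[src_ip], src_port
        return self._overload(src_ip, src_port)       # source pool exhausted

    def _overload(self, src_ip, src_port):
        """NAPT on the overload address; None means the session is not translated."""
        if self.overload_addr is None:
            return None
        key = (src_ip, src_port)
        if key not in self.napt:
            if self.next_port > self.last_port:
                return None                           # port range exhausted
            self.napt[key] = self.next_port
            self.next_port += 1
        return self.overload_addr, self.napt[key]

    def inbound(self, dst_ip, dst_port):
        """New session from the public side: only static bindings accept it."""
        priv = self.static_rev.get(dst_ip)
        return (priv, dst_port) if priv else None


if __name__ == "__main__":
    nat = SourceNat(["192.0.2.1", "192.0.2.2"], {"10.0.0.10": "192.0.2.1"},
                    overload_addr="192.0.2.100", port_range=(5000, 5001))
    for host in ("10.0.0.10", "10.0.0.20", "10.0.0.30"):
        print(host, "->", nat.outbound(host, 4444))
    print("inbound to dynamic address:", nat.inbound("192.0.2.2", 80))
```

For an audit, the point to take from the model is that each static binding is a public address reachable from outside, and the page notes that NAT traffic is allowed by default without a stateful firewall rule.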

You are not required to configure a stateful firewall rule to allow NAT traffic. By default, NAT traffic is allowed unless it is explicitly configured to be dropped. If only NAT is configured in a service set, all traffic is accepted.

For more information about configuring NAT rules, see Network Address Translation Services Configuration Guidelines.

