Configuring NAT Type

The NAT type specifies whether a particular term supports traditional NAT processing or full-cone NAT. A full-cone NAT is one in which all requests from the same internal IP address and port are mapped to the same external IP address and port. In addition, any external host can send a packet to the internal host by sending it to the mapped external address. Full-cone NAT is useful if you want to allow external hosts from the public network to connect to internal hosts using public IP addresses. However, we recommend that you use this feature along with strict firewall rules that allow only the intended traffic from the public network to reach the customer-edge router.

To configure the NAT type, include the nat-type statement at the [edit services nat rule rule-name term term-name] hierarchy level:

nat-type has two possible options:

• full-cone—Specifies that the term supports full-cone NAT.
• symmetric—Specifies that the term supports only traditional NAT; this is the default setting.

The following specifications and restrictions apply to full-cone NAT:

• As long as an internal host has a connection to an external host and uses source NAT, this feature allows any external host to connect back to the internal host over the public IP network.
• When the internal host terminates its connection to the external host, initiation of any new connections from external host to internal host over the public IP network is disallowed. Existing connections are not affected.
• Use of full-cone NAT enables the external-to-internal host connection to be independent from the internal-to-external host connection with regard to protocol and source and destination port.
• The aging mechanism for the external-to-internal host connection is similar to other host connections. Once the connection is established from the external host to the internal host, it is treated like any other network connection.
• Full-cone NAT is available with both source static and source dynamic NAT processing; for more information, see Configuring NAT Actions.
• It supports IPv4 addresses on Juniper Networks J-series Services Routers only. It is not supported on M-series or T-series routing platforms.
• It does not support Port Address Translation (PAT) or Network Address Port Translation (NAPT).
• It is not supported for use with twice NAT configurations.

For a configuration example, see Configuring Full-Cone NAT.