Hide Navigation Pane
Show Navigation Pane
Feedback
Download
SHA1
Example: Configuring Source NAT for Egress Interface Translation
This example describes how to configure a source NAT mapping of private addresses to the public address of an egress interface.
Requirements
Before you begin:
- Configure network interfaces on the device. See the Junos OS Interfaces Configuration Guide for Security Devices.
- Create security zones and assign interfaces to them. See Understanding Security Zones.
Overview
This example uses the trust security zone for the private address space and the untrust security zone for the public address space. In Figure 114, devices with private addresses in the trust zone access a public network through the egress interface ge-0/0/0. For packets that enter the Juniper Networks security device from the trust zone with a destination address in the untrust zone, the source IP address is translated to the IP address of the egress interface.
 | Note: No source NAT pool is required for source NAT using an egress interface. Proxy ARP does not need to be configured for the egress interface. |
Figure 114: Source NAT Egress Interface Translation
This example describes the following configurations:
- Source NAT rule set rs1 with a rule r1 to match any packet from the trust zone to the untrust zone. For matching packets, the source address is translated to the IP address of the egress interface.
- Security policies to permit traffic from the trust zone to the untrust zone.
Configuration
CLI Quick Configuration
To quickly configure a source NAT mapping to an egress interface, copy the following commands and paste them into the CLI.
Step-by-Step Procedure
The following example requires you to navigate throughout various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
To configure a source NAT translation to an egress interface:
- Create a source NAT rule set.[edit security nat source]user@host# set rule-set rs1 from zone trustuser@host# set rule-set rs1 to zone untrust
- Configure a rule that matches packets
and translates the source address to the address of the egress interface.[edit security nat source]user@host# set rule-set rs1 rule r1 match source-address 0.0.0.0/0user@host# set rule-set rs1 rule r1 match destination-address 0.0.0.0/0user@host# set rule-set rs1 rule r1 then source-nat interface
- Configure a security policy that allows
traffic from the trust zone to the untrust zone.[edit security policies from-zone trust to-zone untrust]user@host# set policy internet-access match source-address any destination-address any application anyuser@host# set policy internet-access then permit
Results
From configuration mode, confirm your configuration by entering the show security nat and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying Source NAT Rule Usage
Purpose
Verify that there is traffic matching the source NAT rule.
Action
From operational mode, enter the show security nat source rule all command. View the Translation hits field to check for traffic that matches the rule.
Verifying NAT Application to Traffic
Purpose
Verify that NAT is being applied to the specified traffic.
Action
From operational mode, enter the show security flow session command.
Related Topics
- Junos OS Feature Support Reference for SRX Series and J Series Devices
- Understanding Source NAT
- Source NAT Configuration Overview
