nat
Syntax
nat {
    destination {
        pool pool-name {
            address ip-address {
                (port port-number | to ip-address);
            }
            description text;
            routing-instance routing-instance-name;
        }
        rule-set rule-set-name {
            description text;
            from {
                interface [interface-name];
                routing-instance [routing-instance-name];
                zone [zone-name];
            }
            rule rule-name {
                description text;
                match {
                    (destination-address <ip-address> | destination-address-name <address-name>);
                    destination-port port-number;
                    protocol [protocol-name-or-number];
                    source-address [ip-address];
                    source-address-name [address-name];
                }
                then {
                    destination-nat (off | pool pool-name);
                }
            }
        }
    }
    proxy-arp {
        interface interface-name {
            address ip-address {
                to ip-address;
            }
        }
    }
    proxy-ndp {
        interface interface-name {
            address ip-address {
                to ip-address;
            }
        }
    }
    natv6v4 {
        no-v6-frag-header;
    }
    source {
        address-persistent;
        interface {
            port-overloading {
                off;
            }
        }
        pool pool-name {
            address ip-address {
                to ip-address;
            }
            description text;
            host-address-base ip-address;
            overflow-pool (interface | pool-name);
            port {
                (no-translation | port-overloading-factor number | range port-low <to port-high>);
            }
            routing-instance routing-instance-name;
        }
        pool-default-port-range lower-port-range to upper-port-range;
        pool-utilization-alarm {
            clear-threshold value;
            raise-threshold value;
        }
        port-randomization {
            disable;
        }
        port-round-robin {
            disable;
        }
        port-scaling-enlargement;
        radius-accounting {
            session-drop;
        }
        rule-set rule-set-name {
            description text;
            from {
                interface [interface-name];
                routing-instance [routing-instance-name];
                zone [zone-name];
            }
            rule rule-name {
                description text;
                match {
                    (destination-address <ip-address> | destination-address-name <address-name>);
                    destination-port port-number;
                    protocol [protocol-name-or-number];
                    source-address [ip-address];
                    source-address-name [address-name];
                }
                then {
                    source-nat {
                        interface {
                            persistent-nat {
                                address-mapping;
                                inactivity-timeout seconds;
                                max-session-number value;
                                permit (any-remote-host | target-host | target-host-port);
                            }
                        }
                        off;
                        pool {
                            persistent-nat {
                                address-mapping;
                                inactivity-timeout seconds;
                                max-session-number number;
                                permit (any-remote-host | target-host | target-host-port);
                            }
                            pool-name;
                        }
                    }
                }
            }
            to {
                interface [interface-name];
                routing-instance [routing-instance-name];
                zone [zone-name];
            }
        }
        session-persistence-scan;
        subscriber-extension;
    }
    static {
        rule-set rule-set-name {
            description text;
            from {
                interface [interface-name];
                routing-instance [routing-instance-name];
                zone [zone-name];
            }
            rule rule-name {
                description text;
                match {
                    (destination-address ip-address | destination-address-name address-name);
                }
                then {
                    static-nat {
                        inet {
                            routing-instance (default | routing-instance-name);
                        }
                        prefix {
                            address-prefix;
                            routing-instance (default | routing-instance-name);
                        }
                        prefix-name {
                            address-prefix-name;
                            routing-instance (default | routing-instance-name);
                        }
                    }
                }
            }
        }
    }
    traceoptions {
        file {
            filename;
            files number;
            match regular-expression;
            size maximum-file-size;
            (world-readable | no-world-readable);
        }
        flag flag;
        no-remote-trace;
    }
}
Hierarchy Level
[edit security]
[edit tenants tenant-name security]
Description
Enabling tracing can adversely impact scale and performance and may increase security risk. We strongly recommend using the trace, tracing, or traceoptions commands only under the guidance of a JTAC support engineer. After collecting the debug information, immediately disable tracing to minimize risk and restore normal system performance.
Configure Network Address Translation (NAT) for NFX Series and SRX Series Firewalls.
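To confirm that tracing was disabled after a debugging session, as the warning above recommends, this added example (not Juniper code) scans a saved curly-brace configuration for traceoptions stanzas under security nat at both hierarchy levels and reports whether each is active and whether its trace file is world-readable. The sample configuration is constructed: the file name, the tenant name TN1 and the flag value are assumptions, and the parser assumes the usual show configuration layout, including the inactive: prefix on deactivated statements.

```python
# Added example, not Juniper code. SAMPLE_CONFIG is constructed (names and flag assumed).
SAMPLE_CONFIG = """
security {
    nat {
        traceoptions {
            file nat-debug size 1m world-readable;
            flag all;
        }
    }
}
tenants {
    TN1 {
        security {
            nat {
                inactive: traceoptions {
                    flag all;
                }
            }
        }
    }
}
"""

def find_nat_traceoptions(config_text):
    """Return one dict per traceoptions stanza directly under '... security nat'."""
    stack, findings, current, trace_depth = [], [], None, -1
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            name = line[:-1].strip()
            inactive = name.startswith("inactive:")  # deactivated statement
            name = name.split(":", 1)[1].strip() if inactive else name
            if name == "traceoptions" and [n for n, _ in stack[-2:]] == ["security", "nat"]:
                current = {"path": " ".join(n for n, _ in stack),
                           "active": not (inactive or any(i for _, i in stack)),
                           "flags": [], "world_readable": False}
                findings.append(current)
                trace_depth = len(stack)  # depth to return to when the stanza closes
            stack.append((name, inactive))
        elif line == "}":
            del stack[-1:]  # tolerate a stray closing brace
            if len(stack) == trace_depth:
                current, trace_depth = None, -1
        elif current is not None:
            tokens = line.rstrip(";").split()
            if tokens[:1] == ["flag"]:
                current["flags"] += tokens[1:]
            current["world_readable"] |= "world-readable" in tokens  # whole-token match
    return findings
```

Call find_nat_traceoptions() on the saved configuration text; any entry with active set to True is tracing that is still enabled, and world_readable set to True means the trace file can be read by any user on the device.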
Options
| destination | Configure Destination NAT. |
| natv6v4 | Configure options for NAT between IPv6 and IPv4. |
| no-v6-frag-header | Disable adding a fragment header to non-fragmented IPv6 packets when performing IPv4-to-IPv6 translation. |
| proxy-arp | Configure Proxy ARP. |
| proxy-ndp | Configure Proxy NDP. |
| source | Configure Source NAT. |
| static | Configure Static NAT. |
| traceoptions | Configure NAT traceoptions. |
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement modified in Junos OS Release 9.6.
The description option was added in Junos OS Release 12.1.
The tenant option is introduced in Junos OS Release 18.3R1.
The radius-accounting and subscriber-extension options are introduced in Junos OS Release 24.2R1.