Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


NAT Configuration Overview

This topic describes how to configure Network Address Translation (NAT) and multiple ISPs. Also, this topic helps to verify the NAT traffic by configuring the trace options and monitoring NAT table.

Configuring NAT Using the NAT Wizard

You can use the NAT Wizard to perform basic NAT configuration on SRX300, SRX320, SRX340, SRX345, and SRX550M devices. To perform more advanced configuration, use the J-Web interface or the CLI.

To configure NAT using the NAT Wizard:

  1. Select Configure>Tasks>Configure NAT in the J-Web interface.
  2. Click the Launch NAT Wizard button.
  3. Follow the wizard prompts.

The upper-left area of the wizard page shows where you are in the configuration process. The lower-left area of the page shows field-sensitive help. When you click a link under the Resources heading, the document opens in your browser. If the document opens in a new tab, be sure to close only the tab (not the browser window) when you close the document.

Example: Configuring NAT for Multiple ISPs

This example shows how to configure a Juniper Networks device for address translation of multiple ISPs.


Before you begin:

  1. Configure network interfaces on the device. See Interfaces User Guide for Security Devices.

  2. Create security zones and assign interfaces to them. See Understanding Security Zones.


In this example, you can configure an SRX Series Services Gateway by connecting the LAN to the Internet by using NAT feature through two ISP connections. In this configuration, trust is the security zone for the private address space and the two untrust security zones for the public address space are used to connect from LAN to the two ISPs and vice versa. The example is a combination of source NAT rules to connect to Internet from the LAN, and destination and static NAT rules to connect to the LAN from Internet.


Configuring NAT for Multiple ISPs

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

  1. Configure routing instances.

  2. Configure rib groups and routing options.

  3. Configure security policies.

  4. Configure source NAT pools and rules.

  5. Configure destination NAT pools and rules.

  6. Configure static NAT rules.


From configuration mode, confirm your configuration by entering show configuration command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.


Verifying Interfaces


Verify that the interfaces are configured correctly.


From operational mode, enter the following commands:

  • show interfaces

  • show zones

  • show routing-instances

  • show routing-options

  • show policies

  • show source nat

  • show destination nat

  • show static nat

Configuring Proxy ARP for NAT (CLI Procedure)

You use NAT proxy ARP functionality to configure proxy ARP entries for IP addresses that require either source or destination NAT and that are in the same subnet as the ingress interface.


On SRX Series Firewalls, you must explicitly configure NAT proxy ARP.

When configuring NAT proxy ARP, you must specify the logical interface on which to configure proxy ARP. Then you enter an address or address range.

The device performs proxy ARP for the following conditions:

  • When addresses defined in the static NAT and source NAT pool are in the same subnet as that of the ingress interface

  • When addresses in the original destination address entry in the destination NAT rules are in the same subnet as that of the ingress interface

Configuring NAT trace options


The NAT trace options hierarchy configures trace file and flags for verification purposes.

SRX Series Firewalls have two main components: the Routing Engine (RE) and the Packet Forwarding Engine (PFE). The PFE is divided into the ukernel portion and the real-time portion.

When a NAT configuration is committed, the configuration is first checked and validated on the RE. After validation, the configuration is pushed to the PFE. The configuration is installed on the ukernel PFE, then action is taken on each packet that matches NAT rules on the real-time PFE.

For verification, you can turn on flags individually to debug NAT functionality on the RE, ukernel PFE, or real-time PFE:

  • The nat-re flag records the trace of the NAT configuration validation on the RE and the configuration push to the PFE.

  • The nat-pfe flag records the trace of the NAT configuration installation on the ukernel PFE.

  • The nat-rt flag records the trace of the NAT rule match, and subsequent action on the real-time PFE.

The trace data is written to /var/log/security-trace by default, and can be viewed using the command show log security-trace.


If session logging has been enabled in the policy configurations on the device, the session logs will include specific NAT details for each session. See Monitoring Security Policy Statistics for information on how to enable session logging and Information Provided in Session Log Entries for SRX Series Services Gateways for a description of information provided in session logs.


To verify that NAT configurations are correctly updated to the device upon commit, and that the NAT rule match and subsequent actions are correct, use the security nat traceoptions statement.

To verify that NAT translations are being applied to the traffic, and to view individual traffic flow processing with NAT translations, use both the security nat traceoptions command and the security flow traceoptions command together. The commands are used together because the NAT trace, configured using the security nat traceoptions command, is not recorded unless the flow traceoptions command is also configured.

To filter a specific flow, you can define a packet filter and use it as a traceoption :

To verify NAT traffic and to enable all traffic trace in data plane, use the traceoptions set security flow traceoptions flag basic-datapath command, as shown in the following example using a simple packet filter:

Monitoring NAT Incoming Table Information


View NAT table information.


Select Monitor>NAT>Incoming Table in the J-Web user interface, or enter the following CLI command:

show security nat incoming-table

Table 1 summarizes key output fields in the incoming table display.

Table 1: Summary of Key Incoming Table Output Fields




In use

Number of entries in the NAT table.


Maximum number of entries possible in the NAT table.

Entry allocation failed

Number of entries failed for allocation.

Incoming Table



Destination IP address and port number.


Host IP address and port number that the destination IP address is mapped to.


Number of sessions referencing the entry.


Timeout, in seconds, of the entry in the NAT table.


Name of source pool where translation is allocated.

Monitoring Interface NAT Port Information


View port usage for an interface source pool information.


To monitoring interface NAT port information, do one of the following:

  • If you are using SRX5400, SRX5600, or SRX5800 platforms, select Monitor>Firewall/NAT>Interface NAT in the J-Web user interface or enter the CLI command show security nat interface-nat-ports.

  • Select Monitor>NAT>Interface NAT Ports in the J-Web user interface.

Table 2 summarizes key output fields in the interface NAT display.

Table 2: Summary of Key Interface NAT Output Fields



Additional Information

Interface NAT Summary Table

Pool Index

Port pool index.

Total Ports

Total number of ports in a port pool.

Single Ports Allocated

Number of ports allocated one at a time that are in use.

Single Ports Available

Number of ports allocated one at a time that are free for use.

Twin Ports Allocated

Number of ports allocated two at a time that are in use.

Twin Ports Available

Number of ports allocated two at a time that are free for use.