
Static NAT

Static NAT maps network traffic from a static external IP address to an internal IP address or network. It creates a static translation of real addresses to mapped addresses. Static NAT provides internet connectivity to networking devices through a private LAN with an unregistered private IP address.

Understanding Static NAT

Static NAT defines a one-to-one mapping from one IP subnet to another IP subnet. The mapping includes destination IP address translation in one direction and source IP address translation in the reverse direction. From the NAT device, the original destination address is the virtual host IP address while the mapped-to address is the real host IP address.

Static NAT allows connections to be originated from either side of the network, but translation is limited to one-to-one or between blocks of addresses of the same size. For each private address, a public address must be allocated. No address pools are necessary.

Static NAT also supports the following types of translation:

  • To map multiple IP addresses and specified ranges of ports to the same IP address and a different range of ports

  • To map a specific IP address and port to a different IP address and port

Port address translation (PAT) is also supported by defining a static mapping between a destination port (or port range) and a mapped port (or port range).

Note:

The original destination address, along with other addresses in source and destination NAT pools, must not overlap within the same routing instance.

In NAT rule lookup, static NAT rules take precedence over destination NAT rules and reverse mapping of static NAT rules take precedence over source NAT rules.

Understanding Static NAT Rules

Static Network Address Translation (NAT) rules specify two layers of match conditions:

  • Traffic direction—Allows you to specify from interface, from zone, or from routing-instance.

  • Packet information—Can be source addresses and ports, and destination addresses and ports.

For all ALG traffic, except FTP, we recommend that you not use the static NAT rule options source-address or source-port. Data session creation can fail if these options are used because the IP address and the source port value, which is a random value, might not match the static NAT rule. For FTP ALG traffic, the source-address option can be used because an IP address can be provided to match the source address of a static NAT rule.

When both source and destination addresses are configured as match conditions for a rule, traffic is matched to both the source address and destination address. Because static NAT is bidirectional, traffic in the opposite direction reverse matches the rule, and the destination address of the traffic is matched to the configured source address.

If multiple static NAT rules overlap in the match conditions, the most specific rule is chosen. For example, if rules A and B specify the same source and destination IP addresses, but rule A specifies traffic from zone 1 and rule B specifies traffic from interface ge-0/0/0, rule B is used to perform static NAT. An interface match is considered to be more specific than a zone match, which is more specific than a routing instance match.

Because static NAT rules do not support overlapping addresses and ports, they should not be used to map one external IP address to multiple internal IP addresses for ALG traffic. For example, if different sites want to access two different FTP servers, the internal FTP servers should be mapped to two different external IP addresses.

For the static NAT rule action, specify the translated address and (optionally) the routing instance.

In NAT lookup, static NAT rules take precedence over destination NAT rules and reverse mapping of static NAT rules takes precedence over source NAT rules.

Static NAT Configuration Overview

The main configuration tasks for static NAT are as follows:

  1. Configure static NAT rules that align with your network and security requirements.
  2. Configure NAT proxy ARP entries for IP addresses in the same subnet as the ingress interface.

Example: Configuring Static NAT for Single Address Translation

This example describes how to configure a static NAT mapping of a single private address to a public address.

Requirements

Before you begin:

  1. Configure network interfaces on the device. See Interfaces User Guide for Security Devices.

  2. Create security zones and assign interfaces to them. See Understanding Security Zones.

Overview

This example uses the trust security zone for the private address space and the untrust security zone for the public address space.

In Figure 1, devices in the untrust zone access a server in the trust zone by way of public address 203.0.113.200/32. For packets that enter the Juniper Networks security device from the untrust zone with the destination IP address 203.0.113.200/32, the destination IP address is translated to the private address 192.168.1.200/32. For a new session originating from the server, the source IP address in the outgoing packet is translated to the public address 203.0.113.200/32.

Figure 1: Static NAT Single Address Translation

This example describes the following configurations:

  • Static NAT rule set rs1 with rule r1 to match packets from the untrust zone with the destination address 203.0.113.200/32. For matching packets, the destination IP address is translated to the private address 192.168.1.200/32.

  • Proxy ARP for the address 203.0.113.200 on interface ge-0/0/0.0. This allows the Juniper Networks security device to respond to ARP requests received on the interface for that address.

  • Security policies to permit traffic to and from the 192.168.1.200 server.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate throughout various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure a static NAT mapping from a private address to a public address:

  1. Create a static NAT rule set.

  2. Configure a rule that matches packets and translates the destination address in the packets to a private address.

  3. Configure proxy ARP.

  4. Configure an address in the global address book.

  5. Configure a security policy that allows traffic from the untrust zone to the server in the trust zone.

  6. Configure a security policy that allows all traffic from the server in the trust zone to the untrust zone.

Results

From configuration mode, confirm your configuration by entering the show security nat and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Static NAT Configuration

Purpose

Verify that there is traffic matching the static NAT rule set.

Action

From operational mode, enter the show security nat static rule command. View the Translation hits field to check for traffic that matches the rule.

Verifying NAT Application to Traffic

Purpose

Verify that NAT is being applied to the specified traffic.

Action

From operational mode, enter the show security flow session command.

Example: Configuring Static NAT for Subnet Translation

This example describes how to configure a static NAT mapping of a private subnet address to a public subnet address.

Note:

Address blocks for static NAT mapping must be of the same size.

Requirements

Before you begin:

  1. Configure network interfaces on the device. See Interfaces User Guide for Security Devices.

  2. Create security zones and assign interfaces to them. See Understanding Security Zones.

Overview

This example uses the trust security zone for the private address space and the untrust security zone for the public address space. In Figure 2, devices in the untrust zone access devices in the trust zone by way of public subnet address 203.0.113.0/24. For packets that enter the Juniper Networks security device from the untrust zone with a destination IP address in the 203.0.113.0/24 subnet, the destination IP address is translated to a private address on the 192.168.1.0/24 subnet. For new sessions originating from the 192.168.1.0/24 subnet, the source IP address in outgoing packets is translated to an address on the public 203.0.113.0/24 subnet.

Figure 2: Static NAT Subnet Translation

This example describes the following configurations:

  • Static NAT rule set rs1 with rule r1 to match packets received on interface ge-0/0/0.0 with a destination IP address in the 203.0.113.0/24 subnet. For matching packets, the destination address is translated to an address on the 192.168.1.0/24 subnet.

  • Proxy ARP for the address ranges 203.0.113.1/32 through 203.0.113.249/32 on interface ge-0/0/0.0. This allows the Juniper Networks security device to respond to ARP requests received on the interface for those addresses. The address 203.0.113.250/32 is assigned to the interface itself, so this address is not included in the proxy ARP configuration.

  • Security policies to permit traffic to and from the 192.168.1.0/24 subnet.
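
The following is an added example, not Juniper code: an off-box model of the static NAT behaviour described in Understanding Static NAT Rules and in the two examples above (one-to-one translation between equal-sized blocks, destination translation in the forward direction and source translation in reverse, the interface-over-zone-over-routing-instance ordering when rule match conditions overlap, and the proxy ARP ranges that leave out the interface's own address). The packet addresses, rule names A and B, and the interfaces ge-0/0/1.0 and ge-0/0/2.0 are constructed for illustration.

```python
"""Off-box model of Junos static NAT rule selection and translation.

Added example, not Juniper code. It reproduces the behaviour described on
this page: one-to-one mapping between equal-sized blocks, destination
translation forward and source translation in reverse, and the context
ordering interface > zone > routing-instance. Inputs are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Lower rank = more specific "from" context, in the order given on this page.
CONTEXT_RANK = {"interface": 0, "zone": 1, "routing-instance": 2}


@dataclass(frozen=True)
class StaticRule:
    name: str
    from_kind: str            # "interface", "zone" or "routing-instance"
    from_value: str           # e.g. "ge-0/0/0.0" or "untrust"
    destination: IPv4Network  # original (public) destination block
    prefix: IPv4Network       # static-nat prefix (private block)

    def __post_init__(self):
        # Junos rejects blocks of different sizes at commit; model that check.
        if self.destination.prefixlen != self.prefix.prefixlen:
            raise ValueError(f"{self.name}: address blocks must be the same size")


def make_rule(name, from_kind, from_value, destination, prefix):
    """Build a rule from prefix strings (blocks must be the same size)."""
    return StaticRule(name, from_kind, from_value,
                      IPv4Network(destination), IPv4Network(prefix))


def _shift(addr, src_net, dst_net):
    """Map addr's offset inside src_net onto the same offset in dst_net."""
    return str(dst_net.network_address + (int(addr) - int(src_net.network_address)))


def translate(rules, src, dst, in_interface, in_zone, routing_instance="default"):
    """Return (rule name, translated src, translated dst); rule name is None
    when no static rule applies. Forward: the destination sits in a rule's
    destination block and the ingress context matches, so the destination is
    rewritten. Reverse: the source sits in a rule's static-nat prefix, so the
    source is rewritten (the reverse-direction context check is not modelled).
    """
    src, dst = IPv4Address(src), IPv4Address(dst)
    context = {"interface": in_interface, "zone": in_zone,
               "routing-instance": routing_instance}
    forward = [r for r in rules
               if dst in r.destination and context[r.from_kind] == r.from_value]
    if forward:
        r = min(forward, key=lambda r: CONTEXT_RANK[r.from_kind])  # most specific
        return r.name, str(src), _shift(dst, r.destination, r.prefix)
    reverse = [r for r in rules if src in r.prefix]
    if reverse:
        r = min(reverse, key=lambda r: CONTEXT_RANK[r.from_kind])
        return r.name, _shift(src, r.prefix, r.destination), str(dst)
    return None, str(src), str(dst)


def proxy_arp_ranges(public_block, interface_addr):
    """Contiguous ranges the device must answer ARP for: the mapped block's
    host addresses minus the one the interface itself owns."""
    own = IPv4Address(interface_addr)
    hosts = [h for h in IPv4Network(public_block).hosts() if h != own]
    ranges, start, prev = [], hosts[0], hosts[0]
    for h in hosts[1:]:
        if int(h) != int(prev) + 1:
            ranges.append((str(start), str(prev)))
            start = h
        prev = h
    ranges.append((str(start), str(prev)))
    return ranges
```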

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate throughout various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure a static NAT mapping from a private subnet address to a public subnet address:

  1. Create a static NAT rule set.

  2. Configure a rule that matches packets and translates the destination address in the packets to an address in a private subnet.

  3. Configure proxy ARP.

  4. Configure an address in the global address book.

  5. Configure a security policy that allows traffic from the untrust zone to the subnet in the trust zone.

  6. Configure a security policy that allows all traffic from the subnet in the trust zone to the untrust zone.

Results

From configuration mode, confirm your configuration by entering the show security nat and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Static NAT Configuration

Purpose

Verify that there is traffic matching the static NAT rule set.

Action

From operational mode, enter the show security nat static rule command. View the Translation hits field to check for traffic that matches the rule.

Verifying NAT Application to Traffic

Purpose

Verify that NAT is being applied to the specified traffic.

Action

From operational mode, enter the show security flow session command.

Example: Configuring Static NAT64 for Subnet Translation

This example provides the steps for static NAT64 configuration on an SRX Firewall device. By following this example, you can set up seamless translation between IPv6 and IPv4 address spaces. This feature is particularly useful in environments transitioning from IPv4 to IPv6, as it eliminates the need for dual-stack configurations while ensuring reliable cross-IP version communication.

Tip:

Table 1: Readability Score and Time Estimates

  • Readability score: Flesch reading ease 34; Flesch-Kincaid reading grade level 11.9

  • Reading time: less than 15 minutes

  • Configuration time: less than an hour

Example Prerequisites

Use this configuration example to configure and verify Static NAT64 on your device. Static NAT64 enables seamless communication between IPv6-only clients and IPv4 servers by translating IPv6 addresses into IPv4 using a well-known NAT64 prefix (64:ff9b::/96). This feature is particularly useful in environments transitioning from IPv4 to IPv6, as it eliminates the need for dual-stack configurations while ensuring reliable cross-IP version communication.

Hardware requirements

vSRX Virtual Firewall

Software requirements

Junos OS Release 24.1R1 or later

Licensing requirements

Activate a security license to enable Network Address Translation (NAT) and security features.

Before You Begin

Benefits

  • Seamless Communication: Enables IPv6-only clients to access IPv4 servers by translating IPv6 addresses into IPv4 seamlessly.

  • Simplified Network Design: Reduces the need for dual-stack configurations, simplifying network architecture and operations.

  • Enhanced Scalability: Supports environments with a growing number of IPv6 devices while maintaining IPv4 compatibility.

Useful resources:

  • Know more: Static NAT

  • Hands-on experience: vLab Sandbox: NAT - Source & Destination

  • Learn more: NAT64 with DNS64 on SRX Series - Part 1

Functional Overview

Table 2: Static NAT64 Functional Overview

Profiles

  • Translation profile: The NAT64 configuration includes a translation profile to define the mapping between IPv6 and IPv4.

  • Prefix profile: Specifies the NAT64 well-known prefix (64:ff9b::/96) for IPv6-to-IPv4 address translation.

  • Address mapping: Maps specific IPv6 addresses or subnets to corresponding IPv4 addresses to facilitate translation.

Policies

  • Inbound policy: Allows IPv6-only clients to initiate traffic toward IPv4 servers by matching the NAT64 translation rules.

  • Outbound policy: Permits the return traffic from IPv4 servers back to IPv6 clients based on NAT64 rules.

Security zones

  • trust: Network segment for IPv6-only clients initiating connections.

  • untrust: Network segment where IPv4 servers reside, responding to client requests.

  • NAT64 zone: A dedicated zone for NAT64 processing, ensuring efficient translation and traffic management.

Topology Overview

In this Static NAT64 topology, an IPv6-only client communicates with an IPv4 server through the SRX Series Firewall. The firewall translates IPv6 addresses to IPv4 using Static NAT64 mappings, while a DNS64 server synthesizes IPv6 DNS responses for seamless address resolution. This setup ensures smooth communication between IPv6-only clients and IPv4 servers without requiring dual-stack configurations.

Topology

  • Client (role: IPv6-only device): Initiates requests from an IPv6-only environment to communicate with IPv4 servers.

  • SRX Series Firewall (role: NAT64 gateway): Translates IPv6 addresses to IPv4 addresses using the configured Static NAT64 mapping, ensuring seamless communication across IP versions.

  • DNS64 server (role: DNS translator): Converts IPv4 DNS responses for the client, enabling address resolution.

  • IPv4 server (role: destination server): Responds to client requests using its IPv4 address, allowing interaction with IPv6-only clients through NAT64.

Topology Illustration

Figure 3: Static NAT64 Subnet Translation

Configure Static NAT64 on Device-Under-Test (DUT)

Note:

For complete sample configurations on the DUT, see:

  1. Define the rule set for static NAT and specify the zone from which traffic originates.
  2. Configure the rule to match the destination address within the NAT64 prefix and set the destination address to translate into an IPv4 address.
  3. Set up a source NAT pool to support IPv6 address translations into IPv4 addresses.
  4. Enable proxy Address Resolution Protocol (ARP) to respond to ARP requests for NAT pool addresses.
  5. Configure security policies to allow traffic from the trust zone to the untrust zone.
  6. Assign the interfaces to the respective zones and permit inbound traffic.
  7. Configure IP addresses for each interface.
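
The following is an added example, not Juniper code or the DUT configuration: it works through the address handling behind steps 2 and 3 above using the well-known prefix 64:ff9b::/96, showing the IPv6 address a DNS64 server synthesizes for an IPv4 server (RFC 6052 embedding in the low 32 bits), which destinations the static NAT64 rule matches, and the forward translation of one client session. The client, server and pool addresses are constructed, and the pool pick is a simple deterministic index, not the Junos source NAT allocator.

```python
"""NAT64 address handling behind the well-known prefix 64:ff9b::/96.

Added example, not Juniper code. It shows the IPv6 address a DNS64 server
synthesizes for an IPv4 server (RFC 6052 embedding in the low 32 bits),
which destinations the static NAT64 rule matches, and the forward
translation of one client session. Client, server and pool addresses are
constructed; the pool pick is an assumption, not the Junos allocator.
"""
from ipaddress import IPv4Address, IPv6Address, IPv6Network

NAT64_PREFIX = IPv6Network("64:ff9b::/96")  # well-known NAT64 prefix


def synthesize(ipv4):
    """DNS64-style AAAA synthesis: embed the IPv4 address in the low 32 bits."""
    return str(IPv6Address(int(NAT64_PREFIX.network_address) | int(IPv4Address(ipv4))))


def extract(ipv6):
    """Recover the embedded IPv4 address, or None when the destination lies
    outside the NAT64 prefix (the static rule then does not match)."""
    addr = IPv6Address(ipv6)
    if addr not in NAT64_PREFIX:
        return None
    return str(IPv4Address(int(addr) & 0xFFFFFFFF))


def nat64_session(client6, dst6, source_pool):
    """Forward translation for a new session from an IPv6-only client.

    Destination: taken from the static NAT64 rule (prefix match + embedding).
    Source: an IPv4 address from the source NAT pool, chosen here by a
    deterministic index (assumption) so the IPv4 server can reply.
    Returns (translated source, translated destination) or None when the
    destination is not a NAT64 address.
    """
    dst4 = extract(dst6)
    if dst4 is None:
        return None
    src4 = source_pool[int(IPv6Address(client6)) % len(source_pool)]
    return str(IPv4Address(src4)), dst4
```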

Verification

Verify Static NAT64 Configuration

Purpose

Verify that there is traffic matching the static NAT64 rule set.

Action

From operational mode, enter the show security nat static rule command. View the Translation hits field to check for traffic that matches the rule.

Verify NAT64 Application to Traffic

Purpose

Verify that NAT64 is applied to the specified traffic.

Action

From operational mode, enter the show security flow session command.

Appendix 1: Set Commands on All Devices

The following example requires navigating through various levels of the Junos OS configuration hierarchy. For detailed guidance on navigating the CLI, see Use the CLI Editor in Configuration Mode.

Appendix 2: Show Configuration Output on DUT

Show command output on the DUT.

From operational mode, verify your configuration using the following commands. If the output

Example: Configuring Static NAT for Port Mapping

This example describes how to configure static NAT mappings of a public address to private addresses on a specified range of ports.

This topic includes the following sections:

Requirements

Before you begin:

Overview

This example uses the trust security zone for the private address space and the untrust security zone for the public address space.

In Figure 4, devices in the untrust zone access a server in the trust zone by way of public addresses 203.0.113.1/32, 203.0.113.1/32, and 203.0.113.3/32. For packets that enter the Juniper Networks security device from the untrust zone with the destination IP addresses 203.0.113.1/32, 203.0.113.1/32, and 203.0.113.3/32, the destination IP address is translated to the private addresses 10.1.1.1/32, 10.1.1.2/32, and 10.1.1.2/32.

Figure 4: Static NAT for Port Mapping

Note:

  • To configure the destination port, you must use an IP address for the destination address field instead of an IP address prefix.

  • You must configure the destination port to configure the mapped port and vice versa.

  • Use the same number range for the ports while configuring the destination port and the mapped port.

  • If you do not configure the destination port and the mapped port, the IP mapping will be the one-to-one mapping.

  • Any address overlapping or any address and port overlapping is not allowed.

This example describes the following configurations:

  • Static NAT rule set rs1 with rule r1 to match packets from the untrust zone with the destination address 203.0.113.1/32 and destination port 100 to 200. For matching packets, the destination IP address is translated to the private address 10.1.1.1/32 and mapped to port 300 to 400.

  • Static NAT rule set rs1 with rule r2 to match packets from the untrust zone with the destination address 203.0.113.1/32 and destination port 300 to 400. For matching packets, the destination IP address is translated to the private address 10.1.1.2/32 and mapped to port 300 to 400.

  • Static NAT rule set rs1 with rule r3 to match packets from the untrust zone with the destination address 203.0.113.3/32 and destination port 300. For matching packets, the destination IP address is translated to the private address 10.1.1.2/32 and mapped to port 200.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Procedure

Step-by-Step Procedure

The following example requires you to navigate throughout various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure static NAT port mappings from a public address to private addresses:

  1. Create a static NAT rule set.

  2. Configure rule r1, which matches packets and translates the destination address and port range in the packets to a private address and port range.

  3. Configure rule r2, which matches packets and translates the destination address and port range in the packets to a private address and port range.

  4. Configure rule r3, which matches packets and translates the destination address and port in the packets to a private address and port.

Results

From configuration mode, confirm your configuration by entering the show security nat command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]

user@host# show security nat

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying Static NAT Configuration

Purpose

Verify that there is traffic matching the static NAT rule set.

Action

From operational mode, enter the show security nat static rule command. View the Translation hits field to check for traffic that matches the rule.

Troubleshooting

Troubleshooting Static NAT Port Configuration

Problem

Static NAT port mapping configuration failures occur during a commit.

Invalid configurations with overlapped IP addresses and ports result in commit failure.

The following example shows invalid configurations with overlapped addresses and ports.

In the first pair, rule r1 maps the whole address 203.0.113.1 (every port) while rule r2 maps a port range on the same address, so the original addresses overlap:

  • set security nat static rule-set rs rule r1 match destination-address 203.0.113.1

    set security nat static rule-set rs rule r1 then static-nat prefix 10.1.1.1

  • set security nat static rule-set rs rule r2 match destination-address 203.0.113.1

    set security nat static rule-set rs rule r2 match destination-port 300 to 400

    set security nat static rule-set rs rule r2 then static-nat prefix 10.1.1.2

    set security nat static rule-set rs rule r2 then static-nat prefix mapped-port 300 to 400

In the second pair, both rules map to 10.1.1.1 and the mapped-port ranges 300 to 400 and 390 to 490 overlap:

  • set security nat static rule-set rs rule r1 match destination-address 203.0.113.1

    set security nat static rule-set rs rule r1 match destination-port 100 to 200

    set security nat static rule-set rs rule r1 then static-nat prefix 10.1.1.1

    set security nat static rule-set rs rule r1 then static-nat prefix mapped-port 300 to 400

  • set security nat static rule-set rs rule r2 match destination-address 203.0.113.2

    set security nat static rule-set rs rule r2 match destination-port 300 to 400

    set security nat static rule-set rs rule r2 then static-nat prefix 10.1.1.1

    set security nat static rule-set rs rule r2 then static-nat prefix mapped-port 390 to 490

The following error message was displayed when the aforementioned configuration was submitted for commit:

Solution

To configure the destination port, you must avoid any address overlapping or any address and port overlapping. For an example of a valid configuration, see Configuration.
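
The following is an added example, not Juniper code or the Junos commit check itself: a small parser for the set security nat static lines used in this topic and a validator that applies the constraints from the Note in the Overview (destination-port and mapped-port are configured together, their ranges are the same size, a port mapping needs a host address rather than a prefix, and neither the original nor the mapped address/port space may overlap between rules). The embedded sample is the second invalid configuration from the Troubleshooting section above; the rule-set and rule names are the page's own.

```python
"""Commit-style check for static NAT port-mapping rules (added example, not
Juniper code). Parses "set security nat static ..." lines and applies the
constraints stated on this page: destination-port and mapped-port go
together, their ranges are the same size, a port mapping needs a host
address, and neither the original nor the mapped address/port space may
overlap between rules. The sample configuration below is from this page.
"""
import re
from collections import defaultdict
from ipaddress import ip_network

FULL_PORTS = (1, 65535)  # an address-only rule claims every port of that address
_RULE = re.compile(r"^set security nat static rule-set (\S+) rule (\S+) (.+)$")

# Second invalid configuration from the troubleshooting section: mapped
# ports 300-400 and 390-490 collide on 10.1.1.1.
INVALID_MAPPED_OVERLAP = """
set security nat static rule-set rs rule r1 match destination-address 203.0.113.1
set security nat static rule-set rs rule r1 match destination-port 100 to 200
set security nat static rule-set rs rule r1 then static-nat prefix 10.1.1.1
set security nat static rule-set rs rule r1 then static-nat prefix mapped-port 300 to 400
set security nat static rule-set rs rule r2 match destination-address 203.0.113.2
set security nat static rule-set rs rule r2 match destination-port 300 to 400
set security nat static rule-set rs rule r2 then static-nat prefix 10.1.1.1
set security nat static rule-set rs rule r2 then static-nat prefix mapped-port 390 to 490
"""


def _ports(text):
    """'300' -> (300, 300); '300 to 400' -> (300, 400)."""
    parts = text.split()
    return (int(parts[0]), int(parts[2])) if len(parts) == 3 else (int(parts[0]), int(parts[0]))


def parse_rules(config):
    """Group set lines into one dict per (rule-set, rule)."""
    rules = defaultdict(dict)
    for line in config.strip().splitlines():
        m = _RULE.match(line.strip())
        if not m:
            continue
        r, stmt = rules[(m.group(1), m.group(2))], m.group(3)
        if stmt.startswith("match destination-address "):
            r["dst"] = ip_network(stmt.split()[2])
        elif stmt.startswith("match destination-port "):
            r["dport"] = _ports(stmt[len("match destination-port "):])
        elif stmt.startswith("then static-nat prefix mapped-port "):
            r["mport"] = _ports(stmt[len("then static-nat prefix mapped-port "):])
        elif stmt.startswith("then static-nat prefix "):
            r["prefix"] = ip_network(stmt.split()[3])
    return rules


def _overlap(a, b):
    return a[0] <= b[1] and b[0] <= a[1]


def validate(config):
    """Return the problems a commit would report; an empty list means it passes."""
    rules, problems = parse_rules(config), []
    for (rs, n), r in rules.items():
        if ("dport" in r) != ("mport" in r):
            problems.append(f"{rs}/{n}: destination-port and mapped-port must both be set")
        elif "dport" in r:
            if r["dport"][1] - r["dport"][0] != r["mport"][1] - r["mport"][0]:
                problems.append(f"{rs}/{n}: destination-port and mapped-port ranges differ in size")
            if "dst" in r and r["dst"].num_addresses != 1:
                problems.append(f"{rs}/{n}: a port mapping needs a host address, not a prefix")
    items = [(k, r) for k, r in rules.items() if "dst" in r and "prefix" in r]
    for i, ((rs1, n1), a) in enumerate(items):
        for (rs2, n2), b in items[i + 1:]:
            if a["dst"].overlaps(b["dst"]) and _overlap(a.get("dport", FULL_PORTS), b.get("dport", FULL_PORTS)):
                problems.append(f"{rs1}/{n1} and {rs2}/{n2}: original address/port ranges overlap")
            if a["prefix"].overlaps(b["prefix"]) and _overlap(a.get("mport", FULL_PORTS), b.get("mport", FULL_PORTS)):
                problems.append(f"{rs1}/{n1} and {rs2}/{n2}: mapped address/port ranges overlap")
    return problems
```

Running validate() over the valid rule set rs1 with rules r1, r2 and r3 from the Overview returns an empty list, while the embedded sample reports the mapped-port collision on 10.1.1.1.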

Monitoring Static NAT Information

Purpose

View static NAT rule information.

Action

Select Monitor>NAT>Static NAT in the J-Web user interface, or enter the following CLI command:

show security nat static rule

Table 3 summarizes key output fields in the static NAT display.

Table 3: Summary of Key Static NAT Output Fields

  • Rule-set Name: Name of the rule set. Action: Select all rule sets or a specific rule set to display from the list.

  • Total rules: Number of rules configured.

  • ID: Rule ID number.

  • Position: Position of the rule, indicating the order in which it applies to traffic.

  • Name: Name of the rule.

  • Ruleset Name: Name of the rule set.

  • From: Name of the routing instance, interface, or zone from which the packet comes.

  • Source addresses: Source IP addresses.

  • Source ports: Source port numbers.

  • Destination addresses: Destination IP address and subnet mask.

  • Destination ports: Destination port numbers.

  • Host addresses: Name of the host addresses.

  • Host ports: Host port numbers.

  • Netmask: Subnet IP address.

  • Host routing instance: Name of the routing instance from which the packet comes.

  • Alarm threshold: Utilization alarm threshold.

  • Sessions (Succ/Failed/Current): Successful, failed, and current sessions.

      • Succ: Number of successful session installations after the NAT rule is matched.

      • Failed: Number of unsuccessful session installations after the NAT rule is matched.

      • Current: Number of sessions that reference the specified rule.

  • Translation hits: Number of times a translation in the translation table is used for a static NAT rule.

  • Top 10 Translation Hits Graph: Displays the graph of the top 10 translation hits.