Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

NAT Overview

Network Address Translation (NAT) is a form of network masquerading where you can hide devices between the zones or interfaces. A trust zone is a segment of the network where security measures are applied. It is usually assigned to the internal LAN. An untrust zone is the Internet. NAT modifies the IP addresses of the packets moving between the trust and untrust zones.

Whenever a packet arrives at the NAT device, the device performs a translation on the packet’s IP address by rewriting it with an IP address that was specified for external use. After translation, the packet appears to have originated from the gateway rather than from the original device within the network. This helps you hide internal IP addresses from the other networks and keep your network secure.

Using NAT also allows you to use more internal IP addresses. Because these IP addresses are hidden, there is no risk of conflict with an IP address from a different network. This helps you conserve IP addresses.

Junos Space Security Director supports three types of NAT:

  • Source NAT--Translates the source IP address of a packet leaving the trust zone (outbound traffic). It translates the traffic originating from the device in the trust zone. Using source NAT, an internal device can access the network by using the IP addresses specified in the NAT policy. The following use cases are supported with IPv6 NAT:

    • Translation from one IPv6 subnet to another IPv6 subnet without Port Address Translation (PAT)

    • Translation from IPv4 addresses to IPv6 prefixes along with IPv4 address translation

    • Translation from IPv6 host(s) to IPv6 host(s) with or without PAT

    • Translation from IPv6 host(s) to IPv4 host(s) with or without PAT

    • Translation from IPv4 host(s) to IPv6 host(s) with or without PAT

  • Destination NAT--Translates the destination IP address of a packet entering the trust zone (inbound traffic). It translates the traffic originating from a device outside the trust zone. Using destination NAT, an external device can send packets to a hidden internal device. The following use cases are supported with IPv6 NAT:

    • Mapping of one IPv6 subnet to another IPv6 subnet

    • Mapping between one IPv6 host and another IPv6 host

    • Mapping of one IPv6 host (and optional port number) to another special IPv6 host (and optional port number)

    • Mapping of one IPv6 host (and optional port number) to another special IPv4 host (and optional port number)

    • Mapping of one IPv4 host (and optional port number) to another special IPv6 host (and optional port number)

  • Static NAT-- Always translates a private IP address to the same public IP address. It translates traffic from both sides of the network (both source and destination). For example, a webserver with a private IP address can access the Internet using a static, one-to-one address translation. The following use cases are supported with IPv6 NAT:

    • Mapping of one IPv6 subnet to another IPv6 subnet

    • Mapping between one IPv6 host and another IPv6 host

    • Mapping between IPv4 address a.b.c.d and IPv6 address Prefix::a.b.c.d

    • Mapping between IPv4 host(s) and IPv6 host(s)

    • Mapping between IPv6 host(s) and IPv4 host(s)

Table 1 shows the persistent NAT support for different source NAT and destination NAT addresses.

Table 1: Persistent NAT Support

Source NAT Address

Translated Address

Destination NAT

Address

Persistent NAT

IPv4

IPv6

IPv4

No

IPv4

IPv6

IPv6

No

IPv6

IPv4

IPv4

Yes

IPv6

IPv6

IPv6

No

Table 2 and Table 3 show the translated address pool selection for source NAT, destination NAT, and static NAT addresses.

Table 2: Translated Address Pool Selection for Source NAT

Source NAT Address

Destination Address

Pool Address

IPv4

IPv4

IPv4

IPv4

IPv6 - Subnet must be greater than 96

IPv6

IPv6

IPv4

IPv4

IPv6

IPv6

IPv6

Table 3: Translated Address Pool Selection for Destination NAT And Static NAT

Source NAT Address

Destination Address

Pool Address

IPv4

IPv4

IPv4 or IPv6

IPv4

IPv6 - Subnet must be greater than 96

IPv4 or IPv6

IPv6

IPv4

IPv4

IPv6

IPv6

IPv4 or IPv6

  • For source NAT, the proxy NDP is available for NAT pool addresses. For destination NAT and static NAT, the proxy NDP is available for destination NAT addresses.

  • A NAT pool can have a single IPv6 subnet or multiple IPv6 hosts.

  • You cannot configure the overflow pool if the address type is IPv6.

  • NAT pools permit address entries of only one version type: IPv4 or IPv6.

Junos Space Security Director provides you with a workflow where you can create and apply NAT policies on devices in a network.

Security Director views each logical system or tenant system as any other security device and takes ownership of the security configuration of the logical system or tenant system. In Security Director, each logical system or tenant system is managed as a unique security device.

Note:

If the root logical system is discovered, all other user logical systems inside the device, will also be discovered.

Because an SRX Series logical system device does not support interface NAT, Security Director also does not allow interface NAT configuration of logical system. The logical system cannot participate in group NAT in Security Director. For a device NAT policy, the interface based translation selection and pool with Overflow Pool as interface are not supported in logical systems. The configuration is validated during the publishing of the NAT policy to avoid commit failures in the device.