NAT
NAT Rule and Objects
The Network Address Translation (NAT) rule capacity requirement depends on the SRX Series Firewall and the Junos OS release.
The limit on rules per rule set reflects the total number of rules the device can support. This restriction is provided to help you better plan and configure the NAT rules for the device.
| NAT Rule Type | Number of Rules per Rule Set |
|---|---|
| Source NAT rules | 30,720 |
| Destination NAT rules | 30,720 |
| Static NAT rules | 30,720 |
The SRX4700 Firewall supports up to 128 IP addresses with its object locking (OL) capability. Object locking enables efficient management and control of network resources, enhancing security and operational efficiency.
| Object Type | Number of Objects |
|---|---|
| Total NAT rule sets per system | 51200 |
| Total NAT rules per rule set | 51200 |
Source NAT pools and rule set configuration:

```
# Source NAT pools
set security nat source pool src-nat-pool-1 address 192.0.2.1/32 to 192.0.2.24/32
set security nat source pool src-nat-pool-2 address 192.0.2.100/32 to 192.0.2.249/32
set security nat source pool src-nat-pool-2 port no-translation

# Source NAT rule-set rs1
set security nat source rule-set rs1 from zone trust
set security nat source rule-set rs1 to zone untrust

# r1: 10.1.1.0/24 and 10.1.2.0/24 NAT to pool-1
set security nat source rule-set rs1 rule r1 match source-address 10.1.1.0/24
set security nat source rule-set rs1 rule r1 match source-address 10.1.2.0/24
set security nat source rule-set rs1 rule r1 match destination-address 0.0.0.0/0
set security nat source rule-set rs1 rule r1 then source-nat pool src-nat-pool-1

# r2: 192.168.1.250/32 no-NAT
set security nat source rule-set rs1 rule r2 match source-address 192.168.1.250/32
set security nat source rule-set rs1 rule r2 match destination-address 0.0.0.0/0
set security nat source rule-set rs1 rule r2 then source-nat off

# r3: 192.168.1.0/24 NAT to pool-2
set security nat source rule-set rs1 rule r3 match source-address 192.168.1.0/24
set security nat source rule-set rs1 rule r3 match destination-address 0.0.0.0/0
set security nat source rule-set rs1 rule r3 then source-nat pool src-nat-pool-2

# Proxy ARP (on the external interface unit referenced)
set security nat proxy-arp interface et-1/0/0.0 address 192.0.2.24/32 to 192.0.2.24/32
set security nat proxy-arp interface et-1/0/0.0 address 192.0.2.249/32 to 192.0.2.249/32

# Security policy trust -> untrust (permit any)
set security policies from-zone trust to-zone untrust policy internet-access match source-address any
set security policies from-zone trust to-zone untrust policy internet-access match destination-address any
set security policies from-zone trust to-zone untrust policy internet-access match application any
set security policies from-zone trust to-zone untrust policy internet-access then permit
```
Persistent NAT Binding
The SRX4700 Firewall supports 2,000,000 persistent NAT bindings when NAT binding is enabled and the maximize-persistent-nat-capacity option is configured.
Persistent NAT configuration (address-persistent source pool with PAT):

```
set security nat source pool PERSIST-PUB address 192.168.17.19/32 to 192.168.17.20/32
set security nat source pool PERSIST-PUB address-persistent
set security nat source pool PERSIST-PUB port-address-translation
set security nat source rule-set RS-PERSIST from zone trust
set security nat source rule-set RS-PERSIST to zone untrust
set security nat source rule-set RS-PERSIST rule R1 match source-address 10.1.1.0/24
set security nat source rule-set RS-PERSIST rule R1 match destination-address 0.0.0.0/0
set security nat source rule-set RS-PERSIST rule R1 then source-nat pool PERSIST-PUB
```
Ensure that security policies permit the traffic and that proxy ARP is configured on the untrust interface if needed.

Verify your configuration using the `show configuration security nat source | display set` and `commit check` commands.
NAT Softwire Initiator Capacity
The SRX4700 Firewall supports a maximum of 100,000 softwire initiators.
Configure a DS-Lite softwire concentrator to convert IPv4 packets into IPv6 packets:

```
set security softwires softwire-name my_sc1 softwire-concentrator 2001:db8::1 softwire-type IPv4-in-IPv6
```
NAT Pool and Port Address Translation (PAT) Maximum Address Capacity
Source NAT pool configuration:

```
[edit security nat source]
set pool src-nat-pat-addr address 192.168.0.0/32 to 192.168.3.255/32
set pool src-nat-pat-addr address 192.168.4.0/32 to 192.168.7.255/32
set pool-default-port-range 2001
set pool-default-port-range to 32720
```
| Pool/PAT Maximum Address Capacity | Maximum Number Supported |
|---|---|
| Source NAT pools | 30,720 |
| IP addresses supporting port translation | 1,048,576 |
| PAT port number | 2576 million |
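The capacity figures above only help if you can relate them to a concrete configuration. The following added example (not Juniper code, and not part of this page's original content) parses set-style `security nat source` lines like the pool, rule set and `pool-default-port-range` snippets shown here, computes how many addresses and concurrent bindings each pool provides, and flags a source NAT rule that an earlier, broader rule in the same rule set shadows (Junos evaluates rules in configured order, first match wins, so a shadowed `source-nat off` exemption silently gets translated). `SAMPLE_CONFIG` is constructed for the example: it reuses the page's pools and the 2001 to 32720 port range, but deliberately lists the 192.168.1.0/24 rule before the 192.168.1.250/32 no-NAT rule so the check has something to find. `DEFAULT_PORT_RANGE` is an assumed fallback used only when no `pool-default-port-range` is configured.

```python
"""Audit Junos-style 'set security nat source ...' lines (added example).

Computes pool address/binding capacity and detects rules shadowed by an
earlier rule in the same rule set. SAMPLE_CONFIG is constructed: it reuses
this page's pools and port range but places the /24 rule before the /32
no-NAT rule, which the shadow check reports.
"""
import ipaddress
from collections import OrderedDict

SAMPLE_CONFIG = """\
set security nat source pool src-nat-pool-1 address 192.0.2.1/32 to 192.0.2.24/32
set security nat source pool src-nat-pool-2 address 192.0.2.100/32 to 192.0.2.249/32
set security nat source pool src-nat-pool-2 port no-translation
set security nat source pool-default-port-range 2001
set security nat source pool-default-port-range to 32720
set security nat source rule-set rs1 from zone trust
set security nat source rule-set rs1 to zone untrust
set security nat source rule-set rs1 rule r1 match source-address 10.1.1.0/24
set security nat source rule-set rs1 rule r1 match source-address 10.1.2.0/24
set security nat source rule-set rs1 rule r1 match destination-address 0.0.0.0/0
set security nat source rule-set rs1 rule r1 then source-nat pool src-nat-pool-1
set security nat source rule-set rs1 rule r2 match source-address 192.168.1.0/24
set security nat source rule-set rs1 rule r2 match destination-address 0.0.0.0/0
set security nat source rule-set rs1 rule r2 then source-nat pool src-nat-pool-2
set security nat source rule-set rs1 rule r3 match source-address 192.168.1.250/32
set security nat source rule-set rs1 rule r3 match destination-address 0.0.0.0/0
set security nat source rule-set rs1 rule r3 then source-nat off
"""

# Assumed fallback PAT port range, used only if pool-default-port-range is absent.
DEFAULT_PORT_RANGE = (1024, 63487)


def parse_source_nat(text):
    """Return (pools, rule_sets, (low_port, high_port)) from set-style lines."""
    pools = {}                 # name -> {"ranges": [(first, last)], "pat": bool}
    rule_sets = OrderedDict()  # name -> OrderedDict(rule name -> match/action), in config order
    lo, hi = DEFAULT_PORT_RANGE
    for line in text.splitlines():
        tok = line.split()
        if tok[:4] != ["set", "security", "nat", "source"]:
            continue
        rest = tok[4:]
        if rest[0] == "pool":
            pool = pools.setdefault(rest[1], {"ranges": [], "pat": True})
            if rest[2] == "address":            # address <first>/32 to <last>/32
                first = ipaddress.ip_network(rest[3]).network_address
                last = ipaddress.ip_network(rest[5]).network_address
                pool["ranges"].append((first, last))
            elif rest[2:4] == ["port", "no-translation"]:
                pool["pat"] = False
        elif rest[0] == "pool-default-port-range":
            if rest[1] == "to":
                hi = int(rest[2])
            else:
                lo = int(rest[1])
        elif rest[0] == "rule-set" and len(rest) > 4 and rest[2] == "rule":
            rs = rule_sets.setdefault(rest[1], OrderedDict())
            rule = rs.setdefault(rest[3], {"src": [], "dst": [], "action": None})
            if rest[4] == "match" and rest[5] in ("source-address", "destination-address"):
                key = "src" if rest[5] == "source-address" else "dst"
                rule[key].append(ipaddress.ip_network(rest[6]))
            elif rest[4] == "then":
                rule["action"] = " ".join(rest[5:])
    return pools, rule_sets, (lo, hi)


def pool_capacity(pools, port_range):
    """Addresses per pool and the concurrent bindings they allow.

    A PAT pool gives one binding per (address, port) pair; a port no-translation
    pool gives one binding per address, so it needs one public address for each
    internal host translated at the same time."""
    lo, hi = port_range
    ports_per_addr = hi - lo + 1
    report = {}
    for name, pool in pools.items():
        addrs = sum(int(last) - int(first) + 1 for first, last in pool["ranges"])
        per_addr = ports_per_addr if pool["pat"] else 1
        report[name] = {"addresses": addrs, "pat": pool["pat"], "bindings": addrs * per_addr}
    return report


def _covered(prefixes, by):
    """True when every prefix is contained in some prefix of `by` (same address family).
    Assumes both rules carry explicit source- and destination-address matches."""
    return all(any(p.version == q.version and p.subnet_of(q) for q in by) for p in prefixes)


def shadowed_rules(rule_sets):
    """(rule-set, rule, earlier rule) triples where the earlier rule already matches
    everything the later rule matches, so the later rule can never fire."""
    findings = []
    for rs_name, rules in rule_sets.items():
        seen = []
        for name, rule in rules.items():
            for prev_name, prev in seen:
                if _covered(rule["src"], prev["src"]) and _covered(rule["dst"], prev["dst"]):
                    findings.append((rs_name, name, prev_name))
                    break
            seen.append((name, rule))
    return findings


if __name__ == "__main__":
    pools, rule_sets, port_range = parse_source_nat(SAMPLE_CONFIG)
    for name, cap in pool_capacity(pools, port_range).items():
        print(f"{name}: {cap}")
    for rs, rule, prev in shadowed_rules(rule_sets):
        print(f"rule-set {rs}: rule {rule} is shadowed by earlier rule {prev}")
```

With the page's 2001 to 32720 range each PAT address yields 30,720 ports, so the 24-address PAT pool supports 737,280 bindings while the 150-address no-translation pool supports exactly 150. Run against the real ordering on this page (r2 no-NAT before r3), the shadow check returns nothing; the constructed reversal above reports r3 as unreachable, which is the kind of finding to look for before a NAT exemption is relied on for logging or access control by real address.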