NAT is a mechanism for concealing a set of host addresses on a private network behind a pool of public addresses. It can be used as a security measure to protect the host addresses from direct targeting in network attacks.
You can configure NAT using traditional NAT or twice NAT, as described in the following sections:
Traditional NAT, specified in RFC 3022, Traditional IP Network Address Translator, is fully supported by JUNOS software. In addition, network address port translation (NAPT) is supported for source addresses.
The AS and MultiServices PIC interfaces support three types of NAT processing:
You can implement NAT to hide one or many hosts on a private network behind a pool of public IP addresses. The pool can be as small as one IP address, or it can be a set of contiguous IP addresses. You can specify a port range to restrict port translation when NAT is configured in dynamic-source mode.
Binding of private addresses to public addresses can be either static or dynamic. In basic NAT mode, a NAT rule can force a private IP address to be always bound to a public address; in NAPT mode, a NAT rule can force a paired private address and private TCP or UDP port to be mapped to a public IP address and public TCP or UDP port. When the address binding is not statically forced by the NAT rules, NAT dynamically picks an available address, or an address and TCP or UDP port pairing, when a new session starts. You can specify multiple prefixes and address ranges in a dynamic or static source NAT pool.
The option to assign NAT addresses statically from a dynamic NAT pool enables you to advertise one subnet that represents the NAT pool and use an address within that subnet for static rules. Statically assigned addresses are not reused for dynamic assignment and can only be used for static-source NAT (not for static-destination NAT).
You can configure an overload (fallback) pool to be used when the source pool of addresses is exhausted. The overload pool must be configured with NAPT.
You can also configure NAT rules without configuring a pool by directly specifying the address prefix to be translated within the rule. And, within the rule, you can assign particular addresses that you do not want to be translated.
Like most traditional NAT implementations, the JUNOS implementation of NAT supports sessions initiated from the private side only. Sessions initiated from the public side are supported only when you configure static address binding.
You are not required to configure a stateful firewall rule to allow NAT traffic. By default, NAT traffic is allowed unless it is explicitly configured to be dropped. If only NAT is configured in a service set, all traffic is accepted.
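The binding behaviour described above (static and dynamic basic NAT, NAPT fallback to an overload pool, rule-level exemptions, and public-side sessions accepted only for static bindings), modelled as an added Python example. This is constructed illustration code, not Junos code or configuration; the addresses are documentation examples and the pools are deliberately tiny so that exhaustion and overload fallback are visible.

```python
from dataclasses import dataclass, field
from itertools import product


@dataclass
class SourceNat:
    """Toy source-NAT translator (constructed example, not Junos code)."""
    pool: list                  # public addresses for basic NAT (one per host)
    overload_pool: list         # fallback addresses, always used in NAPT mode
    port_range: range = range(1024, 1026)   # tiny on purpose, to show exhaustion
    static: dict = field(default_factory=dict)   # private addr -> fixed public addr
    exempt: set = field(default_factory=set)     # addresses the rule must not translate
    addr_binding: dict = field(default_factory=dict)   # basic NAT: priv -> pub
    napt_binding: dict = field(default_factory=dict)   # NAPT: (priv, sport) -> (pub, pport)

    def __post_init__(self):
        # Statically assigned addresses are never reused for dynamic assignment.
        self._free_addrs = [a for a in self.pool if a not in self.static.values()]
        self._free_ports = list(product(self.overload_pool, self.port_range))

    def outbound(self, priv, sport):
        """Private-side session start; returns (public addr, public port) or None."""
        if priv in self.exempt:
            return (priv, sport)                       # passes through untranslated
        if priv in self.static:                        # statically forced binding
            self.addr_binding[priv] = self.static[priv]
        if priv in self.addr_binding:                  # existing basic-NAT binding
            return (self.addr_binding[priv], sport)
        if self._free_addrs:                           # dynamic basic NAT
            self.addr_binding[priv] = self._free_addrs.pop(0)
            return (self.addr_binding[priv], sport)
        key = (priv, sport)                            # pool exhausted: overload NAPT
        if key not in self.napt_binding:
            if not self._free_ports:
                return None                            # both pools exhausted
            self.napt_binding[key] = self._free_ports.pop(0)
        return self.napt_binding[key]

    def inbound(self, pub, dport):
        """Public-side session start: accepted only toward a static binding."""
        for priv, addr in self.static.items():
            if addr == pub:
                return (priv, dport)
        return None                                    # dynamic bindings: dropped
```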
For more information about configuring NAT rules, see Network Address Translation Services Configuration Guidelines.
Twice NAT, specified in RFC 2663, IP Network Address Translator (NAT) Terminology and Considerations, is fully supported by JUNOS software.
In twice NAT, both the source and destination addresses are subject to translation as packets traverse the NAT router. For example, you would use twice NAT when you are connecting two networks in which all or some addresses in one network overlap with addresses in another network (whether the network is private or public). In traditional NAT, only one of the addresses is translated.
To configure twice NAT, you must specify both a destination address and a source address for the match direction, pool or prefix, and translation type.
You can configure application-level gateways (ALGs) for ICMP and traceroute under stateful firewall, NAT, or CoS rules when twice NAT is configured in the same service set. These ALGs cannot be applied to flows created by the Packet Gateway Controller Protocol (PGCP). Twice NAT does not support other ALGs. By default, the twice NAT feature can affect IP, TCP, and UDP headers embedded in the payload of ICMP error messages.
For more information about configuring NAT rules, see Network Address Translation Services Configuration Guidelines.