Working with IP Addressing and NAT Services
You can configure NAT addressing and services from Enterprise Manager Portal. For information about NAT services and policies, see Chapter 17, Reviewing and Configuring Policies and Services for Enterprise Manager Portal.
Requesting Public IP Addresses for NAT Services
To request one or more IP addresses:
- In the navigation pane of Enterprise Manager Portal, click the access for which you want to request an IP address.
- Click the Addresses tab.
- In the Number of Addresses field, enter the number of addresses that you want.
- (Optional) If you specify multiple IP addresses and you want the addresses to be sequential, select Contiguous.
- Click Request.
Enterprise Manager Portal sends a request to the service provider for the IP addresses and displays the number of outstanding requests. When the service provider allocates the IP addresses, Enterprise Manager Portal displays the public IP addresses assigned to this access and makes the addresses visible in the menus on the NAT page for that access, as shown in Figure 42. If a request for an IP address is outstanding for a certain period of time, Enterprise Manager Portal automatically sends a reminder to the service provider.
Number of Addresses
- Number of IP addresses that you want the service provider to supply.
- Value—Integer in the range 1-2147483647
- Default—1
Contiguous
Canceling Requests for Public IP Addresses
Returning Public IP Addresses to Service Providers
To return one or more IP addresses to the service provider:
- Start at the Addresses page for the subscriber (see Figure 42).
- In the Public IP Addresses table, click in the small box in the last column for each address that you want to return.
If an enabled NAT rule is using an address, the box for that address is dimmed, and you cannot release that address until you disable or delete the NAT rule listed in the Used By field.
Applying NAT Rules to Traffic
After you have protected an access with a firewall and obtained one or more public IP addresses for the access, you can apply the following types of NAT rules to traffic on the access.
Also known as dynamic source NAT, this type of NAT allows computers with private IP addresses in a private network to share a small set of public IP addresses for outgoing connections. For example, employees in an enterprise can use these public IP addresses for browsing the Web. You can specify the source IP addresses and, optionally, the ports that the outgoing traffic will use.
Also known as static destination NAT, this type of NAT allows you to expose to the world a server, such as a Web server, that has a private IP address in your private network. You specify a public IP address, and incoming connections destined for that public IP address will be received by your server at its private IP address.
Also known as static source NAT, this type of NAT allows you to specify the public source IP address to be used for specific outgoing traffic. To specify this type of NAT, you must set the configuration level of the portal to Advanced (see Setting the Configuration Level for Enterprise Manager Portal).
Enterprise Manager Portal ensures that the SAE activates a basic firewall service before it activates a NAT service.
To apply NAT rules to traffic on JUNOS routing platforms:
- In the navigation pane of Enterprise Manager Portal, click the access that connects to the router.
- Click the NAT tab.
- See the following sections for information about configuring NAT for incoming and outgoing interfaces on the router.
Configuring Public IP Addresses for Outgoing Traffic
To configure public IP addresses for outgoing traffic:
- Locate the area called Public Addresses for Outgoing Traffic in the NAT page.
- Using the field descriptions below, specify how the router will apply the NAT rule to outgoing traffic.
- Select Enabled.
- Click Create.
Address Range
- Contiguous range of public IP addresses to which the source addresses of clients in the enterprise are translated.
- Value—Public IP addresses
- Guidelines—Select the starting and ending IP addresses in the From and To menus. For one IP address, select the same address in the From and To menus.
- Default—No value
Port Range
- Range of ports that are used as the source ports in outgoing IP packets after the NAT translation.
- Value—Integers in the range 0-65535
- Guidelines—Specify the starting and ending port numbers in the From and To fields. Be sure to use a port range big enough to allow all the private addresses to share the limited set of public addresses. To specify all ports in the range 1024-65535, leave these fields empty.
- Default—No value
Enabled
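A sizing check for the Address Range and Port Range guidelines above, as an added example (not part of the original documentation or of the portal). It assumes that each public address and source port pair carries one translated session at a time, which is a simplification; the function names and the 203.0.113.x sample addresses are constructed for illustration.

```python
import ipaddress

# RFC 1918 private ranges; an Address Range entry must not fall inside them.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DEFAULT_PORTS = (1024, 65535)  # used when the From/To port fields are left empty


def pool_capacity(ip_from, ip_to, port_from=None, port_to=None):
    """Return the number of (public address, source port) pairs in the pool."""
    first, last = ipaddress.ip_address(ip_from), ipaddress.ip_address(ip_to)
    if first > last:
        raise ValueError("Address Range: From is higher than To")
    for addr in (first, last):
        if any(addr in net for net in RFC1918):
            raise ValueError(f"Address Range: {addr} is a private address")
    if port_from is None and port_to is None:
        port_from, port_to = DEFAULT_PORTS
    elif port_from is None or port_to is None:
        raise ValueError("Port Range: fill in both From and To, or neither")
    if not (0 <= port_from <= port_to <= 65535):
        raise ValueError("Port Range: need 0 <= From <= To <= 65535")
    addresses = int(last) - int(first) + 1
    return addresses * (port_to - port_from + 1)


def pool_is_sufficient(capacity, private_hosts, peak_sessions_per_host):
    """Compare pool capacity with the expected peak of simultaneous sessions
    (assumption: one session per address/port pair)."""
    return capacity >= private_hosts * peak_sessions_per_host


if __name__ == "__main__":
    # Constructed example: one public address, ports 5000-5999, 200 private hosts.
    cap = pool_capacity("203.0.113.10", "203.0.113.10", 5000, 5999)
    print(cap, pool_is_sufficient(cap, private_hosts=200, peak_sessions_per_host=10))
```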
Configuring Public IP Addresses for Incoming Traffic
To configure public IP addresses for incoming traffic:
- Locate the area called Public Addresses for Incoming Traffic in the NAT page.
- Using the field descriptions below, specify how the router will apply the NAT rule to incoming traffic.
- Click Create.
Priority
- Numeric value that indicates which NAT rule takes precedence if you specify more than one NAT rule for an IP address.
- Value—Integer in the range specified by the online help for this field
- Guidelines—You must specify a priority for the NAT rule. A lower number indicates a higher priority. Use a unique priority for each NAT rule that relates to the same traffic. If two rules have the same priority, they will be applied to traffic in an unpredictable order.
- Default—No value
- Example—5
Name
Public IP
- Public IP address that the router translates to a private address in the enterprise.
- Value—IP address
- Guidelines—Select the public destination address that is to be translated into a private destination address inside the enterprise.
- Default—No value
Private IP
- Private IP address to which the router translates the public IP address.
- Value—IP address
- Guidelines—Enter the private address of the host you wish to make available outside the enterprise.
- Default—No value
Application
- <application>—An application object that you created (see Classifying Traffic for Stateful Firewall Exceptions and NAT Rules)
- Any—Any application
Enabled
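The Priority and Application guidelines above, as an added pre-check to run over a planned rule list before entering it in the portal (example code, not part of the portal). The rule dictionaries, application names and addresses are constructed; treating rules on the same public IP as relating to the same traffic, and ignoring disabled rules, are assumptions.

```python
from collections import defaultdict

# Constructed sample rules using the fields of the incoming-traffic form.
# "http" and "smtp" stand for hypothetical application objects.
SAMPLE_RULES = [
    {"priority": 5, "name": "web", "public_ip": "203.0.113.10",
     "private_ip": "192.168.1.20", "application": "http", "enabled": True},
    {"priority": 5, "name": "mail", "public_ip": "203.0.113.10",
     "private_ip": "192.168.1.25", "application": "smtp", "enabled": True},
    {"priority": 7, "name": "legacy", "public_ip": "203.0.113.10",
     "private_ip": "192.168.1.30", "application": "Any", "enabled": True},
    {"priority": 5, "name": "old-web", "public_ip": "203.0.113.10",
     "private_ip": "192.168.1.21", "application": "http", "enabled": False},
]


def audit_incoming_rules(rules):
    """Return (rule order per public IP, list of findings to review)."""
    by_ip = defaultdict(list)
    findings = []
    for rule in rules:
        if rule.get("priority") is None:
            findings.append(f"{rule['name']}: priority is required")
            continue
        if rule["enabled"]:  # assumption: disabled rules do not compete
            by_ip[rule["public_ip"]].append(rule)
    order = {}
    for ip, group in by_ip.items():
        group.sort(key=lambda r: r["priority"])  # lower number = higher priority
        order[ip] = [r["name"] for r in group]
        seen = defaultdict(list)
        for r in group:
            seen[r["priority"]].append(r["name"])
            if r["application"] == "Any":
                findings.append(f"{r['name']}: Application is Any, so all "
                                f"traffic to {ip} is translated to {r['private_ip']}")
        for prio, names in seen.items():
            if len(names) > 1:
                findings.append(f"{ip}: priority {prio} shared by "
                                f"{', '.join(names)}; order is unpredictable")
    return order, findings


if __name__ == "__main__":
    for line in audit_incoming_rules(SAMPLE_RULES)[1]:
        print(line)
```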
Configuring Fixed Public Addresses for Outgoing Traffic
To configure fixed public IP addresses for outgoing traffic:
- Set the portal configuration level to Advanced (see Setting the Configuration Level for Enterprise Manager Portal).
- Locate the area called Fixed Public Addresses for Outgoing Traffic in the NAT page (see Figure 43).
- Click Create.
Modifying NAT Rules
Deleting NAT Rules
To delete a public IP address for outgoing traffic, click delete for the address range in the Public Addresses for Outgoing Traffic table.