
Understanding NAT


When a policy configuration applies Network Address Translation (NAT), the J-series Services Router, acting as a Layer 3 router, translates two fields of each outgoing IP packet destined for the external zone: the source IP address in the IP header and the source port number in the TCP or UDP header. The router replaces the source IP address of the originating host with the IP address of the external zone interface, and replaces the source port number with a new port number that the router selects, recording the mapping in its session table. See Figure 58.

Figure 58: NAT Topology

Image NAT_concept_3.gif

When the reply packet arrives at the device, the device looks up the session it created for the outbound packet and translates the two corresponding fields of the incoming packet, the destination IP address and the destination port number, back to the original internal address and port. The device then forwards the packet to the internal host. Because a translation entry exists only for sessions initiated from the inside, an unsolicited inbound packet has no entry to translate against.

The addresses of hosts sending traffic through the interface in an internal zone (where NAT is configured) are never exposed to hosts in the external zone, unless the two zones are in the same virtual routing domain and the device is advertising routes to peers through a Dynamic Routing Protocol (DRP). Even then, the internal zone addresses are only reachable if you have a policy permitting inbound traffic to them. (If you want to keep the internal zone addresses hidden while using a DRP, then put the external zone in the external-vr and the internal zone in the internal-vr, and do not export routes for internal addresses in the internal-vr to the external-vr.)

NAT also conserves public IP addresses. In many environments, public IP addresses are not available for every device on the network. NAT allows many hosts with private IP addresses to reach Internet resources through one or a few public IP addresses. The following IP address ranges (defined in RFC 1918) are reserved for private IP networks and must not be routed on the Internet:

10.0.0.0 through 10.255.255.255 (10.0.0.0/8)
172.16.0.0 through 172.31.255.255 (172.16.0.0/12)
192.168.0.0 through 192.168.255.255 (192.168.0.0/16)

NAT can involve either destination IP address translation or source IP address translation, or both, with or without port address translation.
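The following is an added illustration of the source NAT with port translation described above (the outbound rewrite, the reverse translation of the reply, and the fact that an inbound packet with no session entry cannot reach an internal host), together with the private-address check that motivates it. It is example code written for this page, not Junos code and not the router's actual session table. The class and packet names are hypothetical; the addresses are constructed from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24, and the external interface address 203.0.113.5 is an assumption.

```python
import ipaddress
import random
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# RFC 1918 private ranges: these must never appear as a source address on
# the Internet, which is why the router rewrites them on the way out.
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


@dataclass(frozen=True)
class Packet:
    """Hypothetical packet: the five fields source NAT cares about."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class SourceNat:
    """Many-to-one source NAT with port translation (hypothetical simulation).

    Every outbound flow gets a router-chosen external port; the reverse
    mapping is what lets the reply be translated back. Only flows that
    started on the inside have an entry, so unsolicited inbound traffic
    finds nothing to map to and is dropped.
    """

    def __init__(self, external_ip: str, port_range=(1024, 65535), seed=None):
        self.external_ip = external_ip
        self.lo, self.hi = port_range
        self.rng = random.Random(seed)  # seed only for reproducible demos
        # (proto, src_ip, src_port, dst_ip, dst_port) -> external port
        self.outbound: Dict[Tuple[str, str, int, str, int], int] = {}
        # (proto, external port, remote ip, remote port) -> (src_ip, src_port)
        self.inbound: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}

    def _alloc_port(self, proto: str, dst_ip: str, dst_port: int) -> int:
        """Pick a random external port not already used toward this peer."""
        for _ in range(1000):
            p = self.rng.randint(self.lo, self.hi)
            if (proto, p, dst_ip, dst_port) not in self.inbound:
                return p
        raise RuntimeError("NAT port pool exhausted")

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite source IP/port of a packet leaving toward the external zone."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        ext_port = self.outbound.get(key)
        if ext_port is None:  # first packet of the session: create the mapping
            ext_port = self._alloc_port(pkt.proto, pkt.dst_ip, pkt.dst_port)
            self.outbound[key] = ext_port
            self.inbound[(pkt.proto, ext_port, pkt.dst_ip, pkt.dst_port)] = (
                pkt.src_ip, pkt.src_port)
        return Packet(self.external_ip, ext_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite destination IP/port of a reply; None means no session, drop."""
        if pkt.dst_ip != self.external_ip:
            return None
        mapping = self.inbound.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if mapping is None:
            return None  # unsolicited: the internal host is never exposed
        orig_ip, orig_port = mapping
        return Packet(pkt.src_ip, pkt.src_port, orig_ip, orig_port, pkt.proto)


if __name__ == "__main__":
    nat = SourceNat("203.0.113.5", seed=7)
    out = nat.translate_outbound(Packet("192.168.1.10", 40000, "198.51.100.20", 443))
    print("outbound after NAT:", out)
    reply = Packet("198.51.100.20", 443, "203.0.113.5", out.src_port)
    print("reply after reverse NAT:", nat.translate_inbound(reply))
    print("unsolicited inbound:", nat.translate_inbound(
        Packet("192.0.2.99", 5555, "203.0.113.5", 80)))
```

The mapping is keyed on the full five-tuple, so two internal hosts that happen to use the same source port toward the same server receive different external ports and their replies are demultiplexed correctly; a real router additionally ages entries out, which this simulation omits.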

This topic covers:

