Understanding Persistent NAT
Persistent NAT allows applications to use the Session Traversal Utilities for NAT (STUN) protocol when passing through NAT firewalls (see Understanding Session Traversal Utilities for NAT (STUN) Protocol). A STUN client learns its reflexive transport address (the public IP address and port allocated by the NAT device closest to the STUN server) and hands that address to its peers, so the address is only useful if the NAT device keeps using it. Persistent NAT ensures that all requests from the same internal transport address (the internal IP address and port) are mapped to the same reflexive transport address for as long as the binding exists, rather than allocating a new translation for every session.
The following types of persistent NAT can be configured on the Juniper Networks device. All three map every request from a specific internal IP address and port to the same reflexive transport address; they differ in which external hosts are then allowed to send packets back to that reflexive transport address:
- Any remote host—Any external host can send a packet to the internal host by sending the packet to the reflexive transport address, whether or not the internal host has ever contacted it. An incoming policy that allows external to internal traffic must be configured.
- Target host—An external host can send a packet to the internal host by sending the packet to the reflexive transport address only if the internal host has previously sent a packet to that external host's IP address (from any port on that external host).
- Target host port—An external host can send a packet to the internal host by sending the packet to the reflexive transport address only if the internal host has previously sent a packet to that external host's IP address and port. This is the most restrictive type.
You configure any of the persistent NAT types with source NAT rules. The source NAT rule action can use a source NAT pool (with or without port translation) or an egress interface. Persistent NAT is not applicable for destination NAT, because persistent NAT bindings are based on outgoing sessions from internal to external.
Note: Port overloading is used in JUNOS Software only for normal interface NAT traffic. Persistent NAT does not support port overloading, and you must explicitly disable port overloading with the port-overloading off option at the [edit security nat source] hierarchy level.
To configure security policies to permit or deny persistent NAT traffic, you can use two new predefined services—junos-stun and junos-persistent-nat.
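The following configuration is an added example, not taken from this page or from the Juniper examples it links to; it assumes a trust zone with internal hosts on 10.1.10.0/24 and 10.1.20.0/24, an untrust zone, and a public pool address of 203.0.113.10 (all assumed, using documentation address ranges), and it ties together the three pieces described above: a source NAT rule with a persistent-nat action, port overloading disabled, and policies that use junos-stun and junos-persistent-nat.

```junos
## Source NAT pool (port translation is on by default for a pool).
## Pool address 203.0.113.10 is an assumed value.
set security nat source pool stun-pool address 203.0.113.10/32

## Persistent NAT does not support port overloading, so turn it off
## for interface NAT before using the interface as a persistent NAT action.
set security nat source interface port-overloading off

## Rule set from the trust zone to the untrust zone.
set security nat source rule-set stun-rs from zone trust
set security nat source rule-set stun-rs to zone untrust

## Rule 1: pool-based source NAT with the least restrictive type, any-remote-host.
## inactivity-timeout and max-session-number are optional tuning values;
## 600 seconds and 50 sessions are assumed here, not recommendations.
set security nat source rule-set stun-rs rule any-host match source-address 10.1.10.0/24
set security nat source rule-set stun-rs rule any-host then source-nat pool stun-pool persistent-nat permit any-remote-host
set security nat source rule-set stun-rs rule any-host then source-nat pool stun-pool persistent-nat inactivity-timeout 600
set security nat source rule-set stun-rs rule any-host then source-nat pool stun-pool persistent-nat max-session-number 50

## Rule 2: interface NAT (egress interface address) with the target-host type,
## so only hosts the internal host has already contacted can reach it.
## Change target-host to target-host-port to also require the same remote port.
set security nat source rule-set stun-rs rule contacted-host match source-address 10.1.20.0/24
set security nat source rule-set stun-rs rule contacted-host then source-nat interface persistent-nat permit target-host

## Outbound policy so the internal hosts can reach the STUN server.
set security policies from-zone trust to-zone untrust policy stun-out match source-address any
set security policies from-zone trust to-zone untrust policy stun-out match destination-address any
set security policies from-zone trust to-zone untrust policy stun-out match application junos-stun
set security policies from-zone trust to-zone untrust policy stun-out then permit

## Inbound policy permitting external hosts to reach the persistent NAT bindings.
## This is the incoming policy the any-remote-host type requires.
set security policies from-zone untrust to-zone trust policy stun-in match source-address any
set security policies from-zone untrust to-zone trust policy stun-in match destination-address any
set security policies from-zone untrust to-zone trust policy stun-in match application junos-persistent-nat
set security policies from-zone untrust to-zone trust policy stun-in then permit
```

After the configuration is committed and an internal host has sent traffic through the rule, the bindings can be inspected with the operational command `show security nat source persistent-nat-table all`, which lists each internal transport address, its reflexive transport address, the persistent NAT type, and the remaining inactivity timeout. The inbound policy matches junos-persistent-nat rather than `any`, so that the hole opened for STUN-style applications is limited to traffic destined for persistent NAT bindings instead of exposing every translated port behind the pool.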
Note: Persistent NAT is different from the persistent address feature (see Example: Configuring a Persistent Address (CLI)). The persistent address feature applies to address mappings for source NAT pools configured on the device. The persistent NAT feature applies to address mappings on an external NAT device, and is configured for a specific source NAT pool or egress interface. Also, persistent NAT is intended for use with STUN client/server applications.
Related Topics
- JUNOS Software Feature Support Reference for SRX Series and J Series Devices
- Understanding Session Traversal Utilities for NAT (STUN) Protocol
- Persistent NAT Configuration Overview
- Understanding Source NAT
- Example: Configuring Persistent NAT with Source NAT Address Pool (CLI)
- Example: Configuring Persistent NAT with Interface NAT (CLI)