Persistent NAT Configuration Overview
To configure persistent NAT, specify the following with the source NAT rule action (for either a source NAT pool or an egress interface):
- The type of persistent NAT—One of the following: any remote host, target host, or target host port (see Understanding Persistent NAT).
- (Optional) Address mapping—This option allows requests from a specific internal IP address to be mapped to the same reflexive IP address; internal and reflexive ports can be any ports. An external host using any port can send a packet to the internal host by sending the packet to the reflexive IP address (with a configured incoming policy that allows external to internal traffic). If this option is not configured, the persistent NAT binding is for specific internal and reflexive transport addresses.
  You can only specify the address-mapping option when the persistent NAT type is any remote host and the source NAT rule action is one of the following:
  - Source NAT pool with IP address shifting
  - Source NAT pool with no port translation and no overflow pool
- (Optional) Inactivity timeout—Time, in seconds, that the persistent NAT binding remains in the device’s memory when all the sessions of the binding entry are gone. When the configured timeout is reached, the binding is removed from memory. The default value is 5 minutes. Configure a value from 60 through 7200 seconds.
  When all sessions of a persistent NAT binding are gone, the binding remains in a query state in the SRX Series device’s memory for the specified inactivity timeout period. The query binding is automatically removed from memory when the inactivity timeout period expires (the default is 5 minutes). You can explicitly remove all or specific persistent NAT query bindings with the clear security nat source persistent-nat-table command.
- (Optional) Maximum session number—Maximum number of sessions with which a persistent NAT binding can be associated. The default is 30 sessions. Configure a value from 8 through 100.
For interface NAT, you need to explicitly disable port overloading with the port-overloading off option at the [edit security nat source] hierarchy level.
Finally, there are two predefined services that you can use in security policies to permit or deny STUN and persistent NAT traffic:
- junos-stun—STUN protocol traffic
- junos-persistent-nat—Persistent NAT traffic
For the any remote host persistent NAT type, the direction of the security policy is from external to internal. For target host or target host port persistent NAT types, the direction of the security policy is from internal to external.
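The following set-format configuration is an added example, not taken from the Juniper documentation, that puts the options above together: a source NAT pool with no port translation (so address-mapping is permitted), a rule enabling any-remote-host persistent NAT with the optional settings, and security policies in the directions described. Zone names (trust, untrust), addresses, and the pool, rule-set, rule and policy names are assumed values.

```junos
# Source NAT pool with no port translation and no overflow pool, so that
# address-mapping may be used on the rule below (addresses are constructed).
set security nat source pool pnat-pool address 203.0.113.10/32 to 203.0.113.20/32
set security nat source pool pnat-pool port no-translation

# Source NAT rule: internal hosts in zone trust are translated toward untrust.
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule pnat-rule match source-address 10.10.10.0/24
set security nat source rule-set trust-to-untrust rule pnat-rule then source-nat pool pnat-pool

# Persistent NAT options on the rule action:
#   permit any-remote-host : any external host may reach the internal host
#   address-mapping        : one reflexive IP per internal IP, any port (any-remote-host only)
#   inactivity-timeout 600 : keep the query binding 10 minutes after the last session (60..7200)
#   max-session-number 50  : at most 50 sessions per binding (8..100)
set security nat source rule-set trust-to-untrust rule pnat-rule then source-nat pool pnat-pool persistent-nat permit any-remote-host
set security nat source rule-set trust-to-untrust rule pnat-rule then source-nat pool pnat-pool persistent-nat address-mapping
set security nat source rule-set trust-to-untrust rule pnat-rule then source-nat pool pnat-pool persistent-nat inactivity-timeout 600
set security nat source rule-set trust-to-untrust rule pnat-rule then source-nat pool pnat-pool persistent-nat max-session-number 50

# Outbound policy (internal to external): let internal hosts talk to the STUN server.
set security policies from-zone trust to-zone untrust policy allow-stun match source-address any
set security policies from-zone trust to-zone untrust policy allow-stun match destination-address any
set security policies from-zone trust to-zone untrust policy allow-stun match application junos-stun
set security policies from-zone trust to-zone untrust policy allow-stun then permit

# Inbound policy (external to internal), as required for the any-remote-host type.
# Match only the junos-persistent-nat application; "any" for addresses is used here
# only to keep the example short, narrow it to the translated range in practice.
set security policies from-zone untrust to-zone trust policy allow-pnat match source-address any
set security policies from-zone untrust to-zone trust policy allow-pnat match destination-address any
set security policies from-zone untrust to-zone trust policy allow-pnat match application junos-persistent-nat
set security policies from-zone untrust to-zone trust policy allow-pnat then permit

# Operational-mode checks after commit: list the bindings (including those in the
# query state), and clear them explicitly if they should not outlive the timeout.
#   show security nat source persistent-nat-table all
#   clear security nat source persistent-nat-table all
```

For interface NAT instead of a pool, replace the pool reference with "then source-nat interface" and add "set security nat source interface port-overloading off", since persistent NAT requires port overloading to be disabled on interface NAT.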
Related Topics
- JUNOS Software Feature Support Reference for SRX Series and J Series Devices
- Example: Configuring Persistent NAT with Source NAT Address Pool (CLI)
- Example: Configuring Persistent NAT with Interface NAT (CLI)
- Understanding Persistent NAT
- Understanding Session Traversal Utilities for NAT (STUN) Protocol