Example: Configuring Persistent NAT with Source NAT Address Pool (CLI)

You can configure any of the persistent NAT types with source NAT rules. The example in this section shows how to configure persistent NAT when source NAT is performed with a user-defined address pool.

The following example configures the target host persistent NAT type when source NAT is performed. In this configuration, the source NAT address pool sp1 consists of the single address 30.1.1.5/32. The source NAT rule set srs1 matches traffic from the internal zone to the external zone with source addresses in 40.1.1.0/24 and destination addresses in 20.20.20.0/24, translates the source address using pool sp1, and enables target host persistent NAT with an inactivity timeout of 180 seconds.

To configure the source NAT address pool:

user@host# set security nat source pool sp1 address 30.1.1.5/32

To configure the source NAT rule set:

user@host# set security nat source rule-set srs1 from zone internal
user@host# set security nat source rule-set srs1 to zone external
user@host# set security nat source rule-set srs1 rule sr1 match source-address 40.1.1.0/24
user@host# set security nat source rule-set srs1 rule sr1 match destination-address 20.20.20.0/24
user@host# set security nat source rule-set srs1 rule sr1 then source-nat pool sp1
user@host# set security nat source rule-set srs1 rule sr1 then source-nat pool sp1 persistent-nat permit target-host
user@host# set security nat source rule-set srs1 rule sr1 then source-nat pool sp1 persistent-nat inactivity-timeout 180

For the target host persistent NAT type, configure a security policy to allow persistent NAT traffic from the internal network (internal zone) to the external network (external zone).

To configure a security policy to allow STUN traffic from internal SIP phones to an external STUN server:

user@host# set security policies from-zone internal to-zone external policy stun_traffic match source-address internal_phones destination-address stun_server application junos-stun
user@host# set security policies from-zone internal to-zone external policy stun_traffic then permit

To configure a security policy to allow SIP proxy traffic from internal SIP phones to an external SIP proxy server:

user@host# set security policies from-zone internal to-zone external policy sip_proxy_traffic match source-address internal_phones destination-address sip_proxy_server application junos-sip
user@host# set security policies from-zone internal to-zone external policy sip_proxy_traffic then permit

To configure a security policy to allow SIP traffic from internal to external SIP phones:

user@host# set security policies from-zone internal to-zone external policy sip_traffic match source-address internal_phones destination-address external_phones application junos-persistent-nat
user@host# set security policies from-zone internal to-zone external policy sip_traffic then permit
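The persistent NAT rule only takes effect when the referenced pool exists and a security policy actually permits traffic between the rule set's from and to zones, and a mistyped policy name silently creates a second policy with no match clause. The following script is an added example, not Juniper code or part of this page, that reads a configuration in set-command form and reports those three classes of inconsistency. The parser understands only the statements used on this page; the sample configuration is constructed from the commands above, with a deliberate policy-name mismatch (sip_proxy_traffic versus stun_proxy_traffic) so that the check has something to find.

```python
"""Consistency checks for a Junos source NAT / persistent NAT configuration
expressed as 'set ...' commands. Added example; not Juniper's code. It only
recognises the statements used in the persistent NAT example above."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the commands from the example, with a deliberate
# policy-name typo (stun_proxy_traffic) so the audit has a finding to report.
SAMPLE_CONFIG = """
set security nat source pool sp1 address 30.1.1.5/32
set security nat source rule-set srs1 from zone internal
set security nat source rule-set srs1 to zone external
set security nat source rule-set srs1 rule sr1 match source-address 40.1.1.0/24
set security nat source rule-set srs1 rule sr1 match destination-address 20.20.20.0/24
set security nat source rule-set srs1 rule sr1 then source-nat pool sp1
set security nat source rule-set srs1 rule sr1 then source-nat pool sp1 persistent-nat permit target-host
set security nat source rule-set srs1 rule sr1 then source-nat pool sp1 persistent-nat inactivity-timeout 180
set security policies from-zone internal to-zone external policy stun_traffic match source-address internal_phones destination-address stun_server application junos-stun
set security policies from-zone internal to-zone external policy stun_traffic then permit
set security policies from-zone internal to-zone external policy sip_proxy_traffic match source-address internal_phones destination-address sip_proxy_server application junos-sip
set security policies from-zone internal to-zone external policy stun_proxy_traffic then permit
"""

POOL_RE = re.compile(r"^set security nat source pool (\S+) address (\S+)$")
RS_ZONE_RE = re.compile(r"^set security nat source rule-set (\S+) (from|to) zone (\S+)$")
RULE_RE = re.compile(
    r"^set security nat source rule-set (\S+) rule (\S+) then source-nat pool (\S+)"
    r"(?: persistent-nat (.+))?$"
)
POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (match|then) (.+)$"
)


@dataclass
class RuleSet:
    from_zone: Optional[str] = None
    to_zone: Optional[str] = None
    rules: dict = field(default_factory=dict)  # rule name -> {"pool": str, "persistent": bool}


@dataclass
class Config:
    pools: dict = field(default_factory=dict)      # pool name -> address
    rule_sets: dict = field(default_factory=dict)  # rule-set name -> RuleSet
    policies: dict = field(default_factory=dict)   # (from, to, name) -> {"match": bool, "permit": bool}


def parse(text: str) -> Config:
    """Build a Config from set commands; unknown statements are ignored."""
    cfg = Config()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := POOL_RE.match(line):
            cfg.pools[m[1]] = m[2]
        elif m := RS_ZONE_RE.match(line):
            rs = cfg.rule_sets.setdefault(m[1], RuleSet())
            if m[2] == "from":
                rs.from_zone = m[3]
            else:
                rs.to_zone = m[3]
        elif m := RULE_RE.match(line):
            rs = cfg.rule_sets.setdefault(m[1], RuleSet())
            rule = rs.rules.setdefault(m[2], {"pool": m[3], "persistent": False})
            if m[4] is not None:  # any 'persistent-nat ...' statement enables it
                rule["persistent"] = True
        elif m := POLICY_RE.match(line):
            pol = cfg.policies.setdefault((m[1], m[2], m[3]), {"match": False, "permit": False})
            if m[4] == "match":
                pol["match"] = True
            elif m[5].strip() == "permit":
                pol["permit"] = True
    return cfg


def check(cfg: Config) -> list:
    """Return human-readable findings; an empty list means the config is consistent."""
    findings = []
    for rs_name, rs in cfg.rule_sets.items():
        for rule_name, rule in rs.rules.items():
            if rule["pool"] not in cfg.pools:
                findings.append(f"rule-set {rs_name} rule {rule_name}: pool {rule['pool']} is not defined")
            if rule["persistent"]:
                # Persistent NAT needs a permit policy between the rule set's zones.
                allowed = any(
                    f == rs.from_zone and t == rs.to_zone and p["match"] and p["permit"]
                    for (f, t, _), p in cfg.policies.items()
                )
                if not allowed:
                    findings.append(
                        f"rule-set {rs_name} rule {rule_name}: persistent NAT configured but no "
                        f"permit policy from zone {rs.from_zone} to zone {rs.to_zone}"
                    )
    for (f, t, name), p in cfg.policies.items():
        if p["match"] and not p["permit"]:
            findings.append(f"policy {name} ({f} -> {t}): has a match clause but no 'then permit'")
        if p["permit"] and not p["match"]:
            findings.append(f"policy {name} ({f} -> {t}): 'then permit' without a match clause (name typo?)")
    return findings


def audit(text: str) -> list:
    return check(parse(text))


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Running it against the constructed sample reports that sip_proxy_traffic has a match clause with no action and that stun_proxy_traffic permits without a match clause; renaming the second policy to sip_proxy_traffic clears both findings. The same check can be fed the output of `show configuration | display set` after the commit to confirm the policies that persistent NAT depends on are really in place.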
