Example: Configuring Persistent NAT with Interface NAT (CLI)

You can configure any of the persistent NAT types with source NAT rules. The example in this section shows how to configure persistent NAT when interface NAT is used to perform source NAT. For interface NAT, port overloading must be disabled.

The following example configures the any remote host persistent NAT type when interface NAT is performed. The interface NAT rule set int1 configures the following:

You must also disable port overloading for interface NAT.

To configure the interface NAT rule set:

user@host# set security nat source rule-set int1 from interface ge-0/0/1.0
user@host# set security nat source rule-set int1 to interface ge-0/0/2.0
user@host# set security nat source rule-set int1 rule in1 match source-address 40.1.1.0/24
user@host# set security nat source rule-set int1 rule in1 match destination-address 20.20.20.0/24
user@host# set security nat source rule-set int1 rule in1 then source-nat interface persistent-nat permit any-remote-host

To disable port overloading for interface NAT:

user@host# set security nat source interface port-overloading off

For the any remote host persistent NAT type, configure a security policy to allow persistent NAT traffic from the external network (external zone) to the internal network (internal zone).

To configure a security policy to allow STUN traffic from the internal SIP phones to the external STUN server:

user@host# set security policies from-zone internal to-zone external policy stun_traffic match source-address internal_phones destination-address stun_server application junos-stun
user@host# set security policies from-zone internal to-zone external policy stun_traffic then permit

To configure a security policy to allow SIP proxy traffic from the internal SIP phones to the external SIP proxy server:

user@host# set security policies from-zone internal to-zone external policy sip_proxy_traffic match source-address internal_phones destination-address sip_proxy_server application junos-sip
user@host# set security policies from-zone internal to-zone external policy sip_proxy_traffic then permit

To configure a security policy to allow SIP traffic from external SIP phones to internal SIP phones:

user@host# set security policies from-zone external to-zone internal policy sip_traffic match source-address external_phones destination-address internal_phones application junos-persistent-nat
user@host# set security policies from-zone external to-zone internal policy sip_traffic then permit
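
The following offline check is an added example, not part of the original Juniper documentation. It reads set commands as text and flags three conditions this procedure depends on: persistent NAT on interface NAT without port overloading disabled, a policy that has a match statement but no then statement (or the reverse), and the any-remote-host type with no policy permitting junos-persistent-nat. The function name audit, the finding messages and the SAMPLE input are assumptions made for the example.

```python
import re

PROMPT = re.compile(r"^\S+@\S+#\s*")  # strips a leading "user@host# " prompt
POLICY = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) "
                    r"policy (\S+) (match|then)\b(.*)$")
OVERLOAD_OFF = "set security nat source interface port-overloading off"

# Constructed input with two deliberate defects: no port-overloading statement,
# and a policy whose match and then lines use different policy names.
SAMPLE = """
user@host# set security nat source rule-set int1 rule in1 then source-nat interface persistent-nat permit any-remote-host
user@host# set security policies from-zone internal to-zone external policy sip_proxy_traffic match source-address internal_phones destination-address sip_proxy_server application junos-sip
user@host# set security policies from-zone internal to-zone external policy stun_proxy_traffic then permit
user@host# set security policies from-zone external to-zone internal policy sip_traffic match source-address external_phones destination-address internal_phones application junos-persistent-nat
user@host# set security policies from-zone external to-zone internal policy sip_traffic then permit
"""

def audit(config):
    """Return a list of findings for Junos set commands supplied as text."""
    cmds = [PROMPT.sub("", l.strip()) for l in config.splitlines() if l.strip()]
    findings = []
    # 1. Persistent NAT on interface NAT requires port overloading to be off.
    pnat = [c for c in cmds if "then source-nat interface persistent-nat" in c]
    if pnat and OVERLOAD_OFF not in cmds:
        findings.append("persistent-nat on interface NAT but port-overloading is not off")
    # 2. Every policy needs both a match and a then statement.
    policies = {}
    for c in cmds:
        m = POLICY.match(c)
        if m:
            policies.setdefault(m.group(1, 2, 3), {})[m.group(4)] = m.group(5).strip()
    for (src, dst, name), parts in sorted(policies.items()):
        for need in ("match", "then"):
            if need not in parts:
                findings.append(f"policy {name} ({src}->{dst}) has no '{need}' statement")
    # 3. any-remote-host needs a policy that permits junos-persistent-nat.
    if any("permit any-remote-host" in c for c in pnat):
        if not any("application junos-persistent-nat" in p.get("match", "")
                   and p.get("then") == "permit" for p in policies.values()):
            findings.append("any-remote-host set but no policy permits junos-persistent-nat")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The check is textual only: it does not verify that the junos-persistent-nat policy runs from the external zone to the internal zone, so review the zone direction by hand.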
