NAT Overview
Network Address Translation (NAT) is a form of network masquerading in which the devices behind one zone or interface are hidden from the devices on the other side. A trust zone is a segment of the network where security measures are applied; it is usually assigned to the internal LAN. An untrust zone is the Internet. NAT modifies the IP addresses of the packets moving between the trust and untrust zones.
Whenever a packet arrives at the NAT device, the device translates the packet's IP address by rewriting it with an IP address designated for external use. After translation, the packet appears to have originated from the gateway rather than from the original device inside the network. This hides internal IP addresses from other networks and helps keep your network secure.
Using NAT also lets you use more internal IP addresses. Because these addresses are hidden, there is no risk of conflict with an IP address in a different network, which helps you conserve IP addresses.
Junos Space Security Director supports three types of NAT:
Source NAT--Translates the source IP address of a packet leaving the trust zone (outbound traffic). It translates the traffic originating from the device in the trust zone. Using source NAT, an internal device can access the network by using the IP addresses specified in the NAT policy. The following use cases are supported with IPv6 NAT:
Translation from one IPv6 subnet to another IPv6 subnet without Port Address Translation (PAT)
Translation from IPv4 addresses to IPv6 prefixes along with IPv4 address translation
Translation from IPv6 host(s) to IPv6 host(s) with or without PAT
Translation from IPv6 host(s) to IPv4 host(s) with or without PAT
Translation from IPv4 host(s) to IPv6 host(s) with or without PAT
Destination NAT--Translates the destination IP address of a packet entering the trust zone (inbound traffic). It translates the traffic originating from a device outside the trust zone. Using destination NAT, an external device can send packets to a hidden internal device. The following use cases are supported with IPv6 NAT:
Mapping of one IPv6 subnet to another IPv6 subnet
Mapping between one IPv6 host and another IPv6 host
Mapping of one IPv6 host (and optional port number) to another special IPv6 host (and optional port number)
Mapping of one IPv6 host (and optional port number) to another special IPv4 host (and optional port number)
Mapping of one IPv4 host (and optional port number) to another special IPv6 host (and optional port number)
Static NAT--Always translates a private IP address to the same public IP address. It translates traffic in both directions (both source and destination). For example, a web server with a private IP address can access the Internet using a static, one-to-one address translation. The following use cases are supported with IPv6 NAT:
Mapping of one IPv6 subnet to another IPv6 subnet
Mapping between one IPv6 host and another IPv6 host
Mapping between IPv4 address a.b.c.d and IPv6 address Prefix::a.b.c.d
Mapping between IPv4 host(s) and IPv6 host(s)
Mapping between IPv6 host(s) and IPv4 host(s)
Table 1 shows the persistent NAT support for different source NAT and destination NAT addresses.
| Source NAT Address | Translated Address | Destination NAT Address | Persistent NAT |
|---|---|---|---|
| IPv4 | IPv6 | IPv4 | No |
| IPv4 | IPv6 | IPv6 | No |
| IPv6 | IPv4 | IPv4 | Yes |
| IPv6 | IPv6 | IPv6 | No |
Table 2 and Table 3 show the translated address pool selection for source NAT, destination NAT, and static NAT addresses.
Table 2: Source NAT address pool selection

| Source NAT Address | Destination Address | Pool Address |
|---|---|---|
| IPv4 | IPv4 | IPv4 |
| IPv4 | IPv6 (subnet must be greater than 96) | IPv6 |
| IPv6 | IPv4 | IPv4 |
| IPv6 | IPv6 | IPv6 |

Table 3: Destination NAT and static NAT address pool selection

| Source NAT Address | Destination Address | Pool Address |
|---|---|---|
| IPv4 | IPv4 | IPv4 or IPv6 |
| IPv4 | IPv6 (subnet must be greater than 96) | IPv4 or IPv6 |
| IPv6 | IPv4 | IPv4 |
| IPv6 | IPv6 | IPv4 or IPv6 |
For source NAT, the proxy NDP is available for NAT pool addresses. For destination NAT and static NAT, the proxy NDP is available for destination NAT addresses.
A NAT pool can have a single IPv6 subnet or multiple IPv6 hosts.
You cannot configure the overflow pool if the address type is IPv6.
NAT pools permit address entries of only one version type: IPv4 or IPv6.
Junos Space Security Director provides you with a workflow where you can create and apply NAT policies on devices in a network.
Security Director treats each logical system or tenant system like any other security device and takes ownership of its security configuration. In Security Director, each logical system or tenant system is managed as a unique security device.
If the root logical system is discovered, all the user logical systems inside the device are also discovered.
Because an SRX Series logical system does not support interface NAT, Security Director does not allow interface NAT configuration for a logical system either. A logical system cannot participate in group NAT in Security Director. For a device NAT policy, interface-based translation and pools that use an interface as the overflow pool are not supported in logical systems. The configuration is validated when the NAT policy is published, to avoid commit failures on the device.
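As an added example (not Security Director or Juniper code), the following pre-publish checker encodes the constraints this page states: the Table 1 persistent NAT matrix, the Table 2 and Table 3 pool-family selection, the single-family and no-IPv6-overflow pool rules, and the logical-system restrictions. The rule dictionary layout, its field names, and the reading of "subnet must be greater than 96" as a prefix length longer than /96 are assumptions.

```python
from ipaddress import ip_network

# Table 1: (source family, translated family, destination family) -> persistent NAT support.
PERSISTENT_NAT = {(4, 6, 4): False, (4, 6, 6): False, (6, 4, 4): True, (6, 6, 6): False}

# Tables 2 and 3: (source family, destination family) -> address families a NAT pool may use.
POOL_FAMILIES = {
    "source": {(4, 4): {4}, (4, 6): {6}, (6, 4): {4}, (6, 6): {6}},
    "destination": {(4, 4): {4, 6}, (4, 6): {4, 6}, (6, 4): {4}, (6, 6): {4, 6}},
}
POOL_FAMILIES["static"] = POOL_FAMILIES["destination"]  # one table covers both on the page

def family(addr):
    """IP version (4 or 6) of a host address or prefix string."""
    return ip_network(addr, strict=False).version

def persistent_nat_supported(src, translated, dst):
    """Table 1 lookup; None when the table does not list the combination."""
    return PERSISTENT_NAT.get((family(src), family(translated), family(dst)))

def validate_rule(rule, on_logical_system=False):
    """Return the problems that would make this rule fail when the policy is published.
    rule is an assumed dict: nat_type ('source'/'destination'/'static'), source,
    destination, pool (list of addresses or prefixes), optional overflow_pool
    ('interface' or a pool name) and optional translation ('pool' or 'interface')."""
    problems = []
    src, dst = family(rule["source"]), family(rule["destination"])
    # Tables 2 and 3: an IPv6 destination reached from IPv4 needs a prefix longer than /96
    # (this is how "subnet must be greater than 96" is read here).
    if (src, dst) == (4, 6) and ip_network(rule["destination"], strict=False).prefixlen <= 96:
        problems.append("IPv6 destination prefix length must be greater than 96")
    pool_versions = {family(a) for a in rule.get("pool", [])}
    if len(pool_versions) > 1:
        problems.append("a NAT pool may hold only IPv4 or only IPv6 entries")
    allowed = POOL_FAMILIES[rule["nat_type"]].get((src, dst), set())
    if pool_versions and not pool_versions <= allowed:
        problems.append(f"pool family {sorted(pool_versions)} not allowed for "
                        f"IPv{src}->IPv{dst} {rule['nat_type']} NAT")
    if pool_versions == {6} and rule.get("overflow_pool"):
        problems.append("an overflow pool cannot be configured for an IPv6 pool")
    if on_logical_system:
        if rule.get("translation") == "interface":
            problems.append("interface NAT is not supported on a logical system")
        if rule.get("overflow_pool") == "interface":
            problems.append("overflow pool 'interface' is not supported on a logical system")
    return problems

# Constructed sample rule (not from a real device) that trips several checks on a logical system.
SAMPLE_RULE = {"nat_type": "source", "source": "10.0.0.0/24", "destination": "2001:db8::/64",
               "pool": ["2001:db8:1::/64", "198.51.100.0/24"], "overflow_pool": "interface",
               "translation": "interface"}
```

Running `validate_rule(SAMPLE_RULE, on_logical_system=True)` returns five problems; a rule that only violates the logical-system restrictions passes when checked against a full SRX device.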