NAT Overview

Junos Space Security Director supports three types of NAT:

• Source NAT--Translates the source IP address of a packet leaving the trust zone (outbound traffic). It translates the traffic originating from the device in the trust zone. Using source NAT, an internal device can access the network by using the IP addresses specified in the NAT policy. The following use cases are supported with IPv6 NAT:

  • Translation from one IPv6 subnet to another IPv6 subnet without Port Address Translation (PAT)

  • Translation from IPv4 addresses to IPv6 prefixes along with IPv4 address translation

  • Translation from IPv6 host(s) to IPv6 host(s) with or without PAT

  • Translation from IPv6 host(s) to IPv4 host(s) with or without PAT

  • Translation from IPv4 host(s) to IPv6 host(s) with or without PAT

• Destination NAT--Translates the destination IP address of a packet entering the trust zone (inbound traffic). It translates the traffic originating from a device outside the trust zone. Using destination NAT, an external device can send packets to a hidden internal device. The following use cases are supported with IPv6 NAT:

  • Mapping of one IPv6 subnet to another IPv6 subnet

  • Mapping between one IPv6 host and another IPv6 host

  • Mapping of one IPv6 host (and optional port number) to another special IPv6 host (and optional port number)

  • Mapping of one IPv6 host (and optional port number) to another special IPv4 host (and optional port number)

  • Mapping of one IPv4 host (and optional port number) to another special IPv6 host (and optional port number)

• Static NAT-- Always translates a private IP address to the same public IP address. It translates traffic from both sides of the network (both source and destination). For example, a webserver with a private IP address can access the Internet using a static, one-to-one address translation. The following use cases are supported with IPv6 NAT:

  • Mapping of one IPv6 subnet to another IPv6 subnet

  • Mapping between one IPv6 host and another IPv6 host

  • Mapping between IPv4 address a.b.c.d and IPv6 address Prefix::a.b.c.d

  • Mapping between IPv4 host(s) and IPv6 host(s)

  • Mapping between IPv6 host(s) and IPv4 host(s)

Table 1 shows the persistent NAT support for different source NAT and destination NAT addresses.

Table 2 and Table 3 show the translated address pool selection for source NAT, destination NAT, and static NAT addresses.

• For source NAT, the proxy NDP is available for NAT pool addresses. For destination NAT and static NAT, the proxy NDP is available for destination NAT addresses.

• A NAT pool can have a single IPv6 subnet or multiple IPv6 hosts.

• You cannot configure the overflow pool if the address type is IPv6.

• NAT pools permit address entries of only one version type: IPv4 or IPv6.

Junos Space Security Director provides you with a workflow where you can create and apply NAT policies on devices in a network.

Security Director views each logical system or tenant system as any other security device and takes ownership of the security configuration of the logical system or tenant system. In Security Director, each logical system or tenant system is managed as a unique security device.

Because an SRX Series logical system device does not support interface NAT, Security Director also does not allow interface NAT configuration of logical system. The logical system cannot participate in group NAT in Security Director. For a device NAT policy, the interface based translation selection and pool with Overflow Pool as interface are not supported in logical systems. The configuration is validated during the publishing of the NAT policy to avoid commit failures in the device.