Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Announcement: Try the Ask AI chatbot for answers to your technical questions about Juniper products and solutions.

Juniper Security Director® is the next generation on-premises security management product for SRX Series Firewalls and vSRX. For more details, visit Juniper Security Director documentation page or contact your sales team.

close
header-navigation

Solutions

Featured solutions AI Campus and branch Data center WAN Security Service provider Cloud operator Industries
Campus and Branch

Welcome to the NOW Way to Wi-Fi

Take your networking performance to new heights with a modern, cloud-native, AI-Native architecture. Only Juniper can help you unleash the full potential of Wi-Fi 7 with our AI-Native platform for innovation.
Prepare for liftoff
Business intelligence analyst dashboard on virtual screen. Big data Graphs Charts.

AI Data Center Networking

Juniper’s AI data center solution is a quick way to deploy high performing AI training and inference networks that are the most flexible to design and easiest to manage with limited IT resources.
Find out more
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Zero trust security

Ops4AI Lab

Visit our lab in Sunnyvale, CA and see our AI data center solution for yourself. You can try out your own model’s functionality and performance, too.
Visit the lab
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Higher Education

Shaping Student Experiences: The NOW Way to Build Higher Education Networks

Juniper Networks CIO Sharon Mandell and a virtual summit of C-level IT leaders from prestigious institutions discuss ongoing efforts to support digital transformation on campus.
Watch now
Hand on tablet with healthcare overlay of graphics

Security in healthcare

In this IDC Spotlight report, discover how AI networking can automate and strengthen a healthcare ecosystem to defeat criminals and prevent loss. 
Gain insights into ecosystem security
Retail

The Future of In-Store Technologies

Retail experts Kevin McCartan, Senior IT Service Delivery Engineer at Musgrave; Jack Stratten of Insider Trends; and Christian Gilby, Senior Director of Product Marketing at Juniper Networks, discuss customer experiences.
See the future

Products

Wireless access Wired access SD-WAN / SASE Routing and switching Security Mist AI™ Management software Network operating system Blueprint for AI-Native Acceleration Optics
  • Operations
ACX7020 router

Juniper ACX7020 Cloud Metro Access Router

Legacy networks simply cannot meet the demands of today’s rapidly evolving metro landscape. Unlock a new generation of highly scalable architectures and automated operations with the Juniper ACX7020. 
Learn more
EX4000 Ethernet Switch

Next-gen AI-Native EX4000 line of switches

Lack of AI innovation from your current networking vendor slowing you down? Embrace Juniper’s cloud-native, AI-Native access switches that support every level and layer, across nearly every deployment.
Discover how
The Q and AI text with an image of Bob Friday and Kedar Dhuru.

The Q&AI Podcast

Delivering practical solutions and enriching discussions, this podcast series is a vital resource for those seeking an in-depth exploration of AI's transformative potential.
Catch the latest episode

Services

Services
Services AI Care

Juniper AI Care Services Revolutionize Your Service Experience

Our industry-first AI-Native services couple AIOps with our deep expertise across the full network life cycle. You can move from reactive response to proactive insight and action.
Explore AI Care Services
Services AI Data Center

Juniper AI Data Center Deployment Services Optimize Your AI Model Runs

We use our expertise and validated designs to help design, deploy, validate and tune networks, including GPUs and storage, to get the most from your AI infrastructure operation.
Learn about AI Data Center Deployment Services

Partners

Partners

Support and Documentation

Support and Documentation

Learn

About Juniper Training Events The Feed Resources Technology learning topics Thought leadership and insights
Audience raising hands up while businessman is speaking in training at the office.

Juniper certification and training news

See the latest
Ringing of the bell

All global events

See the latest
AI-native-now

AI-Native NOW event series

Explore events
AINN AI Innovation Impact Virtual Event

AI-Native NOW: AI Innovation and Impact

Register NOW
Juniper's Christina Hendrix at the head of a conference table. With the text "The NOW Way to Network" overlayed, with "NOW" emphasizing the "O" in green color.

The NOW Way to Network

Watch the video series
AI Native Now

Executive insights

Dive deep with leading experts and thought leaders on all the topics that matter most to your business, from AI to network security to driving rapid, relevant transformation for your business.
Learn more
A keynote speaker giving a presentation at a conference. There are dozens of people sitting around them. The presentation is displayed via projector on all the walls in the room.

Leadership voices

Juniper Networks’ leaders operate on the front lines of creating the network of the future. Take a look around to see what’s on their minds.
Watch now
Bob Friday and Jessica Garrison speaking

Bob Friday Talks

Join Bob as he ventures into all the knowns -- and -- unknowns -- of AI.
Catch the latest episode
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Home Documentation Junos Space Security Director Junos Space Security Director User Guide Configure NAT Policy-Policies

Junos Space Security Director User Guide

keyboard_arrow_up
close
keyboard_arrow_left
Junos Space Security Director User Guide
Table of Contents Expand all
list Table of Contents
file_download PDF
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
English
keyboard_arrow_right

Creating NAT Rules

date_range 10-Jul-23
arrow_backward
arrow_forward

Before You Begin

NAT processing centers on the evaluation of NAT rule sets and rules. A rule set determines the overall direction of the traffic to be processed. Once a rule set that matches the traffic has been found, each rule in the rule set is evaluated in order for a match. NAT rules can match on the following packet information:

  • Source and destination address

  • Source port (for source and static NAT only)

  • Destination port

The first rule in the rule set that matches the traffic is used. If a packet matches a rule in a rule set during session establishment, traffic is processed according to the action specified by that rule.

When you create a new NAT policy, click on the NAT policy name to configure the rules. You can configure the following types of NAT rules:

  • Source

  • Static

  • Destination

Depending on the type of rule you have chosen, some fields in the rule will not be applicable. In addition to defining rules between zones and interfaces, you can define NAT rules with virtual routers defined on the device. These rules can be successfully published and updated on the device.

To configure a NAT rule:

  1. Select Configure > NAT Policies > Policies.
  2. Click the NAT policy name.

    The Rules page appears.

  3. Add a rule by clicking Create. Select the type of rule you want to add (source, static, or destination).
  4. Complete the configuration according to the guidelines provided in Table 1.
  5. Click Save.

A new NAT rule is configured for a NAT policy.

Table 1: NAT Rules Settings

Setting

Guideline

Seq.

Displays the sequence number assigned to the NAT rule.

Name

Select the name of the NAT policy that you want to add a rule to.

NAT Type

Select the type of NAT rule:

  • Source

  • Static

  • Destination

Source Ingress

Click the Source Ingress field to configure the ingress type.

  • Ingress Type—Select an ingress type: zone, interface, or routing instance.

  • From the appropriate selector, select the zones, interfaces, or routing instance that you want to associate the rule to, from the Available column.

    For the Routing Instance option, you can select one or more of the available virtual routers on the device. For the group NAT policy, you will see a consolidated list of all virtual routers on all devices that the policy is assigned to.

  • Click OK.

Source Address

Click the Source Address field to assign the source address for the policy, from the Available list.

Starting in Security Director Release 21.3R1 hot patch v3, while creating NAT rules for a group policy, you can select a polymorphic address as source address.

Source Port

Click the Source Port field to configure the source port for the policy.

  • Enter a maximum of eight ports and port ranges separated by commas.

  • Select the required port set from the Available list.

    Create a source port inline by clicking Add New Source Port.

Protocol

Select the protocol from the Available list to permit or deny traffic.

Destination Egress

Click the Destination Egress field to configure the egress type.

  • Select an egress type: zone, interface, or routing instance.

  • From the appropriate selector, select the zones, interfaces, or routing instance that you want to associate the rule to, from the Available column.

  • Click OK.

Destination Address

Click the Destination Address field to assign the destination address for the policy, from the Available list. Create a destination address inline by clicking Add New Destination Address.

Starting in Security Director Release 21.3R1 hot patch v3, while creating NAT rules for a group policy, you can select a polymorphic address as the destination address.

Note:

Polymorphic addresses are not supported in static NAT destination addresses.

Destination Port

Click the Destination Port field to configure the destination port for the policy.

  • Enter a maximum of eight ports and port ranges separated by commas. Devices running Junos OS Release 12.1X47 and later support multiple ports and ranges, in the same way as Source ports.

  • Select the required port set from the Available list.

    Create a destination port inline by clicking Add New Source Port.

Service

Select the service to permit or deny for the source and destination type NAT rules. This is supported for devices running Junos OS Release 12.1X47.

Select one of the following options:

  • Include Any Service

  • Include Specific

Translated Packet Source

Click Translated Packet Source.

Select the appropriate source address. This option is available only for the source NAT rule.

You can select the translation type as None, Interface, or Pool.

  • None—No translation is required.

  • Interface—Enable interface NAT with or without port overloading.

  • Pool- IP addresses are used from the NAT pool.

If you select Pool, then select the source NAT pool from where the IP addresses are used for translation.

If you enable proxy ARP, the switch captures and routes traffic to the intended destination.

Enable the Persistent check box to ensure that all requests from the same internal transport address are mapped to the same reflexive transport address.

Configure the Persistent NAT type:

  • Permit any remote host—All requests from a specific internal IP address and port are mapped to the same reflexive transport address. (The reflexive transport address is the public IP address and port created by the NAT device closest to the STUN server.) Any external host can send a packet to the internal host by sending the packet to the reflexive transport address.

  • Permit target host—All requests from a specific internal IP address and port are mapped to the same reflexive transport address. An external host can send a packet to an internal host by sending the packet to the reflexive transport address. The internal host must have previously sent a packet to the external host’s IP address.

  • Permit target host port—All requests from a specific internal IP address and port are mapped to the same reflexive transport address. An external host can send a packet to an internal host by sending the packet to the reflexive transport address. The internal host must have previously sent a packet to the external host’s IP address and port.

Select Inactivity timeout. It is the amount of time, in seconds, that the persistent NAT binding remains in the Juniper Networks device’s memory when all the sessions of the binding entry are gone. When the configured timeout is reached, the binding is removed from memory. The range is 60 through 7200 seconds.

Select the Maximum session number. It is the maximum number of sessions with which a persistent NAT binding can be associated. For example, if the max-session-number of the persistent NAT rule is 65,536, then a 65,537th session cannot be established if that session uses the persistent NAT binding created from the persistent NAT rule. The range is 8 through 65,536. The default is 30 sessions.

Enable address mapping to allow requests from a specific internal IP address to be mapped to the same reflexive IP address.

Translated Packet Destination

Click Translated Packet Destination.

Select the appropriate destination address. This option is available only for the destination NAT rule.

You can select the translation type as None or Pool.

  • None—No translation is required.

  • Pool- IP addresses are used from the NAT pool.

If you select Pool, then select the destination pool from where the IP addresses are used for translation.

Description

Enter a description for the NAT rule; maximum length is 4096 characters.

Related Documentation

arrow_backward PREVIOUS NAT Policy Rules Main Page Field
NEXT arrow_forward Updating Policies on Devices
footer-navigation

© 1999 - 2025 Juniper Networks, Inc. All rights reserved.

Scroll to top