Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Creating NAT Rules

Before You Begin

NAT processing centers on the evaluation of NAT rule sets and rules. A rule set determines the overall direction of the traffic to be processed. Once a rule set that matches the traffic has been found, each rule in the rule set is evaluated in order for a match. NAT rules can match on the following packet information:

  • Source and destination address

  • Source port (for source and static NAT only)

  • Destination port

The first rule in the rule set that matches the traffic is used. If a packet matches a rule in a rule set during session establishment, traffic is processed according to the action specified by that rule.

When you create a new NAT policy, click on the NAT policy name to configure the rules. You can configure the following types of NAT rules:

  • Source

  • Static

  • Destination

Depending on the type of rule you have chosen, some fields in the rule will not be applicable. In addition to defining rules between zones and interfaces, you can define NAT rules with virtual routers defined on the device. These rules can be successfully published and updated on the device.

To configure a NAT rule:

  1. Select Configure > NAT Policies > Policies.
  2. Click the NAT policy name.

    The Rules page appears.

  3. Add a rule by clicking Create. Select the type of rule you want to add (source, static, or destination).
  4. Complete the configuration according to the guidelines provided in Table 1.
  5. Click Save.

A new NAT rule is configured for a NAT policy.

Table 1: NAT Rules Settings

Setting

Guideline

Seq.

Displays the sequence number assigned to the NAT rule.

Name

Select the name of the NAT policy that you want to add a rule to.

NAT Type

Select the type of NAT rule:

  • Source

  • Static

  • Destination

Source Ingress

Click the Source Ingress field to configure the ingress type.

  • Ingress Type—Select an ingress type: zone, interface, or routing instance.

  • From the appropriate selector, select the zones, interfaces, or routing instance that you want to associate the rule to, from the Available column.

    For the Routing Instance option, you can select one or more of the available virtual routers on the device. For the group NAT policy, you will see a consolidated list of all virtual routers on all devices that the policy is assigned to.

  • Click OK.

Source Address

Click the Source Address field to assign the source address for the policy, from the Available list.

Starting in Security Director Release 21.3R1 hot patch v3, while creating NAT rules for a group policy, you can select a polymorphic address as source address.

Source Port

Click the Source Port field to configure the source port for the policy.

  • Enter a maximum of eight ports and port ranges separated by commas.

  • Select the required port set from the Available list.

    Create a source port inline by clicking Add New Source Port.

Protocol

Select the protocol from the Available list to permit or deny traffic.

Destination Egress

Click the Destination Egress field to configure the egress type.

  • Select an egress type: zone, interface, or routing instance.

  • From the appropriate selector, select the zones, interfaces, or routing instance that you want to associate the rule to, from the Available column.

  • Click OK.

Destination Address

Click the Destination Address field to assign the destination address for the policy, from the Available list. Create a destination address inline by clicking Add New Destination Address.

Starting in Security Director Release 21.3R1 hot patch v3, while creating NAT rules for a group policy, you can select a polymorphic address as the destination address.

Note:

Polymorphic addresses are not supported in static NAT destination addresses.

Destination Port

Click the Destination Port field to configure the destination port for the policy.

  • Enter a maximum of eight ports and port ranges separated by commas. Devices running Junos OS Release 12.1X47 and later support multiple ports and ranges, in the same way as Source ports.

  • Select the required port set from the Available list.

    Create a destination port inline by clicking Add New Source Port.

Service

Select the service to permit or deny for the source and destination type NAT rules. This is supported for devices running Junos OS Release 12.1X47.

Select one of the following options:

  • Include Any Service

  • Include Specific

Translated Packet Source

Click Translated Packet Source.

Select the appropriate source address. This option is available only for the source NAT rule.

You can select the translation type as None, Interface, or Pool.

  • None—No translation is required.

  • Interface—Enable interface NAT with or without port overloading.

  • Pool- IP addresses are used from the NAT pool.

If you select Pool, then select the source NAT pool from where the IP addresses are used for translation.

If you enable proxy ARP, the switch captures and routes traffic to the intended destination.

Enable the Persistent check box to ensure that all requests from the same internal transport address are mapped to the same reflexive transport address.

Configure the Persistent NAT type:

  • Permit any remote host—All requests from a specific internal IP address and port are mapped to the same reflexive transport address. (The reflexive transport address is the public IP address and port created by the NAT device closest to the STUN server.) Any external host can send a packet to the internal host by sending the packet to the reflexive transport address.

  • Permit target host—All requests from a specific internal IP address and port are mapped to the same reflexive transport address. An external host can send a packet to an internal host by sending the packet to the reflexive transport address. The internal host must have previously sent a packet to the external host’s IP address.

  • Permit target host port—All requests from a specific internal IP address and port are mapped to the same reflexive transport address. An external host can send a packet to an internal host by sending the packet to the reflexive transport address. The internal host must have previously sent a packet to the external host’s IP address and port.

Select Inactivity timeout. It is the amount of time, in seconds, that the persistent NAT binding remains in the Juniper Networks device’s memory when all the sessions of the binding entry are gone. When the configured timeout is reached, the binding is removed from memory. The range is 60 through 7200 seconds.

Select the Maximum session number. It is the maximum number of sessions with which a persistent NAT binding can be associated. For example, if the max-session-number of the persistent NAT rule is 65,536, then a 65,537th session cannot be established if that session uses the persistent NAT binding created from the persistent NAT rule. The range is 8 through 65,536. The default is 30 sessions.

Enable address mapping to allow requests from a specific internal IP address to be mapped to the same reflexive IP address.

Translated Packet Destination

Click Translated Packet Destination.

Select the appropriate destination address. This option is available only for the destination NAT rule.

You can select the translation type as None or Pool.

  • None—No translation is required.

  • Pool- IP addresses are used from the NAT pool.

If you select Pool, then select the destination pool from where the IP addresses are used for translation.

Description

Enter a description for the NAT rule; maximum length is 4096 characters.