Creating NAT Rules
Before You Begin
Read the NAT Overview topic.
Read the Creating NAT Policies topic.
NAT processing centers on the evaluation of NAT rule sets and rules. A rule set determines the overall direction of the traffic to be processed. Once a rule set that matches the traffic has been found, each rule in the rule set is evaluated in order for a match. NAT rules can match on the following packet information:
Source and destination address
Source port (for source and static NAT only)
Destination port
The first rule in the rule set that matches the traffic is used. If a packet matches a rule in a rule set during session establishment, traffic is processed according to the action specified by that rule.
When you create a new NAT policy, click on the NAT policy name to configure the rules. You can configure the following types of NAT rules:
Source
Static
Destination
Depending on the type of rule you have chosen, some fields in the rule will not be applicable. In addition to defining rules between zones and interfaces, you can define NAT rules with virtual routers defined on the device. These rules can be successfully published and updated on the device.
To configure a NAT rule:
A new NAT rule is configured for a NAT policy.
Setting |
Guideline |
---|---|
Seq. |
Displays the sequence number assigned to the NAT rule. |
Name |
Select the name of the NAT policy that you want to add a rule to. |
NAT Type |
Select the type of NAT rule:
|
Source Ingress |
Click the Source Ingress field to configure the ingress type.
|
Source Address |
Click the Source Address field to assign the source address for the policy, from the Available list. Starting in Security Director Release 21.3R1 hot patch v3, while creating NAT rules for a group policy, you can select a polymorphic address as source address. |
Source Port |
Click the Source Port field to configure the source port for the policy.
|
Protocol |
Select the protocol from the Available list to permit or deny traffic. |
Destination Egress |
Click the Destination Egress field to configure the egress type.
|
Destination Address |
Click the Destination Address field to assign the destination address for the policy, from the Available list. Create a destination address inline by clicking Add New Destination Address. Starting in Security Director Release 21.3R1 hot patch v3, while creating NAT rules for a group policy, you can select a polymorphic address as the destination address. Note:
Polymorphic addresses are not supported in static NAT destination addresses. |
Destination Port |
Click the Destination Port field to configure the destination port for the policy.
|
Service |
Select the service to permit or deny for the source and destination type NAT rules. This is supported for devices running Junos OS Release 12.1X47. Select one of the following options:
|
Translated Packet Source |
Click Translated Packet Source. Select the appropriate source address. This option is available only for the source NAT rule. You can select the translation type as None, Interface, or Pool.
If you select Pool, then select the source NAT pool from where the IP addresses are used for translation. If you enable proxy ARP, the switch captures and routes traffic to the intended destination. Enable the Persistent check box to ensure that all requests from the same internal transport address are mapped to the same reflexive transport address. Configure the Persistent NAT type:
Select Inactivity timeout. It is the amount of time, in seconds, that the persistent NAT binding remains in the Juniper Networks device’s memory when all the sessions of the binding entry are gone. When the configured timeout is reached, the binding is removed from memory. The range is 60 through 7200 seconds. Select the Maximum session number. It is the maximum number of sessions with which a persistent NAT binding can be associated. For example, if the max-session-number of the persistent NAT rule is 65,536, then a 65,537th session cannot be established if that session uses the persistent NAT binding created from the persistent NAT rule. The range is 8 through 65,536. The default is 30 sessions. Enable address mapping to allow requests from a specific internal IP address to be mapped to the same reflexive IP address. |
Translated Packet Destination |
Click Translated Packet Destination. Select the appropriate destination address. This option is available only for the destination NAT rule. You can select the translation type as None or Pool.
If you select Pool, then select the destination pool from where the IP addresses are used for translation. |
Description |
Enter a description for the NAT rule; maximum length is 4096 characters. |