Create a NAT Policy Rule

NAT processing centers on the evaluation of NAT rule sets and rules. A rule set determines the overall direction of the traffic to be processed. After a rule set matches the traffic, each rule in the rule set is evaluated for a match. NAT rules can match on the following packet information:

  • Source and destination address

  • Source port (for source and static NAT only)

  • Destination port

The first rule in the rule set that matches the traffic is used. If a packet matches a rule in a rule set during session establishment, traffic is processed according to the action specified by that rule.

To create a NAT rule, click the NAT policy name. The NAT policy rules page appears, providing you with options to configure NAT rules. Alternately, you can click the rule number listed under Rules against the policy to create a rule. You can configure the following types of NAT rules:

  • Static—To add a static NAT rule, click Create on the top right corner and select Static.

  • Source—To add a source NAT rule, click Create on the top right corner and select Source.

  • Destination—To add a destination NAT rule, click Create on the top right corner and select Destination.

Depending on the type of rule you have chosen, some fields in the rule will not be applicable. In addition to defining rules between zones and interfaces, you can define NAT rules with virtual routers defined on the device.

To create a NAT policy rule:

  1. Select SRX > NAT > NAT Policies.

    The NAT Policies page appears, showing the existing NAT policies.

  2. Click the name of the NAT policy for which you want to create rules. Alternately, you can click the Add Rule link against a NAT policy.

    The NAT policy rules page appears.

  3. Click Create and select either Source, Static, or Destination. The page displays fields for creating a NAT rule.
  4. Complete the configuration according to the guidelines provided in Table 1.
  5. Click OK to save the changes.

    A NAT rule with the configuration you provided is created.

    Table 1 provides guidelines on using the fields on the NAT Policies page.

    Table 1: Fields on the NAT Policies Page for Creating NAT Rules

    Field

    Description

    Rule Name

    Enter a unique string beginning with a number or letter and consisting of letters, numbers, dashes and underscores. The maximum length is 31 characters.

    Description

    Enter a description for the policy rule that must be a string excluding '&', '<', '>' and '\n'. The maximum length is 900 characters.

    Sources

    Click the add icon (+) to select the source endpoints on which the NAT policy rule applies, from the displayed list of Source Ingress Type, Source zones, Source addresses, Source port/port range.

    Source Ingress Type

    1. Select an ingress type: Zone, Interface, or Routing Instance.

    2. From the appropriate selector, select the zones, interfaces, or routing instance that you want to associate the rule to, from the Available column.

      Note:

      For the Routing Instance option, you can select one or more of the available virtual routers on the device. For the group NAT policy, you will see a consolidated list of all virtual routers on all devices that the policy is assigned to.

    3. Click OK.

    Source Addresses

    Enter one or more address names or address set names.

    • Any—Add any address to the NAT rule.
    • Specific—Select the check box beside each address you want to include in the address group. Click the greater-than icon (>) to move the selected address or addresses from the Available column to the Selected column. Note that you can use the fields at the top of each column to search for addresses.

    Source Ports/Port Range

    Enter a maximum of eight ports and port ranges separated by commas.

    Destinations

    Click the add icon (+) to select the destination endpoints on which the NAT policy rule applies, from the displayed list of Destination Ingress Type, Destination zones, Destination addresses, Destination ports/port range.

    Note:

    When you create a destination NAT rule for traffic arriving on an interface that terminates a VPN link, the translation process might break the VPN link. This happens if the destination address in a destination NAT rule is specified only as the WAN-facing IP address of that interface. For example, with the following NAT rule, any traffic destined to the WAN IP is translated to the destination pool, including the VPN packets terminating on this interface, which breaks the VPN link.

    [Any.Address] --> [Wan.IP] :: [Dest-Pool-1]

    Therefore, in such cases the recommendation is to use a destination NAT rule whose destination field is [Address + Port]. For example:

    [Any.Address] --> [Wan.IP + Port] :: [Dest-Pool-1]

    Destination Addresses

    Enter one or more address names or address set names.

    • Any—Add any address to the NAT rule.
    • Specific—Select the check box beside each address you want to include in the address group. Click the greater-than icon (>) to move the selected address or addresses from the Available column to the Selected column. Note that you can use the fields at the top of each column to search for addresses.

    Destination Ports/Port Range

    Enter a maximum of eight ports and port ranges separated by commas.

    Service/Protocols

    Choose one among the following for a NAT rule:

    • None—Select this option if you do not want to set any service or protocols in source or destination NAT.

    • Services—Select one or more services from the Available list to permit or deny traffic.

    • Protocols—Select the protocols from the Available list to permit or deny traffic.

    Translation

    Specify the translation type for the incoming traffic. The translation options vary based on whether you are creating a source, static, or destination NAT rule.

    Choose one among the following translation types for a source NAT rule:

    • None—No translation is required for the incoming traffic.

    • Interface—Performs interface-based translations on the source or the destination packet.

      Note:

      This option is not supported for multinode high availability (MNHA) pairs. If you are creating a NAT policy rule for a MNHA pair, the Interface option is not displayed.

    • Pool—Performs pool-based translations on the source or the destination packet. Click on the add icon (+) in the Select Pool field to choose the translation pool.

      You can also create a new pool by clicking Add new pool. See Create a NAT Pool.

    Choose one among the following translation types for a static NAT rule:

    • Address—Performs address-based translations on the source or the destination packet. Click on the add icon (+) in the Select Address field to choose the translation address.

    • Corresponding IPv4—Uses the corresponding IPv4 address to perform translations on the source or the destination packet.

    Choose one among the following translation types for a destination NAT rule:

    • None—Translation is not required for the incoming traffic.

    • Pool—Performs pool-based translations on the source or the destination packet. Click on the add icon (+) in the Select Pool field to choose the translation pool.

      You can also create a new pool by clicking Add new pool. See Create a NAT Pool.
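The rule-set direction and first-match evaluation described at the top of this page, together with the destination NAT note about VPN-terminating interfaces in Table 1, can be seen in the Junos CLI configuration that the GUI builds for you. The listing below is an added example, not taken from this page or from Juniper's documentation: the zone name untrust, the WAN address 203.0.113.1, the internal server 10.1.1.10, and the names dst-pool-1, from-untrust and web-in are all assumed values. Lines beginning with # are annotations, not configuration.

```junos
# Added example (assumed addresses and names): destination NAT for traffic
# arriving from the untrust zone on an interface that also terminates a VPN.

# Pool holding the real (internal) address of the server.
set security nat destination pool dst-pool-1 address 10.1.1.10/32

# Rule set: the direction is fixed by "from zone" (destination NAT has no "to" side).
# Rules inside the set are evaluated in order and the first match is used.
set security nat destination rule-set from-untrust from zone untrust

# Match on the WAN address AND a port, i.e. the [Wan.IP + Port] form recommended
# in the note. IKE (UDP/500, UDP/4500) and ESP sent to 203.0.113.1 do not match
# this rule, so the VPN terminating on the interface is left untouched.
set security nat destination rule-set from-untrust rule web-in match destination-address 203.0.113.1/32
set security nat destination rule-set from-untrust rule web-in match destination-port 443
set security nat destination rule-set from-untrust rule web-in then destination-nat pool dst-pool-1

# For comparison only (do not commit on a VPN-terminating interface): the
# address-only form [Any.Address] --> [Wan.IP] would translate every packet
# addressed to the WAN IP, VPN control and data traffic included.
# set security nat destination rule-set from-untrust rule catch-all match destination-address 203.0.113.1/32
# set security nat destination rule-set from-untrust rule catch-all then destination-nat pool dst-pool-1

# Verification (operational mode): rule order, match conditions and hit counters.
show security nat destination rule all
```

After committing, the hit counters in the output of `show security nat destination rule all` make it easy to confirm that VPN traffic to the WAN address is not being counted against the destination NAT rule while HTTPS connections are.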

    Table 2 provides guidelines on using the fields on the Advanced Settings page for a source NAT rule.

    Table 2: Fields on the Advanced Settings Page for Source NAT Rule

    Field

    Description

    Persistent

    Click the toggle button to ensure that all requests from the same internal transport address are mapped to the same reflexive transport address.

    Note:

    For persistence to be applicable for the NAT policy, ensure that port overloading is turned off for the device to which the NAT policy is applicable. Use the following command to turn off port overloading for a device:

    [Edit mode]
    set security nat source interface port-overloading off

    Persistent NAT Type

    Configure persistent NAT mappings.

    • Permit any remote host—Any external host can send a packet to the internal host by sending the packet to the reflexive transport address.

    • Permit target host—An external host can send a packet to an internal host by sending the packet to the reflexive transport address. The internal host must have previously sent a packet to the external host's IP address.

    • Permit target host port—An external host can send a packet to an internal host by sending the packet to the reflexive transport address. The internal host must have previously sent a packet to the external host's IP address and port.

    Inactivity Timeout

    The amount of time, in seconds, that the persistent NAT binding remains in the site's memory when all the sessions of the binding entry have ended. When the configured timeout occurs, the binding is removed from memory. The value of the inactivity timeout can range from 60 through 7200 seconds. The default value of the inactivity timeout is 60 seconds.

    Maximum Session Number

    Maximum session number—The maximum number of sessions with which a persistent NAT binding can be associated. For example, if the maximum session number of the persistent NAT rule is 65,536, then a 65,537th session cannot be established if that session uses the persistent NAT binding created from the persistent NAT rule.

    The range is 8 through 65,536. The default is 30 sessions.

    Address Mapping

    Click the toggle button to enable or disable the address mapping.
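The settings in Table 2 (persistent NAT, its type, inactivity timeout and maximum session number), together with the port-overloading command quoted in the Persistent note, correspond to the following Junos CLI configuration. This is an added example rather than text from this page or from Juniper: the zones trust and untrust, the internal subnet 10.0.0.0/24, the rule-set name trust-to-untrust and the rule name r-persist are assumed values, and the timeout and session values are chosen from within the ranges Table 2 gives. Lines beginning with # are annotations.

```junos
# Added example (assumed zones, subnet and names): interface-based source NAT
# with persistent NAT, the CLI form of the Table 2 settings.

# Persistence requires port overloading to be off on the device
# (the command quoted in the Persistent note above).
set security nat source interface port-overloading off

# Rule set direction: trust -> untrust.
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust

# Rule: the internal subnet is translated to the egress interface address.
set security nat source rule-set trust-to-untrust rule r-persist match source-address 10.0.0.0/24
set security nat source rule-set trust-to-untrust rule r-persist then source-nat interface

# Persistent NAT Type: "target-host" only lets an external host reach the
# internal host after the internal host has already sent it a packet, which
# exposes less than "any-remote-host" while still keeping the mapping stable.
set security nat source rule-set trust-to-untrust rule r-persist then source-nat interface persistent-nat permit target-host

# Inactivity Timeout (60 through 7200 seconds, default 60) and
# Maximum Session Number (8 through 65,536, default 30).
set security nat source rule-set trust-to-untrust rule r-persist then source-nat interface persistent-nat inactivity-timeout 300
set security nat source rule-set trust-to-untrust rule r-persist then source-nat interface persistent-nat max-session-number 50

# Verification (operational mode): current bindings, their type and idle timers.
show security nat source persistent-nat-table all
```

The persistent NAT type is the security-relevant choice here: any-remote-host turns the reflexive address into an open inbound path for every external host, whereas target-host and target-host-port limit inbound packets to peers the internal host has already contacted (and, for target-host-port, to the port it contacted).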

    Table 3 provides guidelines on using the fields on the Advanced Settings page for a static NAT rule.

    Table 3: Fields on the Advanced Settings Page for Static NAT Rule

    Field

    Description

    Mapped Port Type

    Specify the type of port mapping:

    • Port—Enter a value for Port, ranging from 0 through 65,535.

    • Range—Enter the port range values in the Start and End fields, ranging from 0 through 65,535.

    Routing Instance

    Select the routing instance for the static NAT rule.
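The Table 3 settings (Mapped Port Type and Routing Instance) map onto a static NAT rule with port mapping in the Junos CLI. The listing is an added example, not from this page or from Juniper: the zone untrust, the public address 203.0.113.5, the internal host 10.1.1.5, the routing-instance name vr-dmz and the rule-set and rule names static-in and app-in are assumed values. Lines beginning with # are annotations.

```junos
# Added example (assumed addresses and names): static NAT rule with
# Mapped Port Type = Port, plus a routing instance for the translated side.

# Rule set: direction is fixed by "from zone"; static NAT mappings are bidirectional.
set security nat static rule-set static-in from zone untrust

# Match: public address 203.0.113.5 on port 8080 (Port field, range 0 through 65,535).
set security nat static rule-set static-in rule app-in match destination-address 203.0.113.5/32
set security nat static rule-set static-in rule app-in match destination-port 8080

# Translate to the internal host on port 80 (mapped-port), and resolve the
# internal host through the virtual router vr-dmz (the Routing Instance field).
set security nat static rule-set static-in rule app-in then static-nat prefix 10.1.1.5/32
set security nat static rule-set static-in rule app-in then static-nat prefix mapped-port 80
set security nat static rule-set static-in rule app-in then static-nat prefix routing-instance vr-dmz

# Mapped Port Type = Range uses a start/end pair on both sides instead
# (shown as annotations; use one form or the other, not both):
# set security nat static rule-set static-in rule app-in match destination-port 8080 to 8089
# set security nat static rule-set static-in rule app-in then static-nat prefix mapped-port 80 to 89

# Verification (operational mode): the rule, its match conditions and hit counters.
show security nat static rule all
```

Matching on a specific port rather than the whole address keeps the static mapping narrow: only the mapped port is exposed on the internal host, and other services on 203.0.113.5 continue to reach the device itself.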