NAT Source Address Translation Options in Junos - dummies

NAT Source Address Translation Options in Junos

By Walter J. Goralski, Cathy Gadecki, Michael Bushong

Security services are not the only services supplied by the SRX (although security services are the most vital). You can configure other services, such as NAT source address translation, as well. In essence, NAT should solely be configured to extend the usefulness of IP addresses. NAT does so by substituting one set of packet header address information for another, according to a configured rule.

Some consider NAT as a kind of security service. However, NAT is not intended as a security service. Nevertheless, it is also true that disguising the host’s real source address (and port!) provides a measure of security not readily available through other means.

By default, the SRX routes packets that pass the security policy tests, but it does not translate the source and destination IP addresses. The packets flowing through a session demonstrate this point. Note that the In and Out addresses are unchanged as the packets flow to the destination and back.

root# show security flow session
Session ID: 100001790, Policy name: admins_to_untrust/4, Timeout: 1800
 In: →;tcp, If: ge-0/0/0.0
 Out: →;tcp, If: ge-0/0/2.0
<output truncated>

You can configure NAT to provide this address translation service on the SRX quite easily.

Three major NAT options are available on the SRX: source, destination, and static. The first two translate the source or destination addresses based on a pool of addresses, whereas the last option statically maps addresses from one to another (so the servers and network printers have stable, but concealed, addresses).

Once you decide on the NAT option you want, you can adjust other options. Specifically, the available option is a choice between using source-to-egress interface translation or translating the port and IP address (technically, this is NATP — NAT with ports — but NAT people frustratingly tend to just call everything NAT).


Note that in addition to translating the source IP address to the IP address on egress interface ge-0/0/2, the SRX also translates the source port. This is a very common form of NAT that conceals private local IP addresses and ports from the global public Internet.

However, you need to remember that the SRX is not designed to differentiate between a “private” LAN and the “public” Internet. The SRX knows only zones, and these must be configured correctly to supply the NAT service expected.

Also, although the NAT rules may look very much like a security policy, the SRX treats the NAT service independently of the security service (the NAT rules are under a separate [edit security nat] hierarchy).

This characteristic allows NAT rules to be adjusted without affecting the security policies, but it also requires careful consideration. NAT has nothing to do with whether a packet is accepted; only the security policies can do that.