Configuring NAT Source Address Translation

Security services are not the only services supplied by the SRX (although security services are the most vital). You can configure other services, such as NAT source address translation, as well. In essence, NAT should be configured solely to extend the usefulness of IP addresses. NAT does so by substituting one set of packet header address information for another, according to a configured rule.

Some books also treat NAT as a kind of security service. However, NAT is not intended as a security service. Nevertheless, it is also true that disguising the host's real source address (and port!) provides a measure of security not readily available through other means.

By default, the SRX routes packets that pass the security policy tests, but it does not translate the source and destination IP addresses. The packets flowing through the session you established in the previous section demonstrate this point. Note that the In and Out addresses are unchanged as the packets flow to the destination and back.

root# show security flow session
Session ID: 100001790, Policy name: admins_to_untrust/4, Timeout: 1800
  In: 192.168.2.2/4781 --> 209.239.112.126/80,-tcp, If: ge-0/0/0.0
  Out: 209.239.112.126/80 --> 192.168.2.2/4781,-tcp, If: ge-0/0/2.0
…
<output truncated>

You can configure NAT to provide this address translation service on the SRX quite easily.
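To check for the untranslated case described above across many sessions, the following added example (not from the book) parses `show security flow session` output and compares the In wing's source with the Out wing's destination. The second session in the sample, including its 198.51.100.1 translated address and `;tcp` separator, is constructed for illustration.

```python
import ipaddress
import re

# Sample input: session 100001790 is the one shown above; session 100001791
# is constructed to show what a source-translated flow would look like.
SAMPLE = """\
Session ID: 100001790, Policy name: admins_to_untrust/4, Timeout: 1800
  In: 192.168.2.2/4781 --> 209.239.112.126/80,-tcp, If: ge-0/0/0.0
  Out: 209.239.112.126/80 --> 192.168.2.2/4781,-tcp, If: ge-0/0/2.0
Session ID: 100001791, Policy name: admins_to_untrust/4, Timeout: 1800
  In: 192.168.2.3/5012 --> 209.239.112.126/80;tcp, If: ge-0/0/0.0
  Out: 209.239.112.126/80 --> 198.51.100.1/1024;tcp, If: ge-0/0/2.0
"""

SESSION = re.compile(r"Session ID:\s*(\d+), Policy name:\s*([^,]+),")
ADDR = r"([0-9a-fA-F.:]+)/(\d+)"
WING = re.compile(r"^\s*(In|Out):\s*" + ADDR + r"\s*-->\s*" + ADDR)

def audit_sessions(text):
    """Return one dict per session, recording whether source NAT was applied."""
    results, current = [], None
    for line in text.splitlines():
        m = SESSION.search(line)
        if m:
            current = {"id": int(m.group(1)), "policy": m.group(2).strip()}
            continue
        m = WING.match(line)
        if not m or current is None:
            continue
        direction, src, sport, dst, dport = m.groups()
        if direction == "In":
            current["in_src"] = (src, int(sport))
        elif "in_src" in current:
            # The Out wing's destination is where replies go: the original
            # source if untranslated, the NAT address/port otherwise.
            current["out_dst"] = (dst, int(dport))
            current["source_nat"] = current["out_dst"] != current["in_src"]
            # Untranslated private source: the internal address leaves as-is.
            current["exposed_private"] = (
                not current["source_nat"]
                and ipaddress.ip_address(current["in_src"][0]).is_private)
            results.append(current)
            current = None
    return results

if __name__ == "__main__":
    for s in audit_sessions(SAMPLE):
        state = "source NAT applied" if s["source_nat"] else "no translation"
        print(s["id"], s["policy"], s["in_src"], "->", s["out_dst"], state)
```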

Major NAT options

Three major NAT options are available on the SRX: source, destination, and ...
