Junos Security by James Quinn, Timothy Eberhard, Patricio Giecco, Brad Woodberg, Rob Cameron

Source NAT

Source NAT is the translation of source IP addresses and TCP/UDP ports in the headers of IP flows. It is most commonly used for the translation of private IP address space to public globally routable address space.

Source NAT on the SRX enables the translation of one or more private source IP addresses to a group of public IP addresses of equal or smaller size. TCP and UDP port translation may be used to scale the translations when a larger group of private source IP addresses is overloaded onto a smaller group of public IP addresses. The post-translation IP addresses may be configured in a pool, or the translations may be overloaded onto the IP address configured on the egress interface of the matching flows.
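The following model of the translation state is an added example, not code from the book or from Junos itself. It shows the two behaviours the paragraph describes: a pool with port translation, where many private hosts are overloaded onto few public addresses (a single-address pool stands in for interface overload), and a pool without port translation, where each private address is pinned to one public address and the pool must therefore be at least as large as the set of hosts it serves. The class and method names, the addresses and the port range are all constructed for illustration.

```python
"""Model of SRX-style source NAT state (constructed example, not Junos code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, TCP/UDP port)


class PoolExhausted(Exception):
    """No free post-translation (IP, port) pair is left in the pool."""


@dataclass
class SourceNatPool:
    """A pool of public addresses plus the translation bindings it owns."""

    addresses: List[str]                      # public IPs in the pool
    port_translation: bool = True             # False models a 'no port translation' pool
    port_range: Tuple[int, int] = (1024, 65535)
    # Bindings for established flows, kept in both directions so that
    # return traffic can be mapped back to the original private host.
    forward: Dict[Endpoint, Endpoint] = field(default_factory=dict)
    reverse: Dict[Endpoint, Endpoint] = field(default_factory=dict)
    # With port translation off, each private IP is pinned to one public IP.
    ip_binding: Dict[str, str] = field(default_factory=dict)

    def translate(self, src_ip: str, src_port: int) -> Endpoint:
        """Return the public (IP, port) the packet leaves the device with."""
        key = (src_ip, src_port)
        if key in self.forward:
            return self.forward[key]          # an existing flow keeps its binding
        if self.port_translation:
            chosen = self._pick_overloaded(src_port)
        else:
            chosen = self._pick_one_to_one(src_ip, src_port)
        self.forward[key] = chosen
        self.reverse[chosen] = key
        return chosen

    def _pick_one_to_one(self, src_ip: str, src_port: int) -> Endpoint:
        # Port is preserved; the private IP needs a public IP of its own.
        if src_ip not in self.ip_binding:
            used = set(self.ip_binding.values())
            free = [ip for ip in self.addresses if ip not in used]
            if not free:
                raise PoolExhausted(f"no public IP left for {src_ip}")
            self.ip_binding[src_ip] = free[0]
        return (self.ip_binding[src_ip], src_port)

    def _pick_overloaded(self, src_port: int) -> Endpoint:
        lo, hi = self.port_range
        # Keep the original source port if it is still unused on some public IP.
        if lo <= src_port <= hi:
            for ip in self.addresses:
                if (ip, src_port) not in self.reverse:
                    return (ip, src_port)
        # Otherwise rewrite the port to the first free one anywhere in the pool.
        for ip in self.addresses:
            for port in range(lo, hi + 1):
                if (ip, port) not in self.reverse:
                    return (ip, port)
        raise PoolExhausted("every (IP, port) pair in the pool is in use")

    def untranslate(self, dst_ip: str, dst_port: int) -> Optional[Endpoint]:
        """Map the destination of a returning packet back to the private host."""
        return self.reverse.get((dst_ip, dst_port))


def demo_overload() -> dict:
    # Constructed: two hosts share one public address, as with interface overload.
    pool = SourceNatPool(addresses=["203.0.113.1"])
    a = pool.translate("10.1.1.10", 40000)
    b = pool.translate("10.1.1.11", 40000)  # same source port, so it must be rewritten
    return {"a": a, "b": b, "back": pool.untranslate(*b)}


def demo_one_to_one() -> dict:
    # Constructed: a two-address pool without port translation serving three hosts.
    pool = SourceNatPool(addresses=["203.0.113.10", "203.0.113.11"],
                         port_translation=False)
    first = pool.translate("10.1.1.10", 5000)
    second = pool.translate("10.1.1.11", 5000)
    try:
        pool.translate("10.1.1.12", 5000)
        exhausted = False
    except PoolExhausted:
        exhausted = True                       # the third host cannot be translated
    return {"first": first, "second": second, "exhausted": exhausted}


if __name__ == "__main__":
    print(demo_overload())
    print(demo_one_to_one())
```

The reverse table is what makes the translation stateful: a returning packet addressed to the public (IP, port) pair is only accepted and rewritten if a matching outbound binding exists, which is why session state, not the pool alone, determines what reaches a private host.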

In Figure 5-3, a source NAT is shown in action. Here the internal source IP address and port of an IP packet are translated to a different public source IP address and port, as the packet egresses the device.

Figure 5-3. Source NAT

Source NAT implementation in Junos for the SRX is a superset of the ScreenOS DIP security policy and NAT mode interface translation.

Source NAT is commonly implemented to overcome IPv4 public address exhaustion. Systems within an organization are configured with private RFC 1918 IPv4 addresses and then translated to globally routable IPv4 addresses at a public network boundary.

Figure 5-4 shows the Dept-A and Dept-B networks of Organization-XYZ (this ...