Destination NAT enables the translation of one destination address to another, a destination address and port to another destination address and port, or a group of destination addresses to another group of equal size. Figure 5-10 shows a simple example where a public IP address is mapped directly to a private internal IP address while maintaining the original port number.
Figure 5-10. Destination NAT
Destination NAT in SRX Junos is a superset of ScreenOS VIP and security policy destination translations. Figure 5-11 shows the equivalent of a ScreenOS VIP translation where both the destination port and destination IP address are translated.
Figure 5-11. Destination NAT with PAT
Destination NAT is most commonly used for hiding internal servers, migrating servers, or mapping different services on a single public address to multiple internal systems.
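The two mappings from Figures 5-10 and 5-11, written out as Junos set-style configuration. This is an added example, not the book's own configuration: the public addresses (203.0.113.10 and .11), the internal servers (10.1.1.10 and .20), the interface ge-0/0/0.0, and the zone and pool names are placeholders.

```junos
# Added example (not from the book). All addresses, zone names and the interface are placeholders.

# Figure 5-10 style: one public address mapped to one private address, original port kept.
# A pool without a port statement leaves the destination port untouched.
set security nat destination pool srv1-pool address 10.1.1.10/32

# Figure 5-11 style (ScreenOS VIP equivalent): public address AND port mapped to a different
# private address AND port.
set security nat destination pool srv2-web-pool address 10.1.1.20/32
set security nat destination pool srv2-web-pool address port 8080

# Rule set evaluated for sessions arriving from the untrust zone. The first rule matches only on
# address, so every port to 203.0.113.10 is forwarded; the second narrows the exposure to port 80.
set security nat destination rule-set from-internet from zone untrust
set security nat destination rule-set from-internet rule to-srv1 match destination-address 203.0.113.10/32
set security nat destination rule-set from-internet rule to-srv1 then destination-nat pool srv1-pool
set security nat destination rule-set from-internet rule to-srv2-web match destination-address 203.0.113.11/32
set security nat destination rule-set from-internet rule to-srv2-web match destination-port 80
set security nat destination rule-set from-internet rule to-srv2-web then destination-nat pool srv2-web-pool

# The public addresses are not configured on the interface itself, so the SRX must answer ARP for them.
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.10/32 to 203.0.113.11/32

# Junos performs destination NAT before the policy lookup, so the policy must match the
# translated (internal) address and, for the PAT case, the translated port 8080 rather than 80.
set applications application tcp-8080 protocol tcp destination-port 8080
set security zones security-zone trust address-book address srv1 10.1.1.10/32
set security zones security-zone trust address-book address srv2 10.1.1.20/32
set security policies from-zone untrust to-zone trust policy allow-srv1-ssh match source-address any
set security policies from-zone untrust to-zone trust policy allow-srv1-ssh match destination-address srv1
set security policies from-zone untrust to-zone trust policy allow-srv1-ssh match application junos-ssh
set security policies from-zone untrust to-zone trust policy allow-srv1-ssh then permit
set security policies from-zone untrust to-zone trust policy allow-srv2-web match source-address any
set security policies from-zone untrust to-zone trust policy allow-srv2-web match destination-address srv2
set security policies from-zone untrust to-zone trust policy allow-srv2-web match application tcp-8080
set security policies from-zone untrust to-zone trust policy allow-srv2-web then permit
```

Even though the first rule forwards every port to srv1, only SSH passes the policy, so the policy remains the place where exposure is actually bounded; `show security nat destination rule all` and `show security flow session destination-prefix 10.1.1.20` confirm rule hits and the translated sessions.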
Figure 5-12 shows a snippet of our book’s topology (see Figure 1 in the Preface), the Internal-Servers network of Organization-XYZ and its path through the core SRX5800 cluster to the public Internet. In Chapter 3, the necessary security policies were configured to allow inbound Internet traffic to the Internal-Servers network’s devices. But like Dept-A and Dept-B earlier, the IPv4 address space used for Internal-Servers is not globally ...