
Junos Security by James Quinn, Timothy Eberhard, Patricio Giecco, Brad Woodberg, Rob Cameron


Destination NAT

Destination NAT enables the translation of one destination address to another, a destination address and port to another destination address and port, or a group of destination addresses to another group of equal size. Figure 5-10 shows a simple example where a public IP address is mapped directly to a private internal IP address while maintaining the original port number.


Figure 5-10. Destination NAT

Destination NAT in SRX Junos is a superset of ScreenOS VIP and security policy destination translations. Figure 5-11 shows the equivalent of a ScreenOS VIP translation where both the destination port and destination IP address are translated.


Figure 5-11. Destination NAT with PAT

Destination NAT is most commonly used for hiding internal servers, migrating servers, or mapping different services on a single public address to multiple internal systems.
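The last use case above, one public address fronting two internal systems, as an added configuration example that is not taken from the book; the zone name, pool and rule names, and all addresses (documentation and RFC 1918 ranges) are assumptions. The first rule keeps the original port as in Figure 5-10, and the second translates both address and port as in Figure 5-11.

```junos
security {
    nat {
        destination {
            /* No port in the pool: the original destination port is kept */
            pool web-server {
                address 10.1.1.10/32;
            }
            /* Port in the pool: address and port are both rewritten */
            pool app-server {
                address 10.1.1.20/32 port 80;
            }
            rule-set from-internet {
                from zone untrust;
                /* 203.0.113.10:80 -> 10.1.1.10:80 */
                rule public-web {
                    match {
                        destination-address 203.0.113.10/32;
                        destination-port 80;
                    }
                    then {
                        destination-nat pool web-server;
                    }
                }
                /* 203.0.113.10:8080 -> 10.1.1.20:80 */
                rule public-app {
                    match {
                        destination-address 203.0.113.10/32;
                        destination-port 8080;
                    }
                    then {
                        destination-nat pool app-server;
                    }
                }
            }
        }
    }
}
/*
 * Destination NAT is applied before the security policy lookup, so the
 * policy that permits this traffic must match the translated (private)
 * addresses 10.1.1.10 and 10.1.1.20, not 203.0.113.10.
 */
```

Matching on `destination-port` in each rule keeps every other port on the public address untranslated, so only the services meant to be published become reachable on the internal hosts.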

Figure 5-12 shows a snippet of our book’s topology (see Figure 1 in the Preface), the Internal-Servers network of Organization-XYZ and its path through the core SRX5800 cluster to the public Internet. In Chapter 3, the necessary security policies were configured to allow inbound Internet traffic to the Internal-Servers network’s devices. But like Dept-A and Dept-B earlier, the IPv4 address space used for Internal-Servers is not globally ...
