630_ce_addresstranslation

Upload: manikuntal-das

Post on 08-Apr-2018


  • 8/7/2019 630_ce_AddressTranslation

    1/122

    Concepts & Examples ScreenOS Reference Guide

    Address Translation

    Release 6.3.0, Rev. 01

    Juniper Networks, Inc.

    1194 North Mathilda Avenue

    Sunnyvale, California 94089

    USA

    408-745-2000

    www.juniper.net

    Revision 01

    Published: 2009-08-20


    Juniper Networks, the Juniper Networks logo, JUNOS, NetScreen, ScreenOS, and Steel-Belted Radius are registered trademarks of Juniper Networks, Inc. in the United States and other countries. JUNOSe is a trademark of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

    Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

    Copyright 2009, Juniper Networks, Inc. All rights reserved. Printed in USA.

    Revision History: August 2009, Revision 01

    Content subject to change. The information in this document is current as of the date listed in the revision history.

    SOFTWARE LICENSE

    The terms and conditions for using this software are described in the software license contained in the acknowledgment to your purchase order or, to the extent applicable, to any reseller agreement or end-user purchase agreement executed between you and Juniper Networks. By using this software, you indicate that you understand and agree to be bound by those terms and conditions.

    Generally speaking, the software license restricts the manner in which you are permitted to use the software and may contain prohibitions against certain uses. The software license may state conditions under which the license is automatically terminated. You should consult the license for further details.

    For complete product documentation, please see the Juniper Networks Web site at www.juniper.net/techpubs.

    ii


    END USER LICENSE AGREEMENT

    READ THIS END USER LICENSE AGREEMENT ("AGREEMENT") BEFORE DOWNLOADING, INSTALLING, OR USING THE SOFTWARE. BY DOWNLOADING, INSTALLING, OR USING THE SOFTWARE OR OTHERWISE EXPRESSING YOUR AGREEMENT TO THE TERMS CONTAINED HEREIN, YOU (AS CUSTOMER OR IF YOU ARE NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT AUTHORIZED TO BIND THE CUSTOMER) CONSENT TO BE BOUND BY THIS AGREEMENT. IF YOU DO NOT OR CANNOT AGREE TO THE TERMS CONTAINED HEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR USE THE SOFTWARE, AND (B) YOU MAY CONTACT JUNIPER NETWORKS REGARDING LICENSE TERMS.

    1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer's principal office is located in the Americas) or Juniper Networks (Cayman) Limited (if the Customer's principal office is located outside the Americas) (such applicable entity being referred to herein as "Juniper"), and (ii) the person or organization that originally purchased from Juniper or an authorized Juniper reseller the applicable license(s) for use of the Software ("Customer") (collectively, the "Parties").

    2. The Software. In this Agreement, "Software" means the program modules and features of the Juniper or Juniper-supplied software, for which Customer has paid the applicable license or support fees to Juniper or an authorized Juniper reseller, or which was embedded by Juniper in equipment which Customer purchased from Juniper or an authorized Juniper reseller. "Software" also includes updates, upgrades and new releases of such software. "Embedded Software" means Software which Juniper has embedded in or loaded onto the Juniper equipment and any updates, upgrades, additions or replacements which are subsequently embedded in or loaded onto the equipment.

    3. License Grant. Subject to payment of the applicable fees and the limitations and restrictions set forth herein, Juniper grants to Customer a non-exclusive and non-transferable license, without right to sublicense, to use the Software, in executable form only, subject to the following use restrictions:

    a. Customer shall use Embedded Software solely as embedded in, and for execution on, Juniper equipment originally purchased by Customer from Juniper or an authorized Juniper reseller.

    b. Customer shall use the Software on a single hardware chassis having a single processing unit, or as many chassis or processing units for which Customer has paid the applicable license fees; provided, however, with respect to the Steel-Belted Radius or Odyssey Access Client software only, Customer shall use such Software on a single computer containing a single physical random access memory space and containing any number of processors. Use of the Steel-Belted Radius or IMS AAA software on multiple computers or virtual machines (e.g., Solaris zones) requires multiple licenses, regardless of whether such computers or virtualizations are physically contained on a single chassis.

    c. Product purchase documents, paper or electronic user documentation, and/or the particular licenses purchased by Customer may specify limits to Customer's use of the Software. Such limits may restrict use to a maximum number of seats, registered endpoints, concurrent users, sessions, calls, connections, subscribers, clusters, nodes, realms, devices, links, ports or transactions, or require the purchase of separate licenses to use particular features, functionalities, services, applications, operations, or capabilities, or provide throughput, performance, configuration, bandwidth, interface, processing, temporal, or geographical limits. In addition, such limits may restrict the use of the Software to managing certain kinds of networks or require the Software to be used only in conjunction with other specific Software. Customer's use of the Software shall be subject to all such limitations and purchase of all applicable licenses.

    d. For any trial copy of the Software, Customer's right to use the Software expires 30 days after download, installation or use of the Software. Customer may operate the Software after the 30-day trial period only if Customer pays for a license to do so. Customer may not extend or create an additional trial period by re-installing the Software after the 30-day trial period.

    e. The Global Enterprise Edition of the Steel-Belted Radius software may be used by Customer only to manage access to Customer's enterprise network. Specifically, service provider customers are expressly prohibited from using the Global Enterprise Edition of the Steel-Belted Radius software to support any commercial network access services.

    The foregoing license is not transferable or assignable by Customer. No license is granted herein to any user who did not originally purchase the applicable license(s) for the Software from Juniper or an authorized Juniper reseller.

    4. Use Prohibitions. Notwithstanding the foregoing, the license provided herein does not permit the Customer to, and Customer agrees not to and shall not: (a) modify, unbundle, reverse engineer, or create derivative works based on the Software; (b) make unauthorized copies of the Software (except as necessary for backup purposes); (c) rent, sell, transfer, or grant any rights in and to any copy of the Software, in any form, to any third party; (d) remove any proprietary notices, labels, or marks on or in any copy of the Software or any product in which the Software is embedded; (e) distribute any copy of the Software to any third party, including as may be embedded in Juniper equipment sold in the secondhand market; (f) use any locked or key-restricted feature, function, service, application, operation, or capability without first purchasing the applicable license(s) and obtaining a valid key from Juniper, even if such feature, function, service, application, operation, or capability is enabled without a key; (g) distribute any key for the Software provided by Juniper to any third party; (h) use the Software in any manner that extends or is broader than the uses purchased by Customer from Juniper or an authorized Juniper reseller; (i) use Embedded Software on non-Juniper equipment; (j) use Embedded Software (or make it available for use) on Juniper equipment that the Customer did not originally purchase from Juniper or an authorized Juniper reseller; (k) disclose the results of testing or benchmarking of the Software to any third party without the prior written consent of Juniper; or (l) use the Software in any manner other than as expressly provided herein.

    5. Audit. Customer shall maintain accurate records as necessary to verify compliance with this Agreement. Upon request by Juniper, Customer shall furnish such records to Juniper and certify its compliance with this Agreement.


    6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper. As such, Customer shall exercise all reasonable commercial efforts to maintain the Software and associated documentation in confidence, which at a minimum includes restricting access to the Software to Customer employees and contractors having a need to use the Software for Customer's internal business purposes.

    7. Ownership. Juniper and Juniper's licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and to the Software, associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a transfer or conveyance of any right, title, or interest in the Software or associated documentation, or a sale of the Software, associated documentation, or copies of the Software.

    8. Warranty, Limitation of Liability, Disclaimer of Warranty. The warranty applicable to the Software shall be as set forth in the warranty statement that accompanies the Software (the "Warranty Statement"). Nothing in this Agreement shall give rise to any obligation to support the Software. Support services may be purchased separately. Any such support shall be governed by a separate, written support services agreement. TO THE MAXIMUM EXTENT PERMITTED BY LAW, JUNIPER SHALL NOT BE LIABLE FOR ANY LOST PROFITS, LOSS OF DATA, OR COSTS OR PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, THE SOFTWARE, OR ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. IN NO EVENT SHALL JUNIPER BE LIABLE FOR DAMAGES ARISING FROM UNAUTHORIZED OR IMPROPER USE OF ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. EXCEPT AS EXPRESSLY PROVIDED IN THE WARRANTY STATEMENT TO THE EXTENT PERMITTED BY LAW, JUNIPER DISCLAIMS ANY AND ALL WARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE), INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOES JUNIPER WARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUT ERROR OR INTERRUPTION, OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. In no event shall Juniper's or its suppliers' or licensors' liability to Customer, whether in contract, tort (including negligence), breach of warranty, or otherwise, exceed the price paid by Customer for the Software that gave rise to the claim, or if the Software is embedded in another Juniper product, the price paid by Customer for such other product. Customer acknowledges and agrees that Juniper has set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same reflect an allocation of risk between the Parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss), and that the same form an essential basis of the bargain between the Parties.

    9. Termination. Any breach of this Agreement or failure by Customer to pay any applicable fees due shall result in automatic termination of the license granted herein. Upon such termination, Customer shall destroy or return to Juniper all copies of the Software and related documentation in Customer's possession or control.

    10. Taxes. All license fees payable under this agreement are exclusive of tax. Customer shall be responsible for paying Taxes arising from the purchase of the license, or importation or use of the Software. If applicable, valid exemption documentation for each taxing jurisdiction shall be provided to Juniper prior to invoicing, and Customer shall promptly notify Juniper if their exemption is revoked or modified. All payments made by Customer shall be net of any applicable withholding tax. Customer will provide reasonable assistance to Juniper in connection with such withholding taxes by promptly: providing Juniper with valid tax receipts and other required documentation showing Customer's payment of any withholding taxes; completing appropriate applications that would reduce the amount of withholding tax to be paid; and notifying and assisting Juniper in any audit or tax proceeding related to transactions hereunder. Customer shall comply with all applicable tax laws and regulations, and Customer will promptly pay or reimburse Juniper for all costs and damages related to any liability incurred by Juniper as a result of Customer's non-compliance or delay with its responsibilities herein. Customer's obligations under this Section shall survive termination or expiration of this Agreement.

    11. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and any applicable foreign agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any such restrictions, laws or regulations, or without all necessary approvals. Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption or other capabilities restricting Customer's ability to export the Software without an export license.

    12. Commercial Computer Software. The Software is commercial computer software and is provided with restricted rights. Use, duplication, or disclosure by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS 227.7201 through 227.7202-4, FAR 12.212, FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable.

    13. Interface Information. To the extent required by applicable law, and at Customer's written request, Juniper shall provide Customer with the interface information needed to achieve interoperability between the Software and another independently created program, on payment of applicable fee, if any. Customer shall observe strict obligations of confidentiality with respect to such information and shall use such information in compliance with any applicable terms and conditions upon which Juniper makes such information available.

    14. Third Party Software. Any licensor of Juniper whose software is embedded in the Software and any supplier of Juniper whose products or technology are embedded in (or services are accessed by) the Software shall be a third party beneficiary with respect to this Agreement, and such licensor or vendor shall have the right to enforce this Agreement in its own name as if it were Juniper. In addition, certain third party software may be provided with the Software and is subject to the accompanying license(s), if any, of its respective owner(s). To the extent portions of the Software are distributed under and subject to open source licenses obligating Juniper to make the source code for such portions publicly available (such as the GNU General Public License ("GPL") or the GNU Library General Public License ("LGPL")), Juniper will make such source code portions (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA 94089, ATTN: General Counsel. You may obtain a copy of the GPL at http://www.gnu.org/licenses/gpl.html, and a copy of the LGPL at http://www.gnu.org/licenses/lgpl.html.

    15. Miscellaneous. This Agreement shall be governed by the laws of the State of California without reference to its conflicts of laws principles. The provisions of the U.N. Convention for the International Sale of Goods shall not apply to this Agreement. For any disputes arising under this Agreement, the Parties hereby consent to the personal and exclusive jurisdiction of, and venue in, the state and federal courts within Santa Clara County, California. This Agreement constitutes the entire and sole agreement between Juniper and the Customer with respect to the Software, and supersedes all prior and contemporaneous agreements relating to the Software, whether oral or written (including any inconsistent terms contained in a purchase order), except that the terms of a separate written agreement executed by an authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict with terms contained herein. No modification to this Agreement nor any waiver of any rights hereunder shall be effective unless expressly assented to in writing by the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall not affect the validity of the remainder of this Agreement. This Agreement and associated documentation has been written in the English language, and the Parties agree that the English version will govern. (For Canada: Les parties aux présents confirment leur volonté que cette convention de même que tous les documents y compris tout avis qui s'y rattache, soient rédigés en langue anglaise. (Translation: The parties confirm that this Agreement and all related documentation is and will be in the English language)).


    Abbreviated Table of Contents

    About This Guide xvii

    Part 1 Address Translation

    Chapter 1 Address Translation 3

    Chapter 2 Source Network Address Translation 15

    Chapter 3 Destination Network Address Translation 33

    Chapter 4 Mapped and Virtual Addresses 69

    Part 2 Index

    Index 99


    Table of Contents

    About This Guide xvii

    Document Conventions ..... xviii
    Document Feedback ..... xx
    Requesting Technical Support ..... xx

    Part 1 Address Translation

    Chapter 1 Address Translation 3

    Introduction to Address Translation ..... 3
    Source Network Address Translation ..... 3
    Destination Network Address Translation ..... 5
    Policy-Based NAT-Dst ..... 5
    Mapped Internet Protocol ..... 8
    Virtual Internet Protocol ..... 8
    Policy-Based Translation Options ..... 9
    Example: NAT-Src from a DIP Pool with PAT ..... 9
    Example: NAT-Src From a DIP Pool Without PAT ..... 9
    Example: NAT-Src from a DIP Pool with Address Shifting ..... 10
    Example: NAT-Src from the Egress Interface IP Address ..... 10
    Example: NAT-Dst to a Single IP Address with Port Mapping ..... 10
    Example: NAT-Dst to a Single IP Address Without Port Mapping ..... 11
    Example: NAT-Dst from an IP Address Range to a Single IP Address ..... 11
    Example: NAT-Dst Between IP Address Ranges ..... 12

    Directional Nature of NAT-Src and NAT-Dst ................................................... 12

    Chapter 2 Source Network Address Translation 15

    Introduction to NAT-Src ................................................................................. 15

    WebUI ..... 17
    CLI ..... 17
    NAT-Src from a DIP Pool with PAT Enabled ..... 18
    Example: NAT-Src with PAT Enabled ..... 19
    WebUI ..... 23
    CLI ..... 23


    NAT-Src from a DIP Pool with PAT Disabled ..... 24
    Example: NAT-Src with PAT Disabled ..... 24
    WebUI ..... 24
    CLI ..... 25
    NAT-Src from a DIP Pool with Address Shifting ..... 26
    Example: NAT-Src with Address Shifting ..... 26
    WebUI ..... 27
    CLI ..... 29
    NAT-Src from the Egress Interface IP Address ..... 30
    Example: NAT-Src Without DIP ..... 30
    WebUI ..... 31
    CLI ..... 31

    Chapter 3 Destination Network Address Translation 33

    Introduction to NAT-Dst ................................................................................ 33

    Packet Flow for NAT-Dst ..... 35
    Routing for NAT-Dst ..... 37
    Example: Addresses Connected to One Interface ..... 38
    Example: Addresses Connected to One Interface But Separated by a Router ..... 39
    Example: Addresses Separated by an Interface ..... 39
    NAT-Dst – One-to-One Mapping ..... 40
    Example: One-to-One Destination Translation ..... 41
    WebUI ..... 41
    CLI ..... 43
    Translating from One Address to Multiple Addresses ..... 43
    Example: One-to-Many Destination Translation ..... 43
    NAT-Dst – Many-to-One Mapping ..... 46
    Example: Many-to-One Destination Translation ..... 46
    WebUI ..... 47
    CLI ..... 48
    NAT-Dst – Many-to-Many Mapping ..... 49
    Example: Many-to-Many Destination Translation ..... 50
    WebUI ..... 50
    CLI ..... 51
    NAT-Dst with Port Mapping ..... 52
    Example: NAT-Dst with Port Mapping ..... 52
    WebUI ..... 53
    CLI ..... 54
    Using proxy-arp-entry to import the NATDST traffic to the right VSI ..... 55
    NAT-Src and NAT-Dst in the Same Policy ..... 56
    Example: NAT-Src and NAT-Dst Combined ..... 56
    WebUI (Security Device-1) ..... 58
    CLI (Security Device-1) ..... 62
    WebUI (Security Device-A) ..... 63
    CLI (Security Device-A) ..... 65
    WebUI (Security Device-B) ..... 65
    CLI (Security Device-B) ..... 67


    List of Figures

    About This Guide xvii

    Figure 1: Images in Illustrations ..................................................................... xx

    Part 1 Address Translation

    Chapter 1 Address Translation 3

    Figure 2: Source IP Address Translation .......................................................... 4

    Figure 3: Source IP and Source Port Address Translation ..... 5
    Figure 4: Destination IP Address Translation ..... 6
    Figure 5: NAT-Dst from an IP Address Range to a Single IP Address ..... 7
    Figure 6: NAT-Dst with Address Shifting ..... 7
    Figure 7: NAT-Src with Port Address Translation ..... 9
    Figure 8: NAT-Src Without Port Address Translation ..... 9
    Figure 9: NAT-Src with Address Shifting ..... 10
    Figure 10: NAT-Src Using the Egress Interface IP Address ..... 10
    Figure 11: NAT-Dst with Port Mapping ..... 11
    Figure 12: NAT-Dst Without Port Mapping ..... 11
    Figure 13: NAT-Dst from an Address Range to a Single IP Address ..... 11
    Figure 14: NAT-Dst Between Address Ranges ..... 12
    Figure 15: Packet Flow for NAT-Dst ..... 13
    Figure 16: Packet Flow for Source IP Address Translation ..... 14

    Chapter 2 Source Network Address Translation 15

    Figure 17: NAT-Src Using a DIP Pool with PAT Enabled ..... 19
    Figure 18: NAT-Src with PAT Enabled ..... 21
    Figure 19: NAT-Src Without DIP ..... 30

    Chapter 3 Destination Network Address Translation 33

    Figure 20: NAT-Dst – One-to-One and Many-to-One ..... 34
    Figure 21: NAT-Dst – Many-to-Many ..... 34
    Figure 22: NAT-Dst Packet Flow – Packet Arrival ..... 35
    Figure 23: NAT-Dst Packet Flow – Packet Forwarding ..... 37
    Figure 24: Original and Translated Addresses Using the Same Egress Interface ..... 38
    Figure 25: Original and Translated Addresses Separated by a Router ..... 39
    Figure 26: Original and Translated Addresses Using Different Egress Interfaces ..... 40
    Figure 27: One-to-One NAT-Dst ..... 40
    Figure 28: NAT-Dst – One-to-One ..... 41
    Figure 29: NAT-Dst – One-to-Many ..... 44
    Figure 30: NAT-Dst – Many-to-One ..... 46
    Figure 31: NAT-Dst – Many-to-Many ..... 50
    Figure 32: Proxy ARP Entry ..... 56


    Figure 33: NAT-Src and NAT-Dst Combined .................................................. 58

    Chapter 4 Mapped and Virtual Addresses 69

    Figure 34: Mapped IP Address ..... 70
    Figure 35: MIP on Untrust Zone Interface ..... 71
    Figure 36: Reaching a MIP from Different Zones ..... 73
    Figure 37: MIP on the Loopback Interface ..... 79
    Figure 38: MIP for Two Tunnel Interfaces ..... 80
    Figure 39: Virtual IP Address ..... 86
    Figure 40: Virtual IP Server ..... 89
    Figure 41: VIP with Custom and Multiple-Port Services ..... 91
    Figure 42: NAT-dst Port Range Mapping with VIP ..... 96


    About This Guide

    Address Translation focuses on the various methods available in ScreenOS to performaddress translation. This guide contains the following chapters:

Address Translation on page 3 gives an overview of the various translation options, which are covered in detail in subsequent chapters.

Source Network Address Translation on page 15 describes NAT-src, the translation of the source IP address in a packet header, with and without Port Address Translation (PAT).

Destination Network Address Translation on page 33 describes NAT-dst, the translation of the destination IP address in a packet header, with and without destination port address mapping. This chapter also includes information about the packet flow when doing NAT-dst, routing considerations, and address shifting.

Mapped and Virtual Addresses on page 69 describes the mapping of one destination IP address to another based on IP address alone (Mapped IP) or based on destination IP address and destination port number (Virtual IP).

NOTE: For coverage of interface-based Source Network Address Translation, referred to simply as NAT, see NAT Mode.


    Document Conventions on page xviii

    Document Feedback on page xx

    Requesting Technical Support on page xx

    Document Conventions

    This document uses the conventions described in the following sections:

    Web User Interface Conventions on page xviii

    Command Line Interface Conventions on page xviii

    Naming Conventions and Character Types on page xix

    Illustration Conventions on page xix

Web User Interface Conventions

The Web user interface (WebUI) contains a navigational path and configuration settings. To enter configuration settings, begin by clicking a menu item in the navigation tree on the left side of the screen. As you proceed, your navigation path appears at the top of the screen, with each page separated by angle brackets.

    The following example shows the WebUI path and parameters for defining an address:

Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:

Address Name: addr_1
IP Address/Domain Name:
IP/Netmask: (select), 10.2.2.5/32
Zone: Untrust

To open Online Help for configuration settings, click the question mark (?) in the upper right of the screen.

The navigation tree also provides a Help > Config Guide configuration page to help you configure security policies and Internet Protocol Security (IPSec). Select an option from the list, and follow the instructions on the page. Click the ? character in the upper right for Online Help on the Config Guide.

Command Line Interface Conventions

The following conventions are used to present the syntax of command line interface (CLI) commands in text and examples.

    In text, commands are in boldface type and variables are in italic type.

    In examples:

    Variables are in italic type.

    Anything inside square brackets [ ] is optional.

    Anything inside braces { } is required.

If there is more than one choice, each choice is separated by a pipe ( | ). For example, the following command means set the management options for the ethernet1, the ethernet2, or the ethernet3 interface:

set interface { ethernet1 | ethernet2 | ethernet3 } manage

NOTE: When entering a keyword, you only have to type enough letters to identify the word uniquely. Typing set adm u whee j12fmt54 will enter the command set admin user wheezer j12fmt54. However, all the commands documented in this guide are presented in their entirety.

Naming Conventions and Character Types

ScreenOS employs the following conventions regarding the names of objects, such as addresses, admin users, auth servers, IKE gateways, virtual systems, VPN tunnels, and zones, defined in ScreenOS configurations:

If a name string includes one or more spaces, the entire string must be enclosed within double quotes; for example:

set address trust "local LAN" 10.1.1.0/24

Any leading spaces or trailing text within a set of double quotes are trimmed; for example, " local LAN " becomes "local LAN".

    Multiple consecutive spaces are treated as a single space.

Name strings are case-sensitive, although many CLI keywords are case-insensitive. For example, "local LAN" is different from "local lan".

    ScreenOS supports the following character types:

Single-byte character sets (SBCS) and multiple-byte character sets (MBCS). Examples of SBCS are ASCII, European, and Hebrew. Examples of MBCS, also referred to as double-byte character sets (DBCS), are Chinese, Korean, and Japanese.

ASCII characters from 32 (0x20 in hexadecimal) to 255 (0xff), except double quotes ( " ), which have special significance as an indicator of the beginning or end of a name string that includes spaces.

NOTE: A console connection only supports SBCS. The WebUI supports both SBCS and MBCS, depending on the character sets that your browser supports.

Illustration Conventions

Figure 1 on page xx shows the basic set of images used in illustrations throughout this guide.


    Figure 1: Images in Illustrations

    Document Feedback

    If you find any errors or omissions in this document, contact Juniper Networks [email protected].

    Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need postsales technical support, you can access our tools and resources online or open a case with JTAC.

JTAC policies: For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/customers/support/downloads/710059.pdf.

Product warranties: For product warranty information, visit http://www.juniper.net/support/warranty/.

JTAC hours of operation: The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.


Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

Find CSC offerings: http://www.juniper.net/customers/support/

Find product documentation: http://www.juniper.net/techpubs/

Find solutions and answer questions using our KnowledgeBase: http://kb.juniper.net/

Download the latest versions of software and review your release notes: http://www.juniper.net/customers/csc/software/

Search technical bulletins for relevant hardware and software notifications: http://www.juniper.net/alerts/

Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/

Open a case online in the CSC Case Manager: http://www.juniper.net/customers/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

    You can open a case with JTAC on the Web or by telephone.

    Use the Case Manager tool in the CSC at http://www.juniper.net/customers/cm/.

Call 1-888-314-JTAC (1-888-314-5822, toll free in USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, visit us at http://www.juniper.net/customers/support/requesting-support/.


    Part 1

    Address Translation

    Address Translation on page 3

    Source Network Address Translation on page 15

    Destination Network Address Translation on page 33

    Mapped and Virtual Addresses on page 69


policy level. If you configure a policy to apply NAT-src and the ingress interface is in NAT mode, the policy-based NAT-src settings override the interface-based NAT. (This chapter focuses on policy-based NAT-src. For details on interface-based NAT-src, or NAT alone, see NAT Mode. For more information about DIP pools, see Dynamic IP Pools.)

NOTE: You can use policy-based NAT-src when the ingress interface is in Route or NAT mode. If it is in NAT mode, the policy-level NAT-src parameters supersede the interface-level NAT parameters.

    Figure 2: Source IP Address Translation

With policy-based NAT-src, you can optionally choose to have the security device perform Port Address Translation (PAT) on the original source port number. When PAT is enabled, the security device can translate up to 64,500 different IP addresses to a single IP address with up to 64,500 different port numbers. The security device uses the unique, translated port number to maintain session state information for traffic to and from the same, single IP address. For interface-based NAT-src, or just NAT, PAT is enabled automatically. Because the security device translates all original IP addresses to the same translated IP address (that of the egress interface), the security device uses the translated port number to identify each session to which a packet belongs. Similarly, if a DIP pool consists of only one IP address and you want the security device to apply NAT-src to multiple hosts using that address, then PAT is required for the same reason.

NOTE: With PAT enabled, the security device maintains a pool of free port numbers to assign along with addresses from the DIP pool. The figure of up to 64,500 is derived by subtracting 1023, the numbers reserved for the well-known ports, from the maximum number of ports, which is 65,535 (65,535 minus 1,023 is 64,512, which this guide rounds to 64,500). Thus, when the security device performs NAT-src with a DIP pool containing a single IP address and PAT is enabled, the security device can translate the original IP addresses of up to 64,500 hosts to a single IP address and translate each original port number to a unique port number.

    4 Introduction to Address Translation


    Figure 5: NAT-Dst from an IP Address Range to a Single IP Address

When you configure a policy to perform NAT-dst for an address range, the security device uses address shifting to translate a destination IP address from within a range of original destination addresses to a known address in another range of addresses.

    Figure 6: NAT-Dst with Address Shifting


    Chapter 1: Address Translation


NOTE: You can combine NAT-src and NAT-dst within the same policy. Each translation mechanism operates independently and unidirectionally. That is, if you enable NAT-dst on traffic from zone1 to zone2, the security device does not perform NAT-src on traffic originating from zone2 and destined to zone1 unless you specifically configure it to do so. For more information, see Directional Nature of NAT-Src and NAT-Dst on page 12. For more information about NAT-dst, see Destination Network Address Translation on page 33.

    Mapped Internet Protocol

A mapped Internet Protocol (MIP) is a mapping of one IP address to another IP address. You define one address in the same subnet as an interface IP address. The other address belongs to the host to which you want to direct traffic. Address translation for a MIP behaves bidirectionally, so that the security device translates the destination IP address in all traffic coming to a MIP to the host IP address and the source IP address in all traffic originating from the host IP address to the MIP address. MIPs do not support port mapping. For more information about MIPs, see Mapped IP Addresses on page 69.

    Virtual Internet Protocol

A virtual Internet Protocol (VIP) is a mapping of one IP address to another IP address based on the destination port number. A single IP address defined in the same subnet as an interface can host mappings of several services, identified by various destination port numbers, to as many hosts. VIPs also support port mapping. Unlike MIPs, address translation for a VIP behaves unidirectionally. The security device translates the destination IP address in all traffic coming to a VIP to a host IP address. The security device does not translate the original source IP address in outbound traffic from a VIP host to that of the VIP address. Instead, the security device applies interface-based or policy-based NAT-src if you have previously configured it. Otherwise, the security device does not perform any NAT-src on traffic originating from a VIP host. For more information about VIPs, see Virtual IP Addresses on page 86.

NOTE: You can define a VIP to be the same as an interface IP address. This ability is convenient when the security device only has one assigned IP address and when the IP address is assigned dynamically.

Whereas address translation for a MIP is bidirectional, with the same fixed mapping applied to inbound and outbound traffic, the capabilities provided by policy-based NAT-src and NAT-dst separate address translation for inbound and outbound traffic, providing better control and security. For example, if you use a MIP to a Web server, whenever that server initiates outbound traffic to get an update or patch, its activity is exposed, which might provide information for a vigilant attacker to exploit. The policy-based address translation methods allow you to define a different address mapping when the Web server receives traffic (using NAT-dst) than when it initiates traffic (using NAT-src). By thus keeping its activities hidden, you can better protect the server from anyone attempting to gather information in preparation for an attack. Policy-based NAT-src and NAT-dst offer a single approach that can duplicate and surpass the functionality of interface-based MIPs and VIPs.

    Policy-Based Translation Options

ScreenOS provides the following ways to apply Source Network Address Translation (NAT-src) and Destination Network Address Translation (NAT-dst). Note that you can always combine NAT-src with NAT-dst within the same policy.

    Example: NAT-Src from a DIP Pool with PAT

The security device translates the original source IP address to an address drawn from a Dynamic IP (DIP) pool. The security device also applies source Port Address Translation (PAT). For more information, see NAT-Src from a DIP Pool with PAT Enabled on page 18.

    Figure 7: NAT-Src with Port Address Translation

NOTE: In Figure 7 on page 9 and in subsequent figures, a virtual device is used to indicate a translated source or destination address when that address does not belong to an actual device.

    Example: NAT-Src From a DIP Pool Without PAT

The security device translates the original source IP address to an address drawn from a DIP pool. The security device does not apply source PAT. For more information, see NAT-Src from a DIP Pool with PAT Disabled on page 24.

    Figure 8: NAT-Src Without Port Address Translation


    Example: NAT-Src from a DIP Pool with Address Shifting

The security device translates the original source IP address to an address drawn from a dynamic IP (DIP) pool, consistently mapping each original address to a particular translated address. The security device does not apply source Port Address Translation (PAT). For more information, see NAT-Src from a DIP Pool with Address Shifting on page 26.

    Figure 9: NAT-Src with Address Shifting

    Example: NAT-Src from the Egress Interface IP Address

The security device translates the original source IP address to the address of the egress interface. The security device applies source PAT as well. For more information, see NAT-Src from the Egress Interface IP Address on page 30.

    Figure 10: NAT-Src Using the Egress Interface IP Address

    Example: NAT-Dst to a Single IP Address with Port Mapping

    The security device performs Destination Network Address Translation (NAT-dst)

    and destination port mapping. For more information, see

    NAT-Dst with PortMapping on page 52.


    Figure 11: NAT-Dst with Port Mapping

    Example: NAT-Dst to a Single IP Address Without Port Mapping

The security device performs NAT-dst but does not change the original destination port number. For more information, see Destination Network Address Translation on page 33.

    Figure 12: NAT-Dst Without Port Mapping

    Example: NAT-Dst from an IP Address Range to a Single IP Address

The security device performs NAT-dst to translate a range of IP addresses to a single IP address. If you also enable port mapping, the security device translates the original destination port number to another number. For more information, see NAT-Dst Many-to-One Mapping on page 46.

    Figure 13: NAT-Dst from an Address Range to a Single IP Address


    Example: NAT-Dst Between IP Address Ranges

When you apply NAT-dst for a range of IP addresses, the security device maintains a consistent mapping of an original destination address to a translated address within the specified range using a technique called address shifting. Note that address shifting does not support port mapping. For more information, see NAT-Dst Many-to-Many Mapping on page 49.

    Figure 14: NAT-Dst Between Address Ranges

    Directional Nature of NAT-Src and NAT-Dst

The application of NAT-src is separate from that of NAT-dst. You determine their applications on traffic by the direction indicated in a policy. For example, if the security device applies a policy requiring NAT-dst for traffic sent from host A to virtual host B, the security device translates the original destination IP address from 2.2.2.2 to 3.3.3.3. (It also translates the source IP address from 3.3.3.3 to 2.2.2.2 in responding traffic.)


    Figure 15: Packet Flow for NAT-Dst

NOTE: You must set a route to 2.2.2.2/32 (virtual host B) so the security device can do a route lookup to determine the destination zone. For more about NAT-dst routing issues, see Routing for NAT-Dst on page 37.

However, if you only create the above policy specifying NAT-dst from host A to host B, the security device does not translate the original source IP address of host B if host B initiates traffic to host A, rather than responding to traffic from host A. For the security device to translate the source IP address of host B when it initiates traffic to host A, you must configure a second policy from host B to host A specifying NAT-src. (This behavior differs from that of MIPs. See Mapped IP Addresses on page 69.)

NOTE: To retain focus on the IP address translation mechanisms, Port Address Translation (PAT) is not shown. If you specify fixed port numbers for a DIP pool consisting of a single IP address, then only one host can use that pool at a time. The policy above specifies only host B as the source address. If host B is the only host that uses DIP pool 7, then it is unnecessary to enable PAT.


    Figure 16: Packet Flow for Source IP Address Translation
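The directional behaviour described in this section, as an added example in Python rather than ScreenOS configuration (this code is not part of the guide or of ScreenOS). It models a policy-based NAT engine with a session table: a NAT-dst policy from host A to virtual host B rewrites 2.2.2.2 to 3.3.3.3 and reverses the reply through the session table, but a session initiated by host B is only translated when a second policy with NAT-src exists, and a destination with no route cannot be matched to a zone at all. Host A's address 1.1.1.5, the zone names, the port numbers and the Policy shape are assumptions made for illustration; 2.2.2.2 and 3.3.3.3 are the addresses used in the text.

```python
# Added example, not ScreenOS code: a toy policy-based NAT engine that reproduces the
# directional behaviour described in this section. Host A's address, the zone names,
# the port numbers and the Policy shape are assumptions made for illustration;
# 2.2.2.2 (virtual host B) and 3.3.3.3 (host B) are the addresses used in the text.
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

HOST_A = "1.1.1.5"      # assumed address for host A
VIRTUAL_B = "2.2.2.2"   # address host A sends to
REAL_B = "3.3.3.3"      # address NAT-dst actually delivers to


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Policy:
    src_zone: str
    dst_zone: str
    nat_src: Optional[str] = None               # single-address DIP pool, PAT applied
    nat_dst: Optional[Tuple[str, str]] = None   # (original destination, translated destination)


class NatEngine:
    """Sessions are stored as the reply will appear on the wire, so a reply is
    reverse-translated without a policy of its own; a session initiated in the
    other direction needs its own policy."""

    def __init__(self, routes: Dict[str, str], policies: List[Policy]):
        self.routes = routes        # address -> zone, standing in for the route lookup
        self.policies = policies
        self.sessions: Dict[Tuple[str, int, str, int], Packet] = {}
        self.next_port = 1024       # PAT allocates above the well-known range

    def _policy_for(self, pkt: Packet) -> Optional[Policy]:
        if pkt.dst not in self.routes:
            # No route to the (virtual) destination: no destination zone, so no
            # policy lookup is possible. This is what the NOTE above warns about.
            raise LookupError("no route to " + pkt.dst)
        zones = (self.routes[pkt.src], self.routes[pkt.dst])
        return next((p for p in self.policies if (p.src_zone, p.dst_zone) == zones), None)

    def initiate(self, pkt: Packet) -> Packet:
        """Apply the matching policy to the first packet of a new session."""
        pol = self._policy_for(pkt)
        if pol is None:
            raise PermissionError("no policy permits this traffic")
        out = pkt
        if pol.nat_dst and pkt.dst == pol.nat_dst[0]:
            out = replace(out, dst=pol.nat_dst[1])
        if pol.nat_src:
            out = replace(out, src=pol.nat_src, sport=self.next_port)
            self.next_port += 1
        self.sessions[(out.dst, out.dport, out.src, out.sport)] = pkt
        return out

    def reply(self, pkt: Packet) -> Optional[Packet]:
        """Undo the translation for a packet that answers a recorded session."""
        orig = self.sessions.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return None
        return Packet(src=orig.dst, sport=orig.dport, dst=orig.src, dport=orig.sport)


def scenario() -> dict:
    routes = {HOST_A: "Untrust", VIRTUAL_B: "Trust", REAL_B: "Trust"}
    nat_dst = Policy("Untrust", "Trust", nat_dst=(VIRTUAL_B, REAL_B))

    # 1. Only the NAT-dst policy exists: A -> 2.2.2.2 reaches 3.3.3.3 and the reply's
    #    source is rewritten back to 2.2.2.2 from the session table.
    engine = NatEngine(routes, [nat_dst])
    forward = engine.initiate(Packet(HOST_A, 40000, VIRTUAL_B, 80))
    back = engine.reply(Packet(REAL_B, 80, HOST_A, 40000))

    # 2. Host B initiates under a plain permit policy: its source stays 3.3.3.3.
    plain = NatEngine(routes, [nat_dst, Policy("Trust", "Untrust")])
    b_plain = plain.initiate(Packet(REAL_B, 50000, HOST_A, 443))

    # 3. Only a second policy with NAT-src hides host B behind 2.2.2.2.
    hidden = NatEngine(routes, [nat_dst, Policy("Trust", "Untrust", nat_src=VIRTUAL_B)])
    b_hidden = hidden.initiate(Packet(REAL_B, 50000, HOST_A, 443))

    # 4. Without a route to 2.2.2.2 the destination zone is unknown and lookup fails.
    try:
        NatEngine({HOST_A: "Untrust", REAL_B: "Trust"}, [nat_dst]).initiate(
            Packet(HOST_A, 40001, VIRTUAL_B, 80))
        missing_route = False
    except LookupError:
        missing_route = True

    return {
        "forward": forward,
        "reply": back,
        "b_initiates_plain_src": b_plain.src,
        "b_initiates_nat_src": (b_hidden.src, b_hidden.sport),
        "missing_route_rejected": missing_route,
    }
```

Run scenario() to see the four cases together. The session table is keyed on the translated 4-tuple so that only traffic answering an existing session is reversed; anything else is a new session and goes back through policy lookup, which is exactly why NAT-dst in one policy never implies NAT-src in the other direction.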


    Chapter 2

    Source Network Address Translation

ScreenOS provides many methods for performing Source Network Address Translation (NAT-src) and Source Port Address Translation (PAT). This chapter describes the various address translation methods available and contains the following sections:

    Introduction to NAT-Src on page 15

NAT-Src from a DIP Pool with PAT Enabled on page 18

NAT-Src from a DIP Pool with PAT Disabled on page 24

    NAT-Src from a DIP Pool with Address Shifting on page 26

    NAT-Src from the Egress Interface IP Address on page 30

    Introduction to NAT-Src

It is sometimes necessary for the security device to translate the original source IP address in an IP packet header to another address. For example, when hosts with private IP addresses initiate traffic to a public address space, the security device must translate the private source IP address to a public one. Also, when sending traffic from one private address space through a VPN to a site using the same addresses, the security devices at both ends of the tunnel must translate the source and destination IP addresses to mutually neutral addresses.

NOTE: For information about public and private IP addresses, see Public IP Addresses and Private IP Addresses.

A dynamic IP (DIP) address pool provides the security device with a supply of addresses from which to draw when performing Source Network Address Translation (NAT-src). When a policy requires NAT-src and references a specific DIP pool, the security device draws addresses from that pool when performing the translation.

NOTE: The DIP pool must use addresses within the same subnet as the default interface in the destination zone referenced in the policy. If you want to use a DIP pool with addresses outside the subnet of the destination zone interface, you must define a DIP pool on an extended interface. For more information, see Using DIP in a Different Subnet.


The DIP pool can be as small as a single IP address, which, if you enable Port Address Translation (PAT), can support up to 64,500 hosts concurrently. Although all packets receiving a new source IP address from that pool get the same address, they each get a different port number. The unique port number assigned for each IP address can be used only once at a time, which supports up to 62,463 sessions per IP address. By maintaining a session table entry that matches the original address and port number with the translated address and port number, the security device can track which packets belong to which session and which sessions belong to which hosts.

NOTE: When PAT is enabled, the security device also maintains a pool of free port numbers to assign along with addresses from the DIP pool. The figure of up to 64,500 is derived by subtracting 1023, the numbers reserved for the well-known ports, from the maximum number of ports, which is 65,535.

The DIP pool supports more sessions than there are ports per address only when the sessions have different destination IP addresses. The security device can translate different source IP addresses and port numbers to the same translated IP address and port number without any conflict as long as the destination IP addresses differ, because the destination address is part of the session match.

To enable a DIP pool to support more sessions per address, you create port pools. A port pool consists of all available ports for an IP address. You override the port pool for a group of destination IP addresses that have the same hash value. The number of times you override the port pool of an IP address is determined by the scale-size. You can configure the scale-size using the following CLI:

set interface interface [ ext ip ip_addr/mask ] dip id_num ip_addr1 [ ip_addr2 ] [ random-port | incoming ] [ scale-size number ]

By default, scale-size is 1. The maximum scale-size for an interface cannot exceed the dip-scale-size value specified in the vsys profile.

After you configure the scale-size, an IP address has multiple port pools. When a packet arrives, ScreenOS calculates a hash value from the destination IP address and the scale-size, and allocates a port number from the port pool selected by that hash value. Every port pool has 62,463 ports. Hence, every IP address can support up to scale-size * 62,463 sessions.

In this example, you assign ethernet3/1 an IP address range of 1.1.1.23 to 1.1.1.26 with DIP ID 5. Set the Scale Size to 2 and the DIP Scale Size of the vsys profile to 2.

    WebUI

Network > Interface > Edit (for ethernet3/1) > DIP: Enter the following, then click OK:

ID: 5
IP Address Range: 1.1.1.23 ~ 1.1.1.26
Port Translation: (select)
Scale Size: 2

    Vsys > Profile > Edit: Enter the following, then click OK:

    DIP Scale Size: 2


    CLI

set interface ethernet3/1 dip 5 1.1.1.23 1.1.1.26 scale-size 2
get interface ethernet3/1 dip 5 detail

set vsys-profile name dip-scale-size 2
get vsys-profile

After you configure the scale-size, every IP address supports up to scale-size * 62,463 sessions.
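The PAT behaviour described at the start of this section and the port-pool and scale-size mechanism just described, as an added example in Python (this is illustration code, not ScreenOS code and not part of the guide). A single DIP address hands out one translated port per session from a free list; with a scale-size above 1 there is one port pool per destination hash, so two sessions to different destinations can legitimately receive the same translated address and port, and a reply is still matched unambiguously because the peer address is part of the lookup. The pool-selection hash (sum of the destination octets modulo scale-size), the 1024..65535 port range (ScreenOS reports 62,463 usable ports per pool) and the sample addresses are assumptions made for this example.

```python
# Added example, not ScreenOS code: a model of PAT allocation from a single-address
# DIP pool, with one port pool per destination hash standing in for scale-size. The
# pool-selection hash, the 1024..65535 port range (ScreenOS reports 62,463 usable
# ports per pool) and the sample addresses are assumptions made for illustration.
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, int, str, int]   # (original src ip, src port, dst ip, dst port)


class DipPool:
    """One translated address shared by many hosts through port translation."""

    def __init__(self, dip_addr: str, scale_size: int = 1,
                 ports: Tuple[int, int] = (1024, 65535)):
        self.dip_addr = dip_addr
        self.scale_size = scale_size
        lo, hi = ports
        self.ports_per_pool = hi - lo + 1
        # Every pool holds the whole port range; a pool is selected by destination.
        self.free: Dict[int, List[int]] = {i: list(range(lo, hi + 1)) for i in range(scale_size)}
        self.sessions: Dict[Key, int] = {}

    @property
    def capacity(self) -> int:
        """Concurrent sessions the address can carry: scale-size times the port range."""
        return self.scale_size * self.ports_per_pool

    def _pool_for(self, dst_ip: str) -> int:
        # Assumed hash (sum of octets modulo scale-size); the real function is not on this page.
        return sum(int(o) for o in dst_ip.split(".")) % self.scale_size

    def translate(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Tuple[str, int]:
        """Return (translated ip, translated port) for a flow, allocating a port on first use."""
        key: Key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.sessions:
            free = self.free[self._pool_for(dst_ip)]
            if not free:
                raise RuntimeError("port pool exhausted for destinations hashing like " + dst_ip)
            self.sessions[key] = free.pop()
        return self.dip_addr, self.sessions[key]

    def reverse(self, peer_ip: str, peer_port: int, mapped_port: int) -> Optional[Tuple[str, int]]:
        """Find the inside host for a reply from peer to dip_addr:mapped_port. The peer
        is part of the match, which is why flows to different destinations may share
        a translated port without ambiguity."""
        for (src_ip, src_port, dst_ip, dst_port), port in self.sessions.items():
            if (dst_ip, dst_port, port) == (peer_ip, peer_port, mapped_port):
                return src_ip, src_port
        return None

    def close(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> None:
        """Give the port back to its pool when the session ends."""
        port = self.sessions.pop((src_ip, src_port, dst_ip, dst_port))
        self.free[self._pool_for(dst_ip)].append(port)


def demo() -> dict:
    # Constructed traffic: two inside hosts reuse source port 40000 towards two servers.
    single = DipPool("1.1.1.30")
    a = single.translate("10.1.1.5", 40000, "203.0.113.10", 80)
    b = single.translate("10.1.1.6", 40000, "203.0.113.11", 80)

    scaled = DipPool("1.1.1.30", scale_size=2)
    c = scaled.translate("10.1.1.5", 40000, "203.0.113.10", 80)   # hashes to pool 0
    d = scaled.translate("10.1.1.6", 40000, "203.0.113.11", 80)   # hashes to pool 1

    tiny = DipPool("1.1.1.30", ports=(60000, 60001))   # two ports, to show exhaustion
    tiny.translate("10.1.1.5", 1, "203.0.113.10", 80)
    tiny.translate("10.1.1.5", 2, "203.0.113.10", 80)
    try:
        tiny.translate("10.1.1.5", 3, "203.0.113.10", 80)
        exhausted = False
    except RuntimeError:
        exhausted = True
    tiny.close("10.1.1.5", 1, "203.0.113.10", 80)
    reused = tiny.translate("10.1.1.5", 3, "203.0.113.10", 80)

    return {
        "single_pool": (a, b),
        "scaled_pool": (c, d),
        "reverse_c": scaled.reverse("203.0.113.10", 80, c[1]),
        "reverse_d": scaled.reverse("203.0.113.11", 80, d[1]),
        "capacity": (single.capacity, scaled.capacity),
        "exhausted": exhausted,
        "reused_after_close": reused,
    }
```

Run demo() to see the allocations. With scale-size 1 the two sessions get distinct ports from one pool; with scale-size 2 they hash to different pools and both receive port 65535 on 1.1.1.30, and reverse() still returns the right inside host for each because it matches on the peer as well as the port. The tiny pool shows what a practitioner should plan for: once the free list is empty new sessions fail until an existing one closes and returns its port.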

In transparent mode, the current version of ScreenOS supports only policy-based NAT-src with the DIP pool built on the extended VLAN interface. To perform the address translation, you must configure a DIP pool on the VLAN interface and use the extended interface option to define an address range for the DIP pool. For more information, see Using DIP in a Different Subnet.

In the following example, you configure various DIP pools (fix-port, port-xlate, and ip-shift) on the vlan1 interface.

    WebUI

    1. Interfaces

Network > Interfaces > Edit (for vlan1): Enter the following, then click OK:

Zone Name: VLAN
IP Address/Netmask: 10.10.10.1/24

    2. DIP

Network > Interfaces > Edit (for vlan1) > DIP > New: Enter the following, then click OK:

ID: 20
IP Address Range: (select), 20.20.20.1 ~ 20.20.20.10
Port Translation: (select)
In the same subnet as the extended IP: (select)
Extended IP/Netmask: 20.20.20.1/24

Network > Interfaces > Edit (for vlan1) > DIP > New: Enter the following, then click OK:

ID: 21
IP Address Range: (select), 20.20.20.30 ~ 20.20.20.39
Port Translation: (clear)
In the same subnet as the extended IP: (select)
Extended IP/Netmask: 20.20.20.1/24

Network > Interfaces > Edit (for vlan1) > DIP > New: Enter the following, then click OK:

ID: 22
IP Shift: (select), From 5.5.5.1 To 20.20.20.50 ~ 20.20.20.59
In the same subnet as the extended IP: (select)
Extended IP/Netmask: 20.20.20.1/24

    CLI

set interface vlan1 ip 10.10.10.1/24
set interface vlan1 ext ip 20.20.20.1/24 dip 20 20.20.20.1 20.20.20.10
set interface vlan1 ext ip 20.20.20.1/24 dip 21 20.20.20.30 20.20.20.39 fix-port
set interface vlan1 ext ip 20.20.20.1/24 dip 22 shift-from 5.5.5.1 to 20.20.20.50 20.20.20.59
save


NOTE: In transparent mode, ScreenOS supports only policy-based NAT-src on incoming packets.

If you use NAT-src but do not specify a DIP pool in the policy, the security device translates the source address to that of the egress interface in the destination zone. In such cases, PAT is required and automatically enabled.

For applications requiring that a particular source port number remain fixed, you must disable PAT and define a DIP pool with a range of IP addresses large enough for each concurrently active host to receive a different translated address. For fixed-port DIP, the security device assigns one translated source address to the same host for all its concurrent sessions. In contrast, when the DIP pool has PAT enabled, the security device might assign a single host different addresses for different concurrent sessions, unless you define the DIP as sticky (see Sticky DIP Addresses).

    NAT-Src from a DIP Pool with PAT Enabled

When applying Source Network Address Translation (NAT-src) with Port Address Translation (PAT), the security device translates IP addresses and port numbers, and performs stateful inspection as illustrated in Figure 17 on page 19 (note that only the elements in the IP packet and TCP segment headers relevant to NAT-src are shown).

NOTE: You can add a maximum of three IP address ranges for a fixed-port DIP pool. The IP address ranges should not overlap. When the first address range is exhausted, the security device attempts to process the NAT request using the second address range. When the second address range is exhausted, the security device attempts to process the NAT request using the third address range. Note that the total range of all IP addresses defined in the fixed-port DIP pool must not exceed the permitted address scope of the subnet. For more information, see Creating a DIP Pool with PAT.


    Figure 17: NAT-Src Using a DIP Pool with PAT Enabled

    Example: NAT-Src with PAT Enabled

In this example, you define DIP pool 5 on ethernet3, an interface bound to the Untrust zone. The DIP pool contains a single IP address, 1.1.1.30, and has PAT enabled by default.

NOTE: When you define a DIP pool, the security device enables PAT by default. To disable PAT, you must add the keyword fix-port to the end of the CLI command, or clear the Port Translation option on the DIP configuration page in the WebUI. For example, set interface ethernet3 dip 5 1.1.1.30 1.1.1.30 fix-port, or Network > Interfaces > Edit (for ethernet3) > DIP: ID: 5; Start: 1.1.1.30; End: 1.1.1.30; Port Translation: (clear).

    You then set a policy that instructs the security device to perform the following tasks:

Permit HTTP traffic from any address in the Trust zone to any address in the Untrust zone

Translate the source IP address in the IP packet header to 1.1.1.30, which is the sole entry in DIP pool 5


Translate the original source port number in the TCP segment header or UDP datagram header to a new, unique number

Send HTTP traffic with the translated source IP address and port number out ethernet3 to the Untrust zone


    Figure 18: NAT-Src with PAT Enabled


    WebUI

    1. Interfaces

    Network > Interfaces > Edit (for ethernet1): Enter the following, then click Apply:

    Zone Name: Trust
    Static IP: (select this option when present)
    IP Address/Netmask: 10.1.1.1/24

    Select the following, then click OK:

    Interface Mode: NAT

    Network > Interfaces > Edit (for ethernet3): Enter the following, then click OK:

    Zone Name: Untrust
    Static IP: (select this option when present)
    IP Address/Netmask: 1.1.1.1/24

    2. DIP

    Network > Interfaces > Edit (for ethernet3) > DIP > New: Enter the following, then click OK:

    ID: 5
    IP Address Range: (select), 1.1.1.30 ~ 1.1.1.30
    Port Translation: (select)
    In the same subnet as the interface IP or its secondary IPs: (select)

    3. Policy

    Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:

    Source Address:
    Address Book Entry: (select), Any
    Destination Address:
    Address Book Entry: (select), Any
    Service: HTTP
    Action: Permit

    > Advanced: Enter the following, then click Return to set the advanced options and return to the basic configuration page:

    NAT:
    Source Translation: (select)
    (DIP on): 5 (1.1.1.30 - 1.1.1.30)/X-late

    CLI

    1. Interfaces


    set interface ethernet1 zone trust
    set interface ethernet1 ip 10.1.1.1/24
    set interface ethernet1 nat
    set interface ethernet3 zone untrust
    set interface ethernet3 ip 1.1.1.1/24

    2. DIP

    set interface ethernet3 dip 5 1.1.1.30 1.1.1.30

    3. Policy

    set policy from trust to untrust any any http nat src dip-id 5 permit
    save

    NAT-Src from a DIP Pool with PAT Disabled

    Certain configurations or situations may require you to perform Source Network Address Translation (NAT-src) for the IP address without performing Port Address Translation (PAT) for the source port number. For example, a custom application might require a specific number for the source port address. In such a case, you can define a policy instructing the security device to perform NAT-src without performing PAT.

    Example: NAT-Src with PAT Disabled

    In this example, you define a DIP pool 6 on ethernet3, an interface bound to the Untrust zone. The DIP pool contains a range of IP addresses from 1.1.1.50 to 1.1.1.150. You disable PAT. You then set a policy that instructs the security device to perform the following tasks:

    Permit traffic for a user-defined service named e-stock from any address in the Trust zone to any address in the Untrust zone

    NOTE: It is assumed that you have previously defined the user-defined service e-stock. This fictional service requires that all e-stock transactions originate from specific source port numbers. For this reason, you must disable PAT for DIP pool 6.

    Translate the source IP address in the IP packet header to any available address in DIP pool 6

    Retain the original source port number in the TCP segment header or UDP datagram header

    Send e-stock traffic with the translated source IP address and original port number out ethernet3 to the Untrust zone

    WebUI

    1. Interfaces


    Network > Interfaces > Edit (for ethernet1): Enter the following, then click Apply:

    Zone Name: Trust
    Static IP: (select this option when present)
    IP Address/Netmask: 10.1.1.1/24

    Select the following, then click OK:

    Interface Mode: NAT

    Network > Interfaces > Edit (for ethernet3): Enter the following, then click OK:

    Zone Name: Untrust
    Static IP: (select this option when present)
    IP Address/Netmask: 1.1.1.1/24

    2. DIP

    Network > Interfaces > Edit (for ethernet3) > DIP > New: Enter the following, then click OK:

    ID: 6
    IP Address Range: (select), 1.1.1.50 ~ 1.1.1.150
    Port Translation: (clear)
    In the same subnet as the interface IP or its secondary IPs: (select)

    3. Policy

    Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:

    Source Address:
    Address Book Entry: (select), Any
    Destination Address:
    Address Book Entry: (select), Any
    Service: e-stock
    Action: Permit

    > Advanced: Enter the following, then click Return to set the advanced options and return to the basic configuration page:

    NAT:
    Source Translation: (select)
    DIP on: (select), 6 (1.1.1.50 - 1.1.1.150)

    CLI

    1. Interfaces

    set interface ethernet1 zone trust
    set interface ethernet1 ip 10.1.1.1/24
    set interface ethernet1 nat
    set interface ethernet3 zone untrust
    set interface ethernet3 ip 1.1.1.1/24

    2. DIP


    set interface ethernet3 dip 6 1.1.1.50 1.1.1.150 fix-port

    3. Policy

    set policy from trust to untrust any any e-stock nat src dip-id 6 permit
    save

    NAT-Src from a DIP Pool with Address Shifting

    You can define a one-to-one mapping from an original source IP address to a translated source IP address for a range of IP addresses. Such a mapping ensures that the security device always translates a particular source IP address from within that range to the same translated address within a DIP pool. There can be any number of addresses in the range. You can even map one subnet to another subnet, with a consistent one-to-one mapping of each original address in one subnet to its translated counterpart in the other subnet.

    One possible use for performing NAT-src with address shifting is to provide greater policy granularity on another security device that receives traffic from the first one. For example, the admin for Device-A at site A defines a policy that translates the source addresses of its hosts when communicating with Device-B at site B through a site-to-site VPN tunnel. If Device-A applies NAT-src using addresses from a DIP pool without address shifting, the Device-B admin can only configure generic policies regarding the traffic it can allow from site A. Unless the Device-B admin knows the specific translated IP addresses, he can only set inbound policies for the range of source addresses drawn from the Device-A DIP pool. On the other hand, if the Device-B admin knows what the translated source addresses are (because of address shifting), the Device-B admin can now be more selective and restrictive with the policies he sets for inbound traffic from site A.

    Note that it is possible to use a DIP pool with address shifting enabled in a policy that applies to source addresses beyond the range specified in the pool. In such cases, the security device passes traffic from all source addresses permitted in the policy, applying NAT-src with address shifting to those addresses that fall within the DIP pool range but leaving those addresses that fall outside the DIP pool range unchanged. If you want the security device to apply NAT-src to all source addresses, make sure that the range of source addresses is smaller or the same size as the range of the DIP pool.

    NOTE: The security device does not support source Port Address Translation (PAT) with address shifting.

    Example: NAT-Src with Address Shifting

    In this example, you define DIP pool 10 on ethernet3, an interface bound to the Untrust zone. You want to translate five addresses between 10.1.1.11 and 10.1.1.15 to five addresses between 1.1.1.101 and 1.1.1.105, and you want the relationship between each original and translated address to be consistent:


    Table 1: NAT-Src with Address Shifting

    Original Source IP Address    Translated Source IP Address
    10.1.1.11                     1.1.1.101
    10.1.1.12                     1.1.1.102
    10.1.1.13                     1.1.1.103
    10.1.1.14                     1.1.1.104
    10.1.1.15                     1.1.1.105

    You define addresses for five hosts in the Trust zone and add them to an address group named group1. The addresses for these hosts are 10.1.1.11, 10.1.1.12, 10.1.1.13, 10.1.1.14, and 10.1.1.15. You configure a policy from the Trust zone to the Untrust zone that references that address group and applies NAT-src with DIP pool 10. The policy instructs the security device to perform NAT-src whenever a member of group1 initiates HTTP traffic to an address in the Untrust zone. Furthermore, the security device always performs NAT-src from a particular IP address, such as 10.1.1.13, to the same translated IP address, 1.1.1.103.

    You then set a policy that instructs the security device to perform the following tasks:

    Permit HTTP traffic from group1 in the Trust zone to any address in the Untrust zone

    Translate the source IP address in the IP packet header to its corresponding address in DIP pool 10

    Send HTTP traffic with the translated source IP address and port number out ethernet3 to the Untrust zone

    WebUI

    1. Interfaces

    Network > Interfaces > Edit (for ethernet1): Enter the following, then click Apply:

    Zone Name: Trust
    Static IP: (select this option when present)
    IP Address/Netmask: 10.1.1.1/24

    Select the following, then click OK:

    Interface Mode: NAT

    Network > Interfaces > Edit (for ethernet3): Enter the following, then click OK:

    Zone Name: Untrust
    Static IP: (select this option when present)
    IP Address/Netmask: 1.1.1.1/24


    2. DIP

    Network > Interfaces > Edit (for ethernet3) > DIP > New: Enter the following, then click OK:

    ID: 10
    IP Shift: (select)
    From: 10.1.1.11
    To: 1.1.1.101 ~ 1.1.1.105
    In the same subnet as the interface IP or its secondary IPs: (select)

    3. Addresses

    Policy > Policy Elements > Addresses > List > New: Enter the following information, then click OK:

    Address Name: host1
    IP Address/Domain Name:
    IP/Netmask: (select), 10.1.1.11/32
    Zone: Trust

    Policy > Policy Elements > Addresses > List > New: Enter the following information, then click OK:

    Address Name: host2
    IP Address/Domain Name:
    IP/Netmask: (select), 10.1.1.12/32
    Zone: Trust

    Policy > Policy Elements > Addresses > List > New: Enter the following information, then click OK:

    Address Name: host3
    IP Address/Domain Name:
    IP/Netmask: (select), 10.1.1.13/32
    Zone: Trust

    Policy > Policy Elements > Addresses > List > New: Enter the following information, then click OK:

    Address Name: host4
    IP Address/Domain Name:
    IP/Netmask: (select), 10.1.1.14/32
    Zone: Trust

    Policy > Policy Elements > Addresses > List > New: Enter the following information, then click OK:

    Address Name: host5
    IP Address/Domain Name:
    IP/Netmask: (select), 10.1.1.15/32
    Zone: Trust

    Policy > Policy Elements > Addresses > Group > (for Zone: Trust) New: Enter the following group name, move the following addresses, then click OK:


    Group Name: group1

    Select host1 and use the

    set address trust host5 10.1.1.15/32
    set group address trust group1 add host1
    set group address trust group1 add host2
    set group address trust group1 add host3
    set group address trust group1 add host4
    set group address trust group1 add host5

    4. Policy

    set policy from trust to untrust group1 any http nat src dip-id 10 permit
    save

    NAT-Src from the Egress Interface IP Address

    If you apply NAT-src to a policy but do not specify a DIP pool, then the security device translates the source IP address to the address of the egress interface. In such cases, the security device always applies PAT.
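The four NAT-src behaviours this chapter has described (a DIP pool with PAT, a DIP pool with PAT disabled by fix-port, a DIP pool with address shifting, and translation to the egress interface address with PAT when no pool is given) are easier to compare side by side. The following Python model is an added illustration written for this page, not ScreenOS code: the DipPool and SourceNat names, the PAT port range, the two-address fix-port pool and the sample flows are constructed, and the shifting pool is modelled on the WebUI "IP Shift: From / To" fields above. The fix-port branch models the behaviour the chapter describes, namely that a pool address can carry only one session per original source port, so the device needs another pool address for a second flow that uses the same port.

```python
"""Model of the NAT-src behaviours described in this chapter.
Added example for this page, not ScreenOS code; names, port range and
sample flows are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed port range the model hands out under PAT; the chapter does not
# state the range ScreenOS actually uses.
PAT_PORT_LOW, PAT_PORT_HIGH = 1024, 65535


@dataclass
class DipPool:
    pool_id: int
    start: str                        # first translated address in the pool
    end: str                          # last translated address in the pool
    fix_port: bool = False            # the 'fix-port' keyword: PAT disabled
    shift_from: Optional[str] = None  # WebUI "IP Shift: From": address shifting

    def addresses(self) -> List[str]:
        lo = int(ipaddress.IPv4Address(self.start))
        hi = int(ipaddress.IPv4Address(self.end))
        return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]


class SourceNat:
    """Translates (source IP, source port) for a new session the way a policy
    with 'nat src [dip-id N]' does, remembering which translated pairs are in use."""

    def __init__(self, egress_ip: str, pool: Optional[DipPool] = None):
        self.egress_ip = egress_ip
        self.pool = pool
        self.in_use = set()  # (translated_ip, translated_port) held by live sessions

    def _pat(self, candidates: List[str]) -> Optional[Tuple[str, int]]:
        # PAT: any free port on any candidate address yields a unique pair.
        for ip in candidates:
            for port in range(PAT_PORT_LOW, PAT_PORT_HIGH + 1):
                if (ip, port) not in self.in_use:
                    self.in_use.add((ip, port))
                    return ip, port
        return None

    def translate(self, src_ip: str, src_port: int) -> Optional[Tuple[str, int]]:
        """Return the translated (ip, port), or None when no slot is free."""
        if self.pool is None:
            # No DIP pool: egress interface IP, and PAT is always applied.
            return self._pat([self.egress_ip])

        if self.pool.shift_from is not None:
            # Address shifting: fixed one-to-one mapping, no PAT. A source outside
            # the shifted range is passed through untranslated, as the chapter notes.
            base = int(ipaddress.IPv4Address(self.pool.shift_from))
            offset = int(ipaddress.IPv4Address(src_ip)) - base
            pool_addrs = self.pool.addresses()
            if 0 <= offset < len(pool_addrs):
                return pool_addrs[offset], src_port
            return src_ip, src_port

        if self.pool.fix_port:
            # PAT disabled: keep the original port, so each pool address can carry
            # one session per source port; try the next address on a clash.
            for ip in self.pool.addresses():
                if (ip, src_port) not in self.in_use:
                    self.in_use.add((ip, src_port))
                    return ip, src_port
            return None  # every pool address already uses this port

        return self._pat(self.pool.addresses())


def untranslated_sources(policy_sources: List[str], pool: DipPool) -> List[str]:
    """Sources a policy permits that a shifting pool would leave unchanged.
    An empty list means NAT-src applies to every permitted source, which is
    what the chapter advises checking."""
    base = int(ipaddress.IPv4Address(pool.shift_from))
    size = len(pool.addresses())
    return [s for s in policy_sources
            if not base <= int(ipaddress.IPv4Address(s)) < base + size]


if __name__ == "__main__":
    # Constructed flows through DIP pool 10 (address shifting) from the chapter.
    nat = SourceNat("1.1.1.1", DipPool(10, "1.1.1.101", "1.1.1.105", shift_from="10.1.1.11"))
    for host in ("10.1.1.13", "10.1.1.20"):
        print(host, "->", nat.translate(host, 33000))
```

A defender checking a shifting pool against a policy's address group can feed the group's members to untranslated_sources; any address it returns would leave the device with its private source address intact.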

    Example: NAT-Src Without DIP

    In this example, you define a policy that instructs the security device to perform the following tasks:

    Permit HTTP traffic from any address in the Trust zone to any address in the Untrust zone

    Translate the source IP address in the IP packet header to 1.1.1.1, which is the IP address of ethernet3, the interface bound to the Untrust zone, and thus the egress interface for traffic sent to any address in the Untrust zone

    Translate the original source port number in the TCP segment header or UDP datagram header to a new, unique number

    Send traffic with the translated source IP address and port number out ethernet3 to the Untrust zone

    Figure 19: NAT-Src Without DIP


    WebUI

    1. Interfaces

    Network > Interfaces > Edit (for ethernet1): Enter the following, then click Apply:

    Zone Name: Trust
    Static IP: (select this option when present)
    IP Address/Netmask: 10.1.1.1/24

    Select the following, then click OK:

    Interface Mode: NAT

    Network > Interfaces > Edit (for ethernet3): Enter the following, then click OK:

    Zone Name: Untrust
    Static IP: (select this option when present)
    IP Address/Netmask: 1.1.1.1/24

    2. Policy

    Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:

    Source Address:
    Address Book Entry: (select), Any
    Destination Address:
    Address Book Entry: (select), Any
    Service: HTTP
    Action: Permit

    > Advanced: Enter the following, then click Return to set the advanced options and return to the basic configuration page:

    NAT:
    Source Translation: (select)
    (DIP on): None (Use Egress Interface IP)

    CLI

    1. Interfaces

    set interface ethernet1 zone trust
    set interface ethernet1 ip 10.1.1.1/24
    set interface ethernet1 nat
    set interface ethernet3 zone untrust
    set interface ethernet3 ip 1.1.1.1/24

    2. Policy

    set policy from trust to untrust any any http nat src permit
    save


    Chapter 3

    Destination Network Address Translation

    ScreenOS provides many methods for performing Destination Network Address Translation (NAT-dst) and destination port address mapping. This chapter describes the various address-translation methods available and contains the following sections:

    NOTE: For information about destination address translation using a mapped IP (MIP) or virtual IP (VIP) address, see Mapped and Virtual Addresses on page 69.

    Introduction to NAT-Dst on page 33

    NAT-Dst One-to-One Mapping on page 40

    NAT-Dst Many-to-One Mapping on page 46

    NAT-Dst Many-to-Many Mapping on page 49

    NAT-Dst with Port Mapping on page 52

    Using proxy-arp-entry to import the NATDST traffic to the right VSI on page 55

    NAT-Src and NAT-Dst in the Same Policy on page 56

    Introduction to NAT-Dst

    You can define policies to translate the destination address from one IP address to another. Perhaps you need the security device to translate one or more public IP addresses to one or more private addresses. The relationship of the original destination address to the translated destination address can be a one-to-one relationship, a many-to-one relationship, or a many-to-many relationship. Figure 20 on page 34 depicts the concepts of one-to-one and many-to-one NAT-dst relationships.


    Figure 20: NAT-Dst One-to-One and Many-to-One

    Both of the configurations shown in Figure 20 on page 34 support destination port mapping. Port mapping is the deterministic translation of one original destination port number to another specific number. The relationship of the original-to-translated number in port mapping differs from Port Address Translation (PAT). With port mapping, the security device translates a predetermined original port number to another predetermined port number. With PAT, the security device translates a randomly assigned original source port number to another randomly assigned number.

    You can translate a range of destination addresses to another range, such as one subnet to another, with address shifting, so that the security device consistently maps each original destination address to a specific translated destination address. Note that the security device does not support port mapping with address shifting. Figure 21 on page 34 depicts the concept of a many-to-many relationship for NAT-dst.

    Figure 21: NAT-Dst Many-to-Many

    There must be entries in the route table for both the original destination IP address and the translated destination IP address. The security device performs a route lookup using the original destination IP address to determine the destination zone for a subsequent policy lookup. It then performs a second route lookup using the translated address to determine where to send the packet. To ensure that the routing decision is in accord with the policy, both the original destination IP address and the translated IP address must be in the same security zone. (For more information about the relationship of the destination IP address, route lookup, and policy lookup, see Packet Flow for NAT-Dst on page 35.)

    Packet Flow for NAT-Dst

    The following steps describe the path of a packet through a security device and the various operations that it performs when applying NAT-dst:

    1. An HTTP packet with source IP address:port number 1.1.1.5:32455 and destination IP address:port number 5.5.5.5:80 arrives at ethernet1, which is bound to the Untrust zone.

    Figure 22: NAT-Dst Packet Flow, Packet Arrival

    2. If you have enabled SCREEN options for the Untrust zone, the security device activates the SCREEN module at this point. SCREEN checking can produce one of the following three results:

    If a SCREEN mechanism detects anomalous behavior for which it is configured to block the packet, the security device drops the packet and makes an entry in the event log.

    If a SCREEN mechanism detects anomalous behavior for which it is configured to record the event but not block the packet, the security device records the event in the SCREEN counters list for the ingress interface and proceeds to the next step.

    If the SCREEN mechanisms detect no anomalous behavior, the security device proceeds to the next step.

    If you have not enabled any SCREEN options for the Untrust zone, the security device immediately proceeds to the next step.

    3. The session module performs a session lookup, attempting to match the packet with an existing session.

    If the packet does not match an existing session, the security device performs First Packet Processing, a procedure involving the remaining steps.


    If the packet matches an existing session, the security device performs Fast Processing, using the information available from the existing session entry to process the packet. Fast Processing bypasses all but the last step because the information generated by the bypassed steps has already been obtained during the processing of the first packet in the session.

    4. The address-mapping module checks if a mapped IP (MIP) or virtual IP (VIP) configuration uses the destination IP address 5.5.5.5.

    NOTE: The security device checks if the destination IP address is used in a VIP configuration only if the packet arrives at an interface bound to the Untrust zone.

    If there is such a configuration, the security device resolves the MIP or VIP to the translated destination IP address and bases its route lookup on that. It then does a policy lookup between the Untrust and Global zones. If it finds a policy match that permits the traffic, the security device forwards the packet out the egress interface determined in the route lookup.

    If 5.5.5.5 is not used in a MIP or VIP configuration, the security device proceeds to the next step.

    5. To determine the destination zone, the route module does a route lookup of the original destination IP address; that is, it uses the destination IP address that appears in the header of the packet that arrives at ethernet1. (The route module uses the ingress interface to determine which virtual router to use for the route lookup.) It discovers that 5.5.5.5/32 is accessed through ethernet4, which is bound to the Custom1 zone.

    trust-vr Route Table

    To Reach       Use Interface    In Zone    Use Gateway
    0.0.0.0/0      ethernet1        Untrust    1.1.1.250
    1.1.1.0/24     ethernet1        Untrust    0.0.0.0
    2.2.2.0/24     ethernet2        DMZ        0.0.0.0
    3.3.3.0/24     ethernet3        Trust      0.0.0.0
    4.4.4.0/24     ethernet4        Custom1    0.0.0.0
    5.5.5.5/32     ethernet4        Custom1    0.0.0.0

    6. The policy engine does a policy lookup between the Untrust and Custom1 zones (as determined by the corresponding ingress and egress interfaces). The source and destination IP addresses and the service match a policy redirecting HTTP traffic from 5.5.5.5 to 4.4.4.5.

    set policy from untrust to custom1 any v-server1 http nat dst ip 4.4.4.5 permit


    (You have previously defined the address v-server1 with IP address 5.5.5.5/32. It is in the Custom1 zone.)

    The security device translates the destination IP address from 5.5.5.5 to 4.4.4.5.

    The policy indicates that neither NAT-src nor PAT-dst is required.

    7. The security device does a second route lookup using the translated IP address and discovers that 4.4.4.5/32 is accessed through ethernet4.

    8. The address-mapping module translates the destination IP address in the packet header to 4.4.4.5. The security device then forwards the packet out ethernet4 and makes an entry in its session table (unless this packet is part of an existing session and an entry already exists).

    Figure 23: NAT-Dst Packet Flow, Packet Forwarding

    Routing for NAT-Dst

    When you configure addresses for NAT-dst, the security device must have routes in its routing table to both the original destination address that appears in the packet header and the translated destination address (that is, the address to which the security device redirects the packet). As explained in Packet Flow for NAT-Dst on page 35, the security device uses the original destination address to do a route lookup, and thereby determine the egress interface. The egress interface in turn provides the destination zone (the zone to which the interface is bound) so that the security device can do a policy lookup. When the security device finds a policy match, the policy defines the mapping of the original destination address to the translated destination address. The security device then performs a second route lookup to determine the interface through which it must forward the packet to reach the new destination address. In summary, the route to the original destination address provides a means to perform the policy lookup, and the route to the translated destination address specifies the egress interface through which the security device is to forward the packet.

    In the following three scenarios, the need to enter static routes differs according to the network topology surrounding the destination addresses referenced in this policy:

    set policy from untrust to trust any oda1 http nat dst ip 10.1.1.5 permit

    in which oda1 is the original destination address 10.2.1.5, and the translated destination address is 10.1.1.5.
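The two route lookups that Packet Flow for NAT-Dst and Routing for NAT-Dst describe (the first on the original destination, to find the destination zone for the policy lookup; the second on the translated destination, to pick the egress interface) can be traced with a small model. The following Python is an added example for this page, not ScreenOS code: it uses the trust-vr route table, the v-server1 address and the Untrust-to-Custom1 policy shown in the packet-flow steps above, while the Route and Policy types, the forward() helper, the packet values and the deliberately misconfigured second policy are constructed. The MIP/VIP check of step 4 and the SCREEN checks of step 2 are left out. It also enforces the chapter's caveat that the original and translated addresses must fall in the same security zone, by dropping a packet whose translated address would route into a different zone than the one the policy was matched against.

```python
"""Model of the NAT-dst packet flow: route lookup on the original destination,
policy lookup, translation, second route lookup on the translated destination.
Added example for this page, not ScreenOS code; route table and policy are the
chapter's, the packet and helper names are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Route:
    prefix: str
    interface: str
    zone: str
    gateway: str


@dataclass
class Policy:
    from_zone: str
    to_zone: str
    src: str                  # address-book name or "any"
    dst: str                  # address-book name or "any"
    service: str
    nat_dst_ip: Optional[str]  # the 'nat dst ip <addr>' part, or None
    action: str


# trust-vr route table as listed in step 5 of Packet Flow for NAT-Dst.
TRUST_VR: List[Route] = [
    Route("0.0.0.0/0", "ethernet1", "Untrust", "1.1.1.250"),
    Route("1.1.1.0/24", "ethernet1", "Untrust", "0.0.0.0"),
    Route("2.2.2.0/24", "ethernet2", "DMZ", "0.0.0.0"),
    Route("3.3.3.0/24", "ethernet3", "Trust", "0.0.0.0"),
    Route("4.4.4.0/24", "ethernet4", "Custom1", "0.0.0.0"),
    Route("5.5.5.5/32", "ethernet4", "Custom1", "0.0.0.0"),
]

# Address book entry v-server1 (5.5.5.5/32 in Custom1) from the chapter.
ADDRESS_BOOK = {"any": "0.0.0.0/0", "v-server1": "5.5.5.5/32"}

# set policy from untrust to custom1 any v-server1 http nat dst ip 4.4.4.5 permit
POLICIES = [Policy("Untrust", "Custom1", "any", "v-server1", "http", "4.4.4.5", "permit")]

# Zone bindings implied by the route table (ingress interface -> zone).
INGRESS_ZONE = {"ethernet1": "Untrust", "ethernet2": "DMZ",
                "ethernet3": "Trust", "ethernet4": "Custom1"}


def route_lookup(table: List[Route], ip: str) -> Optional[Route]:
    """Longest-prefix match, so 5.5.5.5/32 beats the 0.0.0.0/0 default."""
    addr = ipaddress.IPv4Address(ip)
    best, best_len = None, -1
    for r in table:
        net = ipaddress.IPv4Network(r.prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def _in_book(name: str, ip: str) -> bool:
    return ipaddress.IPv4Address(ip) in ipaddress.IPv4Network(ADDRESS_BOOK[name])


def policy_lookup(policies, from_zone, to_zone, src_ip, dst_ip, service):
    for p in policies:
        if (p.from_zone, p.to_zone, p.service) == (from_zone, to_zone, service) \
                and _in_book(p.src, src_ip) and _in_book(p.dst, dst_ip):
            return p
    return None


def forward(ingress_if: str, src_ip: str, dst_ip: str, service: str,
            policies: List[Policy] = POLICIES) -> Dict[str, str]:
    """Decide what happens to a first packet; returns the forwarding decision."""
    from_zone = INGRESS_ZONE[ingress_if]
    # Step 5: route lookup on the ORIGINAL destination gives the destination zone.
    r1 = route_lookup(TRUST_VR, dst_ip)
    if r1 is None:
        return {"action": "drop", "reason": "no route to original destination"}
    # Step 6: policy lookup between the ingress zone and that destination zone.
    pol = policy_lookup(policies, from_zone, r1.zone, src_ip, dst_ip, service)
    if pol is None or pol.action != "permit":
        return {"action": "drop", "reason": f"no permit policy {from_zone} to {r1.zone}"}
    new_dst = pol.nat_dst_ip or dst_ip
    # Step 7: second route lookup on the TRANSLATED destination picks the egress.
    r2 = route_lookup(TRUST_VR, new_dst)
    if r2 is None:
        return {"action": "drop", "reason": "no route to translated destination"}
    # Chapter caveat: both addresses must be in the same zone, otherwise the
    # forwarding decision no longer agrees with the policy that was matched.
    if r2.zone != r1.zone:
        return {"action": "drop",
                "reason": f"translated address routes to zone {r2.zone}, policy matched {r1.zone}"}
    # Step 8: rewrite the destination and send it out the egress interface.
    return {"action": "forward", "dst": new_dst, "egress": r2.interface, "zone": r2.zone}


if __name__ == "__main__":
    print(forward("ethernet1", "1.1.1.5", "5.5.5.5", "http"))
```

Running the main block reproduces the chapter's walk-through: the HTTP packet from 1.1.1.5 to 5.5.5.5 matches the Untrust-to-Custom1 policy, is rewritten to 4.4.4.5 and leaves through ethernet4. Swapping the policy's translated address for one that routes into another zone makes forward() drop the packet, which is the situation the same-zone rule exists to prevent.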

    Example: Addresses Connected to One Interface

    In this scenario, the routes to both the original and translated destination addresses direct traffic through the same interface, ethernet3. The security device automatically adds a route to 10.1.1.0/24 through ethernet3 when you configure the IP address of ethernet3 in