Abstract

Network address translation (NAT) has always been an essential part of network design. NAT hides the originating Internet Protocol (IP) address, providing an extra layer of security that protects the host's identity, and it allows one IP address to be shared by several thousand devices, conserving non-RFC 1918 IP addresses. This chapter describes the network address and port translation (NAPT) features of the Juniper NetScreen products with example scenarios and their respective configuration steps. One of the original methods used for NAT is the interface-based NAT mode, which is enabled by default on the Ethernet interface bound to the Trust security zone. It is recommended that interface-based NAT mode be disabled and the interface set to Route mode at all times, using policy-based NAT instead. Policy-based NAT is more efficient and scalable than interface-based NAT. Mapped IP (MIP) and Virtual IP (VIP) have capacity limitations that restrict the use of these NAPT methods; policy-based translation can perform the same functions as a MIP or a VIP and supports a much larger capacity. This chapter provides an understanding of the limitations and capabilities of the Juniper NetScreen firewall address translation features. Knowing how the firewall handles a packet is essential for troubleshooting NAT issues.
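As an added illustration of the recommendation above (not configuration from the chapter itself), the following ScreenOS CLI fragment shows the default interface-based NAT setting beside the recommended Route mode with policy-based source NAT, a MIP and a VIP. Interface names, zones, the RFC 1918 internal addresses and the RFC 5737 documentation addresses used as "public" addresses are assumptions chosen for the example.

```text
## Default behaviour: ethernet1 (Trust zone) in interface-based NAT mode.
## Every flow leaving Trust is translated to the egress interface address,
## with no per-policy control over which traffic is translated.
set interface ethernet1 nat

## Recommended: put the Trust interface in Route mode and decide
## translation per policy instead.
set interface ethernet1 route

## Policy-based source NAT (NAPT): Trust hosts reach Untrust using the
## address of the egress interface (ethernet3). "nat src" is the keyword
## that turns translation on for this policy only.
set policy id 10 from "Trust" to "Untrust" "Any" "Any" "ANY" nat src permit

## MIP: one-to-one static mapping of a public address to an internal host.
## Assumed addresses: 203.0.113.5 (public) -> 10.1.1.5 (internal).
set interface ethernet3 mip 203.0.113.5 host 10.1.1.5 netmask 255.255.255.255 vr trust-vr
set policy id 20 from "Untrust" to "Trust" "Any" "MIP(203.0.113.5)" "ANY" permit

## VIP: one public address, with each service port forwarded to a host.
## Assumed mapping: 203.0.113.3 tcp/80 -> 10.1.1.10 (HTTP only).
set interface ethernet3 vip 203.0.113.3 80 HTTP 10.1.1.10
set policy id 21 from "Untrust" to "Trust" "Any" "VIP(203.0.113.3)" "HTTP" permit

## Checks: confirm the interface mode, the translations and active sessions
## when troubleshooting how the firewall handled a given packet.
get interface ethernet1
get mip
get vip
get session
```

Because MIP and VIP entries are limited in number per platform, the policy-based form is the one to grow into; the MIP and VIP lines are shown only for comparison with the policy that replaces them.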
