Juniper Netscreen - NAT Explained

Source NAT

  • Interface Based Source NAT - Allows the traffic to NAT its source IP to the IP address of the egress interface which it leaves. This feature is enabled on the interface via “NAT-Mode”. And can be disabled via using “Route Mode”.
  • MIP - Provides a static NAT for the specified host, in which the Source and destination for the host is NAT`d.
  • Policy-Based Source NAT - The same as the Interface based Source NAT but this is performed per policy rather then on a per interface basis.
  • Interface Modes - There are 2 interface modes. Route and NAT. This will allow you to Hide your source IP behind the outgoing interface IP. A scenario would be if you wanted to NAT the source address of your "Trust" traffic going to "Untrust" behind your "Untrust" IP, you would place you Untrust interface into Route mode and your "Trust" interface into NAT mode.

Destination NAT

  • VIP - Configured on the interface, VIPs allows you to translate both the destination IP and the destination port.
  • MIP - Same as the previously mentioned Source NAT MIP.
  • Policy-based Destination NAT - This is the same as `Policy based Source NAT` but based on the destination address rather than source.


  • DIP - Allows the creation of a dynamic IP pool for use with destination or source NAT.
  • Set Sticky Dip – When the sticky DIP is enabled, the Juniper firewall will ensure that same address is assigned from the DIP pool (to a host) for multiple concurrent sessions

Please Note : When creating policy based destination NAT you will need to add a route so the firewall can determine the zone-to-zone policy lookup. Example : "set vrouter trust-vr route [real IP] interface [Egress Interface]"



Tags: Netscreen

About the Author


R Donato

Rick Donato is the Founder and Chief Editor of He currently works as an SDN/NFV Solutions Architect and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001