Juniper Netscreen - NAT Explained
- Interface Based Source NAT - Allows the traffic to NAT its source IP to the IP address of the egress interface which it leaves. This feature is enabled on the interface via “NAT-Mode”. And can be disabled via using “Route Mode”.
- MIP - Provides a static NAT for the specified host, in which the Source and destination for the host is NAT`d.
- Policy-Based Source NAT - The same as the Interface based Source NAT but this is performed per policy rather then on a per interface basis.
- Interface Modes - There are 2 interface modes. Route and NAT. This will allow you to Hide your source IP behind the outgoing interface IP. A scenario would be if you wanted to NAT the source address of your "Trust" traffic going to "Untrust" behind your "Untrust" IP, you would place you Untrust interface into Route mode and your "Trust" interface into NAT mode.
- VIP - Configured on the interface, VIPs allows you to translate both the destination IP and the destination port.
- MIP - Same as the previously mentioned Source NAT MIP.
- Policy-based Destination NAT - This is the same as `Policy based Source NAT` but based on the destination address rather than source.
- DIP - Allows the creation of a dynamic IP pool for use with destination or source NAT.
- Set Sticky Dip – When the sticky DIP is enabled, the Juniper firewall will ensure that same address is assigned from the DIP pool (to a host) for multiple concurrent sessions
Please Note : When creating policy based destination NAT you will need to add a route so the firewall can determine the zone-to-zone policy lookup. Example : "set vrouter trust-vr route [real IP] 255.255.255.255 interface [Egress Interface]"