JN0-231 Network Address Translation
Network Address Translation
Detailed list of JN0-231 knowledge points
Network Address Translation Detailed Explanation
Network Address Translation (NAT) is a critical function in networking, enabling multiple devices on a private network to access external networks like the Internet or allowing external users to access internal resources. NAT is often used to conserve IP addresses, enhance security, and facilitate connectivity.
1. NAT Types
1.1 Source NAT
What it does:
- Translates internal (private) source IP addresses to public IP addresses.
- Allows devices on a private network to access external networks (e.g., the Internet).
Use case:
- A company network (e.g.,
10.0.0.0/24) wants to allow its employees to browse the Internet. The private IPs are translated to a public IP before leaving the network.
How it works:
- Internal devices send requests with their private IP.
- The SRX device replaces the source IP with its public IP and forwards the request to the destination.
- The reverse translation occurs for incoming responses.
1.2 Destination NAT
What it does:
- Translates public destination IP addresses to private internal IPs.
- Commonly used to make internal servers accessible from the Internet.
Use case:
- A web server hosted on a private IP (
192.168.1.10) needs to be accessible via a public IP (203.0.113.10).
How it works:
- External users send requests to the public IP.
- The SRX device replaces the destination IP with the internal server’s private IP.
1.3 Static NAT
What it does:
- Provides a one-to-one mapping between an internal IP and an external IP.
- Unlike Source NAT or Destination NAT, the mapping is constant and bidirectional.
Use case:
- A device needs a permanent, fixed external IP address (e.g., for remote access or licensing).
How it works:
- Traffic to and from the internal IP always maps to the same external IP.
1.4 Port Address Translation (PAT)
What it does:
- Extends Source NAT by mapping multiple internal IPs to a single external IP using different port numbers.
- Also known as "Many-to-One NAT."
Use case:
- Multiple users on a private network share a single public IP for Internet access.
How it works:
- The SRX device assigns unique source port numbers to outgoing traffic, enabling differentiation between sessions.
Summary of NAT Types
| NAT Type | Function | Use Case |
|---|---|---|
| Source NAT | Translates private source IPs to public IPs | Outbound Internet traffic |
| Destination NAT | Translates public destination IPs to private IPs | Hosting internal servers |
| Static NAT | One-to-one mapping of internal and external IPs | Devices requiring fixed external IPs |
| PAT | Maps multiple internal IPs to a single external IP | Conserving public IPs for many users |
2. NAT Rule Configuration
2.1 Source NAT Configuration
Scenario
Allow devices in the trust zone (subnet 10.0.0.0/24) to access the Internet through the untrust zone using the SRX device’s interface IP.
Configuration Steps
Define the Source NAT Rule Set:
set security nat source rule-set source-nat-rule-set from zone trust set security nat source rule-set source-nat-rule-set to zone untrustDefine the Rule to Match the Source Subnet:
set security nat source rule-set source-nat-rule-set rule source-nat-rule match source-address 10.0.0.0/24Specify the NAT Translation (Interface NAT):
set security nat source rule-set source-nat-rule-set rule source-nat-rule then source-nat interfaceCommit the Configuration:
commit
Verification
Check the Source NAT configuration:
show configuration security nat sourceMonitor active NAT sessions:
show security flow sessionTest Internet access from a device in the
trustzone.
2.2 Destination NAT Configuration
Scenario
Host a web server with a private IP (192.168.1.10) behind the SRX device. External users access the server via a public IP (203.0.113.10) in the untrust zone.
Configuration Steps
Define the Destination NAT Rule Set:
set security nat destination rule-set dest-nat-rule-set from zone untrustDefine the Rule to Match the Public IP:
set security nat destination rule-set dest-nat-rule-set rule web-server match destination-address 203.0.113.10Specify the NAT Translation:
set security nat destination rule-set dest-nat-rule-set rule web-server then destination-nat pool web-server-poolCreate a Destination NAT Pool:
set security nat destination pool web-server-pool address 192.168.1.10Commit the Configuration:
commit
Verification
Check the Destination NAT configuration:
show configuration security nat destinationTest access to the web server by browsing to
http://203.0.113.10from an external network.
3. Verifying and Monitoring NAT
Check NAT Rules:
show security nat source show security nat destinationMonitor Active NAT Sessions:
show security flow sessionInspect Translations:
show security nat source-translation show security nat destination-translation
3. Advanced NAT Configurations
3.1 Port Address Translation (PAT) Configuration
Scenario
Enable multiple devices on the trust zone (subnet 192.168.1.0/24) to access the Internet using a single public IP address from the untrust zone. PAT will use unique source port numbers to differentiate traffic.
Configuration Steps
Define the Source NAT Rule Set:
set security nat source rule-set pat-rule-set from zone trust set security nat source rule-set pat-rule-set to zone untrustDefine the Rule to Match the Source Subnet:
set security nat source rule-set pat-rule-set rule pat-rule match source-address 192.168.1.0/24Specify the NAT Translation (Interface PAT):
set security nat source rule-set pat-rule-set rule pat-rule then source-nat interfaceCommit the Configuration:
commit
Verification
Test Internet access from devices in the
trustzone.Check NAT session details:
show security flow session
3.2 Static NAT Configuration
Scenario
Assign a one-to-one mapping between a private IP (192.168.1.100) and a public IP (203.0.113.20). This allows bidirectional communication between the private device and external networks.
Configuration Steps
Define a Static NAT Rule:
set security nat static rule-set static-rule-set from zone untrust set security nat static rule-set static-rule-set rule static-rule match destination-address 203.0.113.20 set security nat static rule-set static-rule-set rule static-rule then static-nat prefix 192.168.1.100Commit the Configuration:
commit
Verification
Test access to the internal device from an external network using the public IP.
Verify static NAT mappings:
show security nat static
3.3 Advanced Destination NAT with Port Translation
Scenario
You have an internal web server on IP 192.168.1.50 running on port 8080. External users should access it via the public IP 203.0.113.10 on port 80.
Configuration Steps
Define the Destination NAT Rule Set:
set security nat destination rule-set advanced-dnat from zone untrustMatch the Public IP and Port:
set security nat destination rule-set advanced-dnat rule web-server-dnat match destination-address 203.0.113.10 set security nat destination rule-set advanced-dnat rule web-server-dnat match destination-port 80Configure Port Translation to Internal Server:
set security nat destination rule-set advanced-dnat rule web-server-dnat then destination-nat pool web-server-poolCreate a NAT Pool:
set security nat destination pool web-server-pool address 192.168.1.50 port 8080Commit the Configuration:
commit
Verification
Test access to the web server by browsing to
http://203.0.113.10.Monitor NAT translations:
show security nat destination-translation
4. Best Practices for NAT Deployment
4.1 Organize NAT Rules
- Group similar rules into logical rule sets.
- Use descriptive names for rule sets and pools to improve readability.
4.2 Avoid Overlapping Rules
- Ensure NAT rules do not overlap in matching criteria to avoid unexpected behavior.
4.3 Use Logging
Enable logging for critical NAT rules to monitor traffic and troubleshoot issues:
set security nat source rule-set source-nat-rule-set rule source-nat-rule then log session-init
4.4 Test Changes Thoroughly
- After modifying NAT configurations, test both inbound and outbound traffic to ensure rules are functioning as expected.
4.5 Secure NAT Rules
- Restrict NAT rules to specific source/destination IPs or subnets to minimize security risks.
- Example: Allow only specific IPs to access a server via Destination NAT.
5. Troubleshooting NAT
5.1 Common Issues and Their Solutions
a. NAT Translation Fails
Possible Causes:
- Rule mismatch or misconfiguration.
- Missing NAT policies.
Troubleshooting Steps:
Verify the NAT configuration:
show configuration security natCheck active sessions:
show security flow sessionInspect the NAT translation:
show security nat source-translation
b. Incorrect Traffic Routing
Possible Causes:
- Routing table doesn’t direct traffic to the NATed address.
- Missing or incorrect static routes.
Troubleshooting Steps:
Check the routing table:
show routeAdd missing routes if necessary:
set routing-options static route 203.0.113.0/24 next-hop 192.168.1.1
c. NATed Traffic Blocked by Security Policies
Possible Causes:
- No matching security policy for translated traffic.
- Security policy misconfiguration.
Troubleshooting Steps:
Verify security policies:
show configuration security policiesEnsure policies account for NATed traffic (e.g., public IP for destination NAT).
5.2 Debugging Tools
Real-Time Monitoring
Monitor NAT activity in real time:
monitor traffic interface ge-0/0/0 matching "host 203.0.113.10"
Flow Trace
Enable trace options for debugging:
set security flow traceoptions flag basic-datapath
set security flow traceoptions file flow-log
View the logs:
show log flow-log
Network Address Translation (Additional Content)
1. NAT and Security Policy Interaction
This is one of the most tested concepts in the JNCIA-SEC exam and an easy source of confusion.
Key Concept: Security Policies Always Match the ORIGINAL (Pre-NAT) Addresses
Security policy evaluation occurs before NAT translation.
This means that policies reference the original source/destination IPs, not the translated ones.
Example Scenario – Destination NAT
A destination NAT rule is configured:
203.0.113.10 → 192.168.1.10
A security policy must match the original destination (203.0.113.10), not the internal IP (192.168.1.10):
set security address-book global address public-web-ip 203.0.113.10
set security policies from-zone untrust to-zone trust policy allow-web match destination-address public-web-ip
→ If you mistakenly configure the policy using the translated address (e.g., 192.168.1.10), the policy will not match and traffic will be denied by default.
Exam Tip
Expect a question like:
“After configuring destination NAT, which address must be used in the security policy match clause?”
→ Correct answer: “The original (pre-NAT) destination address.”
2. Source NAT: Interface vs. Address Pool
Juniper SRX offers two primary methods for Source NAT. While both are functionally similar, their configuration and use cases differ.
| Method | Description | Use Case |
|---|---|---|
| Interface NAT | Uses the IP address of the egress interface for translation | Simplest, commonly used for internet access |
| Pool NAT | Uses a predefined address or address range (called a pool) | When you want more control, load balancing, or IP preservation |
Interface NAT Configuration Example
set security nat source rule-set internet-nat from zone trust
set security nat source rule-set internet-nat to zone untrust
set security nat source rule-set internet-nat rule rule1 match source-address 192.168.1.0/24
set security nat source rule-set internet-nat rule rule1 then source-nat interface
→ Translates to the IP of ge-0/0/0 (or whatever the egress interface is).
Pool NAT Configuration Example
set security nat source pool public-pool address 203.0.113.5/32
set security nat source rule-set internet-nat rule rule2 then source-nat pool public-pool
→ Uses the defined public IP from the pool for translation.
Key Differences
| Feature | Interface NAT | Pool NAT |
|---|---|---|
| IP Source | Egress interface | User-defined address |
| Flexibility | Low | High (supports ranges) |
| Scalability | Not suited for many users | Good for high-traffic environments |
| Exam Coverage | Moderate | Low |
| Real-world Use | High (especially SMB) | High (in data centers, ISPs) |
3. NAT Show Command Differences
Understanding the different show commands is useful for both troubleshooting and the exam.
| Command | Description |
|---|---|
show security nat static |
Shows the configuration of static NAT rules |
show security nat static-translation |
Shows the runtime translation table, i.e., what NAT mappings are active |
The same pattern applies for other NAT types:
show security nat sourceshow security nat source-translationshow security nat destinationshow security nat destination-translation
Sample Use Case
You’ve configured a static NAT rule but your server isn’t reachable.
Use:
show security nat static-translation
To confirm whether a translation entry is being created when the connection is attempted.
Summary Table
| Concept | Key Takeaway |
|---|---|
| Policy address matching | Always uses original (pre-NAT) addresses for both source and destination |
| Interface vs Pool NAT | Interface NAT = egress IP; Pool NAT = custom address(es) |
| Show commands | show security nat = config; -translation = runtime mapping |
Frequently Asked Questions
Why might a static NAT configuration fail when traffic is sent through an IPsec VPN tunnel on an SRX device?
Because NAT translation may occur before VPN encryption, causing the wrong IP to enter the tunnel.
On SRX devices, packet processing order matters. If static NAT translates the internal address to a public address before the packet is matched by the IPsec VPN policy, the encrypted packet may contain the translated public IP instead of the private address expected by the remote network. This mismatch can break routing or security policies on the remote side. Engineers often encounter this when migrating from other firewall platforms where NAT order differs. The solution usually involves adjusting NAT rules, VPN proxy identities, or implementing NAT exemption for VPN traffic. Understanding Junos packet flow is critical because NAT and security policy evaluation occurs before traffic is forwarded to the VPN tunnel interface.
Demand Score: 92
Exam Relevance Score: 95
Why does return traffic fail when configuring source NAT behind an SRX firewall that connects to a VPN device?
Because the NAT rule may translate the source address in a way that breaks the return routing path.
When traffic leaves the SRX firewall and passes through another device that establishes the IPsec tunnel, NAT can modify the source IP address before the packet reaches the VPN endpoint. The remote network then sends return traffic to the translated address rather than the original internal host. If routing or security policies do not match that translated address, the packet will be dropped. Engineers often misunderstand how NAT and VPN interact when they are implemented on different devices. The correct design may involve static NAT, NAT exemptions, or moving the VPN termination directly onto the SRX so that NAT and VPN policies can be coordinated within the same firewall processing pipeline.
Demand Score: 88
Exam Relevance Score: 90
Why might destination NAT fail when trying to access a server through a VPN tunnel?
Because destination NAT rules may not match the VPN traffic’s zone or routing path.
Destination NAT depends on the traffic matching specific rule conditions such as destination zone, address, and interface. When traffic comes from a VPN tunnel interface (such as st0), it may belong to a different security zone than expected. If the NAT rule is configured for the Internet-facing interface instead of the VPN zone, the packet will bypass the rule and no translation will occur. This results in failed access to internal servers even though the VPN tunnel is operational. Correct troubleshooting involves verifying the zone assignment of the tunnel interface, checking rule-set order, and confirming that the NAT rule includes the correct destination zone and address match conditions.
Demand Score: 84
Exam Relevance Score: 91
How can overlapping IP address spaces be handled between two sites connected by an IPsec VPN?
By implementing NAT translation on one or both sides of the VPN.
Overlapping private networks (for example both sites using 10.0.0.0/8) prevent proper routing across the VPN because each side cannot distinguish the remote subnet from its local one. A common solution is to translate one network to a different address range using static or policy NAT before sending the traffic through the VPN tunnel. This allows both networks to communicate without changing internal addressing. Engineers frequently encounter this in mergers or partner integrations where renumbering networks is not feasible. Junos SRX devices support this design by applying NAT rules to traffic entering the VPN tunnel interface.
Demand Score: 82
Exam Relevance Score: 88
Why might NAT rules not apply when traffic originates directly from the firewall itself?
Because locally generated traffic does not always follow the same NAT processing path as transit traffic.
When administrators test connectivity using commands like ping from the SRX device itself, the traffic originates from the control plane rather than passing through the forwarding path. NAT rules are typically designed for transit traffic entering and exiting interfaces. As a result, packets generated by the firewall may bypass NAT rule sets and appear to ignore configured translations. This often leads engineers to believe their NAT configuration is incorrect. Proper testing should be done using hosts behind the firewall or by analyzing session tables to confirm how packets are processed through the security flow engine.
Demand Score: 79
Exam Relevance Score: 85
