  • 7/28/2019 Static NAT Configuration Overview


    Static NAT Configuration Overview

    The main configuration tasks for static NAT are as follows:

    Configure static NAT rules that align with your network and security requirements.

    Configure NAT proxy ARP entries for IP addresses in the same subnet of the ingress interface.

    Static NAT Rules

    Static NAT rules specify two layers of match conditions:

    Traffic direction: Allows you to specify from interface, from zone, or from routing-instance.

    Packet information: Destination IP address.

    If multiple static NAT rules overlap in the match conditions, the most specific rule is chosen. For example, if rules A and B specify the same source and destination IP addresses, but rule A specifies traffic from zone 1 and rule B specifies traffic from interface ge-0/0/0, rule B is used to perform static NAT. An interface match is considered to be more specific than a zone match, which is more specific than a routing instance match.

    For the static NAT rule action, specify the translated address and (optionally) the routing instance.

    In NAT lookup, static NAT rules take precedence over destination NAT rules, and reverse mapping of static NAT rules takes precedence over source NAT rules.

    In this example, you perform the following tasks:

    Define a static NAT rule for traffic from zone red to address 20.1.1.100. Translate the destination IP to 10.0.0.200 and routing-instance ri-green.

    Define a static NAT rule for traffic from zone red to address 20.1.1.101. Translate the destination IP to 10.0.1.200 and routing-instance ri-blue.

    Define a static NAT rule for traffic from interface ge-0/0/0.0 to address 30.1.1.3. Translate the destination IP to 10.0.2.200.

    Define a static NAT rule for traffic from routing-instance ri-red to address subnet 30.1.1.0/24. Translate the destination address subnet to 172.16.0.0/24.

    CLI Configuration

    user@host# set security nat static rule-set rs3 from zone red
    user@host# set security nat static rule-set rs3 rule r1 match destination-address 20.1.1.100
    user@host# set security nat static rule-set rs3 rule r1 then static-nat prefix 10.0.0.200


    user@host# set security nat static rule-set rs3 rule r1 then static-nat prefix 10.0.0.200 routing-instance ri-green
    user@host# set security nat static rule-set rs3 from zone red
    user@host# set security nat static rule-set rs3 rule r2 match destination-address 20.1.1.101
    user@host# set security nat static rule-set rs3 rule r2 then static-nat prefix 10.0.1.200
    user@host# set security nat static rule-set rs3 rule r2 then static-nat prefix 10.0.1.200 routing-instance ri-blue
    user@host# set security nat static rule-set rs3 from interface ge-0/0/0.0
    user@host# set security nat static rule-set rs3 rule r3 match destination-address 30.1.1.3
    user@host# set security nat static rule-set rs3 rule r3 then static-nat prefix 10.0.2.200
    user@host# set security nat static rule-set rs4 from routing-instance ri-red
    user@host# set security nat static rule-set rs4 rule r3 match destination-address 30.1.1.0/24
    user@host# set security nat static rule-set rs4 rule r3 then static-nat prefix 172.16.0.0/24
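
The rule-selection order and the four example rules, modelled in Python as an added illustration (not Juniper code and not part of the original page). The function name, the tuple layout and the host-offset mapping used for the /24 rule are assumptions of this model.

```python
import ipaddress

# Match-context specificity as stated on the page:
# interface > zone > routing-instance.
SPECIFICITY = {"interface": 3, "zone": 2, "routing-instance": 1}

# The four rules from the example task list:
# (context type, context name, matched destination, translated prefix, target routing instance)
RULES = [
    ("zone", "red", "20.1.1.100/32", "10.0.0.200/32", "ri-green"),
    ("zone", "red", "20.1.1.101/32", "10.0.1.200/32", "ri-blue"),
    ("interface", "ge-0/0/0.0", "30.1.1.3/32", "10.0.2.200/32", None),
    ("routing-instance", "ri-red", "30.1.1.0/24", "172.16.0.0/24", None),
]


def static_nat_lookup(dst, interface=None, zone=None, routing_instance=None):
    """Return (translated_ip, routing_instance), or None if no static rule matches."""
    ingress = {"interface": interface, "zone": zone,
               "routing-instance": routing_instance}
    addr = ipaddress.ip_address(dst)
    candidates = []
    for ctx, name, match, prefix, ri in RULES:
        match_net = ipaddress.ip_network(match)
        if ingress[ctx] == name and addr in match_net:
            candidates.append(
                (SPECIFICITY[ctx], match_net, ipaddress.ip_network(prefix), ri))
    if not candidates:
        return None  # falls through to destination NAT in the real lookup order
    # The most specific ingress context wins (assumption: ties are not modelled).
    _, match_net, prefix, ri = max(candidates, key=lambda c: c[0])
    # One-to-one mapping: keep the host bits, swap the network bits.
    offset = int(addr) - int(match_net.network_address)
    return str(prefix.network_address + offset), ri


if __name__ == "__main__":
    # Packet arriving on ge-0/0/0.0 inside ri-red: both the interface rule
    # and the routing-instance rule match 30.1.1.3; the interface rule is used.
    print(static_nat_lookup("30.1.1.3", interface="ge-0/0/0.0",
                            routing_instance="ri-red"))
    # Same destination without the interface match falls back to the /24 rule.
    print(static_nat_lookup("30.1.1.3", routing_instance="ri-red"))
```

Running overlapping rules through a model like this before commit shows which translation a given ingress path will actually receive, which is where broad subnet rules tend to expose more hosts than intended.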

