Steve Puluka

CJFV-08 - Juniper ScreenOS Network Address Translation

23 ratings | 7416 views
See the full on-line class at: http://puluka.com/classes/course/view.php?id=5

Network Address Translation Scenarios:
NAT-src (Source NAT)
NAT-dst (Destination NAT)
VIP Addresses (Virtual IP Addresses)
MIP Addresses (Mapped IP Addresses)
Text Comments (10)
Carlande Desarme (4 years ago)
Hi Steve, very good tutorials. Thanks for sharing. Actually I have one question about the NAT and ROUTE parameters set on the interfaces, in relation to the interfaces of the FW that are in the trust and untrust zones. How do we know when or which interfaces (trust or untrust) need/should be set to NAT or ROUTE? What is the difference/relation when creating policy-based and route-based VPNs? Please give me your comment on this; I am kind of confused in understanding. Thank you in advance for comments.
Steve Puluka (3 years ago)
+Carlande Desarme You will need NAT for internet access; it is just that the NAT method preferred over checking the interface NAT box is to add NAT to your internet access policy. This is done on the advanced policy tab by checking the box for source NAT on interface. Also remember that the NAT check box on the interface itself will NOT work with custom zone names. This ONLY works with the default zone names that then egress to the default untrust zone.
Carlande Desarme (4 years ago)
Thank you Steve for your comments on that. So having said that, if I use custom zones, there is no need to use NAT? I recently had a chat with a friend talking about FWs; he said that all trust interfaces should be set to NAT and all untrust interfaces should be set to Route. Maybe based on your experience you can better help me here. Do you know what the default mode settings of the FW interfaces are, please? Thank you for comments.
Steve Puluka (4 years ago)
First, the interface NAT/route option is a legacy feature. The default setting should be route for all interfaces. Using the NAT on the interface option should be avoided in configurations if possible. The interface NAT option applies only to interfaces in the pre-defined trust and dmz zones. Other zones with the setting applied will have no effect. And the NAT will only occur if the destination zone is the pre-defined untrust zone.
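An added example, not from the video or from anyone in this thread: a small Python audit of a ScreenOS-style configuration that flags interface NAT mode set on interfaces outside the pre-defined trust/dmz zones (which, per the reply above, has no effect) and lists policies towards untrust from such zones that carry no source NAT of their own. The sample config, zone names and regexes are constructed assumptions, not a real device dump.

```python
import re

# Constructed sample ScreenOS config (an assumption, not from the video). It
# mirrors the pitfall discussed above: interface NAT mode on an interface in
# a custom zone, which ScreenOS silently ignores.
SAMPLE_CONFIG = """\
set zone name "servers"
set interface ethernet0/0 zone "Untrust"
set interface ethernet0/1 zone "Trust"
set interface ethernet0/1 nat
set interface ethernet0/2 zone "servers"
set interface ethernet0/2 nat
set interface ethernet0/3 zone "DMZ"
set interface ethernet0/3 route
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 2 from "servers" to "Untrust" "Any" "Any" "ANY" permit
"""

# Per the thread: interface NAT mode only takes effect on interfaces bound to
# the pre-defined Trust/DMZ zones, and only for traffic egressing to Untrust.
NAT_CAPABLE_ZONES = {"trust", "dmz"}

ZONE_RE = re.compile(r'^set interface (\S+) zone "?([^"\s]+)"?$')
MODE_RE = re.compile(r'^set interface (\S+) (nat|route)$')
POLICY_RE = re.compile(r'^set policy id (\d+) from "([^"]+)" to "([^"]+)" (.*)$')


def audit_interface_nat(config_text):
    """Return (findings, policy_ids): each NAT-mode interface tagged 'legacy'
    (works, but policy NAT is preferred) or 'ineffective' (custom zone), plus
    ids of policies to Untrust from zones where interface NAT cannot apply and
    the policy itself has no 'nat src'."""
    zones, modes, policies = {}, {}, []
    for line in config_text.splitlines():
        line = line.strip()
        if m := ZONE_RE.match(line):
            zones[m.group(1)] = m.group(2).lower()
        elif m := MODE_RE.match(line):
            modes[m.group(1)] = m.group(2)
        elif m := POLICY_RE.match(line):
            policies.append((int(m.group(1)), m.group(2).lower(),
                             m.group(3).lower(), m.group(4)))
    findings = {}
    for ifname, mode in modes.items():
        if mode == "nat":
            zone = zones.get(ifname, "")
            findings[ifname] = "legacy" if zone in NAT_CAPABLE_ZONES else "ineffective"
    no_src_nat = [pid for pid, src, dst, rest in policies
                  if dst == "untrust" and src not in NAT_CAPABLE_ZONES
                  and "nat src" not in rest]
    return findings, no_src_nat
```

On the sample, ethernet0/2 is reported as ineffective and policy 2 as lacking source NAT, which is exactly the case the reply above says will not translate.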
Mohammed Alkhateeb (4 years ago)
Very good tutorial, hope it works with my client tom!
Steve Puluka (6 years ago)
VIP is Juniper terminology for port forwarding. This works well for sharing a single IP address with multiple servers as long as each server uses a different service. The alternative configuration option is to use policy destination NAT with the required services. The advantage of VIP is that all the forwards for the interface and IP address involved can be seen together and that this is easier to configure than the policy NAT dst. Policy NAT dst is more flexible.
SpencanProp (6 years ago)
Can you name a couple of pros and cons for VIP?
Steve Puluka (6 years ago)
Check your ScreenOS version and release number. I'm pretty sure this was a bug in early releases of the 6.x code. Just upgrade to the latest release in your version chain and the issue should be solved.
SpencanProp (6 years ago)
So Steve... while listening to this and checking out my own SSG20, I notice that I have more ports assigned than current sessions: 466 ports to 277 active sessions. The ports are being allocated and freed. I ran a debug.
Beyazıt Öztürk (6 years ago)
Thanks a lot
