
Static NAT Configuration Overview

The main configuration tasks for static NAT are as follows:

- Configure static NAT rules that align with your network and security requirements.
- Configure NAT proxy ARP entries for IP addresses in the same subnet as the ingress interface.

Static NAT Rules

Static NAT rules specify two layers of match conditions:

- Traffic direction: Allows you to specify from interface, from zone, or from routing-instance.
- Packet information: Destination IP address.

If multiple static NAT rules overlap in the match conditions, the most specific rule is chosen. For example, if rules A and B specify the same source and destination IP addresses, but rule A specifies traffic from zone 1 and rule B specifies traffic from interface ge-0/0/0, rule B is used to perform static NAT. An interface match is considered to be more specific than a zone match, which is more specific than a routing instance match.

For the static NAT rule action, specify the translated address and (optionally) the routing instance.

In NAT lookup, static NAT rules take precedence over destination NAT rules, and reverse mapping of static NAT rules takes precedence over source NAT rules.

In this example, you perform the following tasks:

- Define a static NAT rule for traffic from zone red to address 20.1.1.100. Translate the destination IP to 10.0.0.200 and routing-instance ri-green.
- Define a static NAT rule for traffic from zone red to address 20.1.1.101. Translate the destination IP to 10.0.1.200 and routing-instance ri-blue.
- Define a static NAT rule for traffic from interface ge-0/0/0.0 to address 30.1.1.3. Translate the destination IP to 10.0.2.200.
- Define a static NAT rule for traffic from routing-instance ri-red to address subnet 30.1.1.0/24. Translate the destination address subnet to 172.16.0.0/24.

CLI Configuration
user@host# set security nat static rule-set rs3 from zone red
user@host# set security nat static rule-set rs3 rule r1 match destination-address 20.1.1.100
user@host# set security nat static rule-set rs3 rule r1 then static-nat prefix 10.0.0.200
user@host# set security nat static rule-set rs3 rule r1 then static-nat prefix 10.0.0.200 routing-instance ri-green
user@host# set security nat static rule-set rs3 from zone red
user@host# set security nat static rule-set rs3 rule r2 match destination-address 20.1.1.101
user@host# set security nat static rule-set rs3 rule r2 then static-nat prefix 10.0.1.200
user@host# set security nat static rule-set rs3 rule r2 then static-nat prefix 10.0.1.200 routing-instance ri-blue
user@host# set security nat static rule-set rs3 from interface ge-0/0/0.0
user@host# set security nat static rule-set rs3 rule r3 match destination-address 30.1.1.3
user@host# set security nat static rule-set rs3 rule r3 then static-nat prefix 10.0.2.200
user@host# set security nat static rule-set rs4 from routing-instance ri-red
user@host# set security nat static rule-set rs4 rule r3 match destination-address 30.1.1.0/24
user@host# set security nat static rule-set rs4 rule r3 then static-nat prefix 172.16.0.0/24
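
The following Python model is an added example, not Juniper code and not part of the original page. It applies the precedence described above (interface over zone over routing instance) to the four rules of this example, which is useful for checking which translation an overlapping destination such as 30.1.1.3 actually receives. The interface, zone and routing-instance bindings of the sample packets, and the one-to-one host mapping for the /24 rule, are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Lower rank = more specific, per the page: interface > zone > routing instance.
RANK = {"interface": 0, "zone": 1, "routing-instance": 2}

@dataclass(frozen=True)
class StaticRule:
    name: str
    ctx_type: str          # "interface", "zone" or "routing-instance"
    ctx_value: str
    match: str             # destination address or prefix to match
    prefix: str            # translated address or prefix
    routing_instance: Optional[str] = None

# The four rules from the task list above, labelled rule-set/rule as in the CLI.
RULES = [
    StaticRule("rs3/r1", "zone", "red", "20.1.1.100/32", "10.0.0.200/32", "ri-green"),
    StaticRule("rs3/r2", "zone", "red", "20.1.1.101/32", "10.0.1.200/32", "ri-blue"),
    StaticRule("rs3/r3", "interface", "ge-0/0/0.0", "30.1.1.3/32", "10.0.2.200/32"),
    StaticRule("rs4/r3", "routing-instance", "ri-red", "30.1.1.0/24", "172.16.0.0/24"),
]

def translate(dst, interface, zone, routing_instance, rules=RULES):
    """Return (rule name, translated address, target routing instance) or None."""
    ingress = {"interface": interface, "zone": zone, "routing-instance": routing_instance}
    addr = ipaddress.ip_address(dst)
    hits = [r for r in rules
            if ingress[r.ctx_type] == r.ctx_value
            and addr in ipaddress.ip_network(r.match)]
    if not hits:
        return None  # no static NAT rule applies to this packet
    rule = min(hits, key=lambda r: RANK[r.ctx_type])  # most specific context wins
    src_net, dst_net = ipaddress.ip_network(rule.match), ipaddress.ip_network(rule.prefix)
    # Assumption: a prefix-to-prefix rule maps one-to-one, keeping the host bits.
    offset = int(addr) - int(src_net.network_address)
    return rule.name, str(dst_net.network_address + offset), rule.routing_instance

if __name__ == "__main__":
    # Constructed packets: (destination, ingress interface, zone, routing instance).
    for pkt in [("30.1.1.3", "ge-0/0/0.0", "red", "ri-red"),
                ("30.1.1.3", "ge-0/0/1.0", "blue", "ri-red"),
                ("20.1.1.100", "ge-0/0/1.0", "red", "ri-red")]:
        print(pkt, "->", translate(*pkt))
```

The first two sample packets share the destination 30.1.1.3 but arrive on different interfaces, so they land on different internal hosts; overlaps of this kind are worth reviewing whenever a broad routing-instance rule coexists with a narrower interface or zone rule.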
