06-21-2009 03:11 PM
I have a design question for enterprise deployment, on 6.1 going to 6.2 version. Reading the ScreenOS cookbook, it say's that all zones should be configured on "Route mode". I know the Trust zone is configured for "NAT mode" by default. If you ever have a copy of O'Reilly book, on pg. 16 it addresses this topic; however, it didn't fully explain why.
From an enterprise deployment, has anyone deployed "NAT mode" on the Trust zone? If so, what is the difference, aside from tightly administering NAT. Also, has anyone changed the mode from NAT to Route on the Trust zone and encounter any problems?
Solved! Go to Solution.
06-21-2009 04:13 PM
It is just deafult setting that Trust zone is always in NAT Mode and Untrust zone on ROute Mode and have default policy from Trust to Untrust zone.
The idea is just to have thePrivate Network should be on Trust Zone and can be NAtted to Public IP for Outgoing traffic.
Any Zone can be configured as either NAT or Route mode. You can configure Trust zone as the NAT mode and UNtrust zone as a Route mode. ALso you can have all the Zones( even Custom Zones) in ROute/NAT mode. It all depends on your network topology.
Juniper higher platfrom like ISG1000/2000 doesnot have any default setting. Administrator has decide as per his topology. This defaulf setting is just in lower platforms.
06-23-2009 09:14 AM - edited 06-23-2009 09:17 AM
Your network architecture and your business requirements define the requirements to the type of NAT you require. Going from nat mode to route mode on the interface is painless and easy. As long as you remember, when you change the interface from nat to route you need to nat as part of a policy then.
In my configurations I really never use interface based nat. I like to define it in the policies. My reasoning is that it gives me greater flexibility and control over my internet based traffic. For instance, I may have an application that doesn't work well with port address translation ( hiding an entire network behind a single egress IP address ). I can then define more IPs for that application to use via a policy and a DIP Pool.
But in the end, it depends on your setup. If you have a simple setup, and have just web browsing traffic. Then Nat mode on the interface will work just fine and will provide an easy solution. If you need more granular control. Then set the interface to route mode, and define your NAT requirements in the individual policies then.