ScreenOS Firewalls (NOT SRX)
Showing results for 
Search instead for 
Do you mean 
Posts: 8
Registered: ‎10-28-2008
0 Kudos
Accepted Solution

Trust zone, NAT or Route mode?

I have a design question for enterprise deployment, on 6.1 going to 6.2 version. Reading the ScreenOS cookbook, it say's that all zones should be configured on "Route mode". I know the Trust zone is configured for "NAT mode" by default. If you ever have a copy of O'Reilly book, on pg. 16 it addresses this topic; however, it didn't fully explain why.

From an enterprise deployment, has anyone deployed "NAT mode" on the Trust zone? If so, what is the difference, aside from tightly administering NAT. Also, has anyone changed the mode from NAT to Route on the Trust zone and encounter any problems?

Super Contributor
Posts: 287
Registered: ‎10-21-2008
0 Kudos

Re: Trust zone, NAT or Route mode?

It is just deafult setting that Trust zone is always in NAT Mode and Untrust zone on ROute Mode and have default policy  from Trust to Untrust zone.

The idea is just to have thePrivate Network  should be on Trust Zone and can be NAtted to Public IP for Outgoing traffic.


Any Zone can be configured as either NAT or Route mode. You can configure Trust zone as the NAT mode and UNtrust zone as a Route mode.  ALso you can have all the Zones( even Custom Zones) in ROute/NAT mode. It all depends on your network topology.


Juniper higher platfrom like ISG1000/2000 doesnot have any default setting. Administrator has decide as per his topology. This defaulf setting is just in lower platforms.




Recognized Expert
Posts: 156
Registered: ‎04-29-2008
0 Kudos

Re: Trust zone, NAT or Route mode?

[ Edited ]

Your network architecture and your business requirements define the requirements to the type of NAT you require.  Going from nat mode to route mode on the interface is painless and easy.  As long as you remember, when you change the interface from nat to route you need to nat as part of a policy then.  


In my configurations I really never use interface based nat.  I like to define it in the policies.  My reasoning is that it gives me greater flexibility and control over my internet based traffic.  For instance, I may have an application that doesn't work well with port address translation ( hiding an entire network behind a single egress IP address ).   I can then define more IPs for that application to use via a policy and a DIP Pool.  


But in the end, it depends on your setup.  If you have a simple setup, and have just web browsing traffic.  Then Nat mode on the interface will work just fine and will provide an easy solution.  If you need more granular control.  Then set the interface to route mode, and define your NAT requirements in the individual policies then.   

Message Edited by shadow on 06-23-2009 11:17 AM
Juniper Ambassador

**If this worked for you please flag my post as an Accepted Solution so others can benefit.**
Posts: 8
Registered: ‎10-28-2008
0 Kudos

Re: Trust zone, NAT or Route mode?

Very good. I appreciate the examples as well. Thanks!