Operational Modes

Interfaces can operate in three different modes: Network Address Translation (NAT), Route, and Transparent modes. You select an operational mode when you configure an interface.

Transparent Mode

When an interface is in Transparent mode, the NetScreen device filters packets traversing the firewall without modifying the source or destination information in the IP packet header. All interfaces behave as though they are part of the same network, with the NetScreen device acting much like a layer-2 switch or bridge. In Transparent mode, the IP addresses of the interfaces are set to 0.0.0.0, making the presence of the NetScreen device invisible, or "transparent," to users. Access policies are still enforced between zones; only the addressing is untouched.

Transparent mode is a convenient means for protecting Web servers, or any other kind of server that mainly receives traffic from untrusted sources. Using Transparent mode offers the following benefits:

Interfaces in Transparent mode can only be managed through the VLAN1 interface, which is the one interface that carries an IP address in this mode. For more information on the VLAN1 interface, see the Interface Configuration page.
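The following is an added configuration example, not taken from this page or from Juniper's own documentation, showing a two-interface Transparent mode setup in ScreenOS CLI syntax. The interface names (ethernet1, ethernet3), the VLAN1 management address 1.1.1.1/24 and the protected Web server address 1.1.1.5 are assumptions chosen for illustration; verify each command against the CLI reference for your ScreenOS release. Lines beginning with # are annotations for the reader and are not entered on the device.

```text
# Assumed: ethernet1 faces the protected servers, ethernet3 faces the Internet.
# On models that ship with an address on ethernet1, clear it first:
unset interface ethernet1 ip

# Placing an interface in a Layer-2 zone (v1-trust / v1-untrust) puts it in
# Transparent mode; the physical interfaces keep 0.0.0.0 as their address.
set interface ethernet1 zone v1-trust
set interface ethernet3 zone v1-untrust

# The only management address lives on VLAN1. Keep it on the same subnet as
# the bridged segment and enable only the management services you need.
set interface vlan1 ip 1.1.1.1/24
set interface vlan1 manage ssh
set interface vlan1 manage web

# The Web server keeps its existing public address; no MIP or VIP is needed
# for inbound traffic to reach it. Assumed server address: 1.1.1.5.
set address v1-trust web-server 1.1.1.5/32
set policy from v1-untrust to v1-trust any web-server http permit

# Everything else inbound is dropped by the default deny. Outbound traffic
# from the servers must also be permitted explicitly.
set policy from v1-trust to v1-untrust any any any permit

save
```

After committing, `get interface` should show 0.0.0.0/0 on ethernet1 and ethernet3 and the management address only on vlan1; if the device is reachable on any other interface address, it is not in Transparent mode.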

Network Address Translation Mode

When an interface is in Network Address Translation (NAT) mode, the NetScreen device, acting like a layer-3 switch (or router), translates two components in the header of an outgoing IP packet traversing the firewall across an interface in NAT mode: its source IP address and source port number. The NetScreen device replaces the source IP address of the host that sent the packet with the IP address of the destination-zone interface, and replaces the source port number with a port number that the device chooses at random. It records both translations in its session table so that the reply can be mapped back.

When the reply packet arrives at the NetScreen device, the device looks up the session and translates two components in the IP header of the incoming packet: the destination address and destination port number, which are restored to the original values. The packet is then forwarded to its destination.

NAT adds a level of security not provided in Transparent mode: the addresses of hosts behind the Trust zone interface are never exposed to the network in the Untrust or DMZ zones. Note that this hides internal addressing but is not an access control in itself; the access policies still determine what traffic is permitted in either direction.

Also, NAT conserves Internet-routable IP addresses. With only one public, Internet-routable IP address (that of the interface in the Untrust zone), the LAN in the Trust zone, or any other zone using NAT services, can have a vast number of hosts with private IP addresses. The following IP address ranges are reserved for private IP networks by RFC 1918 and must not be routed on the Internet:

10.0.0.0 - 10.255.255.255

172.16.0.0 - 172.31.255.255

192.168.0.0 - 192.168.255.255

A host in a zone sending traffic through an interface in NAT mode can initiate outbound traffic to another zone if an access policy permits it, but it cannot receive traffic initiated from another zone unless a Mapped IP (MIP), Virtual IP (VIP), or VPN tunnel is set up for it, because without one there is no session entry or static mapping that tells the device which internal host the inbound packet belongs to.
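The following is an added configuration example, not taken from this page or from Juniper's own documentation, showing a Trust interface in NAT mode with a MIP that publishes one internal server, in ScreenOS CLI syntax. The interface names (ethernet1, ethernet3), the Trust subnet 10.1.1.0/24, the public address 1.1.1.1, the MIP address 1.1.1.5 and the internal server 10.1.1.5 are assumptions; verify each command against the CLI reference for your ScreenOS release. Lines beginning with # are annotations and are not entered on the device.

```text
# Assumed: ethernet1 is the Trust interface on a private LAN, ethernet3 is
# the Untrust interface holding the single public address.
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat

set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24
set interface ethernet3 route

# Outbound: every Trust host leaves with source address 1.1.1.1 and a
# device-chosen source port; the original pair is kept in the session table.
set policy from trust to untrust any any any permit

# Inbound: unsolicited traffic cannot reach 10.1.1.5 on its own. A MIP on the
# Untrust interface maps the (assumed) public address 1.1.1.5 one-to-one to
# the internal host, in the trust-vr virtual router.
set interface ethernet3 mip 1.1.1.5 host 10.1.1.5 netmask 255.255.255.255 vr trust-vr

# A MIP only creates the mapping; a policy must still permit the traffic,
# and should permit only the service you intend to publish.
set policy from untrust to trust any mip(1.1.1.5) http permit

save
```

To confirm the translation is happening, open an outbound connection from a Trust host and run `get session`: the entry shows the original 10.1.1.x source address and port alongside the translated 1.1.1.1 address and port. Inbound connections to 1.1.1.5 on ports other than 80 should be absent from the session table, since no policy permits them.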

Route Mode

When an interface is in Route mode, the NetScreen device routes traffic between different zones without performing NAT; that is, the source address and port number in the IP packet header remain unchanged as the packet traverses the NetScreen device. Unlike NAT mode, you do not need to establish Mapped and Virtual IP addresses on an interface in Route mode to allow inbound sessions to reach hosts. Unlike Transparent mode, the interfaces in the Trust zone and the interfaces in the Untrust zone are on different subnets. Because addresses pass through unchanged, hosts behind a Route mode interface are reachable from another zone only if their addresses are routable from that zone (public addresses, or an upstream route pointing at the Trust subnet) and an access policy permits the traffic.

When an interface is in NAT mode, NAT is applied at the interface level: all source addresses initiating outgoing traffic are translated to the IP address of the destination interface. When an interface operates in Route mode, you can instead apply NAT selectively at the policy level. You determine which network and VPN traffic to route and on which traffic to perform NAT by creating access policies that enable NAT for specified source addresses on either incoming or outgoing traffic. For network traffic, you can perform NAT using the IP address of the destination zone interface or an address from a Dynamic IP (DIP) pool, which is in the same subnet as the destination zone interface. For VPN traffic, you can perform NAT using the destination zone interface IP address or an address from its associated DIP pool, or a tunnel interface IP address or an address from its associated DIP pool.
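The following is an added configuration example, not taken from this page or from Juniper's own documentation, showing Route mode interfaces with NAT applied selectively at the policy level, in ScreenOS CLI syntax. Traffic toward the Untrust zone is translated from a DIP pool, while traffic between the Trust and DMZ zones is simply routed. The interface names (ethernet1, ethernet2, ethernet3), the subnets 10.1.1.0/24 and 10.1.2.0/24, the public address 1.1.1.1, the DIP pool range 1.1.1.20 to 1.1.1.30 with ID 5, and the host addresses are assumptions; verify each command against the CLI reference for your ScreenOS release. Lines beginning with # are annotations and are not entered on the device.

```text
# Assumed: ethernet1 (Trust) and ethernet2 (DMZ) are private internal
# subnets, ethernet3 (Untrust) holds the public address 1.1.1.1.
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 route

set interface ethernet2 zone dmz
set interface ethernet2 ip 10.1.2.1/24
set interface ethernet2 route

set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24
set interface ethernet3 route

# Toward the Internet: translate, because 10.1.1.0/24 is RFC 1918 space and
# would not be routed back. The DIP pool must sit in ethernet3's subnet.
set interface ethernet3 dip 5 1.1.1.20 1.1.1.30
set policy from trust to untrust any any any nat src dip-id 5 permit

# Toward the DMZ: route only. The DMZ server sees the real Trust-side
# address, which is useful for logging and host-based access control.
set address dmz dmz-web 10.1.2.5/32
set policy from trust to dmz any dmz-web http permit

# Inbound from the DMZ to a Trust host needs no MIP in Route mode, only a
# policy, because 10.1.1.0/24 is directly routable from the DMZ interface.
set address trust mgmt-host 10.1.1.10/32
set policy from dmz to trust any mgmt-host ssh permit

save
```

The practical check is the same as for NAT mode: `get session` for a Trust-to-Untrust flow shows a translated source from 1.1.1.20 to 1.1.1.30, while a Trust-to-DMZ flow shows the untouched 10.1.1.x source. If an Untrust-to-Trust policy is added here without a MIP, remember that the named Trust address must be one the upstream router can reach, otherwise replies never arrive.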

Note: To see examples for each operational mode, refer to the NetScreen Concepts & Examples ScreenOS Reference Guide available on the documentation CD-ROM that shipped with your NetScreen device, or on our Web site at http://www.juniper.net/techpubs/software/index_mibs.html.