Juniper Networks 5000 SERIES User Manual

Chapter 3 Configuring the Device
User’s Guide
Operational Modes
A NetScreen-5000 Series device supports two operational modes: Transparent and Route. 
The default mode is Route.
Transparent Mode
In Transparent mode, a NetScreen-5000 Series device operates as a Layer-2 bridge. 
Because the device cannot translate packet IP addresses, it cannot perform Network 
Address Translation (NAT). Consequently, for the device to access the Internet, any IP 
address in your trusted (local) networks must be routable and accessible from untrusted 
(external) networks.
In Transparent mode, the IP addresses for the Layer-2 Trust and Untrust zones are 
0.0.0.0, thus making the NetScreen-5000 Series device invisible to the network. However, 
the device can still perform firewall, VPN, and traffic management according to 
configured security policies.
Route Mode
In Route mode, a NetScreen-5000 Series device operates at Layer 3. Because you can 
configure each interface using an IP address and subnet mask, you can configure 
individual interfaces to perform NAT.
When the interface performs NAT services, the NetScreen-5000 Series device 
translates the source IP address of each outgoing packet into the IP address of 
the untrusted interface. It also replaces the source port number with a 
randomly-generated value.
When the interface does not perform NAT services, the source IP address and 
port number in each packet header remain unchanged. Therefore, to reach the 
Internet your local hosts must have routable IP addresses.
For more information on NAT, see the NetScreen Concepts & Examples ScreenOS Reference Guide.
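The two Route mode cases above, modelled as an added example (not code from this guide or from ScreenOS): with NAT the source becomes the untrusted interface address plus a random port, without NAT the header is unchanged and private sources get flagged as unable to reach the Internet. The class and function names, the sample addresses, the 1024-65535 port range and the reply lookup table are assumptions made for illustration.

```python
import ipaddress
import secrets

# RFC 1918 private ranges: not routable on the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

class Interface:
    """Toy model of the outgoing interface described above (not ScreenOS code)."""

    def __init__(self, untrust_ip, nat_enabled):
        self.untrust_ip = untrust_ip
        self.nat_enabled = nat_enabled
        self.by_port = {}   # translated port -> (original ip, original port)
        self.by_flow = {}   # (original ip, original port) -> translated port

    def outbound(self, src_ip, src_port):
        """Return the (source ip, source port) seen on the untrusted side."""
        if not self.nat_enabled:
            return src_ip, src_port            # header left unchanged
        flow = (src_ip, src_port)
        if flow not in self.by_flow:
            while True:                        # pick an unused random port
                port = 1024 + secrets.randbelow(65536 - 1024)  # assumed range
                if port not in self.by_port:
                    break
            self.by_port[port] = flow
            self.by_flow[flow] = port
        return self.untrust_ip, self.by_flow[flow]

    def inbound(self, dst_port):
        """Map a reply back to the internal host, or None if no session exists."""
        return self.by_port.get(dst_port)

def non_routable_sources(iface, hosts):
    """List hosts whose packets would leave with an RFC 1918 source address."""
    flagged = []
    for host in hosts:
        seen_ip, _ = iface.outbound(host, 40000)   # 40000: constructed sample port
        if any(ipaddress.ip_address(seen_ip) in net for net in RFC1918):
            flagged.append(host)
    return flagged

if __name__ == "__main__":
    hosts = ["10.1.1.5", "198.51.100.7"]           # constructed sample hosts
    for nat in (True, False):
        iface = Interface("203.0.113.10", nat_enabled=nat)
        print("NAT" if nat else "no NAT", iface.outbound("10.1.1.5", 40000),
              "flagged:", non_routable_sources(iface, hosts))
```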