Reddit mentions of Juniper SRX Series: A Comprehensive Guide to Security Services on the SRX Series

Other books I can recommend from O'Reilly are JunOS Enterprise Routing, JunOS Enterprise Switching, and Juniper SRX Series. I bought them all as epubs when O'Reilly was still selling them directly and I have found them very useful for my day to day work with Juniper gear.

> Virtually any router/firewall can do full cone, that's basically the easiest form of NAT developed which just means 1:1 IP/port mapping

This is not my understanding of the term, though it's not the first time I've seen the assertion that "full cone" means 1:1 NAT.

I think that RFC 3489 meant a dynamic NAT when describing the NAT types, but didn't explicitly say so. Other parts of the document refer to NAT bindings associated with client requests, binding timeouts, "overload", etc...

The usage I'm more familiar with (and the one these devs want) is a dynamic (overload) NAT with sloppy matching of reply traffic so that any external IP:port combination can generate traffic toward the dynamic mapping and it will be accepted.

At any rate, the feature they're asking for is not generally available on the sort of router/firewall boxes with which I'm familiar.

edit: This except makes clear that "full cone" is a dynamic, overload (source) NAT which allows any internet host to use the dynamically created pinhole/mapping, and is a different animal than 1:1

> Source NAT is a many:1 NAT that can map many IP addresses to one or more addresses, but not in a 1:1 fashion like static NAT. This NAT is dynamically allocated in real time based on the available IP addresses and ports in the pool. Unlike static NAT, there is no reverse entry so to speak (well, there is one exception with full cone NAT, but that is outside the scope of this book).

"cone" as a term doesn't make much sense when talking about a 1:1 NAT, but does (sort of) describe the situation where one outbound packet can allow replies from anywhere on the internet.