Creating and Managing CGNAT Policy and Filter Instances

NAT processing centers on the evaluation of NAT rule sets and rules. A rule set determines the overall direction of the traffic to be processed. For example, a rule set can select traffic from a particular interface or to a specific zone. A rule set can contain multiple rules. Once a rule set is found that matches specific traffic, each rule in the rule set is evaluated for a match. Each rule in the rule set further specifies the traffic to be matched and the action to be taken when traffic matches the rule.

Note

Before you create a policy and filter template for packet filters, SFW, or CGNAT services, you must have previously configured the different elements or attributes of the service, such as service sets, interface sets, rule sets, and syslogs during the creation of the service template. The sections in this procedural topic that describe the creation of such service elements apply during the creation of the service template and not during the creation of the service policy filters, such as CGNAT or SFW policies.

Creating a NAT Policy

To configure a new CGNAT policy or filter rule:

  1. From the View selector, select Gateway View. The View pane displays the devices in the entire network organized by the device type and device models pertaining to each device type.
  2. From the View pane, select the All Network item. Expand the tree to select the device type and device node, which denotes the SDGs in a high availability pair of SDGs or an SDG group.
  3. From the Junos Space user interface, click the Deploy icon on the Edge Services Director banner.

    The functionalities that you can configure in this mode are displayed in the task pane.
  4. Select Service Edit > CGNAT from the task pane.

    The CGNAT Policies page is displayed.

  5. Click the plus sign (+) next to Policy and Filter to expand the tree in the task pane and view the list of filter rules.
  6. From the task pane, select CGNAT Policy and Filter to open the CGNAT and Filter page on the right pane.
  7. Click the Add icon above the table of listed rules. The Create Policy and Filter window is displayed.
    Figure 1: Create a CGNAT Rule Window
  8. Enter the name of the group policy in the Name field (limit of 63 alphanumeric characters).
  9. Enter a description for the group policy rules in the Description field. Edge Services Director sends the comments entered in this field to the device (limit of 255 alphanumeric characters).
  10. In the Match Direction list, specify the direction in which the rule match is applied. Select one of the following options:
    • input—Apply the rule match on the input side of the interface.

    • input-output—Apply the rule match bidirectionally.

    • output—Apply the rule match on the output side of the interface.

  11. In the SDG section, do the following:
    • From the SDG drop-down list, select the devices with which the NAT policy must be associated. Alternatively, you can select the high availability pair of SDG devices with which the NAT policy must be associated. All of the devices in the different SDG groups that were previously defined in the database are also listed in the drop-down menu.

  12. Create a NAT rule term that must be added to the NAT policy. For details on configuring a NAT rule term, see Creating a NAT Rule Term.
  13. The list of terms added, and the associated service sets and rule sets, are displayed in a tabular format in the Create Policy and Filter page. Select the check box next to the term you want to attach to the NAT policy.
  14. Click Create to save the NAT policy.
  15. Click Validate to perform validation checks on the configuration planned to be deployed to examine and correct any syntax errors or incompatible settings. You can also validate without deploying the configuration.
Note

In the Create Policy and Filter window, you can also do the following:

  • Click the Create icon displayed beside the terms or attributes to add a new attribute. You can then use the newly defined attribute to add to a policy to cause the same selection for a particular term to be applied across all SDGs or groups.

  • Click the Edit icon displayed beside the terms or attributes to modify an attribute. You can then use the modified attribute to add to a policy to cause the same selection for a particular term to be applied across all SDGs or groups.

  • Select the check box beside the SDGs or SDG groups in the Create NAT Term page to include the devices or the SDG groups in the NAT policy for association. Deselect the check boxes beside the SDGs or groups to exclude the devices from the NAT policy.

  • Click the Copy to All Hosts button to apply the defined term at the system or network level and not at a particular SDG or SDG group level.

Creating a Service Set

A service set is a collection of services to be performed by an Adaptive Services (AS) or Multiservices PIC. To create a service set as a component for the CGNAT rule:

  1. From the View selector, select Gateway View. The View pane displays the devices in the entire network organized by the device type and device models pertaining to each device type.
  2. From the View pane, select the All Network item. Expand the tree to select the device type and device node, which denotes the SDGs in a high availability pair of SDGs or an SDG group.
  3. From the Junos Space user interface, click the Deploy icon on the Edge Services Director banner.

    The functionalities that you can configure in this mode are displayed in the task pane.
  4. Select Service Edit > CGNAT from the task pane.

    The Service Edit > CGNAT Policies page is displayed.

  5. Click the Add icon. The Create a CGNAT Policy and Filter Template window appears.
  6. Enter the name of the rule, a description, and the direction in which the rule match must be applied in the respective fields. Also, select the SDG or SDG pair for which the syslog needs to be defined for the service set.
  7. In the Create Policy and Filter page, click Associate Service Sets/Rule Sets. The Associate Service Sets/Rule Sets section is displayed. The SDGs and SDG groups that are part of the NAT policy filter rule term are shown in one column. Under the Association column, either the Configure or Edit icon appears. If you already created and mapped a service set with the particular SDG or group, the Edit icon shows.
  8. Click the Configure or Edit icon. The Configure Service Sets/Rule Sets dialog box is displayed.
  9. From the Type drop-down list, select Service Set to map a service set with the policy filter rule.
  10. If you selected Service Set from the Type list, select a service set previously configured in the Service Designer workspace from the Value list.
  11. Click the green plus sign next to the Value drop-down list. The Addition of Service Sets dialog box appears.

    Note

    If a green plus sign mark is shown beside a field in the dialog box, it denotes that you can add attributes for that component. A red minus mark shows that you can delete that particular attribute for that component.

  12. In the Name field, enter the name to identify the service set. Rules are combined into rule sets, and are associated with a service set for each application such as firewall or CGNAT.
  13. In the Sampling Service Choices section, do one of the following:
    • Click Interface Services to configure an interface-style service set. An interface service set is used as an action modifier across an entire interface.

      • In the Service Interfaces field, specify the name for the adaptive services interface associated with an interface-wide service set.

        When you have defined and grouped the service rules by configuring the service-set definition, you can apply services to one or more interfaces installed on the router. When you apply the service set to an interface, it automatically ensures that packets are directed to the PIC.

      • From the Load Balancing Options section, configure the high availability (HA) options.

        The following hash keys can be configured in the egress direction: destination-ip (Use the destination IP address of the flow to compute the hash used in load balancing.) and source-ip (Use the source IP address of the flow to compute the hash used in load balancing.)

      • Click the green tick mark beside the Egress Key element to configure the hash keys to be used in the egress flow direction. The configuration is mandatory if you are using AMS for Network Address Translation (NAT). This configuration is not mandatory if you are using AMS for stateful firewall; if the hash keys are not configured, then the defaults are chosen.

      • Click the green tick mark beside the Ingress Key element to configure the hash keys to be used in the ingress flow direction. The configuration is mandatory if you are using AMS for Network Address Translation (NAT). This configuration is not mandatory if you are using AMS for stateful firewall; if the hash keys are not configured, then the defaults are chosen.

      Configure the hash keys used for load balancing in aggregated multiservices (AMS) for service applications (Network Address Translation [NAT], stateful firewall, application-level gateway [ALG], HTTP header enrichment, and mobility). The hash keys supported in the ingress and egress direction are the source IP address and destination IP address.

      Hash keys are used to define the load-balancing behavior among the various members in the AMS group. For example, if hash-keys is configured as source-ip, then the hashing would be performed based on the source IP address of the packet. Therefore, all packets with the same source IP address land on the same member. Hash keys must be configured with respect to the traffic direction: ingress or egress. For example, if hash-keys is configured as source-ip in the ingress direction, then it should be configured as destination-ip in the egress direction. This is required to ensure that the packets of the same flow reach the same member of the AMS group.

      The configuration of the ingress and egress hash keys is mandatory if you are using AMS for NAT. This configuration is not mandatory if you are using AMS for stateful firewall; if the hash keys are not configured, then the defaults are chosen. Refer to Table 1 for the supported hash keys.

      The resource-triggered option enables anchor session PICs to use the load or resource information from the anchor services PICs to select the AMS member that will anchor the services for the subscriber, for load balancing among AMS members. In addition, for mobile subscriber-aware services (such as HTTP header enrichment), you must configure the resource-triggered statement, which means that the load balancing is not done using the ingress and egress keys.

      Table 1: Hash Keys Supported for AMS for Service Applications

      Hash Keys for NAT

      NAT Type                                 | Service Set at Ingress Interface                   | Service Set at Egress Interface
                                               | Ingress hash key         | Egress hash key         | Ingress hash key         | Egress hash key
      -----------------------------------------+--------------------------+-------------------------+--------------------------+-------------------------
      source static                            | Destination IP address   | Source IP address       | Source IP address        | Destination IP address
      source dynamic                           | Source IP address        | Destination IP address  | Destination IP address   | Source IP address
      Network Address Port Translation (NAPT)  | Source IP address        | Destination IP address  | Destination IP address   | Source IP address
      destination static                       | Source IP address        | Destination IP address  | Destination IP address   | Source IP address

      Hash Keys for Stateful Firewall

      Service                                  | Service Set at Ingress Interface                   | Service Set at Egress Interface
                                               | Ingress hash key         | Egress hash key         | Ingress hash key         | Egress hash key
      -----------------------------------------+--------------------------+-------------------------+--------------------------+-------------------------
      Stateful Firewall                        | Destination IP address   | Source IP address       | Destination IP address   | Source IP address
      Stateful Firewall                        | Source IP address        | Destination IP address  | Source IP address        | Destination IP address

      Note

      If NAT is used in the service set (along with stateful firewall and ALG), then the hash keys should be based on the NAT type; otherwise, the hash keys of the stateful firewall should be used.

    • Click Next Hop Services to configure a next-hop style service set. A next-hop service set is a route-based method of applying a particular service. Only packets destined for a specific next hop are serviced by the creation of explicit static routes.

      • In the Inside Interface list, specify the interface type of the service interface associated with the service set applied inside the network. For inline IP reassembly, set the interface type to local. Also, specify the name and logical unit number of the service interface associated with the service set applied inside the network.

        When a next-hop service is configured, the AS or Multiservices PIC is considered to be a two-legged module with one leg configured to be the inside interface (inside the network) and the other configured as the outside interface (outside the network).

      • In the Outside Interface list, specify the interface type of the service interface associated with the service set applied outside the network. For inline IP reassembly, set the interface type to local. Also, specify the name and logical unit number of the service interface associated with the service set applied outside the network.

      • In the Service Interface Pool list, select the name of the pool of logical interfaces configured at the [edit services service-interface-pools pool pool-name] hierarchy level. You can configure a service interface pool only if the service set has a PGCP rule configured. The service set cannot contain any other type of rule.

    • Click Sampling Services to configure a sampling service set.

      • In the Service Interface field, specify the service interface, which is the interface the sampling is taken from. In the case of a sampling service set, the service interface must be a Multiservices PIC interface with a subunit number of 0 (zero). The subunit number defaults to 0. The reverse-flow statement is not mandatory. All sampled traffic is considered to be forward traffic. If you set the reverse-flow statement, it is ignored.

    • Select the Replication Service check box to configure the services replication options for inter-chassis high availability on MS-MIC and MS-MPC.

      • In the Replication Threshold field, specify the number of seconds for the replication threshold. When a flow has been active for more than the number of seconds specified as a threshold, flow state information is replicated to the backup device. Make sure that the replication-threshold value is greater than the open-timeout value (the timeout period for establishing a TCP connection), so that connections that never complete are not replicated. The default value of the replication threshold is 180 seconds. This value is also the minimum.

      • Select the Stateful Firewall check box to replicate stateful firewall state information.

      • Select the NAT check box to replicate NAPT44 information.

  14. In the CGNAT Rule Sets section, select the rule set you want to associate with the service set from the Available column and click the right arrow to move to the Selected column.
  15. In the CGNAT Rules section, select the rule you want to associate with the service set from the Available column and click the right arrow to move to the Selected column.
  16. In the CGNAT Syslogs section, select the syslog you want to associate with the service set from the Available column and click the right arrow to move to the Selected column.
  17. Click Save to save the service rule configuration. Otherwise, click Close to discard the changes to the rule.

Creating a Syslog

You can enable system logging. The system log information from the Adaptive Services or Multiservices PIC is passed to the kernel for logging in the /var/log directory. This setting overrides any syslog statement setting included in the service set or interface default configuration.

To create a syslog for the CGNAT rule:

  1. From the View selector, select Gateway View. The View pane displays the devices in the entire network organized by the device type and device models pertaining to each device type.
  2. From the View pane, select the All Network item. Expand the tree to select the device type and device node, which denotes the SDGs in a high availability pair of SDGs or an SDG group.
  3. From the Junos Space user interface, click the Deploy icon on the Edge Services Director banner.

    The functionalities that you can configure in this mode are displayed in the task pane.
  4. Select Service Edit > CGNAT from the task pane.

    The Service Edit > CGNAT Policies page is displayed.

  5. Click the Add icon. The Create a CGNAT Policy and Filter Template window appears.
  6. Enter the name of the rule, a description, and the direction in which the rule match must be applied in the respective fields. Also, select the SDG or SDG pair for which the syslog needs to be defined for the service set.
  7. In the Create Policy and Filter page, click Associate Service Sets/Rule Sets. The Associate Service Sets/Rule Sets section is displayed. The SDGs and SDG groups that are part of the NAT policy filter rule term are shown in one column. Under the Association column, either the Configure or Edit icon appears. If you already created and mapped a service set with the particular SDG or group, the Edit icon shows.
  8. Click the Configure or Edit icon. The Configure Service Sets/Rule Sets dialog box is displayed.
  9. From the Type drop-down list, select Service Set to map a service set with the policy filter rule.
  10. If you selected Service Set from the Type list, select a service set previously configured in the Service Designer workspace from the Value list.
  11. Click the green plus sign next to the Value drop-down list. The Addition of Service Sets dialog box appears.

    Note

    If a green plus sign mark is shown beside a field in the dialog box, it denotes that you can add attributes for that component. A red minus mark shows that you can delete that particular attribute for that component.

  12. Click the green plus sign next to the Syslog Settings field. The Addition of Service Sets dialog box appears.
  13. In the Name field, enter the name for the syslog component. Specify the fully qualified domain name or IP address for the syslog server.
  14. In the Services list, specify the system logging severity level. It assigns a severity level to the facility. Valid entries include:
    • alert—Conditions that should be corrected immediately.

    • any—Matches any level.

    • critical—Critical conditions.

    • emergency—Panic conditions.

    • error—Error conditions.

    • info—Informational messages.

    • notice—Conditions that require special handling.

    • warning—Warning messages.

  15. From the Facility Override list, select the override for the default facility for system log reporting. Valid values include:
    • authorization

    • daemon

    • ftp

    • kernel

    • local0 through local7

    • user

  16. In the Log Prefix field, set the system logging prefix value for all logging to the system log host.
  17. In the Port field, specify the port number to be used for connection with the remote syslog server.
  18. In the Class section, set the class of applications to be logged to the system log.
    • alg-logs—Log application-level gateway events.

    • ids-logs—Log intrusion detection system events.

    • nat-logs—Log Network Address Translation events.

    • packet-logs—Log general packet-related events.

    • session-logs—Log session open and close events.

    • session-logs open—Log session open events only.

    • session-logs close—Log session close events.

    • stateful-firewall-logs—Log stateful firewall events.

  19. In the Source Address field, specify a source address to record in system log messages that are directed to a remote machine specified in the hostname statement. The supported interfaces are ms, rms, and mams interfaces. If you do not specify the interface parameter, the command loops on all supported interfaces. This field is available only if you selected the Junos OS 14.1 version.
  20. Click Save to save the service rule configuration. Otherwise, click Close to discard the changes to the rule.

Creating a Rule

To create a rule for the CGNAT service:

  1. From the View selector, select Gateway View. The View pane displays the devices in the entire network organized by the device type and device models pertaining to each device type.
  2. From the View pane, select the All Network item. Expand the tree to select the device type and device node, which denotes the SDGs in a high availability pair of SDGs or an SDG group.
  3. From the Junos Space user interface, click the Deploy icon on the Edge Services Director banner.

    The functionalities that you can configure in this mode are displayed in the task pane.
  4. From the task pane, select Service Edit. The Service Edit page is displayed.
  5. Click the CGNAT button. The list of CGNAT policies is displayed.
  6. Click the Add icon. The Create a CGNAT Policy window appears.
  7. Enter the name of the template and the service instance in the respective fields.
  8. Click the green plus sign in the Rules box. The Addition of Rules dialog box appears.

    Note

    If a green tick mark is shown beside a field in the dialog box, it denotes that you can add attributes for that component. A red cross mark shows that you can delete that particular attribute for that component.

  9. From the Rule list, select one of the previously configured rules. The rules that you configured in the Service Templates workspace for CGNAT or packet filter are displayed.
  10. Click Save to save the service template configuration. Otherwise, click Close to discard the changes to the template.

Creating a Rule Set

The rule-set statement defines a collection of stateful firewall rules that determine what actions the router software performs on packets in the data stream. You define each rule by specifying a rule name and configuring terms. Then, you specify the order of the rules by including the rule-set statement at the [edit services stateful-firewall] hierarchy level with a rule statement for each rule.

The router software processes the rules in the order in which you specify them in the configuration. If a term in a rule matches the packet, the router performs the corresponding action and the rule processing stops. If no term in a rule matches the packet, processing continues to the next rule in the rule set. If none of the rules matches the packet, the packet is dropped by default.

To create a rule set for the CGNAT policy:

  1. From the View selector, select Gateway View. The View pane displays the devices in the entire network organized by the device type and device models pertaining to each device type.
  2. From the View pane, select the All Network item. Expand the tree to select the device type and device node, which denotes the SDGs in a high availability pair of SDGs or an SDG group.
  3. From the Junos Space user interface, click the Deploy icon on the Edge Services Director banner.

    The functionalities that you can configure in this mode are displayed in the task pane.
  4. Select Service Edit > CGNAT from the task pane.

    The Service Edit > CGNAT Policies page is displayed.

  5. Click the Add icon. The Create a CGNAT Policy and Filter Template window appears.
  6. Enter the name of the rule, a description, and the direction in which the rule match must be applied in the respective fields. Also, select the SDG or SDG pair for which the syslog needs to be defined for the service set.
  7. In the Create Policy and Filter page, click Associate Service Sets/Rule Sets. The Associate Service Sets/Rule Sets section is displayed. The SDGs and SDG groups that are part of the NAT policy filter rule term are shown in one column. Under the Association column, either the Configure or Edit icon appears. If you already created and mapped a service set with the particular SDG or group, the Edit icon shows.
  8. Click the Configure or Edit icon. The Configure Service Sets/Rule Sets dialog box is displayed.
  9. From the Type drop-down list, select Service Set to map a service set with the policy filter rule.
  10. If you selected Service Set from the Type list, select a service set previously configured in the Service Designer workspace from the Value list.
  11. Click the green plus sign next to the Value drop-down list. The Addition of Service Sets dialog box appears.

    Note

    If a green plus sign mark is shown beside a field in the dialog box, it denotes that you can add attributes for that component. A red minus mark shows that you can delete that particular attribute for that component.

  12. In the Name field, specify a name for the rule set the router uses when applying this service.
  13. In the Rules section, select the rules that need to be added to the rule set from the Available column and click the right arrow to move these rules to the Selected column. All the rules that you previously configured during the creation or modification of the service rule are displayed.
  14. Click Save to save the rule set configuration. Otherwise, click Close to discard the changes to the rule.
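As an added example, not taken from this page or from Edge Services Director, this is the Junos CLI form of the objects the service set, syslog, rule and rule set procedures above create, with the AMS hash keys chosen from Table 1 for NAPT44 with the service set applied at the ingress interface. All names, addresses, ports and interface slots (napt-pool, napt-rule, cgnat-rules, cgnat-ss, 192.0.2.10, mams-1/0/0, mams-2/0/0, ge-0/0/1) are assumed placeholders.

```junos
/* Assumed placeholders: pool napt-pool, rule napt-rule, rule set cgnat-rules,
   service set cgnat-ss, syslog host 192.0.2.10, AMS members mams-1/0/0 and
   mams-2/0/0, subscriber-facing interface ge-0/0/1. */
interfaces {
    ams0 {
        load-balancing-options {
            member-interface mams-1/0/0;
            member-interface mams-2/0/0;
            /* Table 1, NAPT row, service set at the ingress interface:
               ingress key source-ip, egress key destination-ip. The keys are
               mirrored so both directions of a flow land on the same member. */
            hash-keys {
                ingress-key source-ip;
                egress-key destination-ip;
            }
        }
        unit 0 {
            family inet;
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.1.1.1/24;
                /* Interface-style service set applied in both directions */
                service {
                    input {
                        service-set cgnat-ss;
                    }
                    output {
                        service-set cgnat-ss;
                    }
                }
            }
        }
    }
}
services {
    nat {
        pool napt-pool {
            address 203.0.113.0/28;
            port {
                range low 1024 high 65535;
            }
        }
        rule napt-rule {
            /* Match Direction "input" in the Create Policy and Filter window */
            match-direction input;
            term private-to-public {
                from {
                    source-address 10.0.0.0/8;
                }
                then {
                    translated {
                        source-pool napt-pool;
                        translation-type napt-44;
                    }
                    syslog;
                }
            }
        }
        /* Rule set: rules are evaluated in the order listed */
        rule-set cgnat-rules {
            rule napt-rule;
        }
    }
    service-set cgnat-ss {
        /* CGNAT syslog: severity, class, facility override, prefix and port
           correspond to the fields in the Creating a Syslog procedure */
        syslog {
            host 192.0.2.10 {
                services info;
                class {
                    nat-logs;
                    session-logs;
                }
                facility-override local0;
                log-prefix CGNAT-SS;
                port 514;
            }
        }
        nat-rule-sets cgnat-rules;
        interface-service {
            service-interface ams0;
        }
    }
}
```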

Creating Addresses

To create an address:

  1. In the Source and Destination Address Selector dialog box, to create a new address, click the plus sign (+).

    The Create Address page appears.

  2. In the Object Type section, click the Address radio button to create an address.
  3. In the Name field, enter a name for the new address.
  4. In the Description field, enter a description for the new address.
  5. Direct Edge Services Director to resolve an IP address to a hostname or resolve a hostname to an IP address.
    • To specify an IP address as the address type, select Host from the drop-down menu and enter the IP address in the IP field.

    • To specify a hostname as the address type, select Host from the drop-down menu and enter the hostname in the Host Name field.

    • To specify an IP address range, select Range from the drop-down menu and enter the IP ranges in the Start IP and End IP fields.

    • To specify a network as an address type, select Network from the drop-down menu and enter the network address in the IP and Netmask fields.

    • To specify an IP address with a wildcard mask, select Wildcard from the drop-down menu and enter the IP address in the IP field and wildcard mask in the Wildcard Mask fields.

    • To specify a DNS name as an address type, select DNS Host from the drop-down menu and enter the DNS name in the DNS Name field.

    Note

    You can resolve an IP address to a hostname and a hostname to an IP address using the green arrows next to the IP and Host Name fields.

    Note

    The host and network address types support both IPv4 and IPv6 address types. These address types also support multicast addresses. However, the range address type supports only IPv4 addresses. NAT and IPsec VPNs do not support IPv6 addressing and wildcard addresses.

    Note

    Ensure that the first 8 bits of the address are not 0 and the highest bit of the mask is 1 when you are using the wildcard address type.

  6. Click Create to create an address.

    The new address appears in the Manage Address page.

Creating Address Groups

To create an address group:

  1. In the Source and Destination Address Selector dialog box, to create a new address group, click the plus sign (+).

    The Create Address Group page appears.

  2. Select the Object Type as Address Group.
  3. In the Name field, enter a name for the new address group.
  4. In the Description field, enter a description for the new address group.
  5. In the Addresses field, from the Available dialog box, select the address that you want to group, and click the right arrow to add to the Selected column.

    Click All to move all the addresses to the Selected column. The address you have selected appears in the Selected section of the dialog box.

  6. Click Create.

    The address group appears on the Address page.

Address and Address Groups Overview

You can use the Address Creation Wizard to create an address object that specifies an IP address or a hostname. You can specify a hostname and use the address resolution option to resolve it to an IP address. You can also resolve an IP address to the corresponding hostname.

You can group address objects to form an address group using the Address Group Creation Wizard. Junos Space creates an object in the Junos Space database to represent an address or an address group.

Creating a NAT Rule Term

To add rules to a NAT policy:

  1. In the Create Policy and Filter window, the list of rule terms already added, if any, to the NAT policy are displayed.
  2. Next to the Terms field, click the + icon to add rules, and select the type of rule you want to add.
  3. In the Term Name field, specify the name of the rule.

    The list of SDGs with which you associated the NAT policy in the Create Policy window is displayed, along with the From and Then sections or clauses. If you selected SDG groups to associate with the NAT policy, the SDG group names are displayed.

    Note
    • Click the Copy to All Hosts button to apply the defined term at the system or network level and not at a particular SDG or SDG group level.

    • When you create a rule or filter term, and define the name of the filter, for SDGs that are part of a high availability pair of devices, the names of the SDGs are displayed as tabs and check boxes beside the hostnames of the SDGs are displayed. If you want the policy or filter term definition to apply to both the SDGs, select the check boxes next to the SDG names.

      Otherwise, when you click the SDG name tab for the SDG for which you did not select the check box, a blue highlight overlays the entire dialog box to indicate that the settings are not enabled for configuration for that specific SDG.

  4. In the From section, do the following to specify input conditions or match criteria for the NAT term:
    • In the Source Address field, click the down arrow in the list. The address selector dialog box appears. Select the source addresses that need to be added to the NAT policy from the Available column and click the right arrow to move these addresses to the Selected column.

      Click OK to confirm the selection. Click Cancel to discard your changes and return to the Create Policy and Filter window.

      To create an address or address group from the address selector dialog box, see Creating Addresses and Creating Address Groups.

    • In the Destination Address field, click the down arrow in the list. The address selector dialog box appears. Select the destination addresses that need to be added to the NAT policy from the Available column and click the right arrow to move these addresses to the Selected column.

      Click OK to confirm the selection. Click Cancel to discard your changes and return to the Create Policy and Filter window.

      To create an address or address group from the address selector dialog box, see Creating Addresses and Creating Address Groups.

    • Specify a destination port to match the rule in the Destination Port field. You can configure a range of ports by specifying the upper limit and lower limit of the ports in the Start Value and End Value fields.

    • Select the application protocol or name to which the NAT services apply from the Application drop-down menu. When you click the down arrow in the list, the application selector dialog box appears. Select the application name that needs to be added to the NAT policy.

      To create a new application name or application set, see Creating Applications and Application Sets.

    • Select the name of the target application set from the Application Sets drop-down menu.

  5. In the To section, do the following to specify actions or modifiers to be performed for the NAT term:
    • In the Translation Type drop-down list, select the NAT translation type.

      • basic-nat44—Translate the source address statically (IPv4 to IPv4).

      • basic-nat66—Translate the source address statically (IPv6 to IPv6).

      • basic-nat-pt—Translate the addresses of IPv6 hosts as they originate sessions to the IPv4 hosts in the external domain. The basic-nat-pt option is always implemented with DNS ALG.

      • deterministic-napt44—Translate as napt-44, and use deterministic port block allocation for port translation.

      • dnat-44—Translate the destination address statically (IPv4 to IPv4).

      • dynamic-nat44—Translate only the source address by dynamically choosing the NAT address from the source address pool.

      • napt-44—Translate the transport identifier of the IPv4 private network to a single IPv4 external address.

      • napt-66—Translate the transport identifier of the IPv6 private network to a single IPv6 external address.

      • napt-pt—Bind addresses in an IPv6 network with addresses in an IPv4 network and vice versa to provide transparent routing for the datagrams traversing between the address realms.

      • stateful-nat64—Implement dynamic address and port translation for source IP addresses (IPv6-to-IPv4) and prefix removal translation for the destination IP addresses (IPv6-to-IPv4).

      • twice-basic-nat-44—Translate the source and destination addresses statically (IPv4 to IPv4).

      • twice-dynamic-nat-44—Translate the source address by dynamically choosing the NAT address from the source address pool. Translate the destination address statically.

      • twice-dynamic-napt-44—Translate the transport identifier of the IPv4 private network to a single IPv4 external address. Translate the destination address statically.

    • In the Source Pool field, click the down arrow in the list. The NAT pool selector dialog box appears. Select the source pools that need to be added to the NAT policy from the Available column and click the right arrow to move these pools to the Selected column.

      Click OK to confirm the selection. Click Cancel to discard your changes and return to the Create Policy and Filter window.

      To create a NAT pool from the source and destination pool selector dialog box, see Creating a NAT Pool.

    • In the Destination Pool field, click the down arrow in the list. The NAT pool selector dialog box appears. Select the destination pools that need to be added to the NAT policy from the Available column and click the right arrow to move these pools to the Selected column.

      Click OK to confirm the selection. Click Cancel to discard your changes and return to the Create Policy and Filter window.

      To create a NAT pool from the source and destination pool selector dialog box, see Creating a NAT Pool.

    • Select the No Translation option to specify that traffic is not to be translated.

    • Select Paired as the NAT address pooling behavior. Only paired address pooling is supported. Address pooling paired (APP) ensures that all sessions originating from the same internal host are assigned the same external IP address. You can use this feature when assigning external IP addresses from a pool. This option does not affect port utilization.

    • In the Destination Prefix field, click the down arrow in the list to specify the destination prefix for translated traffic. The address selector dialog box appears. Select the destination addresses that need to be added to the NAT policy from the Available column and click the right arrow to move these addresses to the Selected column.

      Click OK to confirm the selection. Click Cancel to discard your changes and return to the Create Policy and Filter window.

      To create an address or address group from the address selector dialog box, see Creating Addresses and Creating Address Groups.

    • Specify the (NAT) pool for destination translation from the DNS ALG Pool list.

    • Set the Domain Name System (DNS) application-level gateway (ALG) 96-bit prefix for mapping IPv4 addresses to IPv6 addresses from the DNS ALG Prefix list.

    • Select the Endpoint Independent check box for the Filtering Type field to specify the NAT filtering behavior for sessions initiated from outside to inside as endpoint-independent filtering (EIF).

    • Select the Endpoint Independent check box for the Mapping Type field to specify the source NAT mapping type.

    • In the Source Prefix field, click the down arrow in the list to specify the source prefix for translated traffic. The address selector dialog box appears. Select the source addresses that need to be added to the NAT policy from the Available column and click the right arrow to move these addresses to the Selected column.

      Click OK to confirm the selection. Click Cancel to discard your changes and return to the Create Policy and Filter window.

      To create an address or address group from the address selector dialog box, see Creating Addresses and Creating Address Groups.

    • Select the Syslog check box to enable system logging. The system log information from the Multiservices PIC is passed to the kernel for logging in the /var/log directory. This field is available only if you selected the Junos OS 14.1 version to create the service template.

  6. Click Save to create the rule. Alternatively, click Validate in the Create Rule page to run validation checks on the configuration that is planned for deployment, so that you can examine and correct any syntax errors or incompatible settings.
  7. A new rule is added in the last row, depending on the type of rule you have added. The newly added rules blink in a different color for a few seconds. The behavior is the same whether you add a new rule before or after a rule, clone a rule, or paste a rule.

    The rule is assigned a serial number based on the number of rules already added to the policy.
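The Paired address pooling option and the Endpoint Independent check boxes for Filtering Type and Mapping Type in step 5 describe how a napt-44 rule maps and filters sessions. The following is an added example (not Edge Services Director or Junos code) that simulates a napt-44 mapping table with those three behaviors: address pooling paired (APP) keeps every session from one internal host on the same external address, endpoint-independent mapping (EIM) reuses one external (address, port) for an internal endpoint whatever the destination, and endpoint-independent filtering (EIF) accepts inbound packets to a mapped external endpoint from any outside host. The `eif=False` branch, which only admits peers the internal host has already contacted, is not an option on this page and is included only for contrast. All addresses are constructed sample values, and the round-robin choice of an external address for each new host is an assumption of the example rather than documented pool behavior.

```python
"""Simulation of a napt-44 mapping table with APP, EIM and EIF.

Added example, not product code. Addresses are constructed sample values
(RFC 5737 documentation ranges); the per-host external address choice is an
assumption of this example.
"""


class NaptTable:
    def __init__(self, pool, eif=True, port_low=1024, port_high=65535):
        self.pool = list(pool)            # external addresses of the source pool
        self.eif = eif                    # True: endpoint-independent filtering
        self.port_low, self.port_high = port_low, port_high
        self.paired = {}                  # APP: internal host -> external address
        self.mappings = {}                # EIM: (int ip, int port) -> (ext ip, ext port)
        self.reverse = {}                 # (ext ip, ext port) -> internal endpoint
        self.peers = {}                   # (ext ip, ext port) -> set of contacted dst ips
        self._next_port = {}              # next free port per external address
        self._hosts_seen = 0

    def _external_for(self, host):
        """APP: the first session from a host picks its external address; later
        sessions from that host reuse it (assumed: pick addresses round-robin)."""
        if host not in self.paired:
            self.paired[host] = self.pool[self._hosts_seen % len(self.pool)]
            self._hosts_seen += 1
        return self.paired[host]

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an outbound flow and return the external (ip, port).
        With EIM the destination plays no part in the mapping key."""
        key = (src_ip, src_port)
        if key not in self.mappings:
            ext_ip = self._external_for(src_ip)
            port = self._next_port.get(ext_ip, self.port_low)
            if port > self.port_high:
                raise RuntimeError(f"port range exhausted on {ext_ip}")
            self._next_port[ext_ip] = port + 1
            self.mappings[key] = (ext_ip, port)
            self.reverse[(ext_ip, port)] = key
            self.peers[(ext_ip, port)] = set()
        ext = self.mappings[key]
        self.peers[ext].add(dst_ip)       # remembered for the non-EIF contrast only
        return ext

    def inbound_allowed(self, ext_ip, ext_port, remote_ip):
        """Decide whether a packet from remote_ip to the external endpoint is
        forwarded inside. EIF: any sender, as long as a mapping exists.
        Otherwise (address-dependent filtering, contrast only): only senders the
        internal host has already sent to."""
        ext = (ext_ip, ext_port)
        if ext not in self.reverse:
            return False
        return True if self.eif else remote_ip in self.peers[ext]


if __name__ == "__main__":
    t = NaptTable(pool=["203.0.113.10", "203.0.113.11"])
    print(t.outbound("10.0.0.1", 40000, "198.51.100.5", 443))   # host 1 -> .10:1024
    print(t.outbound("10.0.0.1", 40001, "198.51.100.6", 80))    # same host, same address
    print(t.outbound("10.0.0.2", 40000, "198.51.100.5", 443))   # host 2 -> .11:1024
    print(t.inbound_allowed("203.0.113.10", 1024, "192.0.2.77"))  # EIF: True
```

The defender-side point the simulation makes visible is that with EIF an external endpoint such as `203.0.113.10:1024` is reachable from any outside address for as long as the mapping lives, so the lifetime of idle mappings, not just the rule itself, determines the exposure of internal hosts.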

Associating an Application and Application Set with a NAT Rule

To associate an application and an application set for a NAT rule term:

  1. In the Add Term page, in the Application or Application Set sections, the application set selector dialog box is displayed. Select the applications or application sets that need to be added to the NAT rule term from the Available column and click the right arrow to move these applications or application sets to the Selected column.

Creating a NAT Pool

A Network Address Translation (NAT) pool is a continuous range of IP addresses that you can use to create a NAT policy. NAT policies perform address translation by translating internal IP addresses to the addresses in these pools.

To create a NAT pool:

  1. In the Add Term page, click the down arrow of the Source Pool or Destination Pool drop-down lists. The source and destination NAT pool selector dialog box is displayed.
  2. Select a NAT pool to function as the source or destination pool from the Select NAT Pool pop-up dialog box. Click OK to add the selected NAT pool to the source or destination pool drop-down list in the Add Term page.
  3. If a NAT address pool has not been previously created, click the plus sign (+) to create a new NAT pool. The Create NAT Pool page appears.
  4. Enter the name of the NAT pool in the Name field.
  5. Select the type of NAT pool as source or destination from the Pool Type menu.
  6. In the Pool Address field, do one of the following:
    • Select the Range radio button and enter the network address in the Prefix and Netmask fields for IPv4 or IPv6.

    • Select the Address Prefix radio button and enter the IP ranges in the Start IP and End IP fields.

  7. Select the Round Robin check box beside the Address Allocation field if you want to use round-robin technology. When you use round-robin allocation, one port is allocated from each address in a range before repeating the process for each address in the next range. After ports have been allocated for all addresses in the last range, the allocation process wraps around and allocates the next unused port for addresses in the first range.
  8. In the Auto Port Allocation field, do one of the following to specify the NAT pool port or port range. You can use an automatically assigned port or specify a range with minimum and maximum values:
    • Select the Automatic radio button to use a router-assigned port.

    • Select the Random Allocation radio button to allocate ports within a specified range randomly. Select the Range check box and specify the starting and ending values for the port range in the Low and High fields.

  9. Click Create to save the NAT address pool. The pool is now populated in the Select NAT Pool dialog box in the drop-down list. You can select the created pool as the source or destination address pool while creating a NAT rule term.
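The Round Robin option in step 7 changes the order in which (address, port) pairs are handed out from a pool that spans several address ranges. The following is an added example (not Edge Services Director or Junos code) that simulates exactly the order step 7 describes: one port from each address of the first range, then one from each address of the next range, and, once every address in the last range has been used, a wrap back to the next unused port of the first range. The `round_robin=False` branch, which fills every port of one address before moving to the next, is not described on this page and is included only as a contrast; address ranges and port limits are constructed sample values.

```python
"""Simulation of round-robin (address, port) allocation across NAT pool ranges.

Added example, not product code. Ranges and port limits below are constructed
sample values; the non-round-robin contrast is an assumption of the example.
"""
import ipaddress


class NatPool:
    def __init__(self, ranges, port_low, port_high, round_robin=True):
        # ranges: list of (start_ip, end_ip); expanded in order to one flat address list
        self.addresses = []
        for start, end in ranges:
            lo, hi = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
            if hi < lo:
                raise ValueError(f"range end {end} precedes start {start}")
            self.addresses.extend(str(ipaddress.ip_address(i)) for i in range(lo, hi + 1))
        self.port_low, self.port_high = port_low, port_high
        self.round_robin = round_robin
        self.in_use = set()                                   # allocated (addr, port) pairs
        self._next = {a: port_low for a in self.addresses}    # next candidate port per address
        self._cursor = 0                                      # round-robin position

    def _first_free_port(self, addr):
        """Lowest port >= the per-address candidate that is not in use, or None."""
        port = self._next[addr]
        while port <= self.port_high and (addr, port) in self.in_use:
            port += 1
        return port if port <= self.port_high else None

    def allocate(self):
        """Hand out the next (address, port) pair.
        round_robin=True : step through all addresses of all ranges, one port each,
                           then wrap to the next unused port of the first address.
        round_robin=False: (contrast, assumed) exhaust one address before the next."""
        n = len(self.addresses)
        for step in range(n):
            idx = (self._cursor + step) % n if self.round_robin else step
            addr = self.addresses[idx]
            port = self._first_free_port(addr)
            if port is None:
                continue                                      # address exhausted, try next
            self.in_use.add((addr, port))
            self._next[addr] = port + 1
            if self.round_robin:
                self._cursor = (idx + 1) % n
            return addr, port
        raise RuntimeError("NAT pool exhausted")

    def release(self, addr, port):
        """Return a pair to the pool so it counts as unused again."""
        self.in_use.discard((addr, port))
        if port < self._next[addr]:
            self._next[addr] = port


if __name__ == "__main__":
    pool = NatPool([("203.0.113.1", "203.0.113.2"), ("203.0.113.10", "203.0.113.11")],
                   port_low=1024, port_high=1025)
    for _ in range(8):
        print(pool.allocate())   # .1:1024 .2:1024 .10:1024 .11:1024 .1:1025 ...
```

With round-robin allocation, consecutive sessions from the pool land on different external addresses, which spreads load and per-address port consumption evenly but also means that sessions from one subscriber are only kept on one address when the rule also uses paired address pooling.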

Associating Service Sets and Rule Sets With a NAT Rule

To associate a service set and a rule set with a NAT policy filter rule term:

  1. In the Create Policy and Filter page, click Associate Service Sets/Rule Sets. The Associate Service Sets/Rule Sets section is displayed. The SDGs and SDG groups that are part of the NAT policy filter rule term are shown in one column. Under the Association column, either the Configure or Edit icon appears. If you already created and mapped a service set with the particular SDG or group, the Edit icon shows.
  2. Click the Configure or Edit icon. The Configure Service Sets/Rule Sets dialog box is displayed.
  3. From the Type drop-down list, do either of the following:
    • Select Service Set to map a service set with the policy filter rule.

    • Select Rule Set to map a rule set with the policy filter rule.

    Depending on whether you selected Service Set or Rule Set in the Type list for association with the policy filter rule, the options displayed in the Value list beneath the Type list vary.

  4. If you selected Service Set from the Type list, select a service set previously configured in the Service Designer workspace from the Value list. If you selected Rule Set from the Type list, select a rule set previously configured in the Service Designer workspace from the Value list. Click Add to map the service set or rule set with the NAT policy filter rule.
  5. Click Save to save the settings. Alternatively, click Cancel to abort the changes.
  6. Click Copy to All Hosts in the Associate Service Sets dialog box to apply the defined term at the system or network level and not at a particular SDG or SDG group level. You are returned to the Add Term window.

Modifying NAT Policies

Before you can edit the policy, you must lock it by clicking the lock icon, which is available in the policy tabular view. You can hold more than one policy lock at a given time. You can unlock the policy by clicking the unlock icon next to the lock icon in the policy tabular view. If you attempt to lock a policy that is already locked by another user, a message is displayed stating that the lock is acquired by another user.

If the Edge Services Director administrator releases the lock, you receive a warning message stating that the lock has been released.

The Manage Policy Locks page appears showing only those locks that can be managed by the current user. The page contains the following fields:

  • Instance or Rule name

  • User (IP Address)

  • Lock acquired time

  • Service Gateway

The policy is locked and released for the following policy operations. Also, these operations are disabled for a policy, if the policy is locked by some other user.

  • Modify

  • Assign devices

  • Rollback

  • Delete

Note
  • You can unlock your policies even if they are not edited.

  • If the browser crashes when the policy is still locked, the policy is unlocked only after the timeout interval expires.

  • The policy lock is not released in the following scenarios:

    • If you save or discard your changes to the locked policy.

    • If you do not make any changes to the locked policy and navigate to another policy.

To modify an existing CGNAT policy or filter rule:

  1. From the View selector, select Gateway View. The View pane displays the devices in the entire network organized by the device type and device models pertaining to each device type.
  2. From the View pane, select the All Network item. Expand the tree to select the device type and device node, which denotes the SDGs in a high availability pair of SDGs or an SDG group.
  3. From the Junos Space user interface, click the Deploy icon on the Edge Services Director banner.

    The functionalities that you can configure in this mode are displayed in the task pane.
  4. Select Service Edit from the task pane. The Service Templates page is displayed.
  5. Click the plus sign (+) next to Policy and Filter to expand the tree in the task pane and view the list of filter rules.
  6. From the task pane, select CGNAT Policy and Filter to open the CGNAT and Filter page on the right pane.
  7. Select a policy, and click the Lock icon above the table of listed policies.
  8. Click the Modify icon above the table of listed templates. The Modify Policy and Filter window is displayed.
  9. Modify the attributes that are needed and save the updated settings.

Creating a Deployment Plan

You must have previously defined service templates and policy or filter templates before you can create a deployment plan.

To create a deployment plan and assign devices to it:

  1. From the View selector, select Gateway View. The View pane displays the devices in the entire network organized by the device type and device models pertaining to each device type.
  2. From the View pane, select the All Network item. Expand the tree to select the SDG in an SDG group.
  3. From the Junos Space user interface, click the Deploy icon on the Edge Services Director banner.

    The functionalities that you can configure in this mode are displayed in the task pane.
  4. Select Service Edit from the task pane. The Service Edit page is displayed.
  5. Click the right arrow next to Service Edit to expand the tree in the task pane and view the list of filter instances.
  6. From the task pane, select CGNAT Policy and Filter to open the SFW Policy and Filter page on the right pane.
  7. In the Service Edit page, from the tree that lists the SDGs, select All Service Gateways, or the SDG or SDG pair for which you want to view the previously configured policy or filter instances. This step applies only if you selected Gateway View. You can drill down to the SDG or pair of SDGs for which you want to process policies or filters.
  8. Select a rule corresponding to an SDG, and click the Lock icon above the table of listed policy filters.
  9. Click the down arrow in the Actions menu and select Send for Deployment to create a deployment plan for the particular service template and save the plan.

    The Deployment Plan Summary dialog box appears, with the service name, type, and status listed.

    Click Send to create a deployment plan.

    A deployment plan is created for the service template with the devices that are assigned to it, and it is listed on the Deployment Plans page.

  10. Alternatively, you can select Discard changes from the Actions menu to ignore the modifications done to a policy or filter template.
  11. From the Deployment plans page, you can select Reject or Approve from the Actions drop-down list to reject or approve the deployment plan and make it available for commissioning to the devices.