Example: Configuring Inline Network Address Translation Hairpinning


This configuration example illustrates how to configure inline network address translation (NAT) hairpinning on MX Series devices using si- (service-inline) interfaces with a next-hop style service set.


This example uses the following hardware and software components:

  • MX Series router with a Modular Port Concentrator (MPC) line card

Overview and Topology

MPC line cards can perform some services inline, without a dedicated services card such as an MS-MPC. Inline services generally provide better performance than a services card.

This example shows hairpinning for inline basic NAT44. Generally, a source host in a subnetwork might not recognize that traffic is intended for a destination host within the same subnetwork because the source host identifies the destination host only by its public IP address. NAT hairpinning analyzes the IP packets and routes the traffic back to the correct destination host instead of passing the traffic through to the public network.

The topology for this scenario is shown in Figure 1.

Figure 1: Inline NAT Hairpinning With MX Series

As shown in Figure 1, host H1 and H2 are in the subnet H1 sends traffic towards the public address of host H2, The MX Series device performs NAT to translate the destination address of to, the private IP address of H2, and sends the traffic to host H2.

The following configuration elements are used in this scenario:

  • Inline service interface—a virtual interface that resides on the Packet Forwarding Engine of the MPC. To access services, traffic flows in and out of these si- (service-inline) interfaces.

  • Service set—defines the service(s) to be performed, and identifies which si- inline interfaces will feed traffic into and out of the service set. This example uses a next-hop-style service set, where static routes are used to forward packets with a specific destination through the inline service. In this example, the destination is used, so all traffic from the subnet is forwarded to the inline service.

  • NAT rule—uses an if-then structure to define matching conditions and then apply address translation to the matching traffic.

  • NAT pool—a user-defined set of IP addresses that are used by the NAT rule for translation.

  • Routing instance—a collection of routing tables, interfaces, and routing protocol parameters that run separate from the main (default) routing instance.


To configure inline NAT using a next-hop-style service set, perform these tasks:

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Configure Physical Interfaces

Step-by-Step Procedure

  1. Configure the physical interfaces.

Enable Inline Services and Create an Inline Interface

Step-by-Step Procedure

  1. Enable inline services for the relevant FPC slot and PIC slot, and define the amount of bandwidth to dedicate for inline services.

    The FPC and PIC settings here will create and map to an si- interface.

  2. On the si- interface, create two logical units. For each unit, specify the protocol family (or families) that will need NAT services, and the ’inside’ or ’outside’ interfaces for the service domain.

Configure Routing Instance and Identify Traffic to Send Through Inline NAT Service

Step-by-Step Procedure

  1. Configure a routing instance that includes the 'inside' physical and si- interfaces, as well as a static route that forwards all traffic into the inline NAT service through the si- interface.

Configure NAT Rule and Pool

Step-by-Step Procedure

  1. Configure a NAT rule that matches on traffic arriving at the MX device from subnet, translates it using basic IPv4 NAT, and uses an IP address from pool source_pool_1.
  2. Configure the NAT pool.

Configure the (Next-hop-style) Service Set

Step-by-Step Procedure

  • Configure a service set that uses the inline NAT service (nat-rules), and the inline interfaces defined above. Use the next-hop-service parameter to specify that this is a next-hop-style service set, and assign the si- interfaces as ’inside’ and ’outside’ based on their settings above.

    Traffic will flow into and out of the si- interfaces to access the inline NAT service.
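
The procedure above, written out as Junos set commands. This is an added example, not the configuration from the original page: only si-5/1/0 and source_pool_1 come from the text, while the interface ge-5/0/0, the names ri_inside, rule_1, term_1 and sset_1, the 1g bandwidth, the default route, and every address are placeholders chosen for illustration.

```junos
# Added example. Placeholder values are marked; FPC 5 / PIC 1 follow from si-5/1/0.

# Physical interface facing hosts H1 and H2 (name and address are placeholders)
set interfaces ge-5/0/0 unit 0 family inet address 192.168.1.1/24

# Enable inline services on the FPC/PIC that hosts si-5/1/0 (bandwidth value assumed)
set chassis fpc 5 pic 1 inline-services bandwidth 1g

# Two logical units on the si- interface, one per service domain
set interfaces si-5/1/0 unit 1 family inet
set interfaces si-5/1/0 unit 1 service-domain inside
set interfaces si-5/1/0 unit 2 family inet
set interfaces si-5/1/0 unit 2 service-domain outside

# Routing instance (hypothetical name) holding the inside physical and si- interfaces.
# The static route (assumed to be the default route) sends all traffic into the NAT service.
set routing-instances ri_inside instance-type virtual-router
set routing-instances ri_inside interface ge-5/0/0.0
set routing-instances ri_inside interface si-5/1/0.1
set routing-instances ri_inside routing-options static route 0.0.0.0/0 next-hop si-5/1/0.1

# NAT pool (placeholder documentation prefix) and basic NAT44 rule
set services nat pool source_pool_1 address 203.0.113.0/24
set services nat rule rule_1 match-direction input
set services nat rule rule_1 term term_1 from source-address 192.168.1.0/24
set services nat rule rule_1 term term_1 then translated source-pool source_pool_1
set services nat rule rule_1 term term_1 then translated translation-type basic-nat44

# Next-hop-style service set tying the rule to the inside and outside si- units
set services service-set sset_1 nat-rules rule_1
set services service-set sset_1 next-hop-service inside-service-interface si-5/1/0.1
set services service-set sset_1 next-hop-service outside-service-interface si-5/1/0.2
```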


Verifying That si Interface Comes Up


Verify that the si interface comes up.


On the MX Series router, verify that the si interface and logical units that you configured come up.

user@host> show interfaces terse si-5/1/0

Verifying NAT Pools Are Configured on the si Interface


Verify that the NAT pools are configured on the si interface.


On the MX Series router, verify that the NAT pools are configured correctly on the si interface.

user@host> show services inline nat pool

Verifying Address Translation


Verify that the si interface is properly translating IP addresses.


On the MX Series router, verify that IP addresses are being translated.

user@host> show services inline nat statistics