Configuring Service Sets for Network Address Translation
When configuring a service set for NAT processing, make sure you have defined:
- Service interface(s) for handling inbound and outbound traffic
  Prior to Junos OS Release 11.4R3, you could only use a source NAT pool in a single service set. In Junos OS Release 11.4R3 and later releases, you can reuse a source or destination NAT pool in multiple service sets, provided that the service interfaces associated with the service sets are in different virtual routing and forwarding (VRF) instances.
  For interface-style service sets, when a NAT pool is reused in multiple service sets, the service interfaces used in the interface-service service-interface option of each service set must be in different VRFs.
  For next-hop-style service sets, when a NAT pool is reused in multiple service sets, the service interfaces used in the outside-interface option of each service set must be in different VRFs.
  Not adhering to these service interface restrictions causes multiple routes to be installed in the same VRF for the same NAT addresses, so reverse traffic is processed incorrectly.
  To enable sharing of source NAT pools, include the allow-overlapping-nat-pools statement at the [edit services nat] hierarchy level.
- A NAT rule or ruleset
To configure an MS-DPC interface to be used exclusively for carrier-grade NAT (CGN) or related services (intrusion detection, stateful firewall, and softwire), include the cgn-pic statement at the [edit interfaces interface-name services-options] hierarchy level. This allows CGN to access all of the available memory on the MS-DPC.
To configure a NAT service set:
- At the [edit services] hierarchy level, define the service set.
    [edit services]
    user@host# edit service-set service-set-name
- Configure either an interface service, which requires a single service interface, or a next-hop service, which requires an inside and an outside service interface.
    [edit services service-set service-set-name]
    user@host# set interface-service service-interface interface-name
  Or
    [edit services service-set service-set-name]
    user@host# set next-hop-service inside-service-interface interface-name outside-service-interface interface-name
  On ACX Series routers, or if you have a Trio-based line card (MPC/MIC), you can use an inline-services interface that was configured on that card, as shown in this example:
    user@host# set interfaces si-0/0/0
    [edit services service-set s1]
    user@host# set interface-service service-interface si-0/0/0
  For more information on interface service and next-hop service, see “Configuring Service Sets to be Applied to Services Interfaces.”
- Configure a reference to the NAT rules or ruleset to be used with the service set.
    [edit services service-set service-set-name]
    user@host# set nat-rules rule-or-ruleset-name
- (Optional) For NAT64, specify that the don’t fragment (DF) bit in IPv4 packet headers is cleared when the packet length is less than 1280 bytes.
    [edit services service-set service-set-name]
    user@host# set nat-options stateful-nat64 clear-dont-fragment-bit
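The following configuration, added here as an example and not taken from the original page, puts the steps above together with the pool-reuse restriction described earlier: two interface-style service sets on one MS-DPC share a single source NAT pool, and each service interface is placed in its own VRF so the NAT routes do not collide. Interface names, routing-instance names, route distinguishers and addresses are assumptions.

```junos
## Constructed example: two NAT service sets sharing one source pool,
## with each service interface in a separate VRF (assumed names/addresses).

## Dedicate the MS-DPC to CGN so it can use all of its available memory.
set interfaces ms-1/0/0 services-options cgn-pic
set interfaces ms-1/0/0 unit 1 family inet
set interfaces ms-1/0/0 unit 2 family inet

## One service interface per VRF: the precondition for reusing a pool
## across interface-style service sets.
set routing-instances vrf-a instance-type vrf
set routing-instances vrf-a route-distinguisher 65000:1
set routing-instances vrf-a vrf-target target:65000:1
set routing-instances vrf-a interface ms-1/0/0.1
set routing-instances vrf-a interface ge-0/0/1.0
set routing-instances vrf-b instance-type vrf
set routing-instances vrf-b route-distinguisher 65000:2
set routing-instances vrf-b vrf-target target:65000:2
set routing-instances vrf-b interface ms-1/0/0.2
set routing-instances vrf-b interface ge-0/0/2.0

## Allow the pool to be shared, define it, and define a NAPT rule that
## translates private sources into the pool (inbound direction).
set services nat allow-overlapping-nat-pools
set services nat pool shared-pool address 203.0.113.0/24
set services nat rule r-napt match-direction input
set services nat rule r-napt term t1 from source-address 10.0.0.0/8
set services nat rule r-napt term t1 then translated source-pool shared-pool
set services nat rule r-napt term t1 then translated translation-type napt-44

## Two interface-style service sets; both reference the same rule and
## therefore the same pool, which is only valid because ms-1/0/0.1 and
## ms-1/0/0.2 are in different VRFs.
set services service-set ss-a interface-service service-interface ms-1/0/0.1
set services service-set ss-a nat-rules r-napt
set services service-set ss-b interface-service service-interface ms-1/0/0.2
set services service-set ss-b nat-rules r-napt

## Apply each service set on the customer-facing interface of its VRF.
set interfaces ge-0/0/1 unit 0 family inet service input service-set ss-a
set interfaces ge-0/0/1 unit 0 family inet service output service-set ss-a
set interfaces ge-0/0/2 unit 0 family inet service input service-set ss-b
set interfaces ge-0/0/2 unit 0 family inet service output service-set ss-b
```

The `##` lines are explanatory only; strip them before loading the commands. If both service interfaces were instead left in the same VRF, the shared pool would produce duplicate routes for 203.0.113.0/24 in that VRF, which is the reverse-traffic failure the text above warns about.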