Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Network Address Translation Overview on ACX Series

 

Network Address Translation Overview on ACX Series

Network Address Translation (NAT) is a method for modifying or translating network address information in packet headers. Either or both source and destination addresses in a packet may be translated. NAT can include the translation of port numbers as well as IP addresses.

NAT is described in RFC 1631 to solve IP (version 4) address depletion problems. NAT has been found to be a useful tool for firewalls, traffic redirect, load sharing, network migrations, and so on.

Note

In ACX Series routers, NAT is supported only on the ACX1100 AC-powered router and ACX500 routers for inline NAT and inline IPsec services. ACX1100 AC-powered router supports only source NAT for IPv4 packets. Static and dynamic NAT types are currently not supported. Service chaining (GRE, NAT, and IPSec) on ACX1100-AC and ACX500 routers is not supported.

A license is required for enabling inline services on ACX500 routers.

Note

ACX5048 and ACX5096 routers do not support NAT configurations.

Source NAT is the translation of the source IP address of a packet leaving the router. Source NAT is used to allow hosts with private IP addresses to access a public network.

Source NAT allows connections to be initiated only for outgoing network connections—for example, from a private network to the Internet. Source NAT is commonly used to:

  • Translate a single IP address to another address (for example, to provide a single device in a private network with access to the Internet).

  • Translate a contiguous block of addresses to another block of addresses of the same size.

  • Translate a contiguous block of addresses to another block of addresses of smaller size.

  • Translate a contiguous block of addresses to a single IP address or a smaller block of addresses using port translation.

  • Translate a contiguous block of addresses to the address of the egress interface.

Network Address Port Translation Overview

Network Address Port Translation (NAPT) is a method by which many network addresses and their TCP/UDP ports are translated into a single network address and its TCP/UDP ports. This translation can be configured in both IPv4 and IPv6 networks.

In ACX Series routers, you can have up to 4096 network address translations at a time.

Network Address Translation Address Overload in ACX Series

The NAT services on ACX Series routers allows Junos OS interface addresses to be shared with a NAPT pool. This feature of sharing the same address/port between the NAPT pool and Junos OS is termed as address overloading.

To achieve address overloading, the available IPv4 address or port range of 1 to 65,536 addresses is partitioned between Junos OS and NAT as shown below:

  • Junos OS—1 to 49,159 addresses.

  • NAPT pool—49,160 through 53,255 addresses.

  • Junos OS—53,255 through 65,535 addresses.

The number of ports reserved for NAPT pool with address overload feature is 4096.

To enable address-overloading, include the address-overload statement and the interface statement at the [edit services nat pool nat-pool-name] hierarchy level.

The address-overload statement enables sharing of IPv4 address between Junos OS and the NAT pool. Along with the address-overload statement, you must also specify the interface statement so that the first available IPv4 address or port of the interface is picked up for the NAT pool.

You can configure the address overload feature the following ways:

  • Configure an interface along with the address-overload statement as shown in the following example.

    In this case, the primary address on the interface is picked for the NAT pool.

  • Directly configure a /32 address as shown in the following example:

The interface statement enables sharing of IPv4 interface address with the NAT pool along with the port range specified in the pool.

Network Address Translation Constraints on ACX

You should consider the following constraints while configuring Network Address Translation (NAT) on ACX Series routers:

  • When a port is defined in a NAT pool, you can configure only one address or one address range in the pool.

  • ACX Series routers support nat-rules with match-direction as input. match-direction as output is not supported.

  • When you specify an address range or an address prefix in a NAT pool, the maximum number of addresses supported is 65,535. ACX Series routers supports up to 4096 network address translations at a time.

  • The maximum number of service sets that can be configured is 2.

  • In a NAT rule term, the from clause can contain a maximum of 4 matching addresses.

  • The maximum terms per NAT rule allowed is 4.

  • The maximum NAT rules per service set allowed is 2.

Enabling Inline Services Interface on ACX Series

The inline services interface is a virtual interface that resides on the Packet Forwarding Engine. The si- interface makes it possible to provide NAT and IPsec services without using a special services PIC.

To configure inline services interface, you define the service interface as type si- (service-inline) interface. You must also reserve adequate bandwidth for the inline services interface. This enables you to configure both interface or next-hop service sets used for NAT and IPsec services.

Note

In ACX Series routers, you can configure only one inline services interface as an anchor interface for NAT and IPsec sessions: si-0/0/0.

Note

In ACX Series routers, only ACX1100-AC and ACX500 routers support IPsec services. ACX Series routers support only basic NAT.

To enable inline services interface:

  1. Access an FPC-managed slot and the PIC where the interface is to be enabled.
  2. Enable the interface and specify the amount of bandwidth reserved on each Packet Forwarding Engine for tunnel traffic that uses inline services.