
Static Source NAT

Configuring Static Source Translation in IPv4 Networks

To configure the translation type as basic-nat44, you must configure the NAT pool and rule, the service set with its service interface, and trace options. This topic includes the following tasks:

Configuring the NAT Pool and Rule

To configure the NAT pool, rule, and term:

  1. In configuration mode, go to the [edit services nat] hierarchy level.
  2. Configure the NAT pool with an address.

    In the following example, the pool name is src_pool and the address is 10.10.10.2/32.

  3. Configure the NAT rule and the match direction.

    In the following example, the NAT rule name is rule-basic-nat44 and the match direction is input.

  4. Configure the source address in the from statement.

    In the following example, the term name is t1 and the input condition is source-address 3.1.1.2/32.

  5. Configure the NAT term action and properties of the translated traffic.

    In the following example, the term action is translated and the property of the translated traffic is source-pool src_pool.

  6. Configure the translation type. 

    In the following example, the translation type is basic-nat44.

  7. Verify the configuration by using the show command at the [edit services nat] hierarchy level.
    [edit services nat]
    user@host# show
Note

If you do not configure a stateful firewall (SFW) rule for your traffic, each packet is subjected to the following default stateful firewall rule:

  • Allow any valid packets from inside to outside.

  • Create forward and return flows based on the packet's 5-tuple.

  • Allow only valid packets matching return flows from outside to inside.

The stateful firewall's packet validity checks are described in Stateful Firewall Anomaly Checking in Junos Network Secure Overview. Packets that pass stateful firewall validity checking but are not matched by a NAT rule are not translated; they may still be forwarded, with their original source addresses, if the NAT node has a valid route to their destination IP addresses. Make sure the from statements of your NAT rule terms cover every inside source that must not leave the network untranslated.

Note

When you add or delete a parameter in the from statement (the NAT rule term match condition) at the [edit services service-set service-set-name nat-rules rule-name term term-name] hierarchy level, the change triggers a deletion and re-addition of the NAT policy. The effect resembles deactivating and activating the service set: existing NAT mappings are deleted, but the sessions that use them are not closed, so the mappings are removed as soon as those sessions close. This behavior is expected and applies only with Junos OS Extension-Provider packages installed on the device. When a NAT policy is deleted and re-added, only EIM mappings are deleted; the service set itself is not deactivated and activated. In Junos OS Release 14.2 and earlier, we recommend that you deactivate and reactivate the service set in such scenarios.

Configuring the Service Set for NAT

To configure the service set for NAT:

  1. In configuration mode, go to the [edit services] hierarchy level.
  2. Configure the service set.

    In the following example, the service set name is s1.

  3. For the s1 service set, set the reference to the NAT rules configured at the [edit services nat] hierarchy level.

    In the following example, the rule name is rule-basic-nat44.

  4. Configure the service interface.

    In the following example, the service interface name is ms-1/2/0.

    Note

    If you have a Trio-based line card, you can instead configure an inline services (si-) interface on that card and use it as the service interface.

  5. Verify the configuration by using the show command at the [edit services] hierarchy level.
  6. Associate the NAT service set with an xe- interface by applying it under family inet service in both the input and the output direction of the interface unit.
  7. Verify the configuration by using the show command at the [edit interfaces] hierarchy level.

Configuring Trace Options

To configure the trace options:

  1. In configuration mode, go to the [edit services adaptive-services-pics] hierarchy level.
  2. Configure the trace options.

    In the following example, the tracing parameter is all.

  3. Verify the configuration by using the show command at the [edit services] hierarchy level.
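The three tasks above, collected into one loadable configuration as an added example (this is not a listing from the original page). It uses the names and addresses given in the steps: pool src_pool with 10.10.10.2/32, rule rule-basic-nat44 with term t1 matching 3.1.1.2/32, service set s1 on ms-1/2/0, and trace flag all. The customer-facing interface xe-0/0/0, its address 3.1.1.1/24 and the ms-1/2/0 unit 0 definition are assumptions. Lines starting with # are explanatory only and are not part of the configuration.

```junos
# Added example: static source NAT (basic-nat44) built from the procedure above.
# Lines starting with # are explanatory only; enter the set commands under [edit].

# 1. NAT pool: a single /32, so exactly one inside host can be mapped.
set services nat pool src_pool address 10.10.10.2/32

# 2. NAT rule: match-direction input means traffic entering the service set (inside to outside).
set services nat rule rule-basic-nat44 match-direction input
set services nat rule rule-basic-nat44 term t1 from source-address 3.1.1.2/32
set services nat rule rule-basic-nat44 term t1 then translated source-pool src_pool
set services nat rule rule-basic-nat44 term t1 then translated translation-type basic-nat44

# 3. Interface-style service set s1 that references the rule and runs on ms-1/2/0.
set services service-set s1 nat-rules rule-basic-nat44
set services service-set s1 interface-service service-interface ms-1/2/0

# 4. Trace options for the services PIC (flag all is verbose; narrow it in production).
set services adaptive-services-pics traceoptions flag all

# 5. Service interface, and the customer-facing interface the service set is applied to
#    (xe-0/0/0 and the address 3.1.1.1/24 are assumed).
set interfaces ms-1/2/0 unit 0 family inet
set interfaces xe-0/0/0 unit 0 family inet address 3.1.1.1/24
set interfaces xe-0/0/0 unit 0 family inet service input service-set s1
set interfaces xe-0/0/0 unit 0 family inet service output service-set s1
```

After commit, show services nat pool lists src_pool, and a session from 3.1.1.2 shows up in show services stateful-firewall flows with its translated source. Because only 3.1.1.2/32 is matched, any other inside host behind xe-0/0/0 is forwarded untranslated under the default stateful firewall rule described in the note above; widen the from clause, or discard that traffic with a stateful firewall rule, if that is not what you intend.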

Sample Configuration - Static Source NAT Using a Static Pool With An Address Prefix And An Address Range

Sample Configuration - Static Source Nat for One-To-One Mapping Between a Private Subnet and a Public Subnet

Configuring Static Source Translation in IPv6 Networks

To configure the translation type as basic-nat66, you must configure the NAT pool and rule, the service set with its service interface, and trace options. The basic-nat66 translation type is not available if you are using MS-MPCs or MS-MICs.

This topic includes the following tasks:

Configuring the NAT Pool and Rule

To configure the NAT pool, rule, and term:

  1. In configuration mode, go to the [edit services nat] hierarchy level.
  2. Configure the NAT pool with an address.

    In the following example, the pool name is src_pool. For basic-nat66 the pool address must be an IPv6 prefix (an IPv4 address such as 10.10.10.2/32 cannot be used); the source prefix matched by the rule term is mapped one-to-one onto the pool prefix.

  3. Configure the NAT rule and the match direction.

    In the following example, the rule name is rule-basic-nat66 and the match direction is input.

  4. Configure the source address in the from statement.

    In the following example, the term name is t1 and the input condition is source-address 2001:db8:10::0/96.

  5. Configure the NAT term action and properties of the translated traffic.

    In the following example, the term action is translated and the property of the translated traffic is source-pool src_pool.

  6. Configure the translation type.

    In the following example, the translation type is basic-nat66.

  7. Verify the configuration by using the show command at the [edit services] hierarchy level.

Configuring the Service Set for NAT

To configure the service set for NAT: 

  1. In configuration mode, go to the [edit services] hierarchy level.
  2. Configure the service set.

    In the following example, the service set name is s1.

  3. For the s1 service set, set the reference to the NAT rules configured at the [edit services nat] hierarchy level.

    In the following example, the rule name is rule-basic-nat66.

  4. Configure the service interface.

    In the following example, the service interface name is sp-1/2/0.

  5. Verify the configuration by using the show command at the [edit services] hierarchy level.

Configuring Trace Options

To configure the trace options at the [edit services adaptive-services-pics] hierarchy level:

  1. In configuration mode, go to the [edit services adaptive-services-pics] hierarchy level.
  2. Configure the trace options.

    In the following example, the tracing parameter is all.

  3. Verify the configuration by using the show command at the [edit services] hierarchy level.

The following example configures the translation type as basic-nat66.
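An added example of the basic-nat66 procedure, assembled from the values in the steps above (it is not the original page's listing). The rule term matches 2001:db8:10::0/96 and the service interface is sp-1/2/0 as in the text; the pool prefix 2001:db8:20::/96, the inside interface xe-0/0/1 and its address 2001:db8:10::1/64 are assumptions. Lines starting with # are explanatory only.

```junos
# Added example: static source NAT for IPv6 (basic-nat66).
# Lines starting with # are explanatory only; enter the set commands under [edit].

# The pool must be an IPv6 prefix. A /96 source prefix is mapped one-to-one onto a
# pool prefix of the same length, so every inside host has a translation (pool prefix assumed).
set services nat pool src_pool address 2001:db8:20::/96

set services nat rule rule-basic-nat66 match-direction input
set services nat rule rule-basic-nat66 term t1 from source-address 2001:db8:10::0/96
set services nat rule rule-basic-nat66 term t1 then translated source-pool src_pool
set services nat rule rule-basic-nat66 term t1 then translated translation-type basic-nat66

# Service set on an sp- (services PIC) interface; basic-nat66 is not available on MS-MPCs/MS-MICs.
set services service-set s1 nat-rules rule-basic-nat66
set services service-set s1 interface-service service-interface sp-1/2/0
set services adaptive-services-pics traceoptions flag all

# The service interface and the inside interface carry IPv6, so they need family inet6
# (xe-0/0/1 and its address are assumed).
set interfaces sp-1/2/0 unit 0 family inet
set interfaces sp-1/2/0 unit 0 family inet6
set interfaces xe-0/0/1 unit 0 family inet6 address 2001:db8:10::1/64
set interfaces xe-0/0/1 unit 0 family inet6 service input service-set s1
set interfaces xe-0/0/1 unit 0 family inet6 service output service-set s1
```

The only differences from the IPv4 procedure are the IPv6 pool and match prefixes, the translation type, and family inet6 on the interfaces; the service set and trace options are configured the same way.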

Example: Configuring Basic NAT44

This example describes how to implement a basic NAT44 configuration.

Requirements

This example uses the following hardware and software components:

  • An MX Series 5G Universal Routing Platform with a Services DPC or an M Series Multiservice Edge router with a services PIC

  • A domain name server (DNS)

  • Junos OS Release 11.4 or later

Overview

This example shows a complete CGN NAT44 configuration and advanced options.

Configuring Basic NAT44

Chassis Configuration

Step-by-Step Procedure

To configure the services PIC in FPC 5, PIC slot 0 (interface sp-5/0/0) with the Layer 3 service package:

  1. Go to the [edit chassis] hierarchy level.
  2. Configure the Layer 3 service package.

Interfaces Configuration

Step-by-Step Procedure

To configure interfaces to the private network and the public Internet:

  1. Define the interface to the private network.
  2. Define the interface to the public Internet.
  3. Define the service interface for NAT processing.

Results

user@host# show interfaces ge-1/3/5
user@host# show interfaces ge-1/3/6
user@host# show interfaces sp-5/0/0
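An added example covering the chassis and interface steps above, completed with a static one-to-one mapping of a private subnet onto a public subnet (the case named by the earlier heading "Sample Configuration - Static Source NAT for One-To-One Mapping Between a Private Subnet and a Public Subnet"). It is not the original page's listing. The interface names ge-1/3/5, ge-1/3/6 and sp-5/0/0 come from the text; the addresses 10.1.1.0/24, 192.0.2.0/24 and 198.51.100.1/30 and the names pub_subnet_pool, rule-subnet-1to1 and s1 are assumptions. Lines starting with # are explanatory only.

```junos
# Added example: basic NAT44 on a services PIC, one-to-one subnet mapping.
# Lines starting with # are explanatory only; enter the set commands under [edit].

# Layer 3 service package on the services PIC in FPC 5, PIC 0 (interface sp-5/0/0).
set chassis fpc 5 pic 0 adaptive-services service-package layer-3

# Interface to the private network; the service set is applied here in both directions.
set interfaces ge-1/3/5 description "private network"
set interfaces ge-1/3/5 unit 0 family inet address 10.1.1.1/24
set interfaces ge-1/3/5 unit 0 family inet service input service-set s1
set interfaces ge-1/3/5 unit 0 family inet service output service-set s1

# Interface to the public Internet (address assumed).
set interfaces ge-1/3/6 description "public Internet"
set interfaces ge-1/3/6 unit 0 family inet address 198.51.100.1/30

# Service interface for NAT processing.
set interfaces sp-5/0/0 unit 0 family inet

# Static one-to-one mapping: a /24 pool for a /24 source, so every private host
# gets a fixed public address of its own (pool and rule names assumed).
set services nat pool pub_subnet_pool address 192.0.2.0/24
set services nat rule rule-subnet-1to1 match-direction input
set services nat rule rule-subnet-1to1 term t1 from source-address 10.1.1.0/24
set services nat rule rule-subnet-1to1 term t1 then translated source-pool pub_subnet_pool
set services nat rule rule-subnet-1to1 term t1 then translated translation-type basic-nat44
set services service-set s1 nat-rules rule-subnet-1to1
set services service-set s1 interface-service service-interface sp-5/0/0
```

For basic-nat44 the pool must be at least as large as the matched source prefix; a pool smaller than the source leaves some hosts without a translation. Return traffic to 192.0.2.0/24 must also be routed back to this router, so the pool prefix has to be advertised (or statically routed) towards the public side.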

Example: Configuring NAT for Multicast Traffic

Figure 1 illustrates the network setup for the following configuration, which allows IP multicast traffic to be sent to the Multiservices PIC.

Figure 1: Configuring NAT for Multicast Traffic

Rendezvous Point Configuration

On the rendezvous point (RP), all incoming traffic from the multicast source at 192.168.254.0/27 is sent to the static NAT pool mcast_pool, where its source is translated to 20.20.20.0/27. The service set nat_ss is a next-hop service set that allows IP multicast traffic to be sent to the Multiservices DPC or Multiservices PIC. The inside interface on the PIC is ms-1/1/0.1 and the outside interface is ms-1/1/0.2.

The Gigabit Ethernet interface ge-0/3/0 carries traffic out of the RP to Router 1. The multiservices interface ms-1/1/0 has two logical interfaces: unit 1 is the inside interface for next-hop services and unit 2 is the outside interface for next-hop services. Multicast source traffic comes in on the Fast Ethernet interface fe-1/2/1, which has the firewall filter fbf applied to incoming traffic.

Multicast packets can be directed to the Multiservices DPC or the Multiservices PIC only by using a next-hop service set. In the case of NAT, you must also steer the traffic through a separate routing instance. Therefore, the routing instance stage is created as a "dummy" forwarding instance. To direct incoming packets to stage, you configure filter-based forwarding through a firewall filter called fbf, which is applied to the incoming interface fe-1/2/1. A lookup is performed in stage.inet.0, which has a multicast static route installed with the next hop pointing to the PIC's inside interface. All multicast traffic matching this route is sent to the PIC.

The routing instance stage forwards IP multicast traffic to the inside interface ms-1/1/0.1 on the Multiservices DPC or Multiservices PIC.

You enable OSPF and Protocol Independent Multicast (PIM) on the Fast Ethernet and Gigabit Ethernet logical interfaces over which IP multicast traffic enters and leaves the RP. You also enable PIM on the outside interface (ms-1/1/0.2) of the next-hop service set.

As with any filter-based forwarding configuration, in order for the static route in the forwarding instance stage to have a reachable next hop, you must configure routing table groups so that all interface routes are copied from inet.0 to the routing table in the forwarding instance. You configure routing tables inet.0 and stage.inet.0 as members of fbf_rib_group, so that all interface routes are imported into both tables.

Reverse path forwarding (RPF) checking must be disabled for the multicast groups on which source NAT is applied, because the translated source address no longer matches the interface the traffic arrived on. You can disable RPF checking for specific multicast groups by configuring a policy similar to the one in the example that follows. In this case, the no_rpf policy disables the RPF check for multicast groups in 224.0.0.0/4. Scope such a policy as narrowly as possible: RPF checking is also what stops a router from forwarding multicast that arrives on an unexpected interface.

Router 1 Configuration

The Internet Group Management Protocol (IGMP), OSPF, and PIM configuration on Router 1 is as follows. Because of the IGMP static group configuration, traffic is forwarded out fe-3/0/0.0 to the multicast receiver without membership reports from host members being required.

The routing-options configuration creates a static route to the NAT pool, mcast_pool (20.20.20.0/27), on the RP, so that the translated source addresses are reachable and pass the RPF check on Router 1.
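The RP and Router 1 configurations described in the two sections above, assembled as an added example (it is not the original page's configuration listing). Names and addresses the text gives are used as given: mcast_pool, 20.20.20.0/27, 192.168.254.0/27, nat_ss, stage, fbf, fbf_rib_group, no_rpf, ms-1/1/0 units 1 and 2, fe-1/2/1, ge-0/3/0 and fe-3/0/0. The NAT rule name mcast_rule, the RP-to-Router 1 link 10.0.0.0/30, the RP loopback 10.255.0.1, the receiver subnet 172.16.1.0/24, the group 224.1.1.1, Router 1's uplink ge-0/0/0 and the OSPF area are assumptions. Lines starting with # are explanatory only.

```junos
# Added example: source NAT for multicast through a next-hop service set.
# Lines starting with # are explanatory only; enter the set commands under [edit].

# ---------- Rendezvous point (RP) ----------
# Inside and outside logical interfaces of the next-hop service set on the Multiservices PIC.
set interfaces ms-1/1/0 unit 1 family inet
set interfaces ms-1/1/0 unit 1 service-domain inside
set interfaces ms-1/1/0 unit 2 family inet
set interfaces ms-1/1/0 unit 2 service-domain outside

# Source-facing and Router 1-facing interfaces (addresses assumed); filter fbf on the source side.
set interfaces fe-1/2/1 unit 0 family inet address 192.168.254.30/27
set interfaces fe-1/2/1 unit 0 family inet filter input fbf
set interfaces ge-0/3/0 unit 0 family inet address 10.0.0.1/30
set interfaces lo0 unit 0 family inet address 10.255.0.1/32

# Filter-based forwarding: multicast from the source range goes to the stage instance.
set firewall family inet filter fbf term to-stage from source-address 192.168.254.0/27
set firewall family inet filter fbf term to-stage from destination-address 224.0.0.0/4
set firewall family inet filter fbf term to-stage then routing-instance stage
set firewall family inet filter fbf term default then accept

# "Dummy" forwarding instance whose only route sends multicast to the PIC inside interface.
set routing-instances stage instance-type forwarding
set routing-instances stage routing-options static route 224.0.0.0/4 next-hop ms-1/1/0.1

# Copy interface routes into inet.0 and stage.inet.0 so the static route's next hop resolves.
set routing-options rib-groups fbf_rib_group import-rib [ inet.0 stage.inet.0 ]
set routing-options interface-routes rib-group inet fbf_rib_group

# Static source NAT of the multicast source range into mcast_pool (rule name assumed).
set services nat pool mcast_pool address 20.20.20.0/27
set services nat rule mcast_rule match-direction input
set services nat rule mcast_rule term t1 from source-address 192.168.254.0/27
set services nat rule mcast_rule term t1 then translated source-pool mcast_pool
set services nat rule mcast_rule term t1 then translated translation-type basic-nat44

# Next-hop service set: inside on ms-1/1/0.1, outside on ms-1/1/0.2.
set services service-set nat_ss nat-rules mcast_rule
set services service-set nat_ss next-hop-service inside-service-interface ms-1/1/0.1
set services service-set nat_ss next-hop-service outside-service-interface ms-1/1/0.2

# OSPF and PIM on the ingress/egress interfaces, PIM also on the service set's outside interface.
set protocols ospf area 0.0.0.0 interface fe-1/2/1.0
set protocols ospf area 0.0.0.0 interface ge-0/3/0.0
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols pim rp local address 10.255.0.1
set protocols pim interface fe-1/2/1.0 mode sparse
set protocols pim interface ge-0/3/0.0 mode sparse
set protocols pim interface ms-1/1/0.2 mode sparse

# Disable the RPF check for the translated groups: a rejected route-filter match turns the check off.
set policy-options policy-statement no_rpf term 1 from route-filter 224.0.0.0/4 orlonger
set policy-options policy-statement no_rpf term 1 then reject
set protocols pim rpf-check-policy no_rpf

# ---------- Router 1 ----------
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.2/30
set interfaces fe-3/0/0 unit 0 family inet address 172.16.1.1/24
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
set protocols ospf area 0.0.0.0 interface fe-3/0/0.0 passive
set protocols pim rp static address 10.255.0.1
set protocols pim interface ge-0/0/0.0 mode sparse
set protocols pim interface fe-3/0/0.0 mode sparse
# Static IGMP membership: forward the group towards the receiver without waiting for reports.
set protocols igmp interface fe-3/0/0.0 static group 224.1.1.1
# Route to the NAT pool on the RP so the translated source 20.20.20.x passes Router 1's RPF check.
set routing-options static route 20.20.20.0/27 next-hop 10.0.0.1
```

The two pieces that are easy to miss are the rib group (without it the static route in stage.inet.0 has no resolvable next hop and the filter silently blackholes the traffic) and the pool route on Router 1 (without it the translated source fails RPF and the stream stops at Router 1 even though the RP is forwarding it).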
