
    Example: Configuring Network Address Translation for a User Logical System

    This example shows how to configure static NAT for a user logical system.

    Requirements

    Before you begin:

    Overview

    This example configures the ls-product-design user logical system shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System.

    Devices in the ls-product-design-untrust zone access a specific host in the ls-product-design-trust zone by way of the address 12.1.1.200/32. For packets that enter the ls-product-design logical system from the ls-product-design-untrust zone with the destination IP address 12.1.1.200/32, the destination IP address is translated to 12.1.1.100/32. This example configures the static NAT described in Table 1.

    Table 1: User Logical System Static NAT Configuration

    Feature             | Name | Configuration Parameters
    --------------------+------+-----------------------------------------------------------
    Static NAT rule set | rs1  | • Rule r1 to match packets from the ls-product-design-untrust zone with destination address 12.1.1.200/32.
                        |      | • Destination IP address in matching packets is translated to 12.1.1.100/32.
    Proxy ARP           |      | Address 12.1.1.200 on interface lt-0/0/0.3.

    Configuration

    CLI Quick Configuration

    To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

    set security nat static rule-set rs1 from zone ls-product-design-untrust
    set security nat static rule-set rs1 rule r1 match destination-address 12.1.1.200/32
    set security nat static rule-set rs1 rule r1 then static-nat prefix 12.1.1.100/32
    set security nat proxy-arp interface lt-0/0/0.3 address 12.1.1.200/32

    Step-by-Step Procedure

    The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

    To configure NAT in a user logical system:

    1. Log in to the user logical system as the logical system administrator and enter configuration mode.
      lsdesignadmin1@host:ls-product-design> configure
      lsdesignadmin1@host:ls-product-design#
    2. Configure a static NAT rule set.
      [edit security nat static]
      lsdesignadmin1@host:ls-product-design# set rule-set rs1 from zone ls-product-design-untrust
    3. Configure a rule that matches packets and translates the destination address in the packets.
      [edit security nat static]
      lsdesignadmin1@host:ls-product-design# set rule-set rs1 rule r1 match destination-address 12.1.1.200/32
      lsdesignadmin1@host:ls-product-design# set rule-set rs1 rule r1 then static-nat prefix 12.1.1.100/32
    4. Configure proxy ARP.
      [edit security nat]
      lsdesignadmin1@host:ls-product-design# set proxy-arp interface lt-0/0/0.3 address 12.1.1.200/32

    Results

    From configuration mode, confirm your configuration by entering the show security nat command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    lsdesignadmin1@host:ls-product-design# show security nat
    static {
        rule-set rs1 {
            from zone ls-product-design-untrust;
            rule r1 {
                match {
                    destination-address 12.1.1.200/32;
                }
                then {
                    static-nat prefix 12.1.1.100/32;
                }
            }
        }
    }
    proxy-arp {
        interface lt-0/0/0.3 {
            address {
                12.1.1.200/32;
            }
        }
    }

    If you are done configuring the device, enter commit from configuration mode.
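
    A consistency check to run over the set commands before commit, given here as an added example that is not part of the Juniper documentation: it confirms that each static NAT rule has both its match and then clauses and that a proxy-ARP entry covers the rule's destination address, as this page's configuration does, and it shows the 12.1.1.200 to 12.1.1.100 rewrite. The function names are hypothetical, and only single-prefix IPv4 statements in the forms shown on this page are parsed.

```python
import ipaddress
import re

# The four set commands from this page's CLI Quick Configuration.
CONFIG = """\
set security nat static rule-set rs1 from zone ls-product-design-untrust
set security nat static rule-set rs1 rule r1 match destination-address 12.1.1.200/32
set security nat static rule-set rs1 rule r1 then static-nat prefix 12.1.1.100/32
set security nat proxy-arp interface lt-0/0/0.3 address 12.1.1.200/32
"""
RULE = re.compile(r"set security nat static rule-set (\S+) rule (\S+) "
                  r"(match destination-address|then static-nat prefix) (\S+)")
ARP = re.compile(r"set security nat proxy-arp interface (\S+) address (\S+)")

def parse(config):
    """Return (rules, arps): rules maps (rule_set, rule) to its two networks."""
    rules, arps = {}, []
    for line in map(str.strip, config.splitlines()):
        if m := RULE.match(line):
            key = "match" if m.group(3).startswith("match") else "prefix"
            rules.setdefault(m.group(1, 2), {})[key] = ipaddress.ip_network(m.group(4))
        elif m := ARP.match(line):
            arps.append((m.group(1), ipaddress.ip_network(m.group(2))))
    return rules, arps

def audit(config):
    """Return findings: incomplete rules and NAT addresses with no proxy-ARP entry."""
    rules, arps = parse(config)
    findings = []
    for (rs, name), r in sorted(rules.items()):
        if set(r) != {"match", "prefix"}:
            findings.append(f"{rs}/{name}: needs both match and then clauses")
        elif not any(r["match"].subnet_of(net) for _, net in arps):
            findings.append(f"{rs}/{name}: no proxy-arp entry covers {r['match']}")
    return findings

def translate(config, dst):
    """Rewrite dst the way a matching static rule would (one-to-one offset)."""
    addr = ipaddress.ip_address(dst)
    for r in parse(config)[0].values():
        if set(r) == {"match", "prefix"} and addr in r["match"]:
            offset = int(addr) - int(r["match"].network_address)
            return str(r["prefix"].network_address + offset)
    return dst  # no static NAT rule matched, address unchanged

if __name__ == "__main__":
    print(audit(CONFIG) or "static NAT and proxy ARP are consistent")
    print("12.1.1.200 ->", translate(CONFIG, "12.1.1.200"))
```

    An empty list from audit() means every static NAT destination address in the pasted commands also appears under proxy-arp; the check does not consider zones or which interface the entry is on.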

    Verification

    To confirm that the configuration is working properly, perform these tasks:

    Verifying Static NAT Configuration

    Purpose

    Verify that there is traffic matching the static NAT rule set.

    Action

    From operational mode, enter the show security nat static rule command. View the Translation hits field to check for traffic that matches the rule.

    Verifying NAT Application to Traffic

    Purpose

    Verify that NAT is being applied to the specified traffic.

    Action

    From operational mode, enter the show security flow session command.

    Published: 2012-06-29