
    Configuring Juniper Service Framework – Network Address Translation Package, Rules, and Services Set

    Network Address Translation (NAT) is a mechanism for concealing a set of host addresses on a private network behind a pool of public addresses. It can be used as a security measure to protect the host addresses from direct targeting in network attacks. The Junos operating system (Junos OS) supports NAT on IPv4 networks. To run NAT on the Junos Services Framework (JSF), you must configure the jservices-nat package at the [edit chassis fpc slot pic slot adaptive-services service-package extension-provider] hierarchy level. In addition, you must configure NAT rules and a service set that uses a Multiservices interface. This topic includes the following tasks:

    1. Configuring the JSF NAT Package
    2. Configuring the NAT Rule and NAT Pool
    3. Configuring the Services Set for NAT

    Configuring the JSF NAT Package

    To configure the JSF-NAT package:

    1. In configuration mode, go to the following hierarchy level:
      user@host# edit chassis
    2. At this hierarchy level, specify the FPC slot and PIC slot.
      [edit chassis]user@host# edit fpc slot pic slot

      In this example, the FPC is in slot 1 and the PIC is in slot 0:

      [edit chassis]user@host# edit fpc 1 pic 0
    3. Configure the number of cores dedicated to control functions.
      [edit chassis fpc slot pic slot]user@host# set adaptive-services service-package extension-provider control-cores control-cores

      In this example, the number of control cores is 1.

      [edit chassis fpc 1 pic 0]user@host# set adaptive-services service-package extension-provider control-cores 1
    4. Configure the number of cores dedicated to data processing.
      [edit chassis fpc slot pic slot]user@host# set adaptive-services service-package extension-provider data-cores data-cores

      In this example, the number of data cores is 7.

      [edit chassis fpc 1 pic 0]user@host# set adaptive-services service-package extension-provider data-cores 7
    5. Configure the size of the object cache in megabytes (MB). Only values in increments of 128 MB are allowed, and the maximum object cache size is 1280 MB.
      [edit chassis fpc slot pic slot]user@host# set adaptive-services service-package extension-provider object-cache-size object-cache-size

      In this example, the size of the object cache is 512 MB.

      [edit chassis fpc 1 pic 0]user@host# set adaptive-services service-package extension-provider object-cache-size 512
    6. Configure the size of the policy database in megabytes (MB).
      [edit chassis fpc slot pic slot]user@host# set adaptive-services service-package extension-provider policy-db-size policy-db-size

      In this example, the size of the policy database is 64 MB.

      [edit chassis fpc 1 pic 0]user@host# set adaptive-services service-package extension-provider policy-db-size 64
    7. Configure the package.
      [edit chassis fpc slot pic slot]user@host# set adaptive-services service-package extension-provider package package

      In this example, the package is jservices-nat.

      [edit chassis fpc 1 pic 0]user@host# set adaptive-services service-package extension-provider package jservices-nat
    8. Configure the extension-provider system log so that the PIC records system log messages that you can view later:
      [edit chassis fpc slot pic slot]user@host# set adaptive-services service-package extension-provider syslog syslog

      In this example, the system log is set to daemon any and external any:

      [edit chassis fpc 1 pic 0]user@host# set adaptive-services service-package extension-provider syslog daemon any
      [edit chassis fpc 1 pic 0]user@host# set adaptive-services service-package extension-provider syslog external any
    9. Verify the configuration.
      [edit chassis]
      user@host# show
      fpc 1 {
          pic 0 {
              adaptive-services {
                  service-package {
                      extension-provider {
                          control-cores 1;
                          data-cores 7;
                          object-cache-size 512;
                          policy-db-size 64;
                          package jservices-nat;
                          syslog {
                              daemon any;
                              external any;
                          }
                      }
                  }
              }
          }
      }
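    As an added example (not part of Juniper's documentation), the following Python helper generates the set commands of steps 3 through 8 for one PIC and rejects an object-cache-size that violates the 128 MB increment and 1280 MB maximum stated in step 5, so a bad value is caught before a commit is attempted. The function and constant names are my own.

```python
# Added example (not Juniper's code): emit the extension-provider "set" commands for the
# JSF NAT package, enforcing the object-cache-size rule this topic states (multiples of
# 128 MB, at most 1280 MB) before the commands reach a device.

HIERARCHY = "chassis fpc {fpc} pic {pic} adaptive-services service-package extension-provider"
OBJECT_CACHE_STEP_MB = 128
OBJECT_CACHE_MAX_MB = 1280


def validate_object_cache_size(size_mb):
    """Return size_mb if it is a legal object-cache-size value, otherwise raise ValueError."""
    if not isinstance(size_mb, int) or size_mb <= 0:
        raise ValueError("object-cache-size must be a positive whole number of MB")
    if size_mb % OBJECT_CACHE_STEP_MB:
        raise ValueError(f"object-cache-size {size_mb} is not a multiple of {OBJECT_CACHE_STEP_MB} MB")
    if size_mb > OBJECT_CACHE_MAX_MB:
        raise ValueError(f"object-cache-size {size_mb} exceeds the {OBJECT_CACHE_MAX_MB} MB maximum")
    return size_mb


def jsf_nat_package_commands(fpc, pic, control_cores, data_cores, object_cache_mb,
                             policy_db_mb, package="jservices-nat",
                             syslog=(("daemon", "any"), ("external", "any"))):
    """Return the 'set' commands for one PIC, in the order the steps above give them."""
    validate_object_cache_size(object_cache_mb)
    base = "set " + HIERARCHY.format(fpc=fpc, pic=pic)
    cmds = [
        f"{base} control-cores {control_cores}",
        f"{base} data-cores {data_cores}",
        f"{base} object-cache-size {object_cache_mb}",
        f"{base} policy-db-size {policy_db_mb}",
        f"{base} package {package}",
    ]
    # one syslog statement per (facility, level) pair, as in the example's "daemon any" and "external any"
    cmds.extend(f"{base} syslog {facility} {level}" for facility, level in syslog)
    return cmds
```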

    Configuring the NAT Rule and NAT Pool

    To configure the NAT pool and NAT rule:

    1. In configuration mode, go to the following hierarchy level:
      user@host# edit services
    2. Configure the NAT pool.
      [edit services]user@host# set nat pool pool

      In this example, the NAT pool is p1.

      [edit services]user@host# set nat pool p1
    3. Configure the NAT pool address.
      [edit services]user@host# set nat pool p1 address address

      In this example, the NAT pool address is 20.1.1.10/32.

      [edit services]user@host# set nat pool p1 address 20.1.1.10/32
    4. Configure the NAT pool port.
      [edit services]user@host# set nat pool p1 port port

      In this example, the NAT pool port is automatic.

      [edit services]user@host# set nat pool p1 port automatic
    5. Configure the rule.
      [edit services]user@host# set nat rule rule

      In this example, the rule is r1.

      [edit services]user@host# set nat rule r1
    6. Configure the match direction.
      [edit services]user@host# set nat rule r1 match-direction match-direction

      In this example, the match direction is input.

      [edit services]user@host# set nat rule r1 match-direction input
    7. Configure the term.
      [edit services]user@host# set nat rule r1 term term

      In this example, the term is t1.

      [edit services]user@host# set nat rule r1 term t1
    8. Configure the input conditions for the NAT term.
      [edit services]user@host# set nat rule r1 term t1 from from

      In this example, the input conditions are applications junos-tftp and applications junos-rsh.

      [edit services]user@host# set nat rule r1 term t1 from applications junos-tftp
      [edit services]user@host# set nat rule r1 term t1 from applications junos-rsh
    9. Configure the NAT term action.
      [edit services]user@host# set nat rule r1 term t1 then then

      In this example, the term action is translated.

      [edit services]user@host# set nat rule r1 term t1 then translated
    10. Configure the properties for translated traffic.
      [edit services]user@host# set nat rule r1 term t1 then translated translated

      In this example, the property for the translated traffic is source-pool p1.

      [edit services]user@host# set nat rule r1 term t1 then translated source-pool p1
    11. Configure the translation type for the translated traffic.
      [edit services]user@host# set nat rule r1 term t1 then translated translation-type translation-type

      In this example, the translation type is dynamic-nat44.

      [edit services]user@host# set nat rule r1 term t1 then translated translation-type dynamic-nat44
    12. Verify the configuration:
      [edit services]
      user@host# show
      nat {
          pool p1 {
              address 20.1.1.10/32;
              port {
                  automatic;
              }
          }
          rule r1 {
              match-direction input;
              term t1 {
                  from {
                      applications [ junos-tftp junos-rsh ];
                  }
                  then {
                      translated {
                          source-pool p1;
                          translation-type dynamic-nat44;
                      }
                  }
              }
          }
      }

    Configuring the Services Set for NAT

    To configure the services set for NAT:

    1. In configuration mode, go to the following hierarchy level:
      user@host# edit services
    2. Configure the service set with a rule.
      [edit services]user@host# edit service-set service-set

      In this example, the service set is nat-ss.

      [edit services]user@host# edit service-set nat-ss
    3. Configure the service set message rate limit.
      [edit services service-set nat-ss]user@host# edit syslog

      In this example, system logging for the service set is configured at the syslog hierarchy level; the message rate limit is the maximum number of system log messages per second allowed from this interface.

      [edit services service-set nat-ss]user@host# edit syslog
    4. Configure the host attributes.
      [edit services service-set nat-ss syslog]user@host# edit host host

      In this example, the host is local, as the verification output in step 9 shows.

      [edit services service-set nat-ss syslog]user@host# edit host local
    5. Configure the services with services attributes.
      [edit services service-set nat-ss syslog host local]user@host# set services services

      In this example, the services attribute is any.

      [edit services service-set nat-ss syslog host local]user@host# set services any
    6. Configure the service set with NAT rules.
      [edit services service-set nat-ss]user@host# set nat-rules nat-rules

      In this example, the NAT rule is r1.

      [edit services service-set nat-ss]user@host# set nat-rules r1
    7. Go to the interface-service hierarchy level, where the service interface is configured.
      [edit services service-set nat-ss]user@host# edit interface-service
    8. Configure the service interface.
      [edit services service-set nat-ss interface-service]user@host# set service-interface service-interface

      In this example, the interface is ms-1/0/0.

      [edit services service-set nat-ss interface-service]user@host# set service-interface ms-1/0/0
    9. Verify the configuration.
      [edit services]
      user@host# show
      service-set nat-ss {
          syslog {
              host local {
                  services any;
              }
          }
          nat-rules r1;
          interface-service {
              service-interface ms-1/0/0;
          }
      }
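    The three tasks above only work together when the references line up: the service set must name a NAT rule that exists, the rule's source-pool must name a pool that exists, and the service interface must be a Multiservices (ms-) interface. As an added example (my own code, not Juniper's), this Python script parses the brace-format output of the verification steps in the NAT rule and service set tasks and reports any dangling reference; the sample configuration embedded in it is constructed from this topic's example values, and the function names are assumptions.

```python
import re

# Constructed sample in Junos "show" format: the pool, rule and service set from this topic.
SAMPLE_CONFIG = """
nat {
    pool p1 { address 20.1.1.10/32; port { automatic; } }
    rule r1 { match-direction input; term t1 {
        from { applications [ junos-tftp junos-rsh ]; }
        then { translated { source-pool p1; translation-type dynamic-nat44; } } } }
}
service-set nat-ss {
    syslog { host local { services any; } }
    nat-rules r1;
    interface-service { service-interface ms-1/0/0; }
}
"""

def parse_junos(text):
    # Brace-format config -> nested dicts; a leaf 'keyword v1 v2;' becomes {keyword: [v1, v2]}.
    stack, words = [{}], []
    for tok in re.findall(r"[{};]|[^\s{};\[\]]+", text):   # brackets around lists are skipped
        if tok == "{":                                     # the words before the brace name the block
            stack.append(stack[-1].setdefault(" ".join(words), {}))
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            if words:
                stack[-1][words[0]] = words[1:]
        else:
            words.append(tok)
            continue
        words = []
    return stack[0]

def check_nat_service_set(config, name):
    # Cross-reference the service set with its NAT rule, the rule's source pool and its interface.
    problems, nat = [], config.get("nat", {})
    ss = config.get(f"service-set {name}")
    if ss is None:
        return [f"service-set {name} is not defined"]
    for rule in ss.get("nat-rules", []):
        if f"rule {rule}" not in nat:
            problems.append(f"nat-rules {rule}: NAT rule is not defined")
        for term, body in nat.get(f"rule {rule}", {}).items():
            if term.startswith("term "):
                for pool in body.get("then", {}).get("translated", {}).get("source-pool", []):
                    if f"pool {pool}" not in nat:
                        problems.append(f"{term} of rule {rule}: source-pool {pool} is not defined")
    iface = ss.get("interface-service", {}).get("service-interface", [""])[0]
    if not iface.startswith("ms-"):   # this topic's service set runs on a Multiservices (ms-) interface
        problems.append(f"service-interface {iface!r} is not an ms- interface")
    return problems
```

Run `check_nat_service_set(parse_junos(SAMPLE_CONFIG), "nat-ss")` on the sample and it returns an empty list; change the pool or rule name in one place and the corresponding dangling reference is reported.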

    Published: 2012-07-02