
NAPT Example

Figure 6 illustrates a NAPT configuration for a private network with two inside subnetworks, a field office, and a corporate office.

Both offices use private addresses. The corporate office has a dual T-3 link and a public FTP server that has a global address (that is, it does not need translation).

Figure 6: NAPT Example


The address pool consists of three addresses (the number of addresses is small, because NAPT is used). Addresses matching the private address spaces of the corporate and field subnetworks are translated to global addresses from the pool through NAPT.

To configure this example:

  1. Enter the correct virtual router context.
    host1(config)#virtual-router blue
  2. Mark the inside interfaces.
    1. Mark the field office:
      host1:blue(config)#interface serial 2/1:1/1
      host1:blue(config-interface)#ip nat inside
      host1:blue(config-interface)#exit
    2. Mark the two corporate T-3 links:
      host1:blue(config)#interface serial 1/1
      host1:blue(config-interface)#ip nat inside
      host1:blue(config-interface)#exit
      host1:blue(config)#interface serial 1/2
      host1:blue(config-interface)#ip nat inside
      host1:blue(config-interface)#exit
  3. Mark the outside interface.
    host1:blue(config)#interface gigabitEthernet 3/0.1
    host1:blue(config-interface)#ip nat outside
    host1:blue(config-interface)#exit
  4. Create a static nil-translation for the FTP server on the corporate network.
    host1:blue(config)#ip nat inside source static tcp 190.22.8.18 21 190.22.8.18 21
  5. Create the address pool for dynamic translations.
    host1:blue(config)#ip nat pool corpxyz 192.32.6.4 192.32.6.7 prefix-length 24
  6. Create the access list for addresses eligible for dynamic translation.
    host1:blue(config)#access-list justcorp permit 10.10.1.0 0.0.0.255
    host1:blue(config)#access-list justcorp permit 10.10.2.0 0.0.0.255
  7. Create the NAPT dynamic translation rule.
    host1:blue(config)#ip nat inside source list justcorp pool corpxyz overload
  8. Configure a default route to the outside interface.
    host1:blue(config)#ip route 0.0.0.0 0.0.0.0 gigabitEthernet 3/0.1
  9. Configure a null route for the inside global addresses to prevent routing loops when no matching translation exists.
    host1:blue(config)#ip route 192.32.6.0 255.255.255.248 null 0

    Note: The null route applies to 192.32.6.0–192.32.6.3, which do not exist in the address pool.

All hosts that use private addresses in both the field office and the corporate office must have their addresses translated to one of the three addresses in the pool. Because this example uses NAPT, the interface may end up using only one pool address, depending on the number of inside hosts attempting to access the outside at any given time.
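The address arithmetic behind steps 4, 5, 6 and 9 can be checked offline before the configuration is committed. The following Python sketch is an added example, not part of the original documentation; it assumes the pool range is inclusive, and its function names and sample source addresses are illustrative.

```python
import ipaddress

# Values copied from steps 4, 5, 6 and 9 of the configuration above.
POOL = ("192.32.6.4", "192.32.6.7")
NULL_ROUTE = ("192.32.6.0", "255.255.255.248")
ACL_JUSTCORP = [("10.10.1.0", "0.0.0.255"), ("10.10.2.0", "0.0.0.255")]
FTP_SERVER = "190.22.8.18"  # static nil-translation, keeps its global address


def pool_addresses(first, last):
    """Expand a first..last pool range (assumed inclusive) into addresses."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [ipaddress.IPv4Address(n) for n in range(lo, hi + 1)]


def acl_permits(acl, src):
    """True if src matches a permit entry; wildcard bits set to 1 are ignored."""
    s = int(ipaddress.IPv4Address(src))
    for base, wildcard in acl:
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if (s & care) == (int(ipaddress.IPv4Address(base)) & care):
            return True
    return False


def null_route_gaps(route, pool):
    """Return (pool addresses the null route misses,
    null-routed addresses that are outside the pool)."""
    net = ipaddress.IPv4Network(f"{route[0]}/{route[1]}")
    missed = [str(a) for a in pool if a not in net]
    extra = [str(a) for a in net if a not in pool]
    return missed, extra


if __name__ == "__main__":
    pool = pool_addresses(*POOL)
    missed, extra = null_route_gaps(NULL_ROUTE, pool)
    print("pool addresses without a null route:", missed or "none")
    print("null-routed addresses outside the pool:", extra)
    # Constructed sample sources: two inside hosts, one outside the ACL,
    # and the FTP server, which must not be dynamically translated.
    for src in ("10.10.1.25", "10.10.2.200", "10.10.3.1", FTP_SERVER):
        print(src, "eligible for NAPT" if acl_permits(ACL_JUSTCORP, src)
              else "not translated by rule justcorp")
```

An empty first list from `null_route_gaps` means every pool address falls back to the null route when no translation matches, which is the loop-prevention property step 9 is meant to provide.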

