
Configuring NAT Match Conditions

To configure NAT match conditions, include the from statement at the [edit services nat rule rule-name term term-name] hierarchy level:

from {
    applications [ application-names ];
    application-sets [ set-names ];
    destination-address (address | any-unicast) <except>;
    destination-address-range low minimum-value high maximum-value <except>;
    destination-prefix-list list-name <except>;
    source-address (address | any-unicast) <except>;
    source-address-range low minimum-value high maximum-value <except>;
    source-prefix-list list-name <except>;
}

To configure traditional NAT and twice NAT, you can use the destination address, a range of destination addresses, the source address, or a range of source addresses as a match condition, in the same way that you would configure a firewall filter; for more information, see the JUNOS Policy Framework Configuration Guide.

Alternatively, you can specify a list of source or destination prefixes by configuring the prefix-list statement at the [edit policy-options] hierarchy level and then including either the destination-prefix-list or source-prefix-list statement in the NAT rule. For an example, see Examples: Configuring Stateful Firewall Properties.

You can also match on application protocol definitions that you have configured at the [edit applications] hierarchy level, by including the applications or application-sets statement in the from clause; for more information, see Applications Configuration Guidelines.

Note: If you include one of the statements that specifies application protocols, the router derives port and protocol information from the corresponding configuration at the [edit applications] hierarchy level; you cannot specify these properties as match conditions.
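The following configuration is an added example, not taken from this Juniper page, that puts the from statement above together with the referenced [edit policy-options] prefix-list and [edit applications] definitions. The names (trusted-hosts, my-http, my-dns, web-apps, nat-rule-1, the term names) and the addresses are placeholders chosen for the example; match-direction is a standard NAT rule statement not described on this page, and the translation action under then is outside the scope of this page and is left as a placeholder. Note how the port and protocol for the HTTP and DNS matches live only under [edit applications], as the note above requires.

```junos
# Added example (not from the Juniper documentation page).
# Placeholder names: trusted-hosts, my-http, my-dns, web-apps, nat-rule-1.

policy-options {
    # Prefix list referenced from the NAT rule with source-prefix-list
    prefix-list trusted-hosts {
        10.1.0.0/16;
        10.2.5.0/24;
    }
}

applications {
    # Port and protocol are defined here, not as NAT match conditions
    application my-http {
        protocol tcp;
        destination-port 80;
    }
    application my-dns {
        protocol udp;
        destination-port 53;
    }
    # Group the two definitions so the rule can reference them with application-sets
    application-set web-apps {
        application my-http;
        application my-dns;
    }
}

services {
    nat {
        rule nat-rule-1 {
            # match-direction is required on a NAT rule; not covered on this page
            match-direction input;
            term web-from-trusted {
                from {
                    source-prefix-list trusted-hosts;
                    destination-address 192.0.2.0/24;
                    application-sets web-apps;
                }
                then {
                    # translation action: see the NAT actions configuration, not this page
                }
            }
            term any-to-range {
                from {
                    # except negates the match: traffic from this host is not matched
                    source-address 10.2.5.1/32 except;
                    destination-address-range low 198.51.100.10 high 198.51.100.20;
                }
                then {
                    # translation action placeholder
                }
            }
        }
    }
}
```

Because the rule references web-apps rather than listing ports, any change to the allowed ports is made once under [edit applications] and is picked up by every NAT, stateful firewall, or CoS rule that uses the set; attempting to add a port or protocol directly under from would be rejected, which is the behaviour the note describes.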

You can configure ALGs for ICMP and traceroute under stateful firewall, NAT, or class of service (CoS) rules when twice NAT is configured in the same service set. Twice NAT does not support any other ALGs.

By default, the twice NAT feature can affect IP, TCP, and UDP headers embedded in the payload of ICMP error messages. You can include the protocol tcp and protocol udp statements with the application statement for twice NAT configurations.
