Each rule must include a match-direction statement that specifies the direction in which the match is applied. To configure where the match is applied, include the match-direction statement at the [edit services nat rule rule-name] hierarchy level:
-
match-direction (input | output);
The match direction is used with respect to the traffic flow through the AS or MultiServices PIC. When a packet is sent to the PIC, direction information is carried along with it.
With an interface service set, packet direction is determined by whether a packet is entering or leaving the interface on which the service set is applied.
With a next-hop service set, packet direction is determined by the interface used to route the packet to the AS or MultiServices PIC. If the inside interface is used to route the packet, the packet direction is input. If the outside interface is used to direct the packet to the PIC, the packet direction is output. For more information on inside and outside interfaces, see Configuring Services Interfaces.
On the AS or MultiServices PIC, a flow lookup is performed. If no flow is found, rule processing is performed. All rules in the service set are considered. During rule processing, the packet direction is compared against rule directions. Only rules with direction information that matches the packet direction are considered.