Configuring NAT Rules
To configure a NAT rule, include the rule rule-name statement at the [edit services nat] hierarchy level.
Each NAT rule consists of a set of terms, similar to a firewall filter. A term consists of the following:
- from statement—Specifies the match conditions and applications that are included and excluded.
- then statement—Specifies the actions and action modifiers to be performed by the router software.
The following sections explain how to configure the components of NAT rules:
Configuring Match Direction for NAT Rules
Each rule must include a match-direction statement, configured at the [edit services nat rule rule-name] hierarchy level, that specifies the direction of traffic to which the rule applies.
The match direction is used with respect to the traffic flow through the AS or Multiservices PIC. When a packet is sent to the PIC, direction information is carried along with it.
With an interface service set, packet direction is determined by whether a packet is entering or leaving the interface on which the service set is applied.
With a next-hop service set, packet direction is determined by the interface used to route the packet to the AS or Multiservices PIC. If the inside interface is used to route the packet, the packet direction is input. If the outside interface is used to direct the packet to the PIC, the packet direction is output. For more information on inside and outside interfaces, see Configuring Service Sets to be Applied to Services Interfaces.
On the AS or Multiservices PIC, a flow lookup is performed first. If no flow is found, rule processing is performed: all rules in the service set are considered, but during rule processing the packet direction is compared against each rule's match direction, and only rules whose direction matches the packet direction are evaluated against the packet.
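The following configuration, added here as a worked example and not taken from the original documentation, shows the two service-set models side by side: an interface service set applied to ge-0/0/1, and a next-hop service set whose inside and outside halves are units 1 and 2 of sp-1/2/0. The interface, pool, and rule names and all addresses are assumptions; the nesting of the then statements under a translated container is assumed from the services NAT hierarchy and should be confirmed on your release. The two service sets are alternatives for the same traffic and are shown together only to contrast how direction is derived.

```junos
interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.1.1.1/24;
                /* Interface service set: packets entering ge-0/0/1 are
                   "input", packets leaving it are "output". */
                service {
                    input {
                        service-set nat-if-ss;
                    }
                    output {
                        service-set nat-if-ss;
                    }
                }
            }
        }
    }
    sp-1/2/0 {
        unit 0 {
            family inet;
        }
        /* Units 1 and 2 are the inside and outside halves of the next-hop
           service set; service-domain tells the PIC which is which. */
        unit 1 {
            family inet;
            service-domain inside;
        }
        unit 2 {
            family inet;
            service-domain outside;
        }
    }
}
services {
    service-set nat-if-ss {
        nat-rules nat-private-out;
        interface-service {
            service-interface sp-1/2/0;
        }
    }
    /* Next-hop service set: direction follows the unit that delivered the
       packet to the PIC. Via sp-1/2/0.1 (inside) is "input", via
       sp-1/2/0.2 (outside) is "output". */
    service-set nat-nh-ss {
        nat-rules nat-private-out;
        next-hop-service {
            inside-service-interface sp-1/2/0.1;
            outside-service-interface sp-1/2/0.2;
        }
    }
    nat {
        pool public-napt {
            address 203.0.113.0/28;
            port automatic;
        }
        rule nat-private-out {
            /* Only "input" packets (inside to outside) are translated; the
               reply matches the existing flow, so no output rule is needed. */
            match-direction input;
            term private-hosts {
                from {
                    source-address 10.1.1.0/24;
                }
                then {
                    translated {
                        source-pool public-napt;
                        translation-type {
                            source dynamic;
                        }
                    }
                }
            }
        }
    }
}
routing-options {
    static {
        /* Inside traffic enters the next-hop set through the inside unit. */
        route 0.0.0.0/0 next-hop sp-1/2/0.1;
        /* Replies to the pool must enter through the outside unit so they
           are classified as "output" and matched against existing flows. */
        route 203.0.113.0/28 next-hop sp-1/2/0.2;
    }
}
```

In both models a packet from 10.1.1.0/24 is classified as input and reaches the rule; the reply from the outside is classified as output, matches the flow the first packet created, and is translated back without any rule lookup. With the next-hop set the second static route is as important as the first: return traffic must enter via the outside unit, otherwise it is classified as input and becomes a candidate for the outbound rule.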
Configuring Match Conditions in NAT Rules
To configure NAT match conditions, include the from statement at the [edit services nat rule rule-name term term-name] hierarchy level.
To configure traditional NAT and twice NAT, you can use the destination address, a range of destination addresses, the source address, or a range of source addresses as a match condition, in the same way that you would configure a firewall filter; for more information, see the Junos Policy Framework Configuration Guide.
Alternatively, you can specify a list of source or destination prefixes by including the prefix-list statement at the [edit policy-options] hierarchy level and then including either the destination-prefix-list or source-prefix-list statement in the NAT rule. For an example, see Examples: Configuring Stateful Firewall Rules.
You can include application protocol definitions that you have configured at the [edit applications] hierarchy level; for more information, see Configuring Application Protocol Properties:
- To apply one or more specific application protocol definitions, include the applications statement at the [edit services nat rule rule-name term term-name from] hierarchy level.
- To apply one or more sets of application protocol definitions that you have defined, include the application-sets statement at the [edit services nat rule rule-name term term-name from] hierarchy level.
Note: If you include one of the statements that specifies application protocols, the router derives port and protocol information from the corresponding configuration at the [edit applications] hierarchy level; you cannot also specify these properties as match conditions in the term. When matched rules include more than one ALG, the more specific ALG takes effect; for example, if the stateful firewall rule includes TCP and the NAT rule includes FTP, the NAT rule takes precedence. You can configure ALGs for ICMP and traceroute under stateful firewall, NAT, or class of service (CoS) rules when twice NAT is configured in the same service set; twice NAT does not support any other ALGs. By default, NAT can restore IP, TCP, and UDP headers embedded in the payload of ICMP error messages. You can include the protocol tcp and protocol udp statements with the application statement for NAT configurations.
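The configuration below is an added example, not part of the original documentation, showing match conditions built from a prefix list at [edit policy-options] and from application definitions at [edit applications]. All names, addresses, and port numbers are assumptions, and the nesting of the then statements under a translated container is assumed from the services NAT hierarchy. Because the applications and application-sets statements supply protocol and port information, the from blocks carry only address conditions.

```junos
policy-options {
    prefix-list internal-clients {
        10.10.0.0/16;
        10.20.5.0/24;
    }
}
applications {
    application ftp-ctl {
        application-protocol ftp;   /* ALG: follows the data channel too */
        protocol tcp;
        destination-port 21;
    }
    application web-http {
        protocol tcp;
        destination-port 80;
    }
    application web-https {
        protocol tcp;
        destination-port 443;
    }
    application-set outbound-web {
        application web-http;
        application web-https;
    }
}
services {
    nat {
        /* One pool per term: a pool cannot be shared between terms. */
        pool web-napt {
            address 203.0.113.16/28;
            port automatic;
        }
        pool ftp-napt {
            address 203.0.113.32/28;
            port automatic;
        }
        rule nat-by-app {
            match-direction input;
            /* Terms are evaluated in order and the first match wins; the
               protocol and ports come from [edit applications], so no
               protocol or port condition may appear in "from". */
            term web {
                from {
                    source-prefix-list internal-clients;
                    application-sets outbound-web;
                }
                then {
                    translated {
                        source-pool web-napt;
                        translation-type {
                            source dynamic;
                        }
                    }
                }
            }
            term ftp {
                from {
                    source-prefix-list internal-clients;
                    applications ftp-ctl;
                }
                then {
                    syslog;
                    translated {
                        source-pool ftp-napt;
                        translation-type {
                            source dynamic;
                        }
                    }
                }
            }
            /* Everything else from these clients is left untranslated. */
            term rest {
                from {
                    source-prefix-list internal-clients;
                }
                then {
                    no-translation;
                }
            }
        }
    }
}
```

The ftp term is the one to watch: the FTP ALG opens the data channel on the NAT mapping, so giving it a dedicated pool and syslog keeps those dynamically opened pinholes separate from ordinary web traffic in the logs.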
Configuring Actions in NAT Rules
To configure NAT actions, include the then statement at the [edit services nat rule rule-name term term-name] hierarchy level.
The no-translation statement excludes the addresses matched by the term from NAT.
The destination-pool, destination-prefix, source-pool, and source-prefix statements specify addressing information that you define by including the pool statement at the [edit services nat] hierarchy level; for more information, see Configuring Addresses and Ports for Use in NAT Rules.
The overload-pool and overload-prefix statements specify a pool of addresses or an address prefix that can be used if the source pool becomes exhausted. If all the addresses in the source pool are in use, additional NAT sessions are supported using the overload pool. You can configure the overload pool only when the primary pool is used for address-only source dynamic NAT; it cannot be used with destination NAT or source NAPT.
The syslog statement enables you to record an alert in the system logging facility.
The translation-type statement specifies what type of network address translation is used for source or destination traffic. Choices are source dynamic, source static, or destination static. For more information, see Network Address Translation Overview.
- destination static—Implement address translation for destination traffic without port mapping. The size of the address range specified in the from destination-address statement must be the same or smaller than the destination pool. You must specify either a destination-pool or a destination-prefix. The referenced pool can contain multiple addresses but no port configuration.
- source dynamic—There are two types of source dynamic translation: network address port translation (NAPT) and address-only translation. You must specify a source-pool name. The referenced pool must include either a port configuration (for NAPT) or an address configuration (for address-only translation). If you specify port automatic or a port range, NAPT is used. If a port is not defined, the port value defaults to 1.
The source dynamic address-only option supports translating a larger range of addresses to a smaller pool. Requests from the source address range are assigned addresses from the pool until the pool is exhausted; any further requests are rejected. A NAT address assigned to a host is used for all concurrent sessions from that host and is released to the pool only after all the sessions for that host expire. This lets the router share a few public IP addresses among many private hosts, because not all private hosts create sessions at the same time.
- source static—Implement address translation for source traffic without port mapping. The size of the pool address space must be greater than or equal to the source address space. You must specify a source-pool name. The referenced pool can contain multiple addresses, ranges, or prefixes, as long as the number of NAT addresses in the pool is larger than the number of source addresses in the from statement. You must include exactly one source-address value at the [edit services nat rule rule-name term term-name from] hierarchy level; if it is a prefix, the size must be less than or equal to the pool prefix size. Any addresses in the pool that are not matched in the source-address value remain unused, because a pool cannot be shared among multiple terms or rules.
For traditional NAT, you can configure either translation-type destination or translation-type source, but not both. To configure twice NAT, you specify both a translation-type destination and a translation-type source.
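The configuration below is an added example, not from the original documentation, with one term per translation type described above: address-only source dynamic NAT with an overload pool, source static, twice NAT (source static plus destination static in one term), and destination static in a second rule that matches the opposite direction. Pool and rule names and all addresses are assumptions; 10.0.0.0/8 stands for the private side and the documentation prefixes for public space. The nesting under a translated container is assumed from the services NAT hierarchy, and the rule directions assume a service-set model in which inside-originated traffic is input and outside-originated traffic is output.

```junos
services {
    nat {
        /* Address-only dynamic: 16 addresses shared by a /24 of hosts. */
        pool dyn-addr-only {
            address 203.0.113.0/28;
        }
        /* Used once dyn-addr-only is exhausted; it has ports, so spill-over
           sessions are NAPT on these addresses. */
        pool dyn-overload {
            address 203.0.113.16/30;
            port automatic;
        }
        /* Source static: pool at least as large as the matched /24. */
        pool static-src {
            address 198.51.100.0/24;
        }
        /* Destination static: no port configuration; matched /29 fits /29. */
        pool static-dst {
            address 10.200.0.0/29;
        }
        /* Twice NAT gets its own pools; pools are not shared between terms. */
        pool twice-src {
            address 192.0.2.0/24;
        }
        pool twice-dst {
            address 10.201.0.0/24;
        }
        rule nat-outbound {
            match-direction input;
            term lab-hosts {
                from {
                    source-address 10.1.0.0/24;
                }
                then {
                    translated {
                        source-pool dyn-addr-only;
                        overload-pool dyn-overload;
                        translation-type {
                            source dynamic;
                        }
                    }
                }
            }
            /* Exactly one source-address; one-to-one, no port mapping. */
            term servers-out {
                from {
                    source-address 10.2.0.0/24;
                }
                then {
                    translated {
                        source-pool static-src;
                        translation-type {
                            source static;
                        }
                    }
                }
            }
            /* Twice NAT toward a partner whose addressing overlaps ours. */
            term partner-extranet {
                from {
                    source-address 10.3.0.0/24;
                    destination-address 172.16.0.0/24;
                }
                then {
                    syslog;
                    translated {
                        source-pool twice-src;
                        destination-pool twice-dst;
                        translation-type {
                            source static;
                            destination static;
                        }
                    }
                }
            }
        }
        /* Outside-originated connections arrive in the output direction. */
        rule nat-inbound {
            match-direction output;
            term published-services {
                from {
                    destination-address 203.0.113.32/29;
                }
                then {
                    translated {
                        destination-pool static-dst;
                        translation-type {
                            destination static;
                        }
                    }
                }
            }
        }
    }
}
```

Two sizing checks from the text are built into the example and are worth repeating when you adapt it: static-src must be no smaller than the single source-address it serves, and the destination-address range in published-services must be no larger than static-dst. The overload pool is only legal because dyn-addr-only has no port configuration; attaching it to a NAPT pool or to the destination rule is rejected.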
Note: Overlapping static and dynamic NAT pools are allowed. The overlapping addresses are used for static NAT only. This capability enables you to advertise one subnet that represents the NAT pool and use an address within that subnet for static rules. Statically assigned addresses are not reused for dynamic assignment. Statically assigned addresses from a dynamic pool can be used only for source static NAT, not for destination static NAT.
Note: When configuring NAT, if any traffic is destined for the following addresses and does not match a NAT flow or NAT rule, the traffic is dropped:
For more information on NAT methods, see RFC 2663, IP Network Address Translator (NAT) Terminology and Considerations.
For compliance with RFC 4787, NAT Behavioral Requirements for Unicast UDP, you must configure the following statements:
- address-pooling—Specifies the NAT address-pooling behavior. Currently the only valid setting is paired.
- filtering-type—Specifies the NAT filtering behavior. By default, NAT uses address and port-dependent filtering. Setting endpoint-independent enables acceptance of connections originating from any outside host to an existing mapping to an internal host.
- mapping-type—Specifies the NAT mapping behavior. Currently the only valid setting is endpoint-independent.
By default, when you configure source static NAT and source address-only dynamic NAT, the behavior is the same as that specified by these statement settings, so there is no net effect. Compliance with RFC 4787 is supported only with source NAT.
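The configuration below is an added example, not from the original documentation, applying the three RFC 4787 statements to a source NAPT term, which is the case where they change behavior. Names and addresses are assumptions, and the statements are placed under a translated container on the assumption that this hierarchy keeps them alongside the other translation settings; confirm the location on your release.

```junos
services {
    nat {
        pool napt-4787 {
            address 203.0.113.64/28;
            port automatic;
        }
        rule nat-voip-clients {
            match-direction input;
            term phones {
                from {
                    source-address 10.50.0.0/24;
                }
                then {
                    translated {
                        source-pool napt-4787;
                        translation-type {
                            source dynamic;
                        }
                        /* A given internal host always receives the same
                           external address (RFC 4787 REQ-2). */
                        address-pooling paired;
                        /* Internal host:port maps to one external host:port
                           regardless of destination (RFC 4787 REQ-1). */
                        mapping-type endpoint-independent;
                        /* Any outside host may send to the external host:port
                           once the mapping exists. This replaces the default
                           address-and-port-dependent filtering and is the
                           permissive choice RFC 4787 REQ-8 recommends for
                           application transparency. */
                        filtering-type endpoint-independent;
                    }
                }
            }
        }
    }
}
```

The filtering-type setting is the security-relevant one. Endpoint-independent filtering means that once a phone has sent one packet out, the resulting external host:port is reachable from anywhere on the outside for the life of the mapping, not just from the peer the phone contacted. That is what makes peer-to-peer and VoIP traversal work, so apply it only to the terms that need it and keep the stateful firewall rules in the same service set in charge of what is actually admitted.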

