Configuring NAT Policies and Services for Enterprise Manager Portal

 

Before you configure NAT addressing in Enterprise Manager Portal, review and update the configuration from the SRC CLI or the C-Web interface. Topics in this section include:

NAT Policies and Services in the SRC Sample Data

The NAT policy groups and services provided in the sample data are designed to work with Enterprise Manager Portal and require little configuration. Table 11 shows the names of the policy groups and services associated with each type of NAT that the SRC software supports.

Table 11: NAT Services and Policies

| Type of NAT | Name of Policy Group | Name of Service |
| --- | --- | --- |
| Dynamic source NAT | dynsrcnat | DynSrcNat |
| Static destination NAT | staticdstnat | StaticDstNat |
| Static source NAT | staticsrcnat | StaticSrcNat |

The services are located under l=entJunos, o=Scopes, o=umc in the sample data.

The policies are located under ou=entJunos, o=Policies, o=umc in the sample data.

For information about creating NAT policies, including prerequisites on the device running Junos OS, see the SRC PE Services and Policies Guide.

Configuring the dynsrcnat Policy Group

You can modify the precedence settings in the policy rules for the dynsrcnat policy group. Use the following guidelines if you make changes to the precedence settings:

  • The precedence settings for the policy rules in the dynsrcnat policy group must be higher than the precedence settings for the policy rules in the staticsrcnat policy group. This distinction allows static source NAT rules to take priority over dynamic source NAT rules.

  • The precedence settings for these policy rules must also be higher than the precedence of any firewall exception. This distinction ensures that the SAE activates the artificial firewall rule first.

Reviewing the DynSrcNat Service

The DynSrcNat service is predefined in the sample data. Do not modify any settings or substitutions for this service.

Configuring the staticdstnat Policy Group

This policy group contains two policy rules:

  • SFWR—Acts as an artificial firewall rule that ensures that the SAE activates a basic firewall service for the access before activating a NAT service; the Junos OS requires that a firewall be active before you implement a NAT rule.

  • PR—Defines the policy for the static destination NAT service.

The only setting you can modify for this policy group is the precedence setting for the SFWR policy rule. The value for this setting should be higher than the precedence of any other firewall exception. This distinction ensures that the SAE activates the artificial firewall rule first.

Configuring the StaticDstNat Service

You can modify the following substitutions for the StaticDstNat service; do not modify any other settings for this service.

  • staticDestNatMinPriority—Lower limit of the range of precedences available for subscriptions to static destination NAT rules

  • staticDestNatMaxPriority—Upper limit of the range of precedences available for subscriptions to static destination NAT rules

Configuring the staticsrcnat Policy Group

This policy group contains two policy rules:

  • SFWR—Acts as an artificial firewall rule that ensures that the SAE activates a basic firewall service for the access before activating a NAT service; the Junos OS requires that a firewall be active before you implement a NAT rule.

  • PR—Defines the policy for the static source NAT service.

The only setting you can modify for this policy group is the precedence setting for the SFWR policy rule. The value for this setting should be higher than the precedence of any other firewall exception. This distinction ensures that the SAE activates the artificial firewall rule first.

Configuring the StaticSrcNat Service

You can modify the following substitutions for the StaticSrcNat service; do not modify any other settings or substitutions for this service.

  • staticSrcNatMinPriority—Lower limit of the range of precedences available for subscriptions to static source NAT rules

  • staticSrcNatMaxPriority—Upper limit of the range of precedences available for subscriptions to static source NAT rules

The values for these parameters must be lower than the precedence settings for the policy rules in the dynsrcnat policy group. This distinction allows static source NAT rules to take priority over dynamic source NAT rules.
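The precedence rules in this topic can be checked together before you change any values. The following Python check is an added example and is not part of the SRC software or its sample data; the dictionary layout, the keys other than the four substitution names, and all sample values are assumptions constructed for illustration.

```python
# Added example. The dict layout and the keys "dynsrcnat", "staticsrcnat_SFWR",
# "staticdstnat_SFWR" and "firewall_exceptions" are hypothetical; the substitution
# names come from the page. Comparisons are numeric, exactly as the page words them.

RANGES = (
    ("StaticSrcNat", "staticSrcNatMinPriority", "staticSrcNatMaxPriority"),
    ("StaticDstNat", "staticDestNatMinPriority", "staticDestNatMaxPriority"),
)

def check_nat_precedence(cfg):
    """Return a list of violated rules; an empty list means every check passed."""
    problems = []
    # Each substitution pair is a lower and an upper limit of one range.
    for service, low, high in RANGES:
        if cfg[low] > cfg[high]:
            problems.append(f"{service}: {low} is above {high}")

    # dynsrcnat rules must be higher than the staticsrcnat rules and than the
    # StaticSrcNat subscription range.
    dyn_lowest = min(cfg["dynsrcnat"])
    static_src_highest = max(cfg["staticsrcnat_SFWR"],
                             cfg["staticSrcNatMinPriority"],
                             cfg["staticSrcNatMaxPriority"])
    if dyn_lowest <= static_src_highest:
        problems.append(f"dynsrcnat: precedence {dyn_lowest} is not higher than "
                        f"static source NAT value {static_src_highest}")

    # dynsrcnat rules and both SFWR rules must be higher than every firewall exception.
    if cfg["firewall_exceptions"]:
        fw_highest = max(cfg["firewall_exceptions"])
        for name, value in (("dynsrcnat", dyn_lowest),
                            ("staticdstnat SFWR", cfg["staticdstnat_SFWR"]),
                            ("staticsrcnat SFWR", cfg["staticsrcnat_SFWR"])):
            if value <= fw_highest:
                problems.append(f"{name}: precedence {value} is not higher than "
                                f"firewall exception {fw_highest}")
    return problems

# Constructed sample values, not taken from the SRC sample data.
SAMPLE = {
    "firewall_exceptions": [100, 200],
    "staticsrcnat_SFWR": 300, "staticdstnat_SFWR": 300,
    "staticSrcNatMinPriority": 400, "staticSrcNatMaxPriority": 499,
    "staticDestNatMinPriority": 500, "staticDestNatMaxPriority": 599,
    "dynsrcnat": [700, 710],
}

if __name__ == "__main__":
    for line in check_nat_precedence(SAMPLE) or ["all precedence checks passed"]:
        print(line)
```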