Verifying NAT Configuration
NAT can be configured on its own or together with stateful firewall filters.
Some show commands used for verification are common to stateful
firewall filters and NAT. To verify NAT configured with stateful firewall
filters, see Verifying Stateful Firewall Filter Configuration.
To verify a NAT configuration, perform these tasks:
Displaying NAT Configurations
Purpose
Verify NAT configuration.
Action
From the J-Web interface, select Configuration > View and Edit >
View Configuration Text.
Alternatively, from configuration mode in the CLI, perform the following tasks:
- Enter the show services command to display the complete
NAT configuration.
- Enter the show interfaces command to display the
interface configuration.
The sample output in this section displays the NAT configurations
provided in Configuring Basic Source Static NAT.
[edit]
user@r1# show services
nat {
    pool nat-pool {
        address {
            121.0.1.0/24;
        }
    }
    rule nat-rule {
        match-direction output;
        term nat-term {
            from {
                source-address {
                    10.0.1.0/24;
                }
            }
            then {
                translated {
                    source-pool nat-pool;
                    translation-type source static;
                }
            }
        }
    }
}
service-set nat-service-set {
    nat-rules nat-rule;
    interface-service {
        service-interface sp-0/0/0;
    }
}
[edit]
user@r1# show interfaces
t3-1/0/0 {
    description "t3-1/0/0 on r1";
    unit 0 {
        family inet {
            service {
                input {
                    service-set nat-service-set;
                }
                output {
                    service-set nat-service-set;
                }
            }
        }
    }
}
What it Means
Verify that the output shows the intended NAT and interface configurations.
For more information about the format of a configuration file, see the J-series Services Router Basic LAN and WAN Access Configuration Guide.
Verifying NAT
Purpose
Verify the NAT configured in Configuring Basic Source Static NAT.
Action
Take the following actions:
- To verify that the network address is translated as configured,
create a traffic flow between two routers: an internal router r1 and
an external router r2. On r1, configure NAT as shown in Configuring Basic Source
Static NAT and apply the defined nat-service-set on
an interface. Configure loopback address 10.0.1.2 on r1 and
loopback address 24.40.80.2 on r2.
Note: You are configuring loopback addresses in this example for verification
purposes only. If you have the network set up and the source address 10.0.1.2 is
configured on a host, ping an external router from the host. In this case,
you do not need to configure the loopback address.
- Use the ping command to verify that a connection is established
between the two routers used in this sample.
- From the CLI, enter the show services stateful-firewall conversations command
to display the flow conversations.
user@r1> ping 24.40.80.2 source 10.0.1.2
PING 24.40.80.2 (24.40.80.2): 56 data bytes
64 bytes from 24.40.80.2: icmp_seq=0 ttl=64 time=6.669 ms
64 bytes from 24.40.80.2: icmp_seq=1 ttl=64 time=40.441 ms
...
user@r1> show services stateful-firewall conversations extensive
Interface: sp-0/0/0, Service set: nat-service-set
Conversation: ALG protocol: icmp
  Number of initiators: 1, Number of responders: 1
Flow State Dir Frm count
ICMP 10.0.1.2:52499 -> 24.40.80.2 Watch O 2
    NAT source 10.0.1.2:52499 -> 121.0.1.2:52499
    Byte count: 84
    Flow role: Master, Timeout: 30, Protocol detail: echo request
ICMP 24.40.80.2:52499 -> 121.0.1.2 Watch I 2
    NAT dest 121.0.1.2:52499 -> 10.0.1.2:0
    Byte count: 84
    Flow role: Responder, Timeout: 30, Protocol detail: echo reply
What it Means
Verify the following information:
- A ping request from r1 returns a ping response from r2.
The sample ping command output shows a series of replies, indicating
that the connection is working and traffic is transmitted between the two
routers. If there is no connection, a “host unreachable” message
is displayed.
- The source address is translated to an address from the configured
NAT address pool. The sample output shows the flow from r1 to r2 and
its response. In the flow from r1 to r2, the source address 10.0.1.2 is
translated to address 121.0.1.2 from the configured NAT address pool
(121.0.1.0/24). The response flow correctly shows reverse translation
from 121.0.1.2 to 10.0.1.2.
Alternatively, you can use the show services stateful-firewall flows command
to display the NAT flows. The show services stateful-firewall conversations command
is easier to use for verification because it displays corresponding NAT flows
together instead of a random listing of all flows. For more information, see
the JUNOS System Basics and Services Command Reference.
For information about using the J-Web interface to ping
a host, see the J-series Services Router Administration Guide.
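The checks listed under What it Means can be run automatically against saved output of the show services stateful-firewall conversations extensive command. The following Python is an added example, not part of the original documentation; the function names and the inside and pool parameters are assumptions, it handles IPv4 only, and the sample text is the conversation output shown above.

```python
import ipaddress
import re

# Sample text copied from the conversation output shown on this page.
SAMPLE = """\
Interface: sp-0/0/0, Service set: nat-service-set
Conversation: ALG protocol: icmp
Number of initiators: 1, Number of responders: 1
Flow State Dir Frm count
ICMP 10.0.1.2:52499 -> 24.40.80.2 Watch O 2
NAT source 10.0.1.2:52499 -> 121.0.1.2:52499
Byte count: 84
Flow role: Master, Timeout: 30, Protocol detail: echo request
ICMP 24.40.80.2:52499 -> 121.0.1.2 Watch I 2
NAT dest 121.0.1.2:52499 -> 10.0.1.2:0
Byte count: 84
Flow role: Responder, Timeout: 30, Protocol detail: echo reply
"""

# Matches "NAT source A:port -> B:port" and "NAT dest A:port -> B:port"; ports are ignored.
NAT_RE = re.compile(r"^\s*NAT (source|dest)\s+([\d.]+)(?::\d+)?\s*->\s*([\d.]+)(?::\d+)?\s*$")

def parse_nat(text):
    """Return (kind, original_ip, translated_ip) for every NAT line in the output."""
    out = []
    for line in text.splitlines():
        m = NAT_RE.match(line)
        if m:
            kind, old, new = m.groups()
            out.append((kind, ipaddress.ip_address(old), ipaddress.ip_address(new)))
    return out

def check_nat(text, inside, pool):
    """Return a list of problems; an empty list means translation matches the configuration."""
    inside, pool = ipaddress.ip_network(inside), ipaddress.ip_network(pool)
    entries = parse_nat(text)
    forward = {new: old for kind, old, new in entries if kind == "source"}
    reverse = {old: new for kind, old, new in entries if kind == "dest"}
    problems = [] if forward else ["no NAT source translation found"]
    for new, old in forward.items():
        if old not in inside:
            problems.append(f"{old} is outside the rule's source-address {inside}")
        if new not in pool:
            problems.append(f"{old} translated to {new}, outside pool {pool}")
        if reverse.get(new) != old:
            problems.append(f"no reverse translation {new} -> {old}")
    return problems
```

Calling check_nat(SAMPLE, "10.0.1.0/24", "121.0.1.0/24") returns an empty list for the sample output; a flow that passed through the service set untranslated, or was translated to an address outside the pool, is reported as a problem string.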