To use destination address translation, the size of the
pool address space must be greater than or equal to the destination
address space. You must specify a name for the destination-pool
statement, which can contain multiple addresses, ranges, or prefixes,
as long as the number of NAT addresses in the pool is larger than
the number of destination addresses in the from
statement.
To configure destination address translation in IPv4
networks:
- In configuration mode, go to the [edit services] hierarchy level.
[edit]
user@host# edit services
- Configure the service set and the NAT rule.
[edit services]
user@host# set service-set service-set-name nat-rules rule-name
In the following example, the name of the service set is s1 and the name of the NAT rule is rule-dnat44.
[edit services]
user@host# set service-set s1 nat-rules rule-dnat44
- Go to the [interface-service] hierarchy level of the service set.
[edit services]
user@host# edit service-set s1 interface-service
- Configure the service interface.
[edit services service-set s1 interface-service]
user@host# set service-interface service-interface-name
In the following example, the name of the service interface
is ms-0/1/0.
Note: If the service interface is not present in the router,
or the specified interface is not functional, the following command
can result in an error.
[edit services service-set s1 interface-service]
user@host# set service-interface ms-0/1/0
- Go to the [edit services nat] hierarchy level. Issue the following command from the top of the services hierarchy, or use the top keyword.
[edit services service-set s1]
user@host# top edit services nat
- Configure the NAT pool with an address.
[edit services nat]
user@host# set pool pool-name address address
In the following example, dest-pool is used as the
pool name and 4.1.1.2 as the address.
user@host# set pool dest-pool address 4.1.1.2
- Configure the rule, match direction, term, and destination
address.
[edit services nat]
user@host# set rule rule-name match-direction match-direction term term-name from destination-address address
In the following example, the name of the rule is rule-dnat44, the match direction is input, the name of the term is t1, and the address is 20.20.20.20.
[edit services nat]
user@host# set rule rule-dnat44 match-direction input term t1 from destination-address 20.20.20.20
- Go to the [edit services nat rule rule-dnat44 term t1] hierarchy level.
[edit services nat]
user@host# edit rule rule-dnat44 term t1
- Configure the destination pool and the translation type.
[edit services nat rule rule-dnat44 term t1]
user@host# set then translated destination-pool dest-pool-name translation-type translation-type
In the following example, the destination pool name is dest-pool, and the translation type is dnat-44.
[edit services nat rule rule-dnat44 term t1]
user@host# set then translated destination-pool dest-pool translation-type dnat-44
- Go to the [edit services adaptive-services-pics] hierarchy level. In the following command, the top keyword ensures that the command is run from the top of the hierarchy.
[edit services nat rule rule-dnat44 term t1]
user@host# top edit services adaptive-services-pics
- Configure the trace options.
[edit services adaptive-services-pics]
user@host# set traceoptions flag tracing-parameter
In the following example, the tracing parameter is configured
as all.
[edit services adaptive-services-pics]
user@host# set traceoptions flag all
- Verify the configuration by using the show command at the [edit services] hierarchy level.
[edit services]
user@host# show
service-set s1 {
    nat-rules rule-dnat44;
    interface-service {
        service-interface ms-0/1/0;
    }
}
nat {
    pool dest-pool {
        address 4.1.1.2/32;
    }
    rule rule-dnat44 {
        match-direction input;
        term t1 {
            from {
                destination-address {
                    20.20.20.20/32;
                }
            }
            then {
                translated {
                    destination-pool dest-pool;
                    translation-type {
                        dnat-44;
                    }
                }
            }
        }
    }
}
adaptive-services-pics {
    traceoptions {
        flag all;
    }
}
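The sizing requirement stated at the top of this page (the pool address space must be at least as large as the destination address space) can be checked offline against saved show output. The following Python script is an added example, not Juniper code: the function names and the sample configuration are constructed, and it assumes literal IPv4 addresses and counts every address in a prefix or range.

```python
import ipaddress, re

def parse(text):
    """Junos brace-style config -> nested dicts; leaf statements map to None."""
    stack = [{}]
    for stmt, delim in re.findall(r"([^{};]*)([{};])", re.sub(r"#.*", "", text)):
        stmt = " ".join(stmt.split())
        if delim == "{":
            stack.append(stack[-1].setdefault(stmt, {}))
        elif delim == "}":
            stack.pop()
        elif stmt:
            stack[-1][stmt] = None
    return stack[0]

def count(spec):
    """Addresses in 'a.b.c.d[/len]' or 'low A high B' (assumption: all count)."""
    p = spec.split()
    if p[0] != "low":
        return ipaddress.ip_network(p[0], strict=False).num_addresses
    return int(ipaddress.IPv4Address(p[3])) - int(ipaddress.IPv4Address(p[1])) + 1

def size(block, kw):
    """Total addresses under statement `kw`, nested-block or one-line form."""
    flat = [k.split(None, 1)[1] for k in block if k.split()[0] in (kw, kw + "-range") and " " in k]
    return sum(count(s) for s in list(block.get(kw) or {}) + flat)

def undersized_dnat_terms(config):
    """Return (rule, term, pool, needed, available) where the pool is too small."""
    nat, findings = parse(config).get("nat", {}), []
    for rkey, rule in nat.items():
        for tkey, term in (rule.items() if rkey.startswith("rule ") else ()):
            tr = ((term or {}).get("then") or {}).get("translated") or {}
            for pool in (k.split()[1] for k in tr if k.startswith("destination-pool ")):
                need = size(term.get("from") or {}, "destination-address")
                have = size(nat.get("pool " + pool) or {}, "address")
                if have < need:  # page's rule: pool space >= destination space
                    findings.append((rkey.split()[1], tkey.split()[1], pool, need, have))
    return findings

SAMPLE = """nat {  # constructed sample: t2 maps 4 addresses onto a 2-address pool
  pool dest-pool { address 4.1.1.2/32; }
  pool small-pool { address-range low 4.1.2.1 high 4.1.2.2; }
  rule rule-dnat44 { match-direction input;
    term t1 { from { destination-address { 20.20.20.20/32; } }
      then { translated { destination-pool dest-pool; translation-type { dnat-44; } } } }
    term t2 { from { destination-address 20.20.30.0/30; }
      then { translated { destination-pool small-pool; translation-type dnat-44; } } }
  } }"""
print(undersized_dnat_terms(SAMPLE))
```

Term t1 mirrors the configuration verified above and passes; term t2 is reported because its four destination addresses exceed the two addresses in its pool.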
The following example configures the translation type as dnat-44.
[edit services]
user@host# show
service-set s1 {
    nat-rules rule-dnat44;
    interface-service {
        service-interface ms-0/1/0;
    }
}
nat {
    pool dest-pool {
        address 4.1.1.2/32;
    }
    rule rule-dnat44 {
        match-direction input;
        term t1 {
            from {
                destination-address {
                    20.20.20.20/32;
                }
            }
            then {
                translated {
                    destination-pool dest-pool;
                    translation-type {
                        dnat-44;
                    }
                }
            }
        }
    }
}
adaptive-services-pics {
    traceoptions {
        flag all;
    }
}
In the following configuration, the term my-term1 configures source address translation for traffic from any private address to any public address. The translation is applied for all services. The term my-term2 performs destination address translation for Hypertext Transfer Protocol (HTTP) traffic from any public address to the server’s virtual IP address. The virtual server IP address is translated to an internal IP address.
[edit services nat]
rule my-nat-rule {
    match-direction input;
    term my-term1 {
        from {
            source-address private;
            destination-address public;
        }
        then {
            translated {
                source-pool my-pool; # pick address from a pool
                translation-type napt-44; # dynamic NAT with port translation
            }
        }
    }
}
rule my-nat-rule2 {
    match-direction input;
    term my-term2 {
        from {
            destination-address 192.168.137.3; # my server’s virtual address
            application http;
        }
        then {
            translated {
                destination-pool nat-pool-name;
                translation-type dnat-44; # static destination NAT
            }
        }
    }
}
The following configuration performs NAT using the destination
prefix 20.20.10.0/32 without defining a pool.
[edit services nat]
rule src-nat {
    match-direction input;
    term t1 {
        from {
            destination-address 10.10.10.10/32;
        }
        then {
            translated {
                translation-type dnat-44;
                destination-prefix 20.20.10.0/24;
            }
        }
    }
}