Configuring Inline Twice Static NAT44 for Next Gen Services
Configuring the Source and Destination Pools for Inline Twice Static NAT44
To configure the source and destination pools for inline twice static NAT44:
- Create a source pool.
user@host# edit services nat source pool nat-pool-name
- Define the addresses or subnets to which source addresses
are translated.
[edit services nat source pool nat-pool-name] user@host# set address address-prefix
or
[edit services nat source pool nat-pool-name] user@host# set address address-prefix to address address-prefix
- Configure a one-to-one static mapping of the original
source addresses to the addresses in the source pool by specifying
the first address from the matching source-address prefix that is
in the source NAT rule.
[edit services nat source pool nat-pool-name] user@host# set host-address-base ip-address
- Create a destination pool. Do not use the same name that
you used for the source pool.
user@host# edit services nat destination pool nat-pool-name
- Define the addresses or subnets to which destination addresses
are translated.
[edit services nat destination pool nat-pool-name] user@host# set address address-prefix
- To allow the IP addresses of a NAT pool to overlap with
IP addresses in pools used in other service sets, configure
allow-overlapping-pools.
[edit services nat] user@host# set allow-overlapping-pools
Configuring the NAT Rules for Inline Twice Static NAT44
To configure the source and destination NAT rules for twice static NAT44:
- Configure the source NAT rule name.
[edit services nat source] user@host# set rule-set rule-set-name rule rule-name
- Specify the traffic direction to which the source NAT
rule set applies.
[edit services nat source rule-set rule-set-name] user@host# set match-direction (in | out)
- Specify the addresses that are translated by the source
NAT rule.
To specify one address or prefix value:
[edit services nat source rule-set rule-set-name rule rule-name] user@host# set match source-address address
To specify a range of addresses, configure an address book global address with the desired address range, and assign the global address to the NAT rule:
[edit services address-book global] user@host# set address address-name range-address lower-limit to upper-limit
[edit services nat source rule-set rule-set-name rule rule-name] user@host# set match source-address-name address-name
- Specify the source NAT pool that contains the addresses
for translated traffic.
[edit services nat source rule-set rule-set-name rule rule-name] user@host# set then source-nat pool nat-pool-name
- Configure the generation of a syslog when traffic matches
the source NAT rule conditions.
[edit services nat source rule-set rule-set-name rule rule-name then] user@host# set syslog
- Configure the destination NAT rule name.
[edit services nat destination] user@host# set rule-set rule-set-name rule rule-name
- Specify the traffic direction to which the destination
NAT rule set applies.
[edit services nat destination rule-set rule-set-name] user@host# set match-direction (in | out | in-out)
- Specify the destination addresses of traffic that the
destination NAT rule applies to.
[edit services nat destination rule-set rule-set-name rule rule-name] user@host# set match destination-address address
To specify a range of addresses, configure an address book global address with the desired address range, and assign the global address to the NAT rule:
[edit services address-book global] user@host# set address address-name range-address lower-limit to upper-limit
[edit services nat destination rule-set rule-set-name rule rule-name] user@host# set match destination-address-name address-name
To specify any unicast address:
[edit services nat destination rule-set rule-set-name rule rule-name] user@host# set match destination-address any-unicast
- Specify the destination NAT pool that contains the destination
addresses for translated traffic.
[edit services nat destination rule-set rule-set-name rule rule-name] user@host# set then destination-nat pool nat-pool-name
- Configure the generation of a syslog when traffic matches
the destination NAT rule match conditions.
[edit services nat destination rule-set rule-set-name rule rule-name then] user@host# set syslog
Configuring the Service Set for Inline Twice Static NAT44
To configure the service set for inline twice static NAT44:
- Define the service set.
[edit services] user@host# edit service-set service-set-name
- Configure either an interface service set, which requires
a single service interface, or a next-hop service set, which requires
an inside and outside service interface.
To configure an interface service set:
[edit services service-set service-set-name] user@host# set interface-service service-interface si-slot-number/pic-number/0.logical-unit-number
To configure a next-hop service set:
[edit services service-set service-set-name] user@host# set next-hop-service inside-service-interface si-slot-number/pic-number/0.logical-unit-number outside-service-interface vms-slot-number/pic-number/0.logical-unit-number
- Specify the NAT rule sets to be used with the service
set.
[edit services service-set service-set-name] user@host# set nat-rule-sets rule-set-name
Configuring Inline Services and an Inline Services Interface
To enable inline services and an inline services interface:
- Enable inline services for the FPC and PIC slot, and define
the amount of bandwidth to dedicate to inline services.
[edit chassis fpc slot-number pic number] user@host# set inline-services bandwidth (1g | 10g | 20g | 30g | 40g | 100g)
- Configure the inline services logical interface or interfaces.
If you are using an interface service set, configure one logical unit:
[edit interfaces si-slot-number/pic-number/0] user@host# set unit logical-unit-number family family
If you are using a next-hop service set, configure two logical units and define the inside and outside interfaces:
[edit interfaces si-slot-number/pic-number/0] user@host# set unit logical-unit-number family family
user@host# set unit logical-unit-number service-domain inside
user@host# set unit logical-unit-number family family
user@host# set unit logical-unit-number service-domain outside
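The four procedures above (pools, NAT rules, service set, inline services interface) assembled into one set of statements, as an added example that is not part of the Juniper documentation. Every pool, rule-set, rule, service-set and interface name, every address, the FPC/PIC/unit numbers and the bandwidth value are assumed placeholders for a hypothetical topology; adapt them to your own.

```junos
# Added example (not from the Juniper documentation). Hypothetical topology:
# internal hosts 10.1.1.0/24 reach a partner network whose real range
# 192.168.50.0/24 is advertised to us as 198.51.100.0/24, so one outbound
# flow needs both its source and its destination rewritten (twice NAT).

# Source pool: each 10.1.1.x maps 1:1 to 203.0.113.x; host-address-base is
# the first address of the prefix matched by the source rule below.
set services nat source pool src-static-pool address 203.0.113.0/24
set services nat source pool src-static-pool host-address-base 10.1.1.0

# Destination pool (must not reuse the source pool name).
set services nat destination pool dst-static-pool address 192.168.50.0/24

# Enable this only if the pool addresses also appear in pools of other
# service sets; otherwise leave it off so the commit check catches
# accidental address reuse between service sets.
# set services nat allow-overlapping-pools

# Source rule: outbound traffic from 10.1.1.0/24, logged via syslog so the
# translated-to-original address mapping is available to investigators.
set services nat source rule-set src-rs match-direction out
set services nat source rule-set src-rs rule src-rule match source-address 10.1.1.0/24
set services nat source rule-set src-rs rule src-rule then source-nat pool src-static-pool
set services nat source rule-set src-rs rule src-rule then syslog

# Destination rule: same direction, rewriting 198.51.100.0/24 to the pool.
set services nat destination rule-set dst-rs match-direction out
set services nat destination rule-set dst-rs rule dst-rule match destination-address 198.51.100.0/24
set services nat destination rule-set dst-rs rule dst-rule then destination-nat pool dst-static-pool
set services nat destination rule-set dst-rs rule dst-rule then syslog

# Interface service set on inline services unit si-0/0/0.1 using both rule sets.
set services service-set twice-nat44-ss interface-service service-interface si-0/0/0.1
set services service-set twice-nat44-ss nat-rule-sets src-rs
set services service-set twice-nat44-ss nat-rule-sets dst-rs

# Inline services on FPC 0 / PIC 0 with 10g reserved, plus the single logical
# unit that an interface service set requires.
set chassis fpc 0 pic 0 inline-services bandwidth 10g
set interfaces si-0/0/0 unit 1 family inet
```

Because both pools are static and one-to-one, the syslog entries from the two rules give a deterministic mapping from any translated address back to the original host, which is what makes the translation auditable.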