Configuring Static Destination NAT for Next Gen Services
Configuring the Destination Pool for Static Destination NAT
To configure the destination pool for static destination NAT:
- Create a destination pool.
user@host# edit services nat destination pool nat-pool-name
- Define the addresses or subnets to which destination addresses are translated.
[edit services nat destination pool nat-pool-name]
user@host# set address address-prefix
- To allow the IP addresses of a NAT destination pool to overlap with IP addresses in pools used in other service sets, configure allow-overlapping-pools.
[edit services nat]
user@host# set allow-overlapping-pools
Configuring the NAT Rule for Static Destination NAT
To configure the NAT rule for static destination NAT:
- Configure the NAT rule name.
[edit services nat destination]
user@host# set rule-set rule-set-name rule rule-name
- Specify the traffic direction to which the destination NAT rule set applies.
[edit services nat destination rule-set rule-set-name]
user@host# set match-direction (in | out | in-out)
- Specify the source addresses of traffic that the NAT rule applies to.
To specify one address or prefix value:
[edit services nat destination rule-set rule-set-name rule rule-name]
user@host# set match source-address address
To specify a range of addresses, configure an address book global address with the desired address range, and assign the global address to the NAT rule:
[edit services address-book global]
user@host# set address address-name range-address lower-limit to upper-limit
[edit services nat destination rule-set rule-set-name rule rule-name]
user@host# set match source-address-name address-name
To specify any unicast address:
[edit services nat destination rule-set rule-set-name rule rule-name]
user@host# set match source-address any-unicast
- Specify the destination addresses that the NAT rule applies to.
[edit services nat destination rule-set rule-set-name rule rule-name]
user@host# set match destination-address address
To specify a range of addresses, configure an address book global address with the desired address range, and assign the global address to the NAT rule:
[edit services address-book global]
user@host# set address address-name range-address lower-limit to upper-limit
[edit services nat destination rule-set rule-set-name rule rule-name]
user@host# set match destination-address-name address-name
To specify any unicast address:
[edit services nat destination rule-set rule-set-name rule rule-name]
user@host# set match destination-address any-unicast
- Specify one or more application protocols to which the destination NAT rule applies. The number of applications listed in the rule must not exceed 3072.
[edit services nat destination rule-set rule-set-name rule rule-name]
user@host# set match application [application-name]
- Specify the NAT pool that contains the destination addresses for translated traffic.
[edit services nat destination rule-set rule-set-name rule rule-name]
user@host# set then destination-nat pool nat-pool-name
- Configure the generation of a syslog when traffic matches the destination NAT rule match conditions.
[edit services nat destination rule-set rule-set-name rule rule-name then]
user@host# set syslog
Configuring the Service Set for Static Destination NAT
To configure the service set for static destination NAT:
- Define the service set.
[edit services]
user@host# edit service-set service-set-name
- Configure either an interface service, which requires a single service interface, or a next-hop service, which requires an inside and outside service interface.
[edit services service-set service-set-name]
user@host# set interface-service service-interface interface-name
or
[edit services service-set service-set-name]
user@host# set next-hop-service inside-service-interface interface-name outside-service-interface interface-name
- Specify the NAT rule sets to be used with the service set.
[edit services service-set service-set-name]
user@host# set nat-rule-sets rule-set-name
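The pool, rule, and service-set statements from the three procedures above have to agree with each other, so a review check over the finished configuration is useful. The following Python script is an added example, not Juniper code: it reads a configuration written as full-path set commands and reports destination NAT rules that match any-unicast sources, do not generate syslog, reference a pool that is not defined, or belong to a rule set that no service set uses. The sample configuration, its names (web-pool, db-pool, dnat-rs, lab-rs, ss1, vms-0/0/0.0) and its addresses are constructed for illustration.

```python
import re

# Constructed sample in full-path set form; every name and address is made up.
SAMPLE = """\
set services nat destination pool web-pool address 10.1.1.10/32
set services nat destination rule-set dnat-rs match-direction in
set services nat destination rule-set dnat-rs rule r1 match source-address any-unicast
set services nat destination rule-set dnat-rs rule r1 match destination-address 203.0.113.10/32
set services nat destination rule-set dnat-rs rule r1 then destination-nat pool web-pool
set services nat destination rule-set dnat-rs rule r2 match source-address 198.51.100.0/24
set services nat destination rule-set dnat-rs rule r2 then destination-nat pool db-pool
set services nat destination rule-set dnat-rs rule r2 then syslog
set services nat destination rule-set lab-rs rule r1 then destination-nat pool web-pool
set services nat destination rule-set lab-rs rule r1 then syslog
set services service-set ss1 interface-service service-interface vms-0/0/0.0
set services service-set ss1 nat-rule-sets dnat-rs
"""

RULE = re.compile(r"set services nat destination rule-set (\S+) rule (\S+) (?:match|then) (.+)")
POOL = re.compile(r"set services nat destination pool (\S+) address \S+")
ATTACH = re.compile(r"set services service-set \S+ nat-rule-sets (\S+)")


def audit(config):
    """Return sorted (rule-set, rule, finding) tuples for a set-format config."""
    pools, attached, rules = set(), set(), {}
    for line in map(str.strip, config.splitlines()):
        if m := POOL.fullmatch(line):
            pools.add(m.group(1))
        elif m := ATTACH.fullmatch(line):
            attached.add(m.group(1))
        elif m := RULE.fullmatch(line):
            rules.setdefault((m.group(1), m.group(2)), []).append(m.group(3).split())
    findings = []
    for (rs, rule), stmts in rules.items():
        if ["source-address", "any-unicast"] in stmts:
            findings.append((rs, rule, "matches any-unicast source"))
        if ["syslog"] not in stmts:
            findings.append((rs, rule, "no syslog on match"))
        pool = [s[2] for s in stmts if len(s) == 3 and s[:2] == ["destination-nat", "pool"]]
        if not pool:
            findings.append((rs, rule, "no destination-nat pool"))
        elif pool[0] not in pools:
            findings.append((rs, rule, f"pool {pool[0]} not defined"))
        if rs not in attached:
            findings.append((rs, rule, "rule-set not in any service set"))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```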