NAT for Tenant Systems
NAT is a method for modifying or translating network address information in packet headers. Either or both source and destination addresses in a packet may be translated. For more information, see the following topics:
Understanding Network Address Translation for Tenant Systems
Starting in Junos OS Release 18.3R1, the network address translation features supported on logical systems (source NAT, destination NAT, and static NAT) are also supported on tenant systems.
A tenant system has an administrator (the tenant administrator) who can configure source NAT, destination NAT, and static NAT for that tenant system. The tenant administrator can view the details of the source NAT, destination NAT, and static NAT of the tenant system. The primary administrator can view the statistics and information of the source NAT, destination NAT, and static NAT for any tenant system.
For the tenant system, the primary administrator can configure the maximum and reserved numbers for the following NAT resources:
Source NAT pools and destination NAT pools
IP addresses in the source NAT pools with and without port address translation
Rules for source, destination, and static NAT
Prefix list for rule matching
NAT cone binding
IP addresses that support port overloading
The reserved numbers allocated guarantee that the specified resource amount is always available to the tenant system. The tenant system administrator can use the show system security-profile command with a NAT option to view the NAT resources allocated to the tenant system.
Example: Configuring Network Address Translation for the Tenant Systems
This example shows how to configure source NAT, destination NAT, and static NAT for a given tenant system.
Requirements
This example uses the following hardware and software components:
SRX Series Firewall with Junos OS Release 18.3R1 or later. This configuration example is tested for Junos OS Release 18.3R1.
Create a tenant system. See Example: Creating Tenant Systems, Tenant System Administrators, and an Interconnect VPLS Switch.
Configure network interfaces. See Configuring a Routing Instance for a Tenant System.
Overview
In this example, first you configure the trust security zone for the private address space and then you configure the untrust security zone for the public address space.
Devices in the untrust zone access a specific host in the trust zone, with the destination IP address 203.0.113.200/24. This example configures the NAT described in Table 1: Tenant System NAT Configuration.
Table 1: Tenant System NAT Configuration
Feature | Name | Configuration Parameters
---|---|---
Static, source, and destination NAT rule set | r1 |
Source pool | pat | Address 192.0.2.1 to 192.0.2.24
Destination pool | h1 | Address 192.168.1.200
Proxy ARP | arp | Address 192.0.2.1 to 192.0.2.24
NAT interfaces for traffic direction | ge-0/0/0 and ge-0/0/1 |
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set tenants tn1 security nat source pool pat address 192.0.2.1 to 192.0.2.24
set tenants tn1 security nat source rule-set from_intf from interface ge-0/0/0.0
set tenants tn1 security nat source rule-set from_intf to interface ge-0/0/1.0
set tenants tn1 security nat source rule-set from_intf rule r1 match source-address 192.0.2.0/24
set tenants tn1 security nat source rule-set from_intf rule r1 match destination-address 203.0.113.200/24
set tenants tn1 security nat source rule-set from_intf rule r1 then source-nat pool pat
set tenants tn1 security nat static rule-set from_zone from zone trust
set tenants tn1 security nat static rule-set from_zone rule r1 match source-address 192.0.2.0/24
set tenants tn1 security nat static rule-set from_zone rule r1 match destination-address 203.0.113.203/24
set tenants tn1 security nat static rule-set from_zone rule r1 then static-nat prefix 192.168.1.203/24
set tenants tn1 security nat destination pool h1 address 192.168.1.200
set tenants tn1 security nat destination rule-set from_zone from zone trust
set tenants tn1 security nat destination rule-set from_zone rule r1 match source-address 192.0.2.0/24
set tenants tn1 security nat destination rule-set from_zone rule r1 match destination-address 203.0.113.202/24
set tenants tn1 security nat destination rule-set from_zone rule r1 then destination-nat pool h1
set tenants tn1 security nat proxy-arp interface ge-0/0/1.0 address 192.0.2.1 to 192.0.2.24
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure NAT in the tenant system:
Create a security NAT source pool and rule set for the tenant system.
[edit tenants tn1 security nat source]
user@host# set tenants tn1 security nat source pool pat address 192.0.2.1 to 192.0.2.24
user@host# set tenants tn1 security nat source rule-set from_intf from interface ge-0/0/0.0
user@host# set tenants tn1 security nat source rule-set from_intf to interface ge-0/0/1.0
user@host# set tenants tn1 security nat source rule-set from_intf rule r1 match source-address 192.0.2.0/24
user@host# set tenants tn1 security nat source rule-set from_intf rule r1 match destination-address 203.0.113.200/24
user@host# set tenants tn1 security nat source rule-set from_intf rule r1 then source-nat pool pat
Create a security NAT static rule set for the tenant system.
[edit tenants tn1 security nat static]
user@host# set tenants tn1 security nat static rule-set from_zone from zone trust
user@host# set tenants tn1 security nat static rule-set from_zone rule r1 match source-address 192.0.2.0/24
user@host# set tenants tn1 security nat static rule-set from_zone rule r1 match destination-address 203.0.113.203/24
user@host# set tenants tn1 security nat static rule-set from_zone rule r1 then static-nat prefix 192.168.1.203/24
Create a security NAT destination pool and rule set for the tenant system.
[edit tenants tn1 security nat destination]
user@host# set tenants tn1 security nat destination pool h1 address 192.168.1.200
user@host# set tenants tn1 security nat destination rule-set from_zone from zone trust
user@host# set tenants tn1 security nat destination rule-set from_zone rule r1 match source-address 192.0.2.0/24
user@host# set tenants tn1 security nat destination rule-set from_zone rule r1 match destination-address 203.0.113.202/24
user@host# set tenants tn1 security nat destination rule-set from_zone rule r1 then destination-nat pool h1
Configure proxy Address Resolution Protocol (ARP).
[edit tenants tn1 security nat]
user@host# set tenants tn1 security nat proxy-arp interface ge-0/0/1.0 address 192.0.2.1 to 192.0.2.24
Results
From configuration mode, confirm your configuration by entering the show tenants tn1 security nat command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
source {
    pool pat {
        address {
            192.0.2.1 to 192.0.2.24;
        }
    }
    rule-set from_intf {
        from interface ge-0/0/0.0;
        to interface ge-0/0/1.0;
        rule r1 {
            match {
                source-address 192.168.1.0/24;
                destination-address [203.0.113.200/24 ];
            }
            then {
                source-nat {
                    pool {
                        pat;
                    }
                }
            }
        }
    }
}
destination {
    pool h1 {
        address 192.168.1.200;
    }
    rule-set from_zone {
        from zone untrust;
        rule r1 {
            match {
                source-address 192.0.2.0/24;
                destination-address 203.0.113.202/24;
            }
            then {
                destination-nat {
                    pool {
                        h1;
                    }
                }
            }
        }
    }
}
static {
    rule-set from_zone {
        from zone untrust;
        rule r1 {
            match {
                source-address 192.0.2.0/24;
                destination-address 203.0.113.203/24;
            }
            then {
                static-nat {
                    prefix {
                        192.168.1.203/24;
                    }
                }
            }
        }
    }
}
proxy-arp {
    interface ge-0/0/1.0 {
        address {
            192.0.2.1 to 192.0.2.24;
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform these tasks:
- Verifying Static NAT Configuration
- Verifying Destination NAT Configuration
- Verifying Source NAT Configuration
Verifying Static NAT Configuration
Purpose
To verify that there is traffic matching the static NAT rule set.
Action
From operational mode, enter the show security nat static rule all tenant tn1 command. View the Translation hits field to check for traffic that matches the rule.
user@host> show security nat static rule all tenant tn1
Sample Output
Total static-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0

Static NAT rule: r1                  Rule-set: from_zone
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : untrust
  Source addresses           : 192.0.2.0 - 192.0.2.255
  Destination addresses      : 203.0.113.203
  Host addresses             : 192.168.1.203
  Netmask                    : 32
  Host routing-instance      : N/A
  Translation hits           : 0
  Successful sessions        : 0
  Failed sessions            : 0
  Number of sessions         : 0
Meaning
The command output displays the static NAT rule. View the Translation hits field to check for traffic that matches the static rule.
Verifying Destination NAT Configuration
Purpose
To verify that there is traffic matching the destination NAT rule set.
Action
From operational mode, enter the show security nat destination rule all tenant tn1 command. View the Translation hits field to check for traffic that matches the rule.
user@host> show security nat destination rule all tenant tn1
Sample Output
Total destination-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0

Destination NAT rule: r1             Rule-set: from_zone
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : untrust
  Match
    Source addresses         : 192.0.2.0 - 192.0.2.255
    Destination addresses    : 203.0.113.202 - 203.0.113.202
  Action                     : h1
  Translation hits           : 0
  Successful sessions        : 0
  Failed sessions            : 0
  Number of sessions         : 0
Meaning
The command output displays the destination NAT rule. View the Translation hits field to check for traffic that matches the destination rule.
Verifying Source NAT Configuration
Purpose
To verify that there is traffic matching the source NAT rule set.
Action
From operational mode, enter the show security nat source rule all tenant tn1 command. View the Translation hits field to check for traffic that matches the rule.
user@host> show security nat source rule all tenant tn1
Sample Output
Total rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0

source NAT rule: r1                  Rule-set: from_intf
  Rule-Id                    : 1
  Rule position              : 1
  From interface             : ge-0/0/0.0
  To interface               : ge-0/0/1.0
  Match
    Source addresses         : 192.168.1.0 - 192.168.1.255
    Destination addresses    : 203.0.113.200 - 203.0.113.200
  Action                     : pat
  Persistent NAT type        : N/A
  Persistent NAT mapping type : address-port-mapping
  Inactivity timeout         : 0
  Max session number         : 0
  Translation hits           : 0
  Successful sessions        : 0
  Failed sessions            : 0
  Number of sessions         : 0
Meaning
The command output displays the source NAT rule. View the Translation hits field to check for traffic that matches the source rule.
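The three verification tasks above all come down to reading the Translation hits and session counters out of show security nat static|destination|source rule all tenant tn1. The following script is an added example, not part of the Juniper page: it parses that output format (the same key : value layout for all three rule types) and flags rules that have never matched traffic or that have failed sessions, which is what an operator checks after committing a tenant NAT configuration. The sample output is constructed in the page's format; the rule r2 and its counters are invented for illustration.

```python
# Parse 'show security nat <static|destination|source> rule all tenant <name>'
# output and flag rules with no translation hits or with failed sessions.
import re

# Constructed sample in the page's output format: r1 has never matched traffic,
# r2 (invented) has matched but failed some sessions.
SAMPLE_OUTPUT = """\
Total rules: 2
source NAT rule: r1                  Rule-set: from_intf
  Rule-Id                    : 1
  Match
    Source addresses         : 192.0.2.0 - 192.0.2.255
    Destination addresses    : 203.0.113.200 - 203.0.113.200
  Action                     : pat
  Translation hits           : 0
  Failed sessions            : 0
source NAT rule: r2                  Rule-set: from_intf
  Translation hits           : 12
  Successful sessions        : 9
  Failed sessions            : 3
"""

RULE_HEADER = re.compile(r"^(\w+) NAT rule:\s+(\S+)\s+Rule-set:\s+(\S+)")
FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 /-]*?)\s*:\s*(.*)$")


def parse_nat_rules(text):
    """Return one dict per rule: type, name, rule-set plus each 'Field : value'."""
    rules = []
    for line in text.splitlines():
        header = RULE_HEADER.match(line)
        if header:
            rules.append({"type": header.group(1).lower(),
                          "name": header.group(2), "rule-set": header.group(3)})
            continue
        field = FIELD.match(line)
        if field and rules:  # indented fields belong to the most recent rule
            rules[-1][field.group(1).strip()] = field.group(2).strip()
    return rules


def check_nat_rules(text):
    """Return (rule-set/rule, finding) pairs that deserve a second look."""
    findings = []
    for rule in parse_nat_rules(text):
        ident = f"{rule['rule-set']}/{rule['name']}"
        if int(rule.get("Translation hits", "0")) == 0:
            findings.append((ident, "no translation hits; rule never matched"))
        failed = int(rule.get("Failed sessions", "0"))
        if failed:
            findings.append((ident, f"{failed} failed sessions"))
    return findings
```

Feed it the real output captured from the device (for example via the CLI's | save or an automation session) in place of SAMPLE_OUTPUT; a rule with zero hits after test traffic usually points at a match condition that does not agree with the intended direction, such as the source-address or from zone values shown in the Results section.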