Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

NAT for Tenant Systems

Learn about NAT and how to configure NAT for the tenant system.

Network Address Translation (NAT) modifies or translates network address information in packet headers. It can change source, destination, or both addresses in a packet. For more information, see the following topics:

Network Address Translation for Tenant systems

A tenant administrator can configure and view the source NAT, destination NAT, and static NAT for the tenant systems. The primary administrator can view the statistics or information of the source NAT, destination NAT, and static NAT for any tenant systems.

For the tenant system, the primary administrator can configure the maximum and reserved numbers for the following NAT resources:

  • Source NAT pools and destination NAT pools

  • IP addresses in the source NAT pools with and without port address translation

  • Rules for source, destination, and static NAT

  • Prefix list for rule matching

  • NAT cone binding

  • IP addresses that support port overloading

The reserved numbers allocated guarantees that the specified resource amount is constantly available to the tenant systems. The tenant administrator can use the show system security-profile command with a NAT option to view the NAT resources allocated to the tenant system.

Example: Configure NAT for the Tenant Systems

This example shows how to configure source NAT, destination NAT and static NAT for a given tenant systems.

Requirements

This example uses the following hardware and software components:

Overview

In this example, first configure the trust security zone for the private address space and then configure the untrust security zone for the public address space.

Devices in the untrust zone access a specific host in the trust zone, with the destination IP address 203.0.113.200/24. This example configures the NAT described in Table 1.

Table 1: Tenant System NAT Configuration

Feature

Name

Configuration Parameters

Static, source and destination NAT rule set

r1

  • Rule r1 to match packets from untrust zone with destination address.

  • Destination IP address in matching packets is translated.

Source pool

pat

Address 192.0.2.1 to 192.0.2.24.

Destination pool

h1

Address 192.168.1.200.

Proxy ARP

arp

Address 192.0.2.1 to 192.0.2.24.

NAT interfaces for traffic direction.

ge-0/0/0 and ge-0/0/1.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure NAT in the tenant system:

  1. Create a security NAT source pool and rule set for the tenant system.

  2. Create a security NAT static rule set for the tenant system.

  3. Create a security NAT destination pool and rule set for the tenant system.

  4. Configure proxy Address Resolution Protocol (ARP).

Results

From configuration mode, confirm your configuration by entering the show tenants tn1 security nat command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verify Static NAT Configuration

Purpose

To verify that there is traffic matching the static NAT rule set.

Action

From operational mode, enter the show security nat static rule all tenant tn1 command. View the Translation hits field to check for traffic that matches the rule.

Sample Output
Meaning

The command output displays the static NAT rule. View the Translation hits field to check for traffic that matches the static rule.

Verify Destination NAT Configuration

Purpose

To verify that there is traffic matching the destination NAT rule set.

Action

From operational mode, enter the show security nat destination rule all tenant tn1 command. View the Translation hits field to check for traffic that matches the rule.

Sample Output
Meaning

The command output displays the destination NAT rule. View the Translation hits field to check for traffic that matches the destination rule.

Verify Source NAT Configuration

Purpose

To verify that there is traffic matching the source NAT rule set.

Action

From operational mode, enter the show security nat source rule all tenant tn1 command. View the Translation hits field to check for traffic that matches the rule.

Sample Output
Meaning

The command output displays the source NAT rule. View the Translation hits field to check for traffic that matches the source rule.