NAT for Tenant Systems
Learn about NAT and how to configure NAT for the tenant system.
Network Address Translation (NAT) modifies or translates network address information in packet headers. It can change source, destination, or both addresses in a packet. For more information, see the following topics:
Network Address Translation for Tenant systems
A tenant administrator can configure and view the source NAT, destination NAT, and static NAT for the tenant systems. The primary administrator can view the statistics or information of the source NAT, destination NAT, and static NAT for any tenant systems.
For the tenant system, the primary administrator can configure the maximum and reserved numbers for the following NAT resources:
Source NAT pools and destination NAT pools
IP addresses in the source NAT pools with and without port address translation
Rules for source, destination, and static NAT
Prefix list for rule matching
NAT cone binding
IP addresses that support port overloading
The reserved numbers allocated guarantees that the specified resource amount is constantly
available to the tenant systems. The tenant administrator can use the show
system security-profile command with a NAT option to view the NAT resources
allocated to the tenant system.
Example: Configure NAT for the Tenant Systems
This example shows how to configure source NAT, destination NAT and static NAT for a given tenant systems.
Requirements
This example uses the following hardware and software components:
Security device with Junos OS Release 18.3R1 or later.
Create tenant system, see Example: Creating Tenant Systems, Tenant System Administrators, and an Interconnect VPLS Switch.
Configure network interfaces, see Configure Routing Instance for Tenant System.
Overview
In this example, first configure the trust security zone for the private address space and then configure the untrust security zone for the public address space.
Devices in the untrust zone access a specific host in the trust zone, with the destination IP address 203.0.113.200/24. This example configures the NAT described in Table 1.
Feature |
Name |
Configuration Parameters |
|---|---|---|
Static, source and destination NAT rule set |
r1 |
|
Source pool |
pat |
Address 192.0.2.1 to 192.0.2.24. |
Destination pool |
h1 |
Address 192.168.1.200. |
Proxy ARP |
arp |
Address 192.0.2.1 to 192.0.2.24. |
NAT interfaces for traffic direction. |
ge-0/0/0 and ge-0/0/1. |
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set tenants tn1 security nat source pool pat address 192.0.2.1 to 192.0.2.24 set tenants tn1 security nat source rule-set from_intf from interface ge-0/0/0.0 set tenants tn1 security nat source rule-set from_intf to interface ge-0/0/1.0 set tenants tn1 security nat source rule-set from_intf rule r1 match source-address 192.0.2.0/24 set tenants tn1 security nat source rule-set from_intf rule r1 match destination-address 203.0.113.200/24 set tenants tn1 security nat source rule-set from_intf rule r1 then source-nat pool pat set tenants tn1 security nat static rule-set from_zone from zone trust set tenants tn1 security nat static rule-set from_zone rule r1 match source-address 192.0.2.0/24 set tenants tn1 security nat static rule-set from_zone rule r1 match destination-address 203.0.113.203/24 set tenants tn1 security nat static rule-set from_zone rule r1 then static-nat prefix 192.168.1.203/24 set tenants tn1 security nat destination pool h1 address 192.168.1.200 set tenants tn1 security nat destination rule-set from_zone from zone trust set tenants tn1 security nat destination rule-set from_zone rule r1 match source-address 192.0.2.0/24 set tenants tn1 security nat destination rule-set from_zone rule r1 match destination-address 203.0.113.202/24 set tenants tn1 security nat destination rule-set from_zone rule r1 then destination-nat pool h1 set tenants tn1 security nat proxy-arp interface ge-0/0/1.0 address 192.0.2.1 to 192.0.2.24
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure NAT in the tenant system:
Create a security NAT source pool and rule set for the tenant system.
[edit tenant tn1 security nat source] user@host# set tenants tn1 security nat source pool pat address 192.0.2.1 to 192.0.2.24 user@host# set tenants tn1 security nat source rule-set from_intf from interface ge-0/0/0.0 user@host# set tenants tn1 security nat source rule-set from_intf to interface ge-0/0/1.0 user@host# set tenants tn1 security nat source rule-set from_intf rule r1 match source-address 192.0.2.0/24 user@host# set tenants tn1 security nat source rule-set from_intf rule r1 match destination-address 203.0.113.200/24 user@host# set tenants tn1 security nat source rule-set from_intf rule r1 then source-nat pool pat
Create a security NAT static rule set for the tenant system.
[edit tenants tn1 security nat static] user@host# set tenants tn1 security nat static rule-set from_zone from zone trust user@host# set tenants tn1 security nat static rule-set from_zone rule r1 match source-address 192.0.2.0/24 user@host# set tenants tn1 security nat static rule-set from_zone rule r1 match destination-address 203.0.113.203/24 user@host# set tenants tn1 security nat static rule-set from_zone rule r1 then static-nat prefix 192.168.1.203/24
Create a security NAT destination pool and rule set for the tenant system.
[edit tenants tn1 security nat destination] user@host# set tenants tn1 security nat destination pool h1 address 192.168.1.200 user@host# set tenants tn1 security nat destination rule-set from_zone from zone trust user@host# set tenants tn1 security nat destination rule-set from_zone rule r1 match source-address 192.0.2.0/24 user@host# set tenants tn1 security nat destination rule-set from_zone rule r1 match destination-address 203.0.113.202/24 user@host# set tenants tn1 security nat destination rule-set from_zone rule r1 then destination-nat pool h1
Configure proxy Address Resolution Protocol (ARP).
[edit tenant tn1 security nat] user@host# set tenants tn1 security nat proxy-arp interface ge-0/0/1.0 address 192.0.2.1 to 192.0.2.24
Results
From configuration mode, confirm your configuration by entering the show tenants tn1 security nat command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
source {
pool pat {
address {
192.0.2.1 to 192.0.2.24;
}
}
rule-set from_intf {
from interface ge-0/0/0.0;
to interface ge-0/0/1.0;
rule r1 {
match {
source-address 192.168.1.0/24;
destination-address [203.0.113.200/24 ];
}
then {
source-nat {
pool {
pat;
}
}
}
}
}
}
destination {
pool h1 {
address 192.168.1.200;
}
rule-set from_zone {
from zone untrust;
rule r1 {
match {
source-address 192.0.2.0/24;
destination-address 203.0.113.202/24;
}
then {
destination-nat {
pool {
h1;
}
}
}
}
}
}
static {
rule-set from_zone {
from zone untrust;
rule r1 {
match {
source-address 192.0.2.0/24;
destination-address 203.0.113.203/24;
}
then {
static-nat {
prefix {
192.168.1.203/24;
}
}
}
}
}
}
proxy-arp {
interface ge-0/0/1.0 {
address {
192.0.2.1 to 192.0.2.24;
}
}
}
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform these tasks:
- Verify Static NAT Configuration
- Verify Destination NAT Configuration
- Verify Source NAT Configuration
Verify Static NAT Configuration
Purpose
To verify that there is traffic matching the static NAT rule set.
Action
From operational mode, enter the show security nat static rule all tenant tn1 command. View the Translation hits field to check for traffic that matches the rule.
user@host> show security nat static rule all tenant tn1
Sample Output
Total static-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0
Static NAT rule: r1 Rule-set: from_zone
Rule-Id : 1
Rule position : 1
From zone : untrust
Source addresses : 192.0.2.0 - 192.0.2.255
Destination addresses : 203.0.113.203
Host addresses : 192.168.1.203
Netmask : 32
Host routing-instance : N/A
Translation hits : 0
Successful sessions : 0
Failed sessions : 0
Number of sessions : 0
Meaning
The command output displays the static NAT rule. View the Translation hits field to check for traffic that matches the static rule.
Verify Destination NAT Configuration
Purpose
To verify that there is traffic matching the destination NAT rule set.
Action
From operational mode, enter the show security nat destination rule all tenant tn1 command. View the Translation hits field to check for traffic that matches the rule.
user@host> show security nat destination rule all tenant tn1
Sample Output
Total destination-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0
Destination NAT rule: r1 Rule-set: from_zone
Rule-Id : 1
Rule position : 1
From zone : untrust
Match
Source addresses : 192.0.2.0 - 192.0.2.255
Destination addresses : 203.0.113.202 - 203.0.113.202
Action : h1
Translation hits : 0
Successful sessions : 0
Failed sessions : 0
Number of sessions : 0
Meaning
The command output displays the destination NAT rule. View the Translation hits field to check for traffic that matches the destination rule.
Verify Source NAT Configuration
Purpose
To verify that there is traffic matching the source NAT rule set.
Action
From operational mode, enter the show security nat source rule all tenant tn1 command. View the Translation hits field to check for traffic that matches the rule.
user@host> show security nat source rule all tenant tn1
Sample Output
Total rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0
source NAT rule: r1 Rule-set: from_intf
Rule-Id : 1
Rule position : 1
From interface : ge-0/0/0.0
To interface : ge-0/0/1.0
Match
Source addresses : 192.168.1.0 - 192.168.1.255
Destination addresses : 203.0.113.200 - 203.0.113.200
Action : pat
Persistent NAT type : N/A
Persistent NAT mapping type : address-port-mapping
Inactivity timeout : 0
Max session number : 0
Translation hits : 0
Successful sessions : 0
Failed sessions : 0
Number of sessions : 0
Meaning
The command output displays the source NAT rule. View the Translation hits field to check for traffic that matches the source rule.