NAT for Tenant Systems

NAT is a method for modifying or translating network address information in packet headers. Either or both source and destination addresses in a packet may be translated. For more information, see the following topics:

Understanding Network Address Translation for Tenant Systems

Starting in Junos OS Release 18.3R1, the network address translation features supported on logical systems (source NAT, destination NAT, and static NAT) are also supported on tenant systems.

A tenant system has an administrator (tenant administrator) who can configure source NAT, destination NAT, and static NAT for the tenant systems. The tenant administrator can view the details of the source NAT, destination NAT, and static NAT of the tenant system. The primary administrator can view the statistics or information of the source NAT, destination NAT, and static NAT for any tenant systems.

For the tenant system, the primary administrator can configure the maximum and reserved numbers for the following NAT resources:

  • Source NAT pools and destination NAT pools

  • IP addresses in the source NAT pools with and without port address translation

  • Rules for source, destination, and static NAT

  • Prefix list for rule matching

  • NAT cone binding

  • IP addresses that support port overloading

The reserved number guarantees that the specified amount of each resource is always available to the tenant system. The tenant system administrator can use the show system security-profile command with a NAT option to view the NAT resources allocated to the tenant system.

Example: Configuring Network Address Translation for the Tenant Systems

This example shows how to configure source NAT, destination NAT, and static NAT for a tenant system.

Requirements

This example uses the following hardware and software components:

Overview

In this example, first you configure the trust security zone for the private address space and then you configure the untrust security zone for the public address space.

Devices in the untrust zone access a specific host in the trust zone, with the destination IP address 203.0.113.200/24. This example configures the NAT described in Table 1: Tenant System NAT Configuration.

Table 1: Tenant System NAT Configuration

| Feature | Name | Configuration Parameters |
| --- | --- | --- |
| Static, source and destination NAT rule set | r1 | Rule r1 to match packets from untrust zone with destination address. Destination IP address in matching packets is translated. |
| Source pool | pat | Address 192.0.2.1 to 192.0.2.24. |
| Destination pool | h1 | Address 192.168.1.200. |
| Proxy ARP | arp | Address 192.0.2.1 to 192.0.2.24. NAT interfaces for traffic direction. ge-0/0/0 and ge-0/0/1. |

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure NAT in the tenant system:

  1. Create a security NAT source pool and rule set for the tenant system.

  2. Create a security NAT static rule set for the tenant system.

  3. Create a security NAT destination pool and rule set for the tenant system.

  4. Configure proxy Address Resolution Protocol (ARP).
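
The four steps above as set commands, given here as an added example and not the original page's own listing. The tenant tn1, pools pat and h1, rule r1 and the addresses come from this page; the rule-set names, the trust subnet 192.168.1.0/24, the /32 host matches and the choice of ge-0/0/1.0 as the untrust-facing interface are assumptions.

```junos
# Added example. From the page: tenant tn1, pools pat and h1, rule r1, addresses.
# Assumed: rule-set names src-rs, static-rs, dst-rs; trust subnet 192.168.1.0/24;
# /32 host matches; ge-0/0/1.0 as the untrust-facing interface.

# 1. Source NAT pool and rule set (trust -> untrust, translated to pool pat)
set tenants tn1 security nat source pool pat address 192.0.2.1/32 to 192.0.2.24/32
set tenants tn1 security nat source rule-set src-rs from zone trust
set tenants tn1 security nat source rule-set src-rs to zone untrust
set tenants tn1 security nat source rule-set src-rs rule r1 match source-address 192.168.1.0/24
set tenants tn1 security nat source rule-set src-rs rule r1 then source-nat pool pat

# 2. Static NAT rule set (one-to-one mapping for the published host)
set tenants tn1 security nat static rule-set static-rs from zone untrust
set tenants tn1 security nat static rule-set static-rs rule r1 match destination-address 203.0.113.200/32
set tenants tn1 security nat static rule-set static-rs rule r1 then static-nat prefix 192.168.1.200/32

# 3. Destination NAT pool and rule set (untrust -> host in pool h1)
set tenants tn1 security nat destination pool h1 address 192.168.1.200/32
set tenants tn1 security nat destination rule-set dst-rs from zone untrust
set tenants tn1 security nat destination rule-set dst-rs rule r1 match destination-address 203.0.113.200/32
set tenants tn1 security nat destination rule-set dst-rs rule r1 then destination-nat pool h1

# 4. Proxy ARP so the device answers ARP for the source pool addresses
set tenants tn1 security nat proxy-arp interface ge-0/0/1.0 address 192.0.2.1/32 to 192.0.2.24/32
```

Junos evaluates static NAT before destination NAT, so when both rule sets match the same destination address the static rule is the one that accumulates translation hits. Matching on a host prefix and a specific source subnet keeps each rule from translating more traffic than the tenant intends to expose.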

Results

From configuration mode, confirm your configuration by entering the show tenants tn1 security nat command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Static NAT Configuration

Purpose

To verify that there is traffic matching the static NAT rule set.

Action

From operational mode, enter the show security nat static rule all tenant tn1 command. View the Translation hits field to check for traffic that matches the rule.

Meaning

The command output displays the static NAT rule. View the Translation hits field to check for traffic that matches the static rule.

Verifying Destination NAT Configuration

Purpose

To verify that there is traffic matching the destination NAT rule set.

Action

From operational mode, enter the show security nat destination rule all tenant tn1 command. View the Translation hits field to check for traffic that matches the rule.

Meaning

The command output displays the destination NAT rule. View the Translation hits field to check for traffic that matches the destination rule.

Verifying Source NAT Configuration

Purpose

To verify that there is traffic matching the source NAT rule set.

Action

From operational mode, enter the show security nat source rule all tenant tn1 command. View the Translation hits field to check for traffic that matches the rule.

Meaning

The command output displays the source NAT rule. View the Translation hits field to check for traffic that matches the source rule.