NAT for VRF group

Overview

In an SD-WAN network, NAT is used to translate the private IP addresses of a VRF group into a global (public) IP pool. An SRX Series Firewall can be configured with the following VRF group NAT types to translate IP addresses that belong to one VRF group into IP addresses that belong to different VRF instances:

  • VRF group destination NAT

  • VRF group source NAT

  • VRF group static NAT

Example: Configuring Source NAT to convert the private IP address of a VRF Group to the private IP address of different VRF instance

This example describes how to configure a source NAT between two MPLS networks.

Requirements

Overview

Source NAT is the translation of the source IP address of a packet leaving the Juniper Networks device. Source NAT is used to allow hosts with private IP addresses to access a public network.

In Figure 1, the SRX Series Firewall is configured with the VRF groups vpn-A and vpn-B, which are connected to the interfaces ge-0/0/1.0 and ge-0/0/1.1 on the SRX Series Firewall. On the hub SRX Series Firewall, the source IP addresses 192.168.1.200 (from VRF group vpn-A) and 192.168.1.201 (from VRF group vpn-B) are translated to 203.0.113.200 and 203.0.113.201, respectively.

Figure 1: Source NAT using VRF group

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy.

To configure source NAT mapping:

  1. In Layer 3 VPNs create a VRF group vpn-A with VRF instances A1 and A2.

  2. Create another VRF group vpn-B with VRF instances B1 and B2.

  3. Create a source NAT pool.

  4. Create a source NAT rule set.

  5. Configure a rule that matches packets and translates the source IP address to an IP address in the source NAT pool.
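As an added worked example (not the page's own CLI Quick Configuration block), the following set commands express steps 1 to 5 for the topology in Figure 1. The VRF instance names, VRF group names and the 192.168.1.x and 203.0.113.x addresses are those of Figure 1; the interfaces, route distinguishers, route targets, pool names and rule-set and rule names are assumed. The `security l3vpn vrf-group` hierarchy and the `source-l3vpn-vrf-group` match condition are the VRF group NAT keywords; confirm them with `?` in configuration mode on your Junos release. Zones, BGP and security policies are omitted. Lines beginning with # are explanatory and can be dropped before pasting.

```junos
# Steps 1 and 2: four VRF instances and the two VRF groups that contain them.
# Interfaces, route distinguishers and route targets are assumed values.
set routing-instances A1 instance-type vrf
set routing-instances A1 interface ge-0/0/1.0
set routing-instances A1 route-distinguisher 192.0.2.1:101
set routing-instances A1 vrf-target target:65000:101
set routing-instances A1 vrf-table-label
set routing-instances A2 instance-type vrf
set routing-instances A2 interface ge-0/0/2.0
set routing-instances A2 route-distinguisher 192.0.2.1:102
set routing-instances A2 vrf-target target:65000:102
set routing-instances A2 vrf-table-label
set routing-instances B1 instance-type vrf
set routing-instances B1 interface ge-0/0/1.1
set routing-instances B1 route-distinguisher 192.0.2.1:201
set routing-instances B1 vrf-target target:65000:201
set routing-instances B1 vrf-table-label
set routing-instances B2 instance-type vrf
set routing-instances B2 interface ge-0/0/2.1
set routing-instances B2 route-distinguisher 192.0.2.1:202
set routing-instances B2 vrf-target target:65000:202
set routing-instances B2 vrf-table-label
set security l3vpn vrf-group vpn-A vrf A1
set security l3vpn vrf-group vpn-A vrf A2
set security l3vpn vrf-group vpn-B vrf B1
set security l3vpn vrf-group vpn-B vrf B2

# Step 3: one source NAT pool per VRF group (pool names assumed).
set security nat source pool vpn-A-snat address 203.0.113.200/32
set security nat source pool vpn-B-snat address 203.0.113.201/32

# Steps 4 and 5: rule sets keyed on the ingress and egress routing instances.
# Each rule additionally matches the VRF group, so only traffic sourced from
# a member VRF of that group is translated (rule-set and rule names assumed).
set security nat source rule-set vpn-A-to-B from routing-instance A1
set security nat source rule-set vpn-A-to-B from routing-instance A2
set security nat source rule-set vpn-A-to-B to routing-instance B1
set security nat source rule-set vpn-A-to-B rule snat-A match source-address 192.168.1.200/32
set security nat source rule-set vpn-A-to-B rule snat-A match source-l3vpn-vrf-group vpn-A
set security nat source rule-set vpn-A-to-B rule snat-A then source-nat pool vpn-A-snat
set security nat source rule-set vpn-B-to-A from routing-instance B1
set security nat source rule-set vpn-B-to-A from routing-instance B2
set security nat source rule-set vpn-B-to-A to routing-instance A1
set security nat source rule-set vpn-B-to-A rule snat-B match source-address 192.168.1.201/32
set security nat source rule-set vpn-B-to-A rule snat-B match source-l3vpn-vrf-group vpn-B
set security nat source rule-set vpn-B-to-A rule snat-B then source-nat pool vpn-B-snat
```

The VRF group match is the part that matters for tenant separation: the `from routing-instance` context alone would also translate traffic from any VRF later added to that context, whereas `source-l3vpn-vrf-group vpn-A` keeps the translation bound to the group's membership. NAT does not permit traffic by itself; a security policy must still allow the translated flow. After commit, `show security nat source rule all` shows the Translation hits per rule and `show security flow session` shows the active sessions with their translated source addresses.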

Results

From configuration mode, confirm your configuration by entering the show security nat command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying Source NAT Rule Usage
Purpose

Verify that there is traffic matching the source NAT rule.

Action

From operational mode, enter the show security nat source rule all command. In the Translation hits field, verify whether there is traffic that matches the source NAT rule.

Example: Configuring Destination NAT to Convert Public IP Address of a VRF Group to the private IP address of different VRF instance

This example describes how to configure destination NAT that maps a public IP address of a VRF group to the private address of a single VRF instance, so that the packets are directed to the correct VRF instance.

Requirements

Overview

Destination NAT is the translation of the destination IP address of a packet entering the Juniper Networks device. Destination NAT is used to redirect traffic destined to a virtual host (identified by the original destination IP address) to the real host (identified by the translated destination IP address).

In Figure 2, the SRX Series Firewall is configured with destination NAT to translate IP addresses that belong to different VRF groups into a different set of IP addresses, with the routing instance of each destination pool pointing to a different VRF. After the destination NAT rule search, NAT updates the destination routing table so that the flow performs its destination route lookup in the correct VRF instance.

Figure 2: Destination NAT using VRF Group

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy.

To configure destination NAT mapping for a single VRF:

  1. In Layer 3 VPNs create a VRF group vpn-A with VRF instances A1 and A2.

  2. Create another VRF group vpn-B with VRF instances B1 and B2.

  3. Specify a destination NAT IP address pool.

  4. Assign the routing instance to the destination pool.

  5. Create a destination NAT rule set.

  6. Configure a rule that matches packets and translates the destination IP address to an IP address in the destination NAT IP address pool.
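As an added worked example (not the page's own CLI Quick Configuration block), the following set commands express steps 1 to 6 for the topology in Figure 2. It assumes the routing instances A1, A2, B1 and B2 already exist as instance-type vrf; the public addresses 203.0.113.200 and 203.0.113.201 are taken as the VRF group addresses, the real-host addresses 192.168.1.200 and 192.168.1.201, the ingress routing instances, and the pool, rule-set and rule names are assumed. The `destination-l3vpn-vrf-group` match condition is the VRF group NAT keyword; confirm it with `?` in configuration mode on your Junos release. Lines beginning with # are explanatory and can be dropped before pasting.

```junos
# Steps 1 and 2: VRF groups (assumes routing instances A1, A2, B1 and B2
# are already configured as instance-type vrf).
set security l3vpn vrf-group vpn-A vrf A1
set security l3vpn vrf-group vpn-A vrf A2
set security l3vpn vrf-group vpn-B vrf B1
set security l3vpn vrf-group vpn-B vrf B2

# Steps 3 and 4: destination pools. The routing-instance on each pool is what
# makes the post-NAT route lookup happen in the VRF that owns the real host
# (pool names and real-host addresses are assumed).
set security nat destination pool host-in-A1 address 192.168.1.200/32
set security nat destination pool host-in-A1 routing-instance A1
set security nat destination pool host-in-B1 address 192.168.1.201/32
set security nat destination pool host-in-B1 routing-instance B1

# Steps 5 and 6: one rule set keyed on the ingress routing instances (assumed
# to be A2 and B2). Each rule matches the public address together with the
# VRF group that owns it, so a vpn-A address is never redirected into a
# vpn-B VRF (rule-set and rule names assumed).
set security nat destination rule-set vrf-dnat from routing-instance A2
set security nat destination rule-set vrf-dnat from routing-instance B2
set security nat destination rule-set vrf-dnat rule to-A1 match destination-address 203.0.113.200/32
set security nat destination rule-set vrf-dnat rule to-A1 match destination-l3vpn-vrf-group vpn-A
set security nat destination rule-set vrf-dnat rule to-A1 then destination-nat pool host-in-A1
set security nat destination rule-set vrf-dnat rule to-B1 match destination-address 203.0.113.201/32
set security nat destination rule-set vrf-dnat rule to-B1 match destination-l3vpn-vrf-group vpn-B
set security nat destination rule-set vrf-dnat rule to-B1 then destination-nat pool host-in-B1
```

Because the pool's routing instance decides which table the flow uses for its route lookup, a rule that matched only on destination-address (without the VRF group) would redirect any tenant's traffic to that address into the pool's VRF; keep the VRF group match on every rule in a multi-tenant deployment. A security policy must still permit the translated flow. After commit, `show security nat destination rule all` shows the Translation hits per rule, and `show security nat destination pool all` lists each pool together with the routing instance it points to.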

Results

From configuration mode, confirm your configuration by entering the show security nat command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying Destination NAT Rule Usage

Purpose

Verify that there is traffic matching the destination NAT rule.

Action

From operational mode, enter the show security nat destination rule all command. In the Translation hits field, verify whether there is traffic that matches the destination NAT rule.