
NAT For MX80


Article ID: KB27333 KB Last Updated: 17 Jul 2013 Version: 1.0
Summary:
This article explains why NAT on the MX80 is not supported in all Junos versions: the MX80 does not have a service PIC.

Inline service NAT was introduced for use with the MX80 starting with Junos version 11.4.

Symptoms:
Configuring NAT on MX80

Cause:

Solution:
Below is a snapshot of the topology and the step-by-step configuration.

M7i-5(ge-0/2/0)------------------(ge-1/0/6)MX80-3(ge-1/0/8)-------------------(ge-0/3/1)M7i-6

The interface configuration is as follows:

[edit]
lab@m7i-5# show interfaces ge-0/2/0
unit 0 {
    family inet {
        address 10.5.5.1/24;
    }
}

[edit]
lab@m7i-5#

[edit]
lab@MX80-3# show interfaces ge-1/0/6
unit 0 {
    family inet {
        service {
            input {
                service-set SS1;
            }
            output {
                service-set SS1;
            }
        }
        address 10.5.5.254/24;
    }
}

[edit]
lab@MX80-3# show interfaces ge-1/0/8
unit 0 {
    family inet {
        address 19.19.19.1/24;
    }
}

[edit]
lab@MX80-3#

[edit]
lab@m7i-6# show interfaces ge-0/3/1
unit 0 {
    family inet {
        address 19.19.19.2/24;
    }
}

[edit]
lab@m7i-6# show interfaces lo0
unit 0 {
    family inet {
        address 22.22.22.22/32;
    }
}

[edit]
lab@m7i-6#



1. Enable inline services

[edit]
lab@MX80-3# show chassis
fpc 1 {
    pic 1 {
        inline-services {
            bandwidth 1g;
        }
    }
}

[edit]
lab@MX80-3#

2. Enable services

[edit]
lab@MX80-3# show services | no-more
nat {
    pool PublicIPs {
        address 213.152.244.0/24;
    }
    rule PrivateToPublic {
        match-direction input;
        term term1 {
            from {
                source-address {
                    10.5.5.0/24;
                }
            }
            then {
                translated {
                    source-pool PublicIPs;
                    translation-type {
                        basic-nat44;
                    }
                }
            }
        }
    }
}
service-set SS1 {
    nat-rules PrivateToPublic;
    interface-service {
        service-interface si-1/1/0.1;
    }
}

[edit]
lab@MX80-3#

3. Configure inline service interface

[edit]
lab@MX80-3# show interfaces si-1/1/0
unit 1 {
    family inet;
}

[edit]
lab@MX80-3#

Testing NAT functionality:

We initiate a basic ping from M7i-5 to the M7i-6 loopback and check the NAT translation on MX80-3.

[edit]
lab@m7i-5# run ping 22.22.22.22 count 5
PING 22.22.22.22 (22.22.22.22): 56 data bytes
64 bytes from 22.22.22.22: icmp_seq=0 ttl=63 time=1.092 ms
64 bytes from 22.22.22.22: icmp_seq=1 ttl=63 time=1.050 ms
64 bytes from 22.22.22.22: icmp_seq=2 ttl=63 time=1.112 ms
64 bytes from 22.22.22.22: icmp_seq=3 ttl=63 time=1.113 ms
64 bytes from 22.22.22.22: icmp_seq=4 ttl=63 time=1.083 ms

--- 22.22.22.22 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.050/1.090/1.113/0.023 ms

[edit]
lab@m7i-5#

From MX80-3

[edit]
lab@MX80-3# run show services inline nat pool
Interface: si-1/1/0, Service set: SS1
NAT pool: PublicIPs, Translation type: BASIC NAT44
Address range: 213.152.244.0-213.152.244.255
NATed packets: 5, deNATed packets: 5, Errors: 0

We see 5 packets that were successfully NATed. Checking further on M7i-6, we see that the incoming ICMP request packets have their source address NATed:

[edit]
lab@m7i-6# run monitor traffic interface ge-0/3/1 size 9999
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on ge-0/3/1, capture size 9999 bytes

Reverse lookup for 224.0.0.5 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.

23:50:51.605898 In IP 19.19.19.1 > 224.0.0.5: OSPFv2, Hello, length 60
23:50:56.103592 Out IP 19.19.19.2 > 224.0.0.5: OSPFv2, Hello, length 60
23:50:56.520655 In IP 213.152.244.1 > 22.22.22.22: ICMP echo request, id 1240, seq 0, length 64
23:50:56.520691 Out IP 22.22.22.22 > 213.152.244.1: ICMP echo reply, id 1240, seq 0, length 64
23:50:57.521571 In IP 213.152.244.1 > 22.22.22.22: ICMP echo request, id 1240, seq 1, length 64
23:50:57.521613 Out IP 22.22.22.22 > 213.152.244.1: ICMP echo reply, id 1240, seq 1, length 64
23:50:58.522468 In IP 213.152.244.1 > 22.22.22.22: ICMP echo request, id 1240, seq 2, length 64
23:50:58.522516 Out IP 22.22.22.22 > 213.152.244.1: ICMP echo reply, id 1240, seq 2, length 64
23:50:59.523328 In IP 213.152.244.1 > 22.22.22.22: ICMP echo request, id 1240, seq 3, length 64
23:50:59.523374 Out IP 22.22.22.22 > 213.152.244.1: ICMP echo reply, id 1240, seq 3, length 64
23:51:00.524404 In IP 213.152.244.1 > 22.22.22.22: ICMP echo request, id 1240, seq 4, length 64
23:51:00.524443 Out IP 22.22.22.22 > 213.152.244.1: ICMP echo reply, id 1240, seq 4, length 64
23:51:00.972417 In IP 19.19.19.1 > 224.0.0.5: OSPFv2, Hello, length 60
^C
13 packets received by filter
0 packets dropped by kernel
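
As an added example (not part of the original article), the following Python script audits a `monitor traffic` capture taken on the outside link, like the one above, confirming that translated sources fall inside pool PublicIPs and flagging any 10.5.5.0/24 address that appears untranslated. The helper name `audit_capture` and the `LEAK` line are constructed for illustration.

```python
import ipaddress
import re

# Values from the article's configuration on MX80-3.
PRIVATE_NET = ipaddress.ip_network("10.5.5.0/24")    # rule PrivateToPublic source-address
NAT_POOL = ipaddress.ip_network("213.152.244.0/24")  # pool PublicIPs

# Matches "<time> In|Out IP src > dst:"; an optional trailing ".port"
# on either address (TCP/UDP lines) is ignored.
LINE_RE = re.compile(
    r"^\S+\s+(In|Out)\s+IP\s+(\d+\.\d+\.\d+\.\d+)(?:\.\d+)?\s+>\s+"
    r"(\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:"
)

def audit_capture(text, private=PRIVATE_NET, pool=NAT_POOL):
    """Classify packets captured on the outside link (hypothetical helper)."""
    result = {"translated": 0, "returned": 0, "leaked": [], "other": 0}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banner lines, ^C, filter counters
        direction = m.group(1)
        src = ipaddress.ip_address(m.group(2))
        dst = ipaddress.ip_address(m.group(3))
        if src in private or dst in private:
            result["leaked"].append(raw.strip())   # private address seen untranslated
        elif direction == "In" and src in pool:
            result["translated"] += 1              # request carrying a pool source
        elif direction == "Out" and dst in pool:
            result["returned"] += 1                # reply addressed to the pool
        else:
            result["other"] += 1                   # for example OSPF hellos
    return result

# Excerpt of the capture shown in the article.
SAMPLE = """\
23:50:51.605898 In IP 19.19.19.1 > 224.0.0.5: OSPFv2, Hello, length 60
23:50:56.520655 In IP 213.152.244.1 > 22.22.22.22: ICMP echo request, id 1240, seq 0, length 64
23:50:56.520691 Out IP 22.22.22.22 > 213.152.244.1: ICMP echo reply, id 1240, seq 0, length 64
"""
# Constructed line: how a private source would appear if it crossed untranslated.
LEAK = "23:51:02.000000 In IP 10.5.5.1 > 22.22.22.22: ICMP echo request, id 1241, seq 0, length 64\n"

if __name__ == "__main__":
    print(audit_capture(SAMPLE))
    print(audit_capture(SAMPLE + LEAK))
```

A non-empty `leaked` list means traffic from the inside subnet reached the outside link without matching the service set.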


