

[MX] Example - Configuring for performing basic-nat44 and dnat-44 via the same service set


Article ID: KB29708 KB Last Updated: 06 Feb 2015Version: 1.0
Summary:

This article provides a working configuration for performing basic-nat44 and dnat-44 over the same service set.

This scenario will be useful when the customer wants to simultaneously perform:

  • Source NAT (basic-nat44) for traffic originating from hosts on the internal LAN
  • Destination NAT (dnat-44) for traffic originating from external public IPs and addressed to the public (pool) address
Symptoms:

Topology:



10.1.1.10-----------ge-3/1/2-(LAN)------MX----ge-3/1/0(Internet)--------------172.16.1.9

Interface Configuration:

MX# show interfaces ge-3/1/0
unit 0 {
    family inet {
        address 172.16.1.8/24;
    }
}


MX# show interfaces ge-3/1/2
unit 0 {
    family inet {
        service {
            input {
                service-set SNAT1;
            }
            output {
                service-set SNAT1;
            }
        }
        address 10.1.1.1/24;
    }
}

MX# show interfaces sp-1/0/0
unit 0 {
    family inet;
}

Service Set Configuration:


MX# show services service-set SNAT1
nat-rules SNAT1; <<<<<
nat-rules DNAT; <<<<<<
interface-service {
    service-interface sp-1/0/0;
}

NAT Services Configuration:

MX# show services | no-more
service-set SNAT1 {
    nat-rules SNAT1; <<<<<<
    nat-rules DNAT; <<<<<<<<
    interface-service {
        service-interface sp-1/0/0;
    }
}

nat {
    pool snat-pool {
        address 172.16.1.10/32;
    }
    pool dnat-pool2 {
        address 10.1.1.10/32;
    }
    rule SNAT1 {
        match-direction input;
        term 1 {
            from {
                source-address {
                    10.1.1.10/32;
                }
                destination-address {
                    172.16.1.0/24;
                }
            }
            then {
                translated {
                    source-pool snat-pool;
                    translation-type {
                        basic-nat44; <<<<<<<<<<<<<<< Source NAT
                    }
                }
            }
        }
    }
    rule DNAT {
        match-direction output;
        term 1 {
            from {
                source-address {
                    172.16.1.9/32;
                }
                destination-address {
                    172.16.1.10/32;
                }
            }
            then {
                translated {
                    destination-pool dnat-pool2;
                    translation-type {
                        dnat-44; <<<<<<<<<<<<<<< Destination NAT
                    }
                }
            }
        }
    }
}
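The two rules above only translate what their from clauses and match-direction select; everything else passes the service set untranslated. The following is an added Python model of that behaviour (example code, not Junos code and not part of this article). It assumes, as a simplification, that terms are tried in configuration order with the first match winning, and that match-direction is relative to ge-3/1/2, where the service set is applied: "input" means a packet arriving from the LAN, "output" a packet leaving toward the LAN. It also checks the property the verification below relies on: a reply to a translated packet is translated back to the original host, which holds only because snat-pool (172.16.1.10) and dnat-pool2 (10.1.1.10) describe the same 1:1 mapping.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Simplified model of the NAT rules configured in this article. Assumptions (not
# Junos semantics verified against a device): terms are evaluated in order, the
# first matching term wins, and "input"/"output" are relative to ge-3/1/2.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str  # "input" (from the LAN) or "output" (toward the LAN)


@dataclass(frozen=True)
class Term:
    rule: str
    match_direction: str
    from_src: str           # prefix from the term's "from source-address"
    from_dst: str           # prefix from the term's "from destination-address"
    translation_type: str   # "basic-nat44" (source) or "dnat-44" (destination)
    pool: str               # /32 pool address the matching packet is rewritten to


# The terms as configured on the page: rule SNAT1 (input) and rule DNAT (output).
TERMS: List[Term] = [
    Term("SNAT1", "input", "10.1.1.10/32", "172.16.1.0/24", "basic-nat44", "172.16.1.10/32"),
    Term("DNAT", "output", "172.16.1.9/32", "172.16.1.10/32", "dnat-44", "10.1.1.10/32"),
]


def term_matches(term: Term, pkt: Packet) -> bool:
    """A term matches only in its own direction and only on both address prefixes."""
    return (term.match_direction == pkt.direction
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(term.from_src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(term.from_dst))


def apply_nat(pkt: Packet, terms: List[Term] = TERMS) -> Tuple[Packet, Optional[str]]:
    """Return the translated packet and the rule that matched (None = untranslated).

    basic-nat44 and dnat-44 are static 1:1 address translations, so only the
    address named by the translation type is rewritten; ports are untouched.
    """
    for term in terms:
        if not term_matches(term, pkt):
            continue
        pool_addr = str(ipaddress.ip_network(term.pool).network_address)
        if term.translation_type == "basic-nat44":
            return replace(pkt, src=pool_addr), term.rule
        if term.translation_type == "dnat-44":
            return replace(pkt, dst=pool_addr), term.rule
    return pkt, None


def reply_maps_back(pkt: Packet, terms: List[Term] = TERMS) -> bool:
    """True if the reply to the translated packet is mapped back to the original host.

    A packet that no term translates returns False: without a translation there
    is no mapping to check.
    """
    fwd, rule = apply_nat(pkt, terms)
    if rule is None:
        return False
    reply = Packet(src=fwd.dst, dst=fwd.src,
                   direction="output" if pkt.direction == "input" else "input")
    back, _ = apply_nat(reply, terms)
    return (back.src, back.dst) == (pkt.dst, pkt.src)


if __name__ == "__main__":
    for p in (Packet("10.1.1.10", "172.16.1.9", "input"),       # LAN host to 172.16.1.9
              Packet("172.16.1.9", "172.16.1.10", "output"),    # 172.16.1.9 to the public address
              Packet("172.16.1.20", "172.16.1.10", "output")):  # not in the DNAT term's from clause
        out, rule = apply_nat(p)
        print(f"{p.src} -> {p.dst} ({p.direction}): rule={rule}, "
              f"translated {out.src} -> {out.dst}, reply maps back={reply_maps_back(p)}")
```

The third packet in the usage block shows the restriction worth knowing before deploying this: because the DNAT term's from clause names only 172.16.1.9/32, any other external host sending to 172.16.1.10 is not translated by this rule.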

Verification:

  • When traffic is initiated from 10.1.1.10 to 172.16.1.9, source NAT should kick in, and the translated source IP should be taken from snat-pool (172.16.1.10).
  • When traffic is initiated from 172.16.1.9 to 172.16.1.10, destination NAT should use dnat-pool2 (10.1.1.10): the destination should be translated to 10.1.1.10, and the corresponding flows need to be created. Note that the DNAT term matches only source 172.16.1.9/32, so traffic from other external hosts to 172.16.1.10 is not translated by this rule.

Use the following commands to verify the flows:

  • show services stateful-firewall flows
  • show services stateful-firewall conversations
  • show services stateful-firewall conversations protocol <protocol>

Commands:

MX# run show services stateful-firewall flows
Interface: sp-1/0/0, Service set: SNAT1
Flow                                                State    Dir       Frm count

ICMP        172.16.1.9       ->    172.16.1.10       Watch    O              52
    NAT dest       172.16.1.10         ->       10.1.1.10
ICMP         10.1.1.10       ->     172.16.1.9       Watch    I              52
    NAT source       10.1.1.10         ->     172.16.1.10


[edit]
MX# run show services stateful-firewall flows
Interface: sp-1/0/0, Service set: SNAT1
Flow                                                State    Dir       Frm count
ICMP        172.16.1.9       ->    172.16.1.10       Watch    O            1000
    NAT dest       172.16.1.10         ->       10.1.1.10
ICMP        172.16.1.9       ->    172.16.1.10       Watch    O            1000
    NAT dest       172.16.1.10         ->       10.1.1.10
ICMP         10.1.1.10       ->     172.16.1.9       Watch    I            1000
    NAT source       10.1.1.10         ->     172.16.1.10
ICMP         10.1.1.10       ->     172.16.1.9       Watch    I            1000
    NAT source       10.1.1.10         ->     172.16.1.10
ICMP         10.1.1.10       ->     172.16.1.9       Watch    I            1000
    NAT source       10.1.1.10         ->     172.16.1.10
ICMP        172.16.1.9       ->    172.16.1.10       Watch    O            1000
    NAT dest       172.16.1.10         ->       10.1.1.10


MX# run show services stateful-firewall conversations protocol icmp
Interface: sp-1/0/0, Service set: SNAT1

Conversation: ALG protocol: icmp
  Number of initiators: 1, Number of responders: 1
Flow                                                State    Dir       Frm count
ICMP        172.16.1.9       ->    172.16.1.10       Watch    O            1000
    NAT dest       172.16.1.10         ->       10.1.1.10
ICMP         10.1.1.10       ->     172.16.1.9       Watch    I            1000
    NAT source       10.1.1.10         ->     172.16.1.10

Conversation: ALG protocol: icmp
  Number of initiators: 1, Number of responders: 1
Flow                                                State    Dir       Frm count
ICMP         10.1.1.10       ->     172.16.1.9       Watch    I            1000
    NAT source       10.1.1.10         ->     172.16.1.10
ICMP        172.16.1.9       ->    172.16.1.10       Watch    O            1000
    NAT dest       172.16.1.10         ->       10.1.1.10

Conversation: ALG protocol: icmp
  Number of initiators: 1, Number of responders: 1
Flow                                                State    Dir       Frm count
ICMP         10.1.1.10       ->     172.16.1.9       Watch    I            1000
    NAT source       10.1.1.10         ->     172.16.1.10
ICMP        172.16.1.9       ->    172.16.1.10       Watch    O            1000
    NAT dest       172.16.1.10         ->       10.1.1.10

Now, bidirectional traffic is working fine.
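Rather than reading the flow table by eye, the following added Python example (not from this article and not Junos code) parses the output of show services stateful-firewall flows and confirms that every flow carries the translation this configuration is supposed to produce: input flows must show NAT source 10.1.1.10 -> 172.16.1.10 (rule SNAT1) and output flows NAT dest 172.16.1.10 -> 10.1.1.10 (rule DNAT). The sample text is the first flows output shown above plus one constructed TCP flow with no NAT line, so that the check has something to flag; the expected translations are taken from the two rules on this page.

```python
import re
from typing import Dict, List

# Sample output: the first "show services stateful-firewall flows" from this article,
# plus one constructed TCP flow (the last line) that carries no NAT translation.
SAMPLE_FLOWS = """\
Interface: sp-1/0/0, Service set: SNAT1
Flow                                                State    Dir       Frm count

ICMP        172.16.1.9       ->    172.16.1.10       Watch    O              52
    NAT dest       172.16.1.10         ->       10.1.1.10
ICMP         10.1.1.10       ->     172.16.1.9       Watch    I              52
    NAT source       10.1.1.10         ->     172.16.1.10
TCP          10.1.1.10       ->     172.16.1.9       Watch    I               3
"""

# A flow line: proto, src -> dst, state, direction (I/O), frame count.
FLOW_RE = re.compile(
    r"^(?P<proto>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+"
    r"(?P<state>\S+)\s+(?P<dir>[IO])\s+(?P<frames>\d+)\s*$")
# The indented NAT line that belongs to the flow line just above it.
NAT_RE = re.compile(r"^\s+NAT (?P<kind>source|dest)\s+(?P<before>\S+)\s+->\s+(?P<after>\S+)\s*$")

# Expected translation per direction, taken from rules SNAT1 and DNAT on this page.
EXPECTED = {
    "I": ("source", "10.1.1.10", "172.16.1.10"),   # basic-nat44 into snat-pool
    "O": ("dest", "172.16.1.10", "10.1.1.10"),     # dnat-44 into dnat-pool2
}


def parse_flows(text: str) -> List[Dict]:
    """Turn the CLI output into a list of flow dicts, each with its NAT line (or None)."""
    flows: List[Dict] = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            flow = m.groupdict()
            flow["frames"] = int(flow["frames"])
            flow["nat"] = None
            flows.append(flow)
            continue
        m = NAT_RE.match(line)
        if m and flows:
            flows[-1]["nat"] = m.groupdict()
    return flows


def check_flows(flows: List[Dict], expected: Dict = EXPECTED) -> List[str]:
    """Return one message per flow whose translation is missing or not the configured one."""
    problems = []
    for f in flows:
        kind, before, after = expected[f["dir"]]
        label = f"{f['proto']} {f['src']} -> {f['dst']} ({f['dir']})"
        nat = f["nat"]
        if nat is None:
            problems.append(f"{label}: no NAT translation on this flow")
            continue
        # The address being rewritten must be the flow's own source or destination.
        field = "src" if nat["kind"] == "source" else "dst"
        if (nat["kind"], nat["before"], nat["after"]) != (kind, before, after) or f[field] != before:
            problems.append(f"{label}: NAT {nat['kind']} {nat['before']} -> {nat['after']}, "
                            f"expected {kind} {before} -> {after}")
    return problems


def frames_by_direction(flows: List[Dict]) -> Dict[str, int]:
    """Frame totals per direction, a quick sanity check that both sides are passing traffic."""
    totals = {"I": 0, "O": 0}
    for f in flows:
        totals[f["dir"]] += f["frames"]
    return totals


if __name__ == "__main__":
    parsed = parse_flows(SAMPLE_FLOWS)
    print(f"{len(parsed)} flows, frames by direction: {frames_by_direction(parsed)}")
    for msg in check_flows(parsed) or ["all flows carry the expected translation"]:
        print(msg)
```

On a real box, feed the script the output of "show services stateful-firewall flows" captured from the CLI; a flow without a NAT line, or with a translation other than the two configured pools, is the first thing to look at when traffic is not being translated.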

Note:

  • An MS-DPC services card is needed on the MX240, MX480, and MX960.
  • The MX80, MX40, MX10, and MX5 need an MS-MIC; the configuration might differ and is not discussed here.
Solution:

To perform both source and destination NAT, configure the SNAT and DNAT NAT rules under the same service set and apply that service set on both the input and the output side of the LAN-facing interface (ge-3/1/2 in this example), so that traffic in both directions passes through the same service interface.

Example:

MX# show services service-set SNAT1
nat-rules SNAT1;<<<<<
nat-rules DNAT;<<<<<<
interface-service {
    service-interface sp-1/0/0;
}



MX# show interfaces ge-3/1/2
unit 0 {
    family inet {
        service {
            input {
                service-set SNAT1;
            }
            output {
                service-set SNAT1;
            }
        }
        address 10.1.1.1/24;
    }
}

