How to configure a basic interface-style source NAT service on M Series and T Series routers equipped with AS-PIC
This article describes how to configure interface-based NAT services on M Series and T Series routers equipped with an AS-PIC, and how to verify that the translation is applied only to the intended traffic.
Configure a basic interface style source NAT service on M Series and T Series routers equipped with AS-PIC.
Topology:

                                                      ---> NAT ---> 33.33.33.3
[R1] ------------------ [R2] ------------------ [R-NAT] ------------------ [R-Internet]
  .1                  .2    .2                .1       .2                  .1
       192.168.4.0/30            192.168.5.0/30              1.1.6.0/30
In the above scenario, any packet destined to router R-Internet (public address space) with a source address in 192.168.4.0/30 is subject to Network Address Translation (NAT) to the public source IP 33.33.33.3/32. Other packets, e.g. traffic coming from 192.168.5.0/30 and going to router R-Internet, must not be translated.
The following example shows how to configure the router R-NAT in 4 steps to allow NAT based on the above criteria.

Router R-NAT has the following interfaces and assigned IP addresses:

      private interface                       public interface
      192.168.5.1/30                          1.1.6.2/30
---- [so-0/3/1 ---> sp-1/2/0 ---> e1-0/2/0:0] ----
Configuration of router R-NAT:
Step 1) Configure the NAT service:
operator@R-NAT# show services nat
pool NAT_POOL_01 {                        # pool from which the IP address(es) and port are chosen
    address 33.33.33.3/32;
    port automatic;
}
rule SVC_NAT_RULES_01 {
    match-direction input;                # this service is applied to the 'internal' interface
    term A {
        from {
            source-address {
                192.168.4.0/30;           # only these source IPs are translated
            }
        }
        then {
            translated {
                source-pool NAT_POOL_01;              # picks 33.33.33.3
                translation-type source dynamic;      # allows NAT/PAT
            }
        }
    }
}
Step 2) Configure a stateful firewall to catch the traffic that will be sent to the NAT service.
In this basic scenario, everything that arrives at the interface where the stateful-firewall service is applied is accepted.
operator@R-NAT# show services stateful-firewall
rule SVC_STAT_FW_01 {
    match-direction input;
    term A {
        then {
            accept;
        }
    }
}
Step 3) Combine the NAT service and the stateful firewall and apply them to the AS-PIC service interface. This combination is called a service-set.
operator@R-NAT# show services service-set SVC_SET_NAT_01
stateful-firewall-rules SVC_STAT_FW_01;
nat-rules SVC_NAT_RULES_01;
interface-service {
    service-interface sp-1/2/0;
}
Note: When doing NAT in routing instances, you need to use a so-called next-hop style service-set. This means that instead of referencing the whole service interface of the AS-PIC (sp-1/2/0), you specify both the inside unit and the outside unit of the service interface, i.e. in place of
interface-service {
    service-interface sp-1/2/0;
}
the configuration would be:
next-hop-service {
    inside-service-interface sp-1/2/0.10;
    outside-service-interface sp-1/2/0.20;
}
Step 4) Apply the service-set to the inbound interface (the one on the private side):
operator@R-NAT# show interfaces so-0/3/1
unit 0 {
    family inet {
        service {
            input {
                service-set SVC_SET_NAT_01;
            }
            output {
                service-set SVC_SET_NAT_01;
            }
        }
        address 192.168.5.1/30;
    }
}
Note: The service interface on the AS-PIC must be configured with family inet:
operator@R-NAT# show interfaces sp-1/2/0
unit 0 {
    family inet;
}
How to check your work:
TEST #1:
From router R1, ping router R-Internet (192.168.4.1 ---> 1.1.6.1):
operator@R1> ping 1.1.6.1
PING 1.1.6.1 (1.1.6.1): 56 data bytes
64 bytes from 1.1.6.1: icmp_seq=0 ttl=62 time=6.675 ms
64 bytes from 1.1.6.1: icmp_seq=1 ttl=62 time=6.784 ms
^C
At the same time, monitor traffic on the interface on R-Internet to check that the source IP has been translated to 33.33.33.3:
operator@R-Internet> monitor traffic interface e1-0/3/0:0 matching icmp
10:30:46.142823 In IP 33.33.33.3 > 1.1.6.1: ICMP echo request seq 2816, length 64
10:30:46.142891 Out IP 1.1.6.1 > 33.33.33.3: ICMP echo reply seq 2816, length 64
10:30:47.152884 In IP 33.33.33.3 > 1.1.6.1: ICMP echo request seq 3072, length 64
10:30:47.152947 Out IP 1.1.6.1 > 33.33.33.3: ICMP echo reply seq 3072, length 64
Check the NAT pool on R-NAT (1 address/port is in use):
operator@R-NAT> show services nat pool
Interface: sp-1/2/0, Service set: SVC_SET_NAT_01
NAT pool        Type       Address                   Port         Ports used
NAT_POOL_01     dynamic    33.33.33.3-33.33.33.3     512-65535    1
On R-NAT, check the stateful firewall for existing flows, and verify that both NAT and PAT are working:
operator@R-NAT> show services stateful-firewall flows
Interface: sp-1/2/0, Service set: SVC_SET_NAT_01
Flow                                        State     Dir   Frm count
...
ICMP  192.168.4.1:2199  ->  1.1.6.1         Watch     I     4
  NAT source 192.168.4.1:2199 -> 33.33.33.3:1029
...
ICMP  1.1.6.1:4         ->  33.33.33.3      Watch     O     3
  NAT dest 33.33.33.3:4 -> 192.168.4.1:38674
RSVP  192.168.5.2:0     ->  192.168.5.1:0   Forward   I     7446
...
TEST #2:
From R2, ping R-Internet (192.168.5.2 ---> 1.1.6.1).
Note: the source address 192.168.5.2 does NOT match the NAT rule, so no NAT translation should happen.
operator@R2> ping 1.1.6.1
PING 1.1.6.1 (1.1.6.1): 56 data bytes
64 bytes from 1.1.6.1: icmp_seq=0 ttl=63 time=4.571 ms
64 bytes from 1.1.6.1: icmp_seq=1 ttl=63 time=5.668 ms
^C
Again, at the same time, monitor traffic on the interface on R-Internet and check that the source IP has not changed:
operator@R-Internet> monitor traffic interface e1-0/3/0:0 matching icmp
10:48:26.842013 In IP 192.168.5.2 > 1.1.6.1: ICMP echo request seq 1536, length 64
10:48:26.842079 Out IP 1.1.6.1 > 192.168.5.2: ICMP echo reply seq 1536, length 64
10:48:27.853111 In IP 192.168.5.2 > 1.1.6.1: ICMP echo request seq 1792, length 64
10:48:27.853171 Out IP 1.1.6.1 > 192.168.5.2: ICMP echo reply seq 1792, length 64
Check the NAT pool on R-NAT (0 addresses/ports are in use):
operator@R-NAT> show services nat pool
Interface: sp-1/2/0, Service set: SVC_SET_NAT_01
NAT pool        Type       Address                   Port         Ports used
NAT_POOL_01     dynamic    33.33.33.3-33.33.33.3     512-65535    0
On router R-NAT, check the stateful firewall for existing flows, and verify that the flow does not go through the NAT service (no "NAT source" line is attached to it):
operator@R-NAT> show services stateful-firewall flows
Interface: sp-1/2/0, Service set: SVC_SET_NAT_01
Flow                                        State     Dir   Frm count
...
ICMP  1.1.6.1:146       ->  192.168.5.2     Watch     O     140
...
ICMP  192.168.5.2:2194  ->  1.1.6.1         Watch     I     140
Another useful troubleshooting command is "show services stateful-firewall conversations", which gives more detail about the flows (byte counts, flow role, timeouts and TCP state). Below is an example of a UDP flow and a TCP flow.
operator@R-NAT> show services stateful-firewall conversations source-prefix 10.10.10.1 extensive
Interface: sp-2/0/0, Service set: nat_WOL
Conversation: ALG protocol: udp
Number of initiators: 1, Number of responders: 1
Flow State Dir Frm count
UDP 10.10.10.1:1709 -> 89.2.0.2:53 Forward I 2
NAT source 10.10.10.1:1709 -> 89.156.172.1:57013
Byte count: 130
Flow role: Master, Timeout: 16
UDP 89.2.0.2:53 -> 89.156.172.1:57013 Forward O 2
NAT dest 89.156.172.1:57013 -> 10.10.10.1:1709
Byte count: 366
Flow role: Responder, Timeout: 16
Conversation: ALG protocol: tcp
Number of initiators: 1, Number of responders: 1
Flow State Dir Frm count
TCP 10.10.10.1:2399 -> 107.21.110.107:80 Forward I 3
NAT source 10.10.10.1:2399 -> 89.156.172.1:57047
Byte count: 1196, TCP established, TCP window size: 16384
TCP acknowledge: 1862629086, TCP tickle enabled, tcp_tickle: 0
Flow role: Master, Timeout: 16
TCP 107.21.110.107:80 -> 89.156.172.1:57047 Forward O 14
NAT dest 89.156.172.1:57047 -> 10.10.10.1:2399
Byte count: 8360, TCP established, TCP window size: 16384
TCP acknowledge: 398524347, TCP tickle enabled, tcp_tickle: 0
Flow role: Responder, Timeout: 26
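The checks in TEST #1 and TEST #2 (and the conversations output above) can be automated: the following Python script, added here as an example and not part of the original article, parses the flow listings and verifies that every inside flow sourced from 192.168.4.0/30 carries a "NAT source" translation to the pool address and that no other inside flow is translated. The embedded sample output is constructed from the article's examples, and the function names parse_flows and audit are this example's own.

```python
import ipaddress
import re

# Constructed sample (not captured from a router), modelled on the
# 'show services stateful-firewall flows' output shown in this article.
SAMPLE_FLOWS = """\
Flow                                   State    Dir   Frm count
ICMP 192.168.4.1:2199 -> 1.1.6.1       Watch    I     4
  NAT source 192.168.4.1:2199 -> 33.33.33.3:1029
ICMP 1.1.6.1:4 -> 33.33.33.3           Watch    O     3
  NAT dest 33.33.33.3:4 -> 192.168.4.1:38674
ICMP 192.168.5.2:2194 -> 1.1.6.1       Watch    I     140
RSVP 192.168.5.2:0 -> 192.168.5.1:0    Forward  I     7446
"""
IP = r"(\d+\.\d+\.\d+\.\d+)"
# Flow line: PROTO SRC:SPORT -> DST[:DPORT] STATE DIR FRM-COUNT
FLOW_RE = re.compile(rf"^(\w+)\s+{IP}:(\d+)\s+->\s+{IP}(?::(\d+))?\s+(\w+)\s+([IO])\s+(\d+)\s*$")
# Translation line printed under the flow it belongs to: NAT source|dest A:P -> B:Q
NAT_RE = re.compile(rf"^\s*NAT (source|dest)\s+{IP}:(\d+)\s+->\s+{IP}:(\d+)")

def parse_flows(text):
    """One dict per flow line; a 'NAT ...' line that follows is attached to that flow."""
    flows = []
    for line in text.splitlines():
        if m := FLOW_RE.match(line):
            flows.append({"proto": m.group(1), "src": m.group(2), "dst": m.group(4),
                          "dir": m.group(7), "nat": None})
        elif (n := NAT_RE.match(line)) and flows:
            flows[-1]["nat"] = {"kind": n.group(1), "to_addr": n.group(4)}
    return flows

def audit(text, nat_prefix, pool_address):
    """Findings for inbound flows that violate the NAT rule; an empty list means OK."""
    prefix = ipaddress.ip_network(nat_prefix)
    findings = []
    for f in parse_flows(text):
        if f["dir"] != "I":          # only the private->public direction is rule-matched
            continue
        in_scope = ipaddress.ip_address(f["src"]) in prefix
        translated = f["nat"] is not None and f["nat"]["kind"] == "source"
        where = f"{f['proto']} {f['src']} -> {f['dst']}"
        if in_scope and not translated:
            findings.append(f"untranslated: {where}")
        elif in_scope and f["nat"]["to_addr"] != pool_address:
            findings.append(f"wrong pool address {f['nat']['to_addr']}: {where}")
        elif not in_scope and translated:
            findings.append(f"unexpected translation: {where}")
    return findings
```

Paste the real output of "show services stateful-firewall flows" or "... conversations" in place of SAMPLE_FLOWS; audit(text, "192.168.4.0/30", "33.33.33.3") returns an empty list when the rule behaves as this article describes.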
2020-03-22: Article reviewed for accuracy; it is valid and accurate.