
How to configure a basic NAT service


Article ID: KB9337   KB Last Updated: 26 Mar 2020   Version: 4.0
Summary:
How to configure a basic interface-style source NAT service on M Series and T Series routers equipped with an AS-PIC.
Symptoms:
This article provides details and configurations for setting up interface-based NAT services on M Series and T Series routers.
Solution:
Configure a basic interface-style source NAT service on M Series and T Series routers equipped with an AS-PIC.
Topology:

                                                           ---> NAT --> 33.33.33.3
    [R1] ------------------ [R2] ----------------- [R-NAT] ------------------ [R-Internet]
        .1               .2    .2              .1       .2                .1
            192.168.4.0/30         192.168.5.0/30             1.1.6.0/30

 
In the above scenario, any packet destined to router R-Internet (public address space) with a source address in 192.168.4.0/30 must have its source address translated (NAT) to the public IP 33.33.33.3/32. Other packets, e.g. traffic coming from 192.168.5.0/30 and going to router R-Internet, must not be translated.

 

The following example shows how to configure the router R-NAT in 4 steps to allow NAT based on the above criteria:
 
Router R-NAT has the following interfaces and assigned IP addresses:
 
    192.168.5.1/30                                 1.1.6.2/30
    private interface                              public interface
         ---- [so-0/3/1 ---> sp-1/2/0 ---> e1-0/2/0:0] ----

 


Configuration of router R-NAT:
 
Step 1) Configure the NAT service:
operator@R-NAT# show services nat
pool NAT_POOL_01 {                  # Pool to choose the IP address(es) and the port
    address 33.33.33.3/32;
    port automatic;
}
rule SVC_NAT_RULES_01 {
    match-direction input;          # this service will be applied to the 'internal' interface
    term A {
        from {
            source-address {
                192.168.4.0/30;     # only these source IP will be translated
            }
        }
        then {
            translated {
                source-pool NAT_POOL_01;          # picks the 33.33.33.3
                translation-type source dynamic;  # allows NAT/PAT
            }
        }
    }
}

 

Step 2) Configure a stateful firewall to catch the traffic that will be sent to the NAT service.
In a basic scenario, everything that arrives at the interface where the stateful-firewall service is applied will be accepted.
operator@R-NAT# show services stateful-firewall
rule SVC_STAT_FW_01 {
    match-direction input;  
    term A {                
        then {              
            accept;      
        }
    }
}

 

Step 3) Combine the NAT rules and the stateful-firewall rules and apply them to the AS-PIC service interface.
This combination is called a service-set.
operator@R-NAT# show services service-set SVC_SET_NAT_01
stateful-firewall-rules SVC_STAT_FW_01;
nat-rules SVC_NAT_RULES_01;
interface-service {
    service-interface sp-1/2/0;
}



Note: When doing NAT in routing instances, you need to use a so-called next-hop style service-set. This means that instead of referencing the whole service interface of the AS-PIC (sp-1/2/0), you specify both the inbound unit and the outbound unit of the service interface, i.e. in place of:

       interface-service {
          service-interface sp-1/2/0;
       }

        the configuration would be:

        next-hop-service {
            inside-service-interface sp-1/2/0.10;
            outside-service-interface sp-1/2/0.20;
        }

 
 

 


Step 4) Apply the service-set to the inbound interface (the one on the private side):
operator@R-NAT# show interfaces so-0/3/1
unit 0 {
    family inet {
        service {
            input {
                service-set SVC_SET_NAT_01;
            }
            output {
                service-set SVC_SET_NAT_01;
            }
        }
        address 192.168.5.1/30;
    }
}

 
Note: The service interface on the AS-PIC must be configured with family inet:
operator@R-NAT# show interfaces sp-1/2/0
unit 0 {
    family inet;
}
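To make the effect of the four steps above concrete, here is an added Python model of the service-set's decision logic (it is not Junos code and not part of the original article): a dynamic source NAT/PAT pool with a single public address, one rule term matching source-address 192.168.4.0/30, and a function that replays the two test flows used later in this article. The port range 512-65535 is the one the article's "show services nat pool" output reports; the sequential port allocation and the ICMP identifiers used as "ports" are assumptions made for the model.

```python
import ipaddress

# Added model (not Junos code) of the R-NAT service-set configured above:
# pool NAT_POOL_01 = 33.33.33.3/32 with automatic ports, and rule
# SVC_NAT_RULES_01 term A translating only sources in 192.168.4.0/30.
# The port range 512-65535 is the range reported by the article's
# "show services nat pool" output; the sequential allocation below is an
# assumption made for the model (the real PIC picked port 1029 in TEST #1).


class NatPool:
    """Dynamic source NAT/PAT pool: one public address, one port per private (ip, port)."""

    def __init__(self, name, address, port_low=512, port_high=65535):
        self.name = name
        self.address = address
        self._free = iter(range(port_low, port_high + 1))
        self.bindings = {}  # (private_ip, private_port) -> (public_ip, public_port)

    def translate(self, src_ip, src_port):
        key = (src_ip, src_port)
        if key not in self.bindings:
            try:
                self.bindings[key] = (self.address, next(self._free))
            except StopIteration:
                # Edge case: every port of the single public address is bound.
                raise RuntimeError(f"NAT pool {self.name} exhausted") from None
        return self.bindings[key]

    @property
    def ports_used(self):
        return len(self.bindings)


class NatRule:
    """One 'from source-address ... then translated source-pool' term."""

    def __init__(self, name, source_prefixes, pool):
        self.name = name
        self.prefixes = [ipaddress.ip_network(p) for p in source_prefixes]
        self.pool = pool

    def matches(self, src_ip):
        return any(ipaddress.ip_address(src_ip) in p for p in self.prefixes)


def apply_service_set(rule, packets):
    """Return (src_ip, src_port, dst_ip, dst_port) tuples as they leave the public side.

    Packets matching the rule are translated to the pool address; others pass
    unchanged (the stateful-firewall term simply accepts everything).
    """
    out = []
    for src_ip, src_port, dst_ip, dst_port in packets:
        if rule.matches(src_ip):
            pub_ip, pub_port = rule.pool.translate(src_ip, src_port)
            out.append((pub_ip, pub_port, dst_ip, dst_port))
        else:
            out.append((src_ip, src_port, dst_ip, dst_port))
    return out


def run_article_tests():
    """Replay TEST #1 (R1 -> R-Internet) and TEST #2 (R2 -> R-Internet)."""
    pool = NatPool("NAT_POOL_01", "33.33.33.3")
    rule = NatRule("SVC_NAT_RULES_01", ["192.168.4.0/30"], pool)
    # Constructed packets: the ICMP identifiers 2199 and 2194 are the values the
    # article's flow tables show for R1 and R2; ICMP has no destination port.
    packets = [("192.168.4.1", 2199, "1.1.6.1", 0),
               ("192.168.5.2", 2194, "1.1.6.1", 0)]
    return apply_service_set(rule, packets), pool.ports_used


if __name__ == "__main__":
    translated, used = run_article_tests()
    for pkt in translated:
        print(pkt)
    print("ports used:", used)
```

Running the module prints the R1 packet with source 33.33.33.3 and a pool port, the R2 packet unchanged, and "ports used: 1", which is exactly what the "show services nat pool" check in TEST #1 below is expected to report.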

 
 


How to check your work:
  

TEST #1:
 
From router R1, ping router R-Internet (192.168.4.1 ---> 1.1.6.1):
operator@R1> ping 1.1.6.1
PING 1.1.6.1 (1.1.6.1): 56 data bytes
64 bytes from 1.1.6.1: icmp_seq=0 ttl=62 time=6.675 ms
64 bytes from 1.1.6.1: icmp_seq=1 ttl=62 time=6.784 ms
^C

 
At the same time, monitor traffic on the interface on R-Internet to check that the source IP has been translated to 33.33.33.3:
operator@R-Internet> monitor traffic interface e1-0/3/0:0 matching icmp
10:30:46.142823  In IP 33.33.33.3 > 1.1.6.1: ICMP echo request seq 2816, length 64
10:30:46.142891 Out IP 1.1.6.1 > 33.33.33.3: ICMP echo reply seq 2816, length 64
10:30:47.152884  In IP 33.33.33.3 > 1.1.6.1: ICMP echo request seq 3072, length 64
10:30:47.152947 Out IP 1.1.6.1 > 33.33.33.3: ICMP echo reply seq 3072, length 64

 
Check the NAT pool on R-NAT (1 address/port is in use):
operator@R-NAT> show services nat pool
Interface: sp-1/2/0, Service set: SVC_SET_NAT_01
NAT pool          Type    Address                         Port        Ports used
NAT_POOL_01       dynamic           33.33.33.3-33.33.33.3   512-65535          1

 
 
 
On R-NAT, check the stateful firewall for existing flows and verify that both NAT and PAT are working:
operator@R-NAT> show services stateful-firewall flows
Interface: sp-1/2/0, Service set: SVC_SET_NAT_01
Flow                                                        State    Dir       Frm count
...
ICMP           192.168.4.1:2199  ->        1.1.6.1           Watch    I               4
    NAT source         192.168.4.1:2199    ->      33.33.33.3:1029
...
ICMP           1.1.6.1:4         ->        33.33.33.3        Watch    O               3
    NAT dest        33.33.33.3:4           ->      192.168.4.1:38674  
RSVP           192.168.5.2:0     ->        192.168.5.1:0     Forward  I            7446
...

 
 

TEST #2:

From R2, ping R-Internet: (192.168.5.2 ---> 1.1.6.1)
Note: the source address 192.168.5.2 does NOT match the NAT rule, hence NAT translation should not happen.
operator@R2> ping 1.1.6.1
PING 1.1.6.1 (1.1.6.1): 56 data bytes
64 bytes from 1.1.6.1: icmp_seq=0 ttl=63 time=4.571 ms
64 bytes from 1.1.6.1: icmp_seq=1 ttl=63 time=5.668 ms
^C

 
Again, at the same time, monitor traffic on the interface on R-Internet and check that the source IP has not changed:
operator@R-Internet> monitor traffic interface e1-0/3/0:0 matching icmp
10:48:26.842013  In IP 192.168.5.2 > 1.1.6.1: ICMP echo request seq 1536, length 64
10:48:26.842079 Out IP 1.1.6.1 > 192.168.5.2: ICMP echo reply seq 1536, length 64
10:48:27.853111  In IP 192.168.5.2 > 1.1.6.1: ICMP echo request seq 1792, length 64
10:48:27.853171 Out IP 1.1.6.1 > 192.168.5.2: ICMP echo reply seq 1792, length 64

 
 
Check the NAT pool on R-NAT (0 addresses/ports are in use):
operator@R-NAT> show services nat pool
Interface: sp-1/2/0, Service set: SVC_SET_NAT_01
NAT pool          Type    Address                         Port        Ports used
NAT_POOL_01       dynamic           33.33.33.3-33.33.33.3   512-65535          0

 
 
On router R-NAT, check the stateful firewall for existing flows and verify that the flow does not go through the NAT service:
operator@R-NAT> show services stateful-firewall flows
Interface: sp-1/2/0, Service set: SVC_SET_NAT_01
Flow                                                    State    Dir       Frm count
...
ICMP           1.1.6.1:146   ->        192.168.5.2       Watch    O             140
...
ICMP           192.168.5.2:2194  ->        1.1.6.1       Watch    I             140

Another useful utility for troubleshooting is the "show services stateful-firewall conversations" command, which gives more details about the flows. Below is an example of a UDP flow and a TCP flow.

operator@R-NAT> show services stateful-firewall conversations source-prefix 10.10.10.1 extensive
Interface: sp-2/0/0, Service set: nat_WOL


Conversation: ALG protocol: udp
Number of initiators: 1, Number of responders: 1
Flow State Dir Frm count
UDP 10.10.10.1:1709 -> 89.2.0.2:53 Forward I 2
NAT source 10.10.10.1:1709 -> 89.156.172.1:57013
Byte count: 130
Flow role: Master, Timeout: 16
UDP 89.2.0.2:53 -> 89.156.172.1:57013 Forward O 2
NAT dest 89.156.172.1:57013 -> 10.10.10.1:1709
Byte count: 366
Flow role: Responder, Timeout: 16



Conversation: ALG protocol: tcp
Number of initiators: 1, Number of responders: 1
Flow State Dir Frm count
TCP 10.10.10.1:2399 -> 107.21.110.107:80 Forward I 3
NAT source 10.10.10.1:2399 -> 89.156.172.1:57047
Byte count: 1196, TCP established, TCP window size: 16384
TCP acknowledge: 1862629086, TCP tickle enabled, tcp_tickle: 0
Flow role: Master, Timeout: 16
TCP 107.21.110.107:80 -> 89.156.172.1:57047 Forward O 14
NAT dest 89.156.172.1:57047 -> 10.10.10.1:2399
Byte count: 8360, TCP established, TCP window size: 16384
TCP acknowledge: 398524347, TCP tickle enabled, tcp_tickle: 0
Flow role: Responder, Timeout: 26
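The two flow listings above (from "show services stateful-firewall flows" and "show services stateful-firewall conversations") are what an operator reads by eye to confirm that only 192.168.4.0/30 sources received a "NAT source" binding. As an added example, not part of the original article, the Python below parses the flow and NAT lines of either listing and checks every inbound flow against the article's rule: sources in the translated prefix must carry a "NAT source" line pointing at the pool address, and any other source must carry none. The sample text is constructed from the shape of the TEST #1 and TEST #2 output; the column layout is assumed to be whitespace-separated as shown on this page.

```python
import ipaddress

# Constructed sample, shaped like the article's TEST #1 / TEST #2 flow listings
# (not a capture from a device).
SAMPLE_FLOWS = """\
Interface: sp-1/2/0, Service set: SVC_SET_NAT_01
Flow                                                        State    Dir       Frm count
...
ICMP           192.168.4.1:2199  ->        1.1.6.1           Watch    I               4
    NAT source         192.168.4.1:2199    ->      33.33.33.3:1029
ICMP           1.1.6.1:4         ->        33.33.33.3        Watch    O               3
    NAT dest        33.33.33.3:4           ->      192.168.4.1:38674
RSVP           192.168.5.2:0     ->        192.168.5.1:0     Forward  I            7446
ICMP           192.168.5.2:2194  ->        1.1.6.1           Watch    I             140
"""


def parse_flows(text):
    """Parse flow lines and attach the 'NAT source/dest' line that follows one, if any.

    A flow line is 'PROTO src -> dst STATE DIR COUNT' (7 whitespace-separated
    tokens); a NAT line is 'NAT source|dest before -> after'. Headers, '...'
    and the extra lines of the 'conversations' output are skipped.
    """
    flows = []
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] in ("Interface:", "Flow", "..."):
            continue
        if tok[0] == "NAT" and len(tok) == 5 and flows:
            flows[-1]["nat"] = (tok[1], tok[2], tok[4])  # (kind, before, after)
            continue
        if len(tok) == 7 and tok[2] == "->":
            proto, src, _, dst, state, direction, count = tok
            flows.append({"proto": proto, "src": src, "dst": dst, "state": state,
                          "dir": direction, "frames": int(count), "nat": None})
    return flows


def split_endpoint(endpoint):
    """'192.168.4.1:2199' -> ('192.168.4.1', 2199); '1.1.6.1' -> ('1.1.6.1', None)."""
    host, _, port = endpoint.partition(":")
    return host, (int(port) if port else None)


def check_nat_policy(flows, translated_prefixes, pool_address):
    """Return a list of findings; an empty list means the flows match the NAT rule."""
    nets = [ipaddress.ip_network(p) for p in translated_prefixes]
    findings = []
    for f in flows:
        if f["dir"] != "I":  # only inbound (private-side) flows are matched by the rule
            continue
        src_ip, _ = split_endpoint(f["src"])
        should_nat = any(ipaddress.ip_address(src_ip) in n for n in nets)
        nat = f["nat"]
        if should_nat and nat is None:
            findings.append(f"{f['proto']} {f['src']}: expected NAT source, none present")
        elif should_nat and split_endpoint(nat[2])[0] != pool_address:
            findings.append(f"{f['proto']} {f['src']}: translated to {nat[2]}, not pool {pool_address}")
        elif not should_nat and nat is not None:
            findings.append(f"{f['proto']} {f['src']}: unexpectedly translated to {nat[2]}")
    return findings


if __name__ == "__main__":
    parsed = parse_flows(SAMPLE_FLOWS)
    for finding in check_nat_policy(parsed, ["192.168.4.0/30"], "33.33.33.3") or ["OK"]:
        print(finding)
```

Feed the script the saved output of either command; an "OK" confirms the behaviour TEST #1 and TEST #2 look for, and any finding names the flow that was translated when it should not have been, or vice versa.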



 
 
Modification History:
2020-03-22: Article reviewed for accuracy; it is valid and accurate
 
