Simple Nat MX

How to configure a basic NAT service
SUMMARY:
How to configure a basic interface-style source NAT service on M Series and T Series routers equipped with AS-
PIC
SYMPTOMS:
This article provides details and configurations for configuring interface-based NAT services on the M and T series
routers
SOLUTION:
Configure a basic interface style source NAT service on M Series and T Series routers equipped with AS-PIC.
Topology:
---> NAT -->33.33.33.3

[R1] ------------------ [R2] ----------------- [R-NAT] ------------------
[R-Internet]
.1 .2 .2 .1 .2 .
1
192.168.4.0/30 192.168.5.0/30 1.1.6.0/30
In the above scenario, any packet destined to router R-Internet (public address space) with source address
192.168.4.0/30, Network Address Translation (NAT) to the public source IP 33.33.33.3/32 shall be performed. Other
packets, e.g. traffic coming from 192.168.5.0/30 and going to router R-Internet, should not be translated.
The following example shows how to configure the router R-NAT in 4 steps to allow NAT based on the above criteria:
Router R-NAT has the following interfaces and assigned IP addresses:
192.168.5.1/30 1.1.6.2/30
private interface public interface
---- [so-0/3/1 ---> sp-1/2/0 ---> e1-0/2/0:0] ----
Configuration of router R-NAT:
Step 1) Configure the NAT Service :

operator@R-NAT# show services nat
pool NAT_POOL_01 { # Pool to choose the IP address(es) and
the port
address 33.33.33.3/32;
port automatic;
}
rule SVC_NAT_RULES_01 {
match-direction input; # this service will be applied to the
'internal' interface
term A {
from {
source-address {
192.168.4.0/30; # only these source IP will be translated
}
}
then {
translated {
source-pool NAT_POOL_01; # picks the 33.33.33.3
translation-type source dynamic; # allows NAT/PAT
}
}
}
}
Step 2) Configure a Stateful-Firewall to catch the traffic that will be sent to the NAT-Service
In a basic scenario, everything that arrives at the interface where the stateful-firewall service is applied, will be
accepted.
operator@R-NAT# show services stateful-firewall
rule SVC_STAT_FW_01 {
match-direction input;
term A {
then {
accept;
}
}
}
Step 3) Combine (Service-NAT and Stateful-FW) and apply it to the AS-PIC Service-Interface.
This is called a Service-Set..
operator@R-NAT# show services service-set SVC_SET_NAT_01
stateful-firewall-rules SVC_STAT_FW_01;
nat-rules SVC_NAT_RULES_01;
interface-service {
service-interface sp-1/2/0;
}
Note: When doing NAT in routing-instances, you need to use a so called next-hop style service-set. This means,
instead of the whole service-interface of the AS-PIC (sp-1/2/0), you can specify both the inbound unit and the
outbound unit of the service interface:
i.e. : in replacement of
interface-service {
service-interface sp-1/2/0;
}
the configuration would be:
next-hop-service {
inside-service-interface sp-1/2/0.10;
outside-service-interface sp-1/2/0.20;
}
Step 4) Apply all the Service-Set to the inbound interface (the one on the private side):
operator@R-NAT# show interfaces so-0/3/1
unit 0 {
family inet {
service {
input {
service-set SVC_SET_NAT_01;
}
output {
service-set SVC_SET_NAT_01;
}
}
address 192.168.5.1/30;
}
}
Note: The Service interface on the AS-PIC must be configured with family inet :
operator@R-NAT# show interfaces sp-1/2/0
unit 0 {
family inet;
}
How to check your work:
TEST #1:
From router R1, ping router R-Internet: (192.168.4.1 ---> 1.1.6.1)

operator@R1> ping 1.1.6.1
PING 1.1.6.1 (1.1.6.1): 56 data bytes
64 bytes from 1.1.6.1: icmp_seq=0 ttl=62 time=6.675 ms
^C
At the same time monitor traffic on the interface on R-Internet, to check that the source IP has been translated to
source IP 33.33.33.3
operator@R-Internet> monitor traffic interface e1-0/3/0:0 matching icmp
10:30:46.142823 In IP 33.33.33.3 > 1.1.6.1: ICMP echo request seq 2816,
length 64
10:30:46.142891 Out IP 1.1.6.1 > 33.33.33.3: ICMP echo reply seq 2816, length
64
length 64
10:30:47.152947 Out IP 1.1.6.1 > 33.33.33.3: ICMP echo reply seq 3072, length
64
Check the NAT pool on R-NAT (1 address/port is in use)

operator@R-NAT> show services nat pool
Interface: sp-1/2/0, Service set: SVC_SET_NAT_01
NAT pool Type Address Port Ports
used
NAT_POOL_01 dynamic 33.33.33.3-33.33.33.3 512-
65535 1
On R-NAT, check the stateful-firewall for existing flows, and verify that both NAT and PAT are working
operator@R-NAT> show services stateful-firewall flows
Flow State Dir
Frm count
...
ICMP 192.168.4.1:2199 -
> 1.1.6.1 Watch I 4
NAT source 192.168.4.1:2199 -> 33.33.33.3:1029
...
ICMP 1.1.6.1:4 -
> 33.33.33.3 Watch O 3
NAT dest 33.33.33.3:4 -> 192.168.4.1:38674
RSVP 192.168.5.2:0 -
> 192.168.5.1:0 Forward I 7446
...
TEST #2 :
From R2, ping R-Internet: (192.168.5.2 ---> 1.1.6.1)

Note: the source address '192.168.5.2' does NOT match the NAT rule, hence NAT translation should not happen
operator@R2> ping 1.1.6.1
PING 1.1.6.1 (1.1.6.1): 56 data bytes
^C
Again, at the same time monitor traffic on the interface on R-Internet, check that the source IP has not changed
operator@R-Internet> monitor traffic interface e1-0/3/0:0 matching icmp
length 64
10:48:26.842079 Out IP 1.1.6.1 > 192.168.5.2: ICMP echo reply seq 1536,
length 64
length 64
10:48:27.853171 Out IP 1.1.6.1 > 192.168.5.2: ICMP echo reply seq 1792,
length 64
Check the NAT pool on R-NAT (0 address/port is in use)

operator@R-NAT> show services nat pool
NAT pool Type Address Port Ports
used
NAT_POOL_01 dynamic 33.33.33.3-33.33.33.3 512-
65535 0
On router R-NAT, the stateful-firewall for existing flows, and verify that the flow doesn't go through the NAT service:
operator@R-NAT> show services stateful-firewall flows
Flow State Dir Fr
m count
...
ICMP 1.1.6.1:146 -
> 192.168.5.2 Watch O 140
...
ICMP 192.168.5.2:2194 -
> 1.1.6.1 Watch I 140
Another usefull utility for troubleshooting is the "show services stateful-firewall conversations" command line utility.
This gives some more details about the flows. Below is an example of a UDP flow and a TCP flow.
operator@R-NAT> show services stateful-firewall conversations source-prefix

10.10.10.1 extensive
Interface: sp-2/0/0, Service set: nat_WOL
Conversation: ALG protocol: udp

Number of initiators: 1, Number of responders: 1
Flow State Dir Frm count
UDP 10.10.10.1:1709 -> 89.2.0.2:53 Forward I 2
NAT source 10.10.10.1:1709 -> 89.156.172.1:57013
Byte count: 130
Flow role: Master, Timeout: 16
UDP 89.2.0.2:53 -> 89.156.172.1:57013 Forward O 2
NAT dest 89.156.172.1:57013 -> 10.10.10.1:1709
Byte count: 366monitor
Flow role: Responder, Timeout: 16
Conversation: ALG protocol: tcp

Number of initiators: 1, Number of responders: 1
Flow State Dir Frm count
TCP 10.10.10.1:2399 -> 107.21.110.107:80 Forward I 3
NAT source 10.10.10.1:2399 -> 89.156.172.1:57047
Byte count: 1196, TCP established, TCP window size: 16384
TCP acknowledge: 1862629086, TCP tickle enabled, tcp_tickle: 0
Flow role: Master, Timeout: 16
TCP 107.21.110.107:80 -> 89.156.172.1:57047 Forward O 14
NAT dest 89.156.172.1:57047 -> 10.10.10.1:2399
Byte count: 8360, TCP established, TCP window size: 16384
TCP acknowledge: 398524347, TCP tickle enabled, tcp_tickle: 0
Flow role: Responder, Timeout: 26

Simple Nat MX

Încărcat de

Informații document

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Simple Nat MX

Încărcat de

Drepturi de autor:

Formate disponibile

How to configure a basic NAT service

---> NAT -->33.33.33.3

Router R-NAT has the following interfaces and assigned IP addresses:

Configuration of router R-NAT:

Step 1) Configure the NAT Service :

the configuration would be:

How to check your work:

From router R1, ping router R-Internet: (192.168.4.1 ---> 1.1.6.1)

Check the NAT pool on R-NAT (1 address/port is in use)

From R2, ping R-Internet: (192.168.5.2 ---> 1.1.6.1)

Check the NAT pool on R-NAT (0 address/port is in use)

operator@R-NAT> show services stateful-firewall conversations source-prefix

Conversation: ALG protocol: udp

Conversation: ALG protocol: tcp

S-ar putea să vă placă și