SUMMARY:
How to configure a basic interface-style source NAT service on M Series and T Series routers equipped with an AS-PIC
SYMPTOMS:
This article describes the configuration of interface-style source NAT services on M Series and T Series routers equipped with an AS-PIC.
SOLUTION:
Configure a basic interface-style source NAT service on M Series and T Series routers equipped with an AS-PIC.
Topology:
In the scenario below, any packet with a source address in 192.168.4.0/30 that is destined to router R-Internet (public address space) must have its source address translated (Network Address Translation, NAT) to the public address 33.33.33.3/32. Other traffic, e.g. packets from 192.168.5.0/30 going to R-Internet, must not be translated.
The following example shows how to configure router R-NAT in 4 steps to perform NAT according to these criteria (Step 1, the definition of the NAT rule SVC_NAT_RULES_01 itself, is not reproduced in this article):
Topology of R-NAT (private side on the left, public side on the right):

  192.168.5.1/30                                         1.1.6.2/30
  private interface                                      public interface
  ---- [ so-0/3/1 ---> sp-1/2/0 (AS-PIC) ---> e1-0/2/0:0 ] ----
Step 2) Configure a stateful firewall rule to catch the traffic that will be sent to the NAT service.
In this basic scenario, everything arriving on the interface where the service set is applied is accepted. The rule performs no filtering; it only hands all input-direction traffic to the service set so that flows are created. In a production deployment you would normally restrict the terms of this rule to the prefixes and protocols that are actually expected.
operator@R-NAT# show services stateful-firewall
rule SVC_STAT_FW_01 {
    match-direction input;
    term A {
        then {
            accept;
        }
    }
}
Step 3) Combine the NAT rules and the stateful firewall rules and bind them to the AS-PIC service interface.
This combination is called a service set.
operator@R-NAT# show services service-set SVC_SET_NAT_01
stateful-firewall-rules SVC_STAT_FW_01;
nat-rules SVC_NAT_RULES_01;
interface-service {
    service-interface sp-1/2/0;
}
Note: When NAT is performed between routing instances, a so-called next-hop style service set is required. Instead of referencing the whole service interface of the AS-PIC (sp-1/2/0), you specify an inside logical unit and an outside logical unit of the service interface, i.e. replace

interface-service {
    service-interface sp-1/2/0;
}

with

next-hop-service {
    inside-service-interface sp-1/2/0.10;
    outside-service-interface sp-1/2/0.20;
}
Step 4) Apply the service set to the inbound interface (the one on the private side), in both the input and the output direction:
operator@R-NAT# show interfaces so-0/3/1
unit 0 {
    family inet {
        service {
            input {
                service-set SVC_SET_NAT_01;
            }
            output {
                service-set SVC_SET_NAT_01;
            }
        }
        address 192.168.5.1/30;
    }
}
Note: The service interface on the AS-PIC must be configured with family inet:
operator@R-NAT# show interfaces sp-1/2/0
unit 0 {
    family inet;
}
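For reference, the four steps assembled into one hierarchical configuration. This is an added example, not a configuration taken from the article: the article does not show Step 1, so the NAT pool (SVC_NAT_POOL_01, a name chosen here), the term name and the rule body are assumptions, written in the AS-PIC era syntax (translation-type source dynamic; on more recent Junos releases the equivalent is translation-type napt-44). The pool address, the private prefix, the rule, service-set and interface names are taken from the article.

```junos
services {
    nat {
        /* Assumed Step 1 (not shown in the article): the public address that
           192.168.4.0/30 is translated to. "port automatic" turns on port
           translation (PAT), which is what the 33.33.33.3:1029 entry in the
           flow table reflects. */
        pool SVC_NAT_POOL_01 {
            address 33.33.33.3/32;
            port automatic;
        }
        rule SVC_NAT_RULES_01 {
            match-direction input;
            term PRIVATE_4_TO_PUBLIC {
                from {
                    source-address 192.168.4.0/30;
                }
                then {
                    translated {
                        source-pool SVC_NAT_POOL_01;
                        translation-type source dynamic;
                    }
                }
            }
            /* No term matches 192.168.5.0/30, so that traffic is forwarded
               untranslated, as the scenario requires. */
        }
    }
    /* Step 2: accept-all stateful firewall rule in the input direction. */
    stateful-firewall {
        rule SVC_STAT_FW_01 {
            match-direction input;
            term A {
                then {
                    accept;
                }
            }
        }
    }
    /* Step 3: interface-style service set bound to the AS-PIC. */
    service-set SVC_SET_NAT_01 {
        stateful-firewall-rules SVC_STAT_FW_01;
        nat-rules SVC_NAT_RULES_01;
        interface-service {
            service-interface sp-1/2/0;
        }
    }
}
interfaces {
    /* The AS-PIC service interface needs family inet. */
    sp-1/2/0 {
        unit 0 {
            family inet;
        }
    }
    /* Step 4: the service set on the private-side interface, both directions. */
    so-0/3/1 {
        unit 0 {
            family inet {
                service {
                    input {
                        service-set SVC_SET_NAT_01;
                    }
                    output {
                        service-set SVC_SET_NAT_01;
                    }
                }
                address 192.168.5.1/30;
            }
        }
    }
}
```

Traffic that matches no NAT term is not dropped by the NAT rule; it is simply forwarded with its original addresses, which is how 192.168.5.0/30 reaches R-Internet untranslated in TEST #2 while still passing through the stateful firewall.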
TEST #1:
Send ICMP traffic from 192.168.4.1 to R-Internet (1.1.6.1). At the same time, monitor traffic on the interface on R-Internet to check that the source IP has been translated to 33.33.33.3:
operator@R-Internet> monitor traffic interface e1-0/3/0:0 matching icmp
10:30:46.142823 In IP 33.33.33.3 > 1.1.6.1: ICMP echo request seq 2816, length 64
10:30:46.142891 Out IP 1.1.6.1 > 33.33.33.3: ICMP echo reply seq 2816, length 64
10:30:47.152884 In IP 33.33.33.3 > 1.1.6.1: ICMP echo request seq 3072, length 64
10:30:47.152947 Out IP 1.1.6.1 > 33.33.33.3: ICMP echo reply seq 3072, length 64
On R-NAT, check the stateful firewall for existing flows and verify that both address translation (NAT) and port translation (PAT) are applied (192.168.4.1:2199 becomes 33.33.33.3:1029):
operator@R-NAT> show services stateful-firewall flows
Interface: sp-1/2/0, Service set: SVC_SET_NAT_01
Flow                                          State    Dir  Frm count
...
ICMP  192.168.4.1:2199  -> 1.1.6.1            Watch    I    4
  NAT source 192.168.4.1:2199 -> 33.33.33.3:1029
...
ICMP  1.1.6.1:4         -> 33.33.33.3         Watch    O    3
  NAT dest 33.33.33.3:4 -> 192.168.4.1:38674
...
RSVP  192.168.5.2:0     -> 192.168.5.1:0      Forward  I    7446
...
TEST #2:
Send ICMP traffic from 192.168.5.2 to R-Internet (1.1.6.1). Again, monitor traffic on the interface on R-Internet at the same time and check that the source IP has not been changed:
operator@R-Internet> monitor traffic interface e1-0/3/0:0 matching icmp
10:48:26.842013 In IP 192.168.5.2 > 1.1.6.1: ICMP echo request seq 1536, length 64
10:48:26.842079 Out IP 1.1.6.1 > 192.168.5.2: ICMP echo reply seq 1536, length 64
10:48:27.853111 In IP 192.168.5.2 > 1.1.6.1: ICMP echo request seq 1792, length 64
10:48:27.853171 Out IP 1.1.6.1 > 192.168.5.2: ICMP echo reply seq 1792, length 64
Another useful troubleshooting command is "show services stateful-firewall conversations", which gives more detail about the flows than the flows output above. Below is an example of a UDP flow and a TCP flow.