Example: NAPT Configuration for the MS-MPC

This example shows how to configure network address translation with port translation (NAPT) on an MX series router using a MultiServices Modular Port Concentrator (MS-MPC) as a services interface card.

Requirements

This example uses the following hardware and software components:

  • MX-series router
  • MultiServices Modular Port Concentrator (MS-MPC)
  • Junos OS Release 13.2R1 or higher

Overview

A service provider has chosen an MS-MPC as a platform to provide NAT services to accommodate new subscribers.

Configuration

To configure NAPT44 using the MS-MPC as a services interface card, perform these tasks:

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

set interfaces ge-0/2/0 unit 0 family inet address 10.255.248.2/24
set interfaces xe-1/1/0 unit 0 family inet address 10.255.247.2/24
set interfaces xe-1/1/0 unit 0 family inet service input service-set sset1
set interfaces xe-1/1/0 unit 0 family inet service output service-set sset1
set interfaces ms-3/0/0 unit 0 family inet
set applications application-set accept-algs application junos-http
set applications application-set accept-algs application junos-ftp
set applications application-set accept-algs application junos-tftp
set applications application-set accept-algs application junos-telnet
set applications application-set accept-algs application junos-sip
set applications application-set accept-algs application junos-rtcp
set services stateful-firewall rule sf-rule1 match-direction input-output
set services stateful-firewall rule sf-rule1 term sf-term1 from source-address 10.255.247.0/24
set services stateful-firewall rule sf-rule1 term sf-term1 from application-sets accept-algs
set services stateful-firewall rule sf-rule1 term sf-term1 then accept
set services nat pool napt-pool address 1.1.1.0/24
set services nat pool napt-pool port automatic
* nat rule for napt
set services nat rule nat-rule1 match-direction input
set services nat rule nat-rule1 term nat-term1 from source-address 10.255.247.0/24
set services nat rule nat-rule1 term nat-term1 from application-sets accept-algs
set services nat rule nat-rule1 term nat-term1 then translated source-pool napt-pool
set services nat rule nat-rule1 term nat-term1 then translated translation-type napt-44
* nat rule for basic nat
set services service-set sset1 stateful-firewall-rules sf-rule1
set services service-set sset1 nat-rules nat-rule1
set services service-set sset1 interface-service service-interface ms-3/0/0

Configuring Interfaces

Step-by-Step Procedure

Configure the interfaces required for NAT processing. You will need the following interfaces:

  • A customer-facing interface that handles traffic from and to the customer.
  • An internet-facing interface.
  • A services interface that provides NAT and stateful firewall services to the customer-facing interface.

  1. Configure the interface for the customer-facing interface.
    user@host# edit
    [edit ]
    user@host# set interfaces xe-1/1/0 unit 0 family inet address 10.255.247.2/24
    user@host# set interfaces xe-1/1/0 unit 0 family inet service input service-set sset1
    user@host# set interfaces xe-1/1/0 unit 0 family inet service output service-set sset1
  2. Configure the interface for the Internet-facing interface.
    [edit ]
    user@host# set interfaces ge-0/2/0 unit 0 family inet address 10.255.248.2/24
  3. Configure the interface for the service set that will connect services to the customer-facing interface. In our example, the interface resides on an MS-MPC.
    [edit ]
    user@host# set interfaces ms-3/0/0 unit 0 family inet

Results

Configure an Application Set of Acceptable ALG traffic

Step-by-Step Procedure

Identify the acceptable ALGs for incoming traffic.

  1. Specify an application set that contains acceptable incoming ALG traffic.
    user@host# set applications application-set accept-algs application junos-http
    user@host# set applications application-set accept-algs application junos-ftp
    user@host# set applications application-set accept-algs application junos-tftp
    user@host# set applications application-set accept-algs application junos-telnet
    user@host# set applications application-set accept-algs application junos-sip
    user@host# set applications application-set accept-algs application junos-rtcp

Results

user@host# edit services applications application-set accept-algs
user@host# show
application junos-http;
application junos-ftp;
application junos-tftp;
application junos-telnet;
application junos-sip;
application junos-

Configuring a Stateful Firewall Rule

Step-by-Step Procedure

Configure a stateful firewall rule that accepts traffic from the customer subnet that matches the accept-algs application set.

  1. Specify firewall matching for both input and output directions.
    user@host# set services stateful-firewall rule sf-rule1 match-direction input-output
  2. Identify the source address and the acceptable ALG traffic from the customer-facing interface.
    user@host# set services stateful-firewall rule sf-rule1 term sf-term1 from source-address 10.255.247.0/24
    user@host# set services stateful-firewall rule sf-rule1 term sf-term1 from application-sets accept-algs
    user@host# set services stateful-firewall rule sf-rule1 term sf-term1 then accept

Results

user@host# edit services stateful-firewall
user@host# show
rule sf-rule1 {
    match-direction input-output;
    term sf-term1 {
        from {
            source-address {
                10.255.247.0/24;
            }
            application-sets accept-algs;
        }
        then {
            accept;
        }
    }
}

Configuring NAT Pool and Rule

Step-by-Step Procedure

Configure a NAT pool and rule for address translation with automatic port assignment.

  1. Configure the NAT pool with automatic port assignment.
    user@host# set services nat pool napt-pool address 1.1.1.0/24
    user@host# set services nat pool napt-pool port automatic
  2. Configure a NAT rule that applies translation type napt-44 using the defined NAT pool.
    user@host# set services nat rule nat-rule1 match-direction input
    user@host# set services nat rule nat-rule1 term nat-term1 from source-address 10.255.247.0/24
    user@host# set services nat rule nat-rule1 term nat-term1 from application-sets accept-algs
    user@host# set services nat rule nat-rule1 term nat-term1 then translated source-pool napt-pool
    user@host# set services nat rule nat-rule1 term nat-term1 then translated translation-type napt-44

Results

user@host# edit services nat
user@host# show
pool napt-pool {
    address 1.1.1.0/24;
    port {
        automatic;
    }
}
rule nat-rule1 {
    match-direction input;
    term nat-term1 {
        from {
            source-address {
                10.255.247.0/24;
            }
            application-sets accept-algs; 
        }
        then {
            translated {
                source-pool napt-pool;                 
                translation-type {
                    napt-44;
                }
            }
        }
    }
}

Configuring the Service Set

Step-by-Step Procedure

Configure an interface type service set.

  1. Specify the NAT and stateful firewall rules that apply to customer traffic.
    user@host# set services service-set sset1 stateful-firewall-rules sf-rule1
    user@host# set services service-set sset1 nat-rules nat-rule1
  2. Specify the services interface that applies the rules to customer traffic.
    user@host# set services service-set sset1 interface-service service-interface ms-3/0/0

Results

user@host# edit services service-set sset1
user@host# show
set services service-set sset1 stateful-firewall-rules sf-rule1
set services service-set sset1 nat-rules nat-rule1
set services service-set sset1 interface-service service-interface ms-3/0/0
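
The service set, the NAT rule and the stateful firewall rule in this example reference one another by name only, so one mistyped name leaves the intended policy unattached. The following cross-reference check is an added example, not part of the original documentation or of Junos OS. It assumes a configuration in set format, and the function name find_dangling, the sample text and the rule of skipping names that begin with "junos-" (treated as predefined) are all assumptions of this example.

```python
import re

# Constructed sample: a subset of this page's set commands, with the rule name
# "bat-rule1" deliberately mistyped in the service set so the check has a finding.
SAMPLE = """\
set interfaces xe-1/1/0 unit 0 family inet service input service-set sset1
set interfaces xe-1/1/0 unit 0 family inet service output service-set sset1
set interfaces ms-3/0/0 unit 0 family inet
set applications application-set accept-algs application junos-http
set services stateful-firewall rule sf-rule1 match-direction input-output
set services stateful-firewall rule sf-rule1 term sf-term1 from application-sets accept-algs
set services stateful-firewall rule sf-rule1 term sf-term1 then accept
set services nat pool napt-pool address 1.1.1.0/24
set services nat rule nat-rule1 match-direction input
set services nat rule nat-rule1 term nat-term1 from application-sets accept-algs
set services nat rule nat-rule1 term nat-term1 then translated source-pool napt-pool
set services service-set sset1 stateful-firewall-rules sf-rule1
set services service-set sset1 nat-rules bat-rule1
set services service-set sset1 interface-service service-interface ms-3/0/0
"""

# (kind, pattern that defines a name, pattern that references a name)
CHECKS = [
    ("application-set", r"^set applications application-set (\S+)", r" from application-sets (\S+)"),
    ("nat pool", r"^set services nat pool (\S+)", r" then translated source-pool (\S+)"),
    ("nat rule", r"^set services nat rule (\S+)", r"^set services service-set \S+ nat-rules (\S+)"),
    ("stateful-firewall rule", r"^set services stateful-firewall rule (\S+)",
     r"^set services service-set \S+ stateful-firewall-rules (\S+)"),
    ("service-set", r"^set services service-set (\S+)", r" service (?:input|output) service-set (\S+)"),
    ("services interface", r"^set interfaces (ms-\S+) unit ", r" interface-service service-interface (\S+)"),
]

def find_dangling(config_text):
    """Return sorted (kind, name) pairs that are referenced but never defined."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip().startswith("set ")]
    dangling = set()
    for kind, define_re, ref_re in CHECKS:
        defined = {m.group(1) for l in lines if (m := re.search(define_re, l))}
        for l in lines:
            m = re.search(ref_re, l)
            # Assumption: names starting with "junos-" are predefined, so skip them.
            if m and m.group(1) not in defined and not m.group(1).startswith("junos-"):
                dangling.add((kind, m.group(1)))
    return sorted(dangling)

if __name__ == "__main__":
    for kind, name in find_dangling(SAMPLE):
        print(f"undefined {kind}: {name}")
```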

Published: 2013-08-14