Supported Platforms
Related Documentation
- ACX Series
- Network Address Translation Overview
- Network Address Port Translation Overview
- Enabling Inline Services Interface on ACX Series
- Understanding Service Sets
- Network Address Translation Address Overload in ACX Series
- CoS for NAT Services on ACX Series Universal Access Routers
- Network Address Translation Constraints on ACX
- Configuring Address Pools for Network Address Port Translation (NAPT) Overview
- Network Address Translation Rules Overview
Network Address Translation Rules Overview
To configure a Network Address Translation (NAT) rule, include the rule rule-name statement at the [edit services nat] hierarchy level:
Each rule must include a match-direction statement that specifies the direction in which the match is applied.
Note: ACX Series routers support only input as the match direction.
In addition, each NAT rule consists of a set of terms, similar to a firewall filter. A term consists of the following:
- from statement—Specifies the match conditions and applications that are included and excluded.
- then statement—Specifies the actions and action modifiers to be performed by the router software.
The following sections explain how to configure the components of NAT rules:
Configuring Match Direction for NAT Rules
Each rule must include a match-direction statement that specifies the direction in which the match is applied. To configure where the match is applied, include the match-direction statement at the [edit services nat rule rule-name] hierarchy level:
The match direction is used with respect to the traffic flow through the NAT engine. When a packet is sent to the NAT engine, direction information is carried along with it. The packet direction is determined on the basis of the following criteria:
- With an interface service set, packet direction is determined by whether a packet is entering or leaving the interface on which the service set is applied.
- With a next-hop service set, packet direction is determined by the interface used to route the packet to the NAT engine. If the inside interface is used to route the packet, the packet direction is input. If the outside interface is used to direct the packet to the NAT engine, the packet direction is output. For more information about inside and outside interfaces, see Configuring Service Sets to Be Applied to Services Interfaces.
- On the NAT engine, a flow lookup is performed. If no flow is found, rule processing is performed. All rules in the service set are considered. During rule processing, the packet direction is compared against rule directions. Only rules with direction information that matches the packet direction are considered.
Configuring Match Conditions in NAT Rules
To configure NAT match conditions, include the from statement at the [edit services nat rule rule-name term term-name] hierarchy level:
To configure traditional NAT, you can use the destination address, a range of destination addresses, the source address, or a range of source addresses as a match condition, in the same way as you would configure a firewall filter; for more information, see the Routing Policies, Firewall Filters, and Traffic Policers Feature Guide.
Alternatively, you can specify a list of source or destination prefixes by including the prefix-list statement at the [edit policy-options] hierarchy level and then including either the destination-prefix-list or the source-prefix-list statement in the NAT rule.
Configuring Actions in NAT Rules
To configure NAT actions, include the then statement at the [edit services nat rule rule-name term term-name] hierarchy level:
The no-translation statement enables you to specify addresses that you want excluded from NAT.
The syslog statement enables you to record an alert in the system logging facility.
Configuring Translation Types
The translation-type statement specifies the type of NAT used for source or destination traffic. ACX Series routers support only the napt-44 NAT type. The napt-44 option implements dynamic translation of source IP addresses with port mapping. You must specify a name for the source-pool statement. The referenced pool must include a port configuration. Specifying a port range implies that Network Address Port Translation (NAPT) is used.
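As an added example (not Juniper's code and not part of the original page), the Python check below audits a configuration in `display set` form against the ACX constraints stated above: every rule carries match-direction input, translated terms use napt-44, and the named source pool includes a port configuration. The sample configuration, pool names and rule names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in "display set" form; pool and rule names are hypothetical.
SAMPLE = """\
set services nat pool good-pool address 203.0.113.0/28
set services nat pool good-pool port automatic
set services nat pool bare-pool address 198.51.100.0/28
set services nat rule r-ok match-direction input
set services nat rule r-ok term t1 from source-address 10.1.0.0/16
set services nat rule r-ok term t1 then translated source-pool good-pool
set services nat rule r-ok term t1 then translated translation-type napt-44
set services nat rule r-ok term t2 then no-translation
set services nat rule r-out match-direction output
set services nat rule r-out term t1 then translated source-pool bare-pool
set services nat rule r-out term t1 then translated translation-type napt-44
set services nat rule r-nodir term t1 then translated translation-type napt-44
"""

def audit_acx_nat(config_text):
    """Return sorted findings for the ACX NAT constraints stated on this page."""
    pools_with_port, rules, direction = set(), set(), {}
    translated = defaultdict(dict)  # (rule, term) -> source-pool / translation-type
    for line in config_text.splitlines():
        w = line.split()
        if w[:3] != ["set", "services", "nat"] or len(w) < 6:
            continue
        if w[3] == "pool" and w[5] == "port":
            pools_with_port.add(w[4])          # pool has a port configuration
        elif w[3] == "rule":
            rules.add(w[4])
            if w[5] == "match-direction" and len(w) > 6:
                direction[w[4]] = w[6]
            elif w[5] == "term" and w[7:9] == ["then", "translated"] and len(w) > 10:
                translated[(w[4], w[6])][w[9]] = w[10]
    findings = []
    for rule in rules:
        if rule not in direction:
            findings.append(f"{rule}: missing match-direction")
        elif direction[rule] != "input":
            findings.append(f"{rule}: match-direction {direction[rule]}, ACX supports only input")
    for (rule, term), t in translated.items():
        ttype, pool = t.get("translation-type"), t.get("source-pool")
        if ttype != "napt-44":
            findings.append(f"{rule}/{term}: translation-type {ttype}, ACX supports only napt-44")
        if pool is None:
            findings.append(f"{rule}/{term}: no source-pool named")
        elif pool not in pools_with_port:
            findings.append(f"{rule}/{term}: source-pool {pool} has no port configuration")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit_acx_nat(SAMPLE)))
```

Terms whose action is no-translation are deliberately not checked for a pool, since they exclude addresses from NAT rather than translate them.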
Note: When configuring NAT, if any traffic is destined for the following addresses and does not match a NAT flow or NAT rule, the traffic is dropped:
Modified: 2017-08-31