Configuring Service Sets for Network Address Translation

18-Jun-20

When configuring a service set for NAT processing, make sure you have defined:

  • Service interface(s) for handling inbound and outbound traffic

    Note

    Prior to Junos OS Release 11.4R3, you could only use a source NAT pool in a single service set. As of Junos OS Release 11.4R3 and subsequent releases, you can reuse a source or destination NAT pool in multiple service sets, provided that the service interfaces associated with the service sets are in different virtual routing and forwarding (VRF) instances.

    • For interface style service sets, when a NAT pool is reused in multiple service sets, the service interfaces used in the interface-service service-interface option of each service set must be in different VRFs.

    • For next-hop style service sets, when a NAT pool is reused in multiple service sets, the service interfaces used in the outside-interface option of each service set must be in different VRFs.

      If these service interface restrictions are not followed, multiple routes are installed in the same VRF for the same NAT addresses, and reverse (return) traffic is processed incorrectly.

    To enable sharing of source NAT pools, include the allow-overlapping-nat-pools statement at the [edit services nat] hierarchy level.

  • A NAT rule or ruleset

Note

To configure an MS-DPC interface to be used exclusively for carrier-grade NAT (CGN) or related services (intrusion detection, stateful firewall, and softwire), include the cgn-pic statement at the [edit interfaces interface-name services-options] hierarchy level. This allows CGN to access all of the available memory on the MS-DPC.

To configure a NAT service set:

  1. At the [edit services] hierarchy level, define the service set.
    [edit services]
    user@host# edit service-set service-set-name
  2. Configure either an interface service, which requires a single service interface, or a next-hop service, which requires an inside and outside service interface.
    [edit services service-set service-set-name]
    user@host# set interface-service service-interface interface-name

    Or

    [edit services service-set service-set-name]
    user@host# set next-hop-service inside-service-interface interface-name outside-service-interface interface-name
    Note

    On ACX Series routers, or on a Trio-based line card (MPC/MIC), you can instead use an inline-services (si-) interface configured on that card, as shown in this example:

    [edit]
    user@host# set interfaces si-0/0/0
    [edit services service-set s1]
    user@host# set interface-service service-interface si-0/0/0

    For more information on interface service and next-hop service, see “Configuring Service Sets to be Applied to Services Interfaces.”

  3. Configure a reference to the NAT rules or ruleset to be used with the service set.
    [edit services service-set service-set-name]
    user@host# set nat-rules rule-or-ruleset-name
  4. (Optional) For NAT64, specify that the don’t fragment (DF) bit in IPv4 packet headers is cleared when the packet length is less than 1280 bytes.
    [edit services service-set service-set-name]
    user@host# set nat-options stateful-nat64 clear-dont-fragment-bit
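
The following is an added, complete set-format example (not from the original page) that carries steps 1 through 3 through for two interface-style service sets and, at the same time, illustrates the pool-sharing rule from the note above: both service sets reference one source NAT pool, which is permitted only because their service interfaces (units 0 and 1 of the same MS-DPC) are placed in different VRFs, and allow-overlapping-nat-pools is set at [edit services nat]. The optional NAT64 step 4 is not shown because this example translates IPv4 to IPv4 (basic-nat44). All names and addresses are constructed for illustration: the VRFs cust-a and cust-b, the service sets ss-cust-a and ss-cust-b, the pool shared-pool, the rule src-nat-rule, the private source range 10.0.0.0/8, the public pool 203.0.113.0/24, the customer-facing ge- interfaces, and the private AS number 65000 used in the route distinguishers. Lines beginning with # are explanatory comments, not configuration statements.

```junos
# Dedicate the MS-DPC PIC to CGN and related services (cgn-pic, per the note above)
# and create one service interface unit per customer VRF.
set interfaces ms-0/0/0 services-options cgn-pic
set interfaces ms-0/0/0 unit 0 family inet
set interfaces ms-0/0/0 unit 1 family inet

# Constructed customer-facing interfaces, one per VRF.
set interfaces ge-0/0/1 unit 0 family inet address 10.1.0.1/24
set interfaces ge-0/0/2 unit 0 family inet address 10.2.0.1/24

# Hypothetical VRFs. The service interface units used by the two service sets
# are in DIFFERENT VRFs; this is what makes reusing shared-pool below legal.
set routing-instances cust-a instance-type vrf
set routing-instances cust-a route-distinguisher 65000:1
set routing-instances cust-a vrf-target target:65000:1
set routing-instances cust-a interface ge-0/0/1.0
set routing-instances cust-a interface ms-0/0/0.0
set routing-instances cust-b instance-type vrf
set routing-instances cust-b route-distinguisher 65000:2
set routing-instances cust-b vrf-target target:65000:2
set routing-instances cust-b interface ge-0/0/2.0
set routing-instances cust-b interface ms-0/0/0.1

# Allow one source NAT pool to be referenced by more than one service set,
# then define the shared pool (constructed documentation prefix).
set services nat allow-overlapping-nat-pools
set services nat pool shared-pool address 203.0.113.0/24

# One NAT rule, matched on traffic entering the service interface: translate
# private sources in 10.0.0.0/8 one-to-one from the shared pool.
set services nat rule src-nat-rule match-direction input
set services nat rule src-nat-rule term t1 from source-address 10.0.0.0/8
set services nat rule src-nat-rule term t1 then translated source-pool shared-pool
set services nat rule src-nat-rule term t1 then translated translation-type basic-nat44

# Step 1: define each service set. Step 2: interface-style, one service interface
# each. Step 3: reference the NAT rule. Both sets share the same pool.
set services service-set ss-cust-a interface-service service-interface ms-0/0/0.0
set services service-set ss-cust-a nat-rules src-nat-rule
set services service-set ss-cust-b interface-service service-interface ms-0/0/0.1
set services service-set ss-cust-b nat-rules src-nat-rule

# Apply each interface-style service set to the customer-facing interface in
# its own VRF, in both directions, so return traffic is untranslated correctly.
set interfaces ge-0/0/1 unit 0 family inet service input service-set ss-cust-a
set interfaces ge-0/0/1 unit 0 family inet service output service-set ss-cust-a
set interfaces ge-0/0/2 unit 0 family inet service input service-set ss-cust-b
set interfaces ge-0/0/2 unit 0 family inet service output service-set ss-cust-b
```

The check to make before committing a configuration like this is the one the note describes: for every pool referenced by more than one service set, list the service interface of each referencing set (the interface-service service-interface unit for interface-style sets, the outside-interface for next-hop-style sets) and confirm that no two of them sit in the same routing instance. If two did, both service sets would install routes for 203.0.113.0/24 into the same VRF and return traffic for the pool would be handed to the wrong service set.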