Example: NAT Between VRFs Configuration
The following example configuration enables NAT between VRFs with overlapping private addresses, using distinct public addresses for the source and destination NAT in this scenario:
- A host in vrf-a sends traffic to 10.58.16.201 to reach 10.58.0.2 in vrf-b.
- A host in vrf-b sends traffic to 10.58.16.101 to reach 10.58.0.2 in vrf-a.
[edit interfaces]
/* vrf-a side. Carries the same 10.58.0.1/24 address as ge-0/3/0; the
   overlap is possible because ge-0/2/0.0 and ge-0/3/0.0 are assigned to
   different VRFs under [edit routing-instances]. */
ge-0/2/0 {
    unit 0 {
        family inet {
            address 10.58.0.1/24;
            /* Traffic in both directions is handed to vrf-a-svc-set. */
            service {
                input service-set vrf-a-svc-set;
                output service-set vrf-a-svc-set;
            }
        }
    }
}
/* vrf-b side, mirroring ge-0/2/0 but bound to vrf-b-svc-set. */
ge-0/3/0 {
    unit 0 {
        family inet {
            address 10.58.0.1/24;
            service {
                input service-set vrf-b-svc-set;
                output service-set vrf-b-svc-set;
            }
        }
    }
}
/* Services interface. Unit 10 is the service interface of vrf-a-svc-set and
   unit 20 of vrf-b-svc-set; each unit is also listed in the matching VRF. */
sp-1/3/0 {
    unit 0 {
        family inet;
    }
    unit 10 {
        family inet;
        service-domain inside;
    }
    unit 20 {
        family inet;
        service-domain inside;
    }
}
[edit policy-options]
/* One unconditional term: every route evaluated by this policy is rejected.
   Both VRFs reference it as vrf-import and vrf-export, so neither instance
   imports or exports routes through this policy. */
policy-statement test-policy {
    term t1 {
        then reject;
    }
}
[edit routing-instances]
/* vrf-a holds its customer-facing interface and its own unit of the
   services interface. */
vrf-a {
    interface ge-0/2/0.0;
    interface sp-1/3/0.10;
    instance-type vrf;
    route-distinguisher 10.1.1.1:1;
    /* test-policy rejects everything, so no routes are exchanged here. */
    vrf-import test-policy;
    vrf-export test-policy;
    routing-options {
        static {
            /* Default route resolves in inet.0: anything without a more
               specific route in this VRF is looked up in the main table.
               NOTE(review): the VRF is therefore not isolated from inet.0;
               confirm that the service-set rules are the intended control
               on what crosses. */
            route 0.0.0.0/0 next-table inet.0;
        }
    }
}
/* vrf-b mirrors vrf-a with its own interfaces and route distinguisher. */
vrf-b {
    interface ge-0/3/0.0;
    interface sp-1/3/0.20;
    instance-type vrf;
    route-distinguisher 10.2.2.2:2;
    vrf-import test-policy;
    vrf-export test-policy;
    routing-options {
        static {
            /* Same default route into inet.0 as in vrf-a. */
            route 0.0.0.0/0 next-table inet.0;
        }
    }
}
[edit services]
stateful-firewall {
    /* term t1 has no "from" clause and accepts, so this rule permits all
       traffic in both directions. It keeps the example focused on NAT; in a
       deployment, replace it with terms that match only the flows that
       should pass between the VRFs. */
    rule allow-all {
        match-direction input-output;
        term t1 {
            then {
                accept;
            }
        }
    }
}
nat {
    /* vrf-a: source address and ports used for traffic leaving vrf-a. */
    pool vrf-a-src-pool {
        address 10.58.16.100;
        port automatic;
    }
    /* vrf-a: real address behind the public destination 10.58.16.101. */
    pool vrf-a-dst-pool {
        address 10.58.0.2;
    }
    /* No "from" clause: every input-direction flow on the service set is
       source-translated to vrf-a-src-pool. */
    rule vrf-a-input {
        match-direction input;
        term t1 {
            then {
                translated {
                    source-pool vrf-a-src-pool;
                    /* NOTE(review): vrf-b-input spells its source
                       translation as "source dynamic" instead; confirm both
                       forms are accepted on the target release and use one
                       consistently. */
                    translation-type napt-44;
                }
            }
        }
    }
    /* Output-direction traffic addressed to 10.58.16.101 is statically
       translated to the vrf-a host address. */
    rule vrf-a-output {
        match-direction output;
        term t1 {
            from {
                destination-address 10.58.16.101;
            }
            then {
                translated {
                    destination-pool vrf-a-dst-pool;
                    translation-type destination static;
                }
            }
        }
    }
    /* vrf-b: source address and ports used for traffic leaving vrf-b. */
    pool vrf-b-src-pool {
        address 10.58.16.200;
        port automatic;
    }
    /* vrf-b: real address behind the public destination 10.58.16.201. */
    pool vrf-b-dst-pool {
        address 10.58.0.2;
    }
    /* No "from" clause: every input-direction flow on the service set is
       source-translated to vrf-b-src-pool. */
    rule vrf-b-input {
        match-direction input;
        term t1 {
            then {
                translated {
                    source-pool vrf-b-src-pool;
                    translation-type source dynamic;
                }
            }
        }
    }
    /* Output-direction traffic addressed to 10.58.16.201 is statically
       translated to the vrf-b host address. */
    rule vrf-b-output {
        match-direction output;
        term t1 {
            from {
                destination-address 10.58.16.201;
            }
            then {
                translated {
                    destination-pool vrf-b-dst-pool;
                    translation-type destination static;
                }
            }
        }
    }
}
/* Each service set combines the firewall rule with one VRF's input and
   output NAT rules and binds them to that VRF's unit of sp-1/3/0. */
service-set vrf-a-svc-set {
    stateful-firewall-rules allow-all;
    nat-rules vrf-a-input;
    nat-rules vrf-a-output;
    interface-service {
        service-interface sp-1/3/0.10;
    }
}
service-set vrf-b-svc-set {
    stateful-firewall-rules allow-all;
    nat-rules vrf-b-input;
    nat-rules vrf-b-output;
    interface-service {
        service-interface sp-1/3/0.20;
    }
}