Routing Internet Traffic Through a Separate NAT Device

In this example, the CE router does not perform NAT. It sends both VPN and Internet traffic over the same interface to the PE router. The PE router is connected to a NAT device by means of two interfaces. One interface is configured in the PE router’s VRF table and points to a VPN interface on the NAT device, which can route Internet traffic for the VPN. The other interface is in a default instance; for example, part of public routing table inet.0. There can be a single physical connection between the PE router and the NAT device that carries multiple logical connections: one for each VRF table, and another interface that is part of the global routing table (see Figure 1).

Figure 1: Internet Traffic Routed Through a Separate NAT Device

Requirements

This example uses the following hardware and software components:

  • M Series routers
  • Junos OS Release 9.3 or later

Overview

This example’s topology expands upon that illustrated in Routing VPN and Internet Traffic Through Different Interfaces. The CE router sends both VPN and Internet traffic to Router PE1. VPN traffic is routed based on the VPN routes received by Router PE1. All other traffic is sent to the NAT device through Router PE1’s private interface to the NAT device. The NAT device then translates the private addresses and sends the traffic back to Router PE1 on that router’s public interface (see Figure 2).

Topology

Figure 2: Internet Traffic Routed Through a NAT Example Topology

Configuration

To route Internet traffic through a separate NAT device, perform these tasks:

Configuring Interfaces on Router PE1

Step-by-Step Procedure

  1. Configure an interface for VPN traffic from Router CE1:
    [edit]
    interfaces {
        t3-0/2/0 {
            dce;
            encapsulation frame-relay;
            unit 0 {
                description "to CE1 VPN interface";
                dlci 10;
                family inet {
                    address 192.168.197.13/30;
                }
            }
        }
    }
  2. Configure an interface for VPN traffic to and from the NAT device (unit 0), and an interface for Internet traffic to and from the NAT device (unit 1):
    [edit]
    interfaces {
        at-1/3/1 {
            atm-options {
                vpi 1 maximum-vcs 255;
            }
            unit 0 {
                description "to NAT VPN interface";
                vci 1.100;
                family inet {
                    address 10.23.0.2/32 {
                        destination 10.23.0.1;
                    }
                }
            }
            unit 1 {
                description "to NAT public interface";
                vci 1.101;
                family inet {
                    address 10.23.0.6/32 {
                        destination 10.23.0.5;
                    }
                }
            }
        }
    }

Configuring Routing Options for Router PE1

Step-by-Step Procedure

  1. Configure a static route on Router PE1 to direct Internet traffic to the CE router through the NAT device. Router PE1 distributes this route to the Internet.
    [edit]
    routing-options {
        static {
            route 10.12.1.0/24 next-hop 10.23.0.5;
        }
    }

Configuring Routing Protocols on Router PE1

Step-by-Step Procedure

Configure the following routing protocols on Router PE1:

  1. Configure MPLS on Router PE1. Include the NAT device’s VPN interface in the VRF table.
    [edit]
    protocols {
        mpls {
            interface so-0/0/0.0;
            interface at-1/3/1.0;
        }
    }
  2. Configure BGP on Router PE1. Include a policy to advertise the public IP address pool:
    [edit]
    protocols {
        bgp {
            group pe-pe {
                type internal;
                local-address 10.255.14.171;
                family inet {
                    any;
                }
                family inet-vpn {
                    any;
                }
                export [ fix-nh redist-static ];
                neighbor 10.255.14.177;
                neighbor 10.255.14.173;
            }
        }
    }
  3. Configure IS-IS on Router PE1:
    [edit]
    protocols {
        isis {
            level 1 disable;
            interface so-0/0/0.0;
            interface lo0.0;
        }
    }
  4. Configure LDP on Router PE1:
    [edit]
    protocols {
        ldp {
            interface so-0/0/0.0;
        }
    }

Configuring a Routing Instance on Router PE1

Step-by-Step Procedure

Configure the Layer 3 VPN routing instance on Router PE1:

  1. Configure a routing instance on Router PE1. As part of the routing instance configuration, under routing-options, configure a static default route in vpna.inet.0 pointing to the NAT device’s VPN interface (this directs all non-VPN traffic to the NAT device):
    [edit]
    routing-instances {
        vpna {
            instance-type vrf;
            interface t3-0/2/0.0;
            interface at-1/3/1.0;
            route-distinguisher 10.255.14.171:100;
            vrf-import vpna-import;
            vrf-export vpna-export;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop 10.23.0.1;
                }
            }
            protocols {
                bgp {
                    group to-CE1 {
                        peer-as 63001;
                        neighbor 192.168.197.14;
                    }
                }
            }
        }
    }
  2. Configure the routing policy for the Layer 3 VPN routing instance on Router PE1:
    policy-options {
        policy-statement fix-nh {
            then {
                next-hop self;
            }
        }
        policy-statement redist-static {
            term a {
                from {
                    protocol static;
                    route-filter 10.12.1.0/24 exact;
                }
                then accept;
            }
            term b {
                from protocol bgp;
                then accept;
            }
            term c {
                then accept;
            }
        }
        policy-statement vpna-import {
            term a {
                from {
                    protocol bgp;
                    community vpna-comm;
                }
                then accept;
            }
            term b {
                then reject;
            }
        }
        policy-statement vpna-export {
            term a {
                from protocol bgp;
                then {
                    community add vpna-comm;
                    accept;
                }
            }
            term b {
                then reject;
            }
        }
        community vpna-comm members target:63000:100;
    }

Results

From configuration mode on Router PE1, confirm your configuration by entering the show interfaces, show routing-options, show protocols, show routing-instances, and show policy-options commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

user@PE1# show interfaces
interfaces {
    t3-0/2/0 {
        dce;
        encapsulation frame-relay;
        unit 0 {
            description "to CE1 VPN interface";
            dlci 10;
            family inet {
                address 192.168.197.13/30;
            }
        }
    }
    at-1/3/1 {
        atm-options {
            vpi 1 maximum-vcs 255;
        }
        unit 0 {
            description "to NAT VPN interface";
            vci 1.100;
            family inet {
                address 10.23.0.2/32 {
                    destination 10.23.0.1;
                }
            }
        }
        unit 1 {
            description "to NAT public interface";
            vci 1.101;
            family inet {
                address 10.23.0.6/32 {
                    destination 10.23.0.5;
                }
            }
        }
    }
}
user@PE1# show routing-options
routing-options {
    static {
        route 10.12.1.0/24 next-hop 10.23.0.5;
    }
}
user@PE1# show protocols
protocols {
    mpls {
        interface so-0/0/0.0;
        interface at-1/3/1.0;
    }
    bgp {
        group pe-pe {
            type internal;
            local-address 10.255.14.171;
            family inet {
                any;
            }
            family inet-vpn {
                any;
            }
            export [ fix-nh redist-static ];
            neighbor 10.255.14.177;
            neighbor 10.255.14.173;
        }
    }
    isis {
        level 1 disable;
        interface so-0/0/0.0;
        interface lo0.0;
    }
    ldp {
        interface so-0/0/0.0;
    }
}
user@PE1# show routing-instances
routing-instances {
    vpna {
        instance-type vrf;
        interface t3-0/2/0.0;
        interface at-1/3/1.0;
        route-distinguisher 10.255.14.171:100;
        vrf-import vpna-import;
        vrf-export vpna-export;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.23.0.1;
            }
        }
        protocols {
            bgp {
                group to-CE1 {
                    peer-as 63001;
                    neighbor 192.168.197.14;
                }
            }
        }
    }
}
user@PE1# show policy-options
policy-options {
    policy-statement fix-nh {
        then {
            next-hop self;
        }
    }
    policy-statement redist-static {
        term a {
            from {
                protocol static;
                route-filter 10.12.1.0/24 exact;
            }
            then accept;
        }
        term b {
            from protocol bgp;
            then accept;
        }
        term c {
            then accept;
        }
    }
    policy-statement vpna-import {
        term a {
            from {
                protocol bgp;
                community vpna-comm;
            }
            then accept;
        }
        term b {
            then reject;
        }
    }
    policy-statement vpna-export {
        term a {
            from protocol bgp;
            then {
                community add vpna-comm;
                accept;
            }
        }
        term b {
            then reject;
        }
    }
    community vpna-comm members target:63000:100;
}
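
The design depends on each static route resolving through the correct side of the NAT device: the VRF default route through the NAT VPN interface (at-1/3/1.0) and the inet.0 route through the NAT public interface (at-1/3/1.1). The following offline check is an added example, not part of the original Juniper documentation. It parses a trimmed copy of the PE1 configuration and reports any static route whose next hop sits on an interface in a different routing table. The function names parse, find, and audit are hypothetical, and only point-to-point destination peers are considered.

```python
import re

# PE1 statements from this page, trimmed to what the check reads.
PE1_CONFIG = """
interfaces { at-1/3/1 {
    unit 0 { family inet { address 10.23.0.2/32 { destination 10.23.0.1; } } }
    unit 1 { family inet { address 10.23.0.6/32 { destination 10.23.0.5; } } } } }
routing-options { static { route 10.12.1.0/24 next-hop 10.23.0.5; } }
routing-instances { vpna {
    instance-type vrf; interface t3-0/2/0.0; interface at-1/3/1.0;
    routing-options { static { route 0.0.0.0/0 next-hop 10.23.0.1; } } } }
"""

def parse(tokens):
    """Junos brace syntax -> list of (statement, children) nodes."""
    nodes, words = [], []
    while tokens and (tok := tokens.pop(0)) != "}":
        if tok in ("{", ";"):
            nodes.append((" ".join(words), parse(tokens) if tok == "{" else []))
            words = []
        else:
            words.append(tok)
    return nodes

def find(nodes, *path):
    """Children of every node whose statement starts with each path name in turn."""
    for name in path:
        nodes = [c for n, kids in nodes if (n + " ").startswith(name + " ") for c in kids]
    return nodes

def audit(text):
    """Map (table, prefix) -> (next-hop interface, in_same_table) per static route."""
    tree = parse(re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text))
    peer, owner, report = {}, {}, {}  # peer IP -> interface; interface -> VRF table
    for ifd, units in find(tree, "interfaces"):
        for unit, body in units:
            for stmt, _ in find(body, "family inet", "address"):
                if stmt.startswith("destination "):
                    peer[stmt.split()[1]] = f"{ifd}.{unit.split()[1]}"
    tables = [("inet.0", find(tree, "routing-options", "static"))]
    for vrf, body in find(tree, "routing-instances"):
        owner.update((s.split()[1], f"{vrf}.inet.0") for s, _ in body if s.startswith("interface "))
        tables.append((f"{vrf}.inet.0", find(body, "routing-options", "static")))
    for table, statics in tables:
        for stmt, _ in statics:
            _, prefix, _, nh = stmt.split()
            ifl = peer.get(nh)  # interfaces outside every VRF belong to inet.0
            report[(table, prefix)] = (ifl, owner.get(ifl, "inet.0") == table if ifl else False)
    return report
```

For the configuration on this page, both routes report True. Pointing the VRF default route at 10.23.0.5 instead of 10.23.0.1 reports False, because that peer is reached through the public unit in inet.0.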

Published: 2013-02-28
