Configuring NAT Rules
To configure a NAT rule, include the rule rule-name statement at the [edit services nat] hierarchy level:
Each rule must include a match-direction statement that specifies the direction in which the match is applied.
In addition, each NAT rule consists of a set of terms, similar to a firewall filter. A term consists of the following:
- from statement—Specifies the match conditions and applications that are included and excluded.
- then statement—Specifies the actions and action modifiers to be performed by the router software.
The following sections explain how to configure the components of NAT rules:
Configuring Match Direction for NAT Rules
Each rule must include a match-direction statement that specifies the direction in which the match is applied. To configure where the match is applied, include the match-direction statement at the [edit services nat rule rule-name] hierarchy level:
The match direction is used with respect to the traffic flow through the Multiservices DPC and Multiservices PICs. When a packet is sent to the PIC, direction information is carried along with it. The packet direction is determined based on the following criteria:
- With an interface service set, packet direction is determined by whether a packet is entering or leaving the interface on which the service set is applied.
- With a next-hop service set, packet direction is determined by the interface used to route the packet to the Multiservices DPC or Multiservices PIC. If the inside interface is used to route the packet, the packet direction is input. If the outside interface is used to direct the packet to the PIC or DPC, the packet direction is output. For more information about inside and outside interfaces, see “Configuring Service Sets to be Applied to Services Interfaces.”
- On the Multiservices DPC and Multiservices PIC, a flow lookup is performed. If no flow is found, rule processing is performed. All rules in the service set are considered. During rule processing, the packet direction is compared against rule directions. Only rules with direction information that matches the packet direction are considered.
Configuring Match Conditions in NAT Rules
To configure NAT match conditions, include the from statement at the [edit services nat rule rule-name term term-name] hierarchy level:
To configure traditional NAT, you can use the destination address, a range of destination addresses, the source address, or a range of source addresses as a match condition, in the same way that you would configure a firewall filter; for more information, see the Routing Policy Configuration Guide.
Alternatively, you can specify a list of source or destination prefixes by including the prefix-list statement at the [edit policy-options] hierarchy level and then including either the destination-prefix-list or source-prefix-list statement in the NAT rule. For an example, see “Examples: Configuring Stateful Firewall Rules.”
You can include application protocol definitions that you have configured at the [edit applications] hierarchy level; for more information, see “Configuring Application Protocol Properties”:
- To apply one or more specific application protocol definitions, include the applications statement at the [edit services nat rule rule-name term term-name from] hierarchy level.
- To apply one or more sets of application protocol definitions that you have defined, include the application-sets statement at the [edit services nat rule rule-name term term-name from] hierarchy level.
Note: If you include one of the statements that specifies application protocols, the router derives port and protocol information from the corresponding configuration at the [edit applications] hierarchy level; you cannot specify these properties as match conditions. When matched rules include more than one ALG, the more specific ALG takes effect; for example, if the stateful firewall rule includes TCP and the NAT rule includes FTP, the NAT rule takes precedence. You can configure ALGs for ICMP and traceroute under stateful firewall and NAT. By default, NAT can restore IP, TCP, and UDP headers embedded in the payload of ICMP error messages. You can include the protocol tcp and protocol udp statements with the application statement for NAT configurations.
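The two sections above (match direction and match conditions) describe one procedure: the packet arrives at the services PIC carrying a direction, only rules whose match-direction agrees are considered, and within those rules the terms are evaluated against the from conditions. The following Python model is an added illustration of that procedure, not Juniper code and not the router's implementation. The rule names, prefixes, and the ftp and dns application definitions are constructed sample data; the model also accepts input-output as a match-direction value that covers both directions, which is an assumption about the CLI beyond what this page states.

```python
"""Model of NAT rule selection as described in the text (added illustration, not Juniper code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Application:
    # Stands in for an [edit applications] definition: the router derives
    # protocol and port from here, so the term itself carries neither.
    name: str
    protocol: str          # "tcp" or "udp"
    destination_port: int


@dataclass
class Term:
    name: str
    source_prefixes: list = field(default_factory=list)       # from source-address / source-prefix-list
    destination_prefixes: list = field(default_factory=list)  # from destination-address / destination-prefix-list
    applications: list = field(default_factory=list)          # from applications / application-sets
    action: str = "translated"                                # or "no-translation"


@dataclass
class Rule:
    name: str
    match_direction: str   # "input", "output" or "input-output" (assumed CLI value)
    terms: list


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str
    dport: int


def packet_direction(service_set_type, **kw):
    """Derive the direction carried with the packet to the services PIC."""
    if service_set_type == "interface":
        # Interface service set: entering the interface is input, leaving it is output.
        return "input" if kw["entering_interface"] else "output"
    if service_set_type == "next-hop":
        # Next-hop service set: routed via the inside interface is input, via outside is output.
        return "input" if kw["routed_via"] == "inside" else "output"
    raise ValueError("unknown service set type: %s" % service_set_type)


def term_matches(term, pkt):
    """A term matches when every configured from condition is satisfied."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if term.source_prefixes and not any(src in ip_network(p) for p in term.source_prefixes):
        return False
    if term.destination_prefixes and not any(dst in ip_network(p) for p in term.destination_prefixes):
        return False
    if term.applications and not any(
        a.protocol == pkt.protocol and a.destination_port == pkt.dport for a in term.applications
    ):
        return False
    return True


def select_term(rules, pkt, direction):
    """Return (rule, term, action) for the first matching term, or None.

    Rules whose match-direction does not cover the packet direction are skipped,
    as in the rule-processing description; terms are evaluated in order.
    """
    for rule in rules:
        if rule.match_direction not in (direction, "input-output"):
            continue
        for term in rule.terms:
            if term_matches(term, pkt):
                return rule.name, term.name, term.action
    return None


# Constructed sample configuration (hypothetical names and RFC 1918 / RFC 5737 addresses).
FTP = Application("ftp", "tcp", 21)
DNS = Application("dns", "udp", 53)

SAMPLE_RULES = [
    Rule("nat-out", "input", [
        # Internal-to-internal traffic is exempted from translation.
        Term("exempt", source_prefixes=["10.1.1.0/24"],
             destination_prefixes=["10.0.0.0/8"], action="no-translation"),
        # Only FTP from this range hits the FTP-specific term.
        Term("ftp-only", source_prefixes=["10.1.0.0/16"], applications=[FTP]),
        Term("everything-else", source_prefixes=["10.0.0.0/8"]),
    ]),
    # A rule for the reverse direction is never consulted for input packets.
    Rule("return", "output", [Term("all")]),
]

if __name__ == "__main__":
    d = packet_direction("next-hop", routed_via="inside")
    print(select_term(SAMPLE_RULES, Packet("10.1.1.5", "198.51.100.7", "tcp", 21), d))
```

The point the model makes visible is the two-stage filter: a rule with the wrong match-direction is never reached, however permissive its terms, and within a reachable rule an earlier exempting term (no-translation) wins over a later translating one, so term order is part of the policy.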
Configuring Actions in NAT Rules
To configure NAT actions, include the then statement at the [edit services nat rule rule-name term term-name] hierarchy level:
The no-translation statement allows you to specify addresses that you want excluded from NAT.
The syslog statement enables you to record an alert in the system logging facility.
The destination-pool, destination-prefix, source-pool, and source-prefix statements specify addressing information that you define by including the pool statement at the [edit services nat] hierarchy level; for more information, see Configuring Addresses and Ports for Use in NAT Rules.
The translation-type statement specifies the type of NAT used for source or destination traffic. The options are basic-nat-pt, basic-nat44, basic-nat66, dnat-44, dynamic-nat44, napt-44, napt-66, napt-pt, stateful-nat64, twice-basic-nat-44, twice-dynamic-nat-44, and twice-napt-44.
The implementation details of the nine options of the translation-type statement are as follows:
- basic-nat44—This option implements the static translation of source IP addresses without port mapping. You must configure the from source-address statement in the match condition for the rule. The size of the address range specified in the statement must be the same as or smaller than the source pool. You must specify either a source pool or a destination prefix. The referenced pool can contain multiple addresses but you cannot specify ports for translation.
Note: In an interface service set, all packets destined for the source address specified in the match condition are automatically routed to the services PIC, even if no service set is associated with the interface.
Note: Prior to Junos OS Release 11.4R3, you could only use a source NAT pool in a single service set. As of Junos OS Release 11.4R3 and subsequent releases, you can reuse a source NAT pool in multiple service sets.
- basic-nat66—This option implements the static translation of source IP addresses without port mapping in IPv6 networks. The configuration is similar to the basic-nat44 implementation, but with IPv6 addresses.
- basic-nat-pt—This option implements translation of addresses of IPv6 hosts, as they originate sessions to the IPv4 hosts in an external domain and vice versa. This option is always implemented with DNS ALG. You must define the source and destination pools of IPv4 addresses. You must configure one rule and define two terms. Configure the IPv6 addresses in the from statement in both the term statements. In the then statement of the first term within the rule, reference both the source and destination pools and configure dns-alg-prefix. Configure the source prefix in the then statement of the second term within the same rule.
- dnat-44—This option implements static translation of destination IP addresses without port mapping. The size of the pool address space must be greater than or equal to the destination address space. You must specify a name for the destination pool statement. The referenced pool can contain multiple addresses, ranges, or prefixes, as long as the number of NAT addresses in the pool is larger than the number of destination addresses in the from statement. You must include exactly one destination-address value at the [edit services nat rule rule-name term term-name from] hierarchy level; if it is a prefix, the size must be less than or equal to the pool prefix size. Any addresses in the pool that are not matched in the destination-address value remain unused, because a pool cannot be shared among multiple terms or rules.
- dynamic-nat44—This option implements dynamic translation of source IP addresses without port mapping. You must specify a source-pool name. The referenced pool must include an address configuration (for address-only translation).
The dynamic-nat44 address-only option supports translating up to 16,777,216 addresses to a smaller size pool. The requests from the source address range are assigned to the addresses in the pool until the pool is used up, and any additional requests are rejected. A NAT address assigned to a host is used for all concurrent sessions from that host. The address is released to the pool only after all the sessions for that host expire. This feature enables the router to share a few public IP addresses between several private hosts. Because all the private hosts might not simultaneously create sessions, they can share a few public IP addresses.
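The dynamic-nat44 behaviour just described (one pool address per private host for all its concurrent sessions, release only after the host's last session expires, rejection once the pool is used up) is easy to misjudge when sizing a pool. The following Python class is an added model of that behaviour, not Juniper code; the pool prefix, host addresses and session sequence are constructed sample values, and every address in the pool prefix is treated as usable, matching the 16,777,216-address figure for a full /8.

```python
"""Model of dynamic-nat44 address-only pool allocation (added illustration, not Juniper code)."""
from ipaddress import ip_network


class DynamicNat44Pool:
    """Address-only source NAT pool with the documented sharing and release rules."""

    def __init__(self, prefix):
        # Every address in the prefix is a translation address (no ports in address-only mode).
        self.free = [str(a) for a in ip_network(prefix)]
        self.bindings = {}   # private host -> assigned public address
        self.sessions = {}   # private host -> number of active sessions

    def open_session(self, host):
        """Return the translated address for a new session, or None if it is rejected."""
        if host in self.bindings:
            # A host keeps one address for all of its concurrent sessions.
            self.sessions[host] += 1
            return self.bindings[host]
        if not self.free:
            # Pool used up: additional requests from new hosts are rejected.
            return None
        addr = self.free.pop(0)
        self.bindings[host] = addr
        self.sessions[host] = 1
        return addr

    def close_session(self, host):
        """Expire one session; the address returns to the pool only when the host has none left."""
        if host not in self.sessions:
            raise KeyError("no active sessions for %s" % host)
        self.sessions[host] -= 1
        if self.sessions[host] == 0:
            self.free.append(self.bindings.pop(host))
            del self.sessions[host]

    def in_use(self):
        """Current host-to-address bindings, useful when checking pool headroom."""
        return dict(self.bindings)


def demo():
    """Constructed session sequence showing sharing, exhaustion and release."""
    pool = DynamicNat44Pool("203.0.113.0/31")             # two public addresses
    log = []
    log.append(("h1", pool.open_session("10.0.0.1")))     # first address
    log.append(("h1b", pool.open_session("10.0.0.1")))    # same host, same address
    log.append(("h2", pool.open_session("10.0.0.2")))     # second address
    log.append(("h3", pool.open_session("10.0.0.3")))     # pool exhausted: rejected
    pool.close_session("10.0.0.1")                        # one of two sessions; address still held
    log.append(("h3-retry", pool.open_session("10.0.0.3")))  # still rejected
    pool.close_session("10.0.0.1")                        # last session; address released
    log.append(("h3-after", pool.open_session("10.0.0.3")))  # gets the released address
    return log


if __name__ == "__main__":
    for step, result in demo():
        print(step, result)
```

The sequence shows why a long-lived session on one host blocks reuse of its public address for every other host: the pool is consumed per host, not per session, so the number of distinct hosts active at once, not the number of sessions, is what must fit in the pool.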
- napt-44—This option implements dynamic translation of source IP addresses with port mapping. You must specify a name for the source-pool statement. The referenced pool must include a port configuration. If the port is configured as automatic or a port range is specified, then it implies that Network Address Port Translation (NAPT) is used.
- napt-66—This option implements dynamic address translation of source IP addresses with port mapping for IPv6 addresses. The configuration is similar to the napt-44 implementation, but with IPv6 addresses.
- napt-pt—This option implements dynamic address and port translation for source and static translation of destination IP address. You must specify a name for the source-pool statement. The referenced pool must include a port configuration (for NAPT). Additionally, you must configure two rules, one for the DNS traffic and the other for the rest of the traffic. The rule meant for the DNS traffic should be DNS ALG enabled and the dns-alg-prefix statement should be configured. Moreover, the prefix configured in the dns-alg-prefix statement must be used in the second rule to translate the destination IPv6 addresses to IPv4 addresses.
- stateful-nat64—This option implements dynamic address and port translation for source IP addresses and prefix removal translation for destination IP addresses. You must specify the IPv4 addresses used for translation at the [edit services nat pool] hierarchy level. This pool must be referenced in the rule that translates the IPv6 addresses to IPv4.
- twice-basic-nat-44—This option implements static source and static destination translation for IPv4 addresses, thus combining basic-nat44 for source and dnat-44 for destination addresses.
- twice-dynamic-nat-44—This option implements source dynamic and destination static translation for IPv4 addresses, combining dynamic-nat44 for source and dnat-44 for destination addresses.
- twice-napt-44—This option implements source NAPT and destination static translation for IPv4 address, combining napt-44 for source and dnat-44 for destination addresses.
Note: When configuring NAT, if any traffic is destined for the following addresses and does not match a NAT flow or NAT rule, the traffic is dropped:
For more information on NAT methods, see RFC 2663, IP Network Address Translator (NAT) Terminology and Considerations.