Example: Configuring Source NAT (CLI)

When source NAT is performed, source pools provide JUNOS Software with a supply of addresses from which to draw. When a NAT rule requires NAT and references a specific source pool, JUNOS Software draws addresses from that pool when translation is performed.

Note: When the JUNOS Software performs source NAT, security policies are applied first, and then the address in question is translated according to configured NAT source rules.

Source NAT rules have three available actions:

Note: The off action gives you fine-grained control when you are configuring source NAT rules. For example, you can configure a rule that says, “if rule A is from zone1 to zone2, do source NAT.” However, you do not want source NAT performed if the traffic egresses from interface if2, which belongs to zone2. In that case, you can define a rule B, which is from zone1 to if2, with off as the source NAT action.

In this example, you perform the following tasks: configure five source NAT pools (spool-1 through spool-5), each holding one address in routing instance ri-1, and then configure four source NAT rule sets (rs1 through rs4) whose rules match on destination address and translate using those pools.

To configure source NAT pools:

user@host# set security nat source pool spool-1 routing-instance ri-1
user@host# set security nat source pool spool-1 address 10.1.1.1
user@host# set security nat source pool spool-2 routing-instance ri-1
user@host# set security nat source pool spool-2 address 10.1.1.2
user@host# set security nat source pool spool-3 routing-instance ri-1
user@host# set security nat source pool spool-3 address 10.1.1.3
user@host# set security nat source pool spool-4 routing-instance ri-1
user@host# set security nat source pool spool-4 address 10.1.1.4
user@host# set security nat source pool spool-5 routing-instance ri-1
user@host# set security nat source pool spool-5 address 10.1.1.5

To configure source NAT rules:

user@host# set security nat source rule-set rs1 from routing-instance ri-2
user@host# set security nat source rule-set rs1 to routing-instance ri-1
user@host# set security nat source rule-set rs1 rule r1 match destination-address 30.1.1.1
user@host# set security nat source rule-set rs1 rule r1 then source-nat pool spool-1
user@host# set security nat source rule-set rs1 rule r5 match destination-address 30.1.1.5
user@host# set security nat source rule-set rs1 rule r5 then source-nat pool spool-5

user@host# set security nat source rule-set rs2 from zone [z3 z4]
user@host# set security nat source rule-set rs2 to routing-instance ri-1
user@host# set security nat source rule-set rs2 rule r2 match destination-address 30.1.1.2
user@host# set security nat source rule-set rs2 rule r2 then source-nat pool spool-2

user@host# set security nat source rule-set rs3 from interface [fe-0/0/0.0 fe-0/0/1.0]
user@host# set security nat source rule-set rs3 to interface [ge-1/0/0.0 ge-1/0/1.0]
user@host# set security nat source rule-set rs3 rule r3 match destination-address 30.1.1.3
user@host# set security nat source rule-set rs3 rule r3 then source-nat pool spool-3

user@host# set security nat source rule-set rs4 from routing-instance ri-2
user@host# set security nat source rule-set rs4 to zone z2
user@host# set security nat source rule-set rs4 rule r4 match destination-address 30.1.1.4
user@host# set security nat source rule-set rs4 rule r4 then source-nat pool spool-4
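The configuration above and the off-action scenario in the note can be hard to reason about when several rule sets apply to the same flow. The following Python model, added here as an illustration and not part of Juniper's documentation or software, encodes the rule sets rs1 through rs4 from this example plus the zone1/zone2/if2 scenario from the note, and resolves which pool (if any) a flow would use. It applies the Junos ordering in which a rule set matching on interface is more specific than one matching on zone, which is more specific than one matching on routing instance; comparing the from context before the to context for ties, evaluating only the rules of the selected rule set, and the names spool-A, rsA, rsB, if1, if2 and the 0.0.0.0/0 match are assumptions made for the example (the interface ge-1/0/1.0 is taken as the intended name of the second egress interface).

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Junos ranks rule-set contexts by specificity: interface > zone > routing-instance.
SPECIFICITY = {"interface": 3, "zone": 2, "routing-instance": 1}


@dataclass
class Rule:
    name: str
    destination: str            # "match destination-address" (host or prefix)
    action: str                 # "pool" or "off"
    pool: Optional[str] = None  # pool name when action == "pool"

    def matches(self, dst_ip: str) -> bool:
        net = ipaddress.ip_network(self.destination, strict=False)
        return ipaddress.ip_address(dst_ip) in net


@dataclass
class RuleSet:
    name: str
    from_kind: str              # "interface" | "zone" | "routing-instance"
    from_values: list
    to_kind: str
    to_values: list
    rules: list = field(default_factory=list)

    def context_matches(self, flow: dict) -> bool:
        # flow["ingress"] / flow["egress"] map each context kind to the packet's value
        return (flow["ingress"].get(self.from_kind) in self.from_values
                and flow["egress"].get(self.to_kind) in self.to_values)

    def specificity(self) -> tuple:
        # Assumption: from-context specificity decides first, then to-context.
        return (SPECIFICITY[self.from_kind], SPECIFICITY[self.to_kind])


def flow(ingress: dict, egress: dict, dst: str) -> dict:
    """Constructed flow descriptor: where the packet came in, where it leaves, and its destination."""
    return {"ingress": ingress, "egress": egress, "dst": dst}


def select_rule_set(rule_sets: list, f: dict) -> Optional[RuleSet]:
    """Pick the single most specific rule set whose from/to context matches the flow."""
    candidates = [rs for rs in rule_sets if rs.context_matches(f)]
    return max(candidates, key=RuleSet.specificity) if candidates else None


def translate(rule_sets: list, f: dict) -> tuple:
    """Return (rule_set, rule, pool); pool is None when no NAT is applied (off or no rule hit)."""
    rs = select_rule_set(rule_sets, f)
    if rs is None:
        return None, None, None
    for rule in rs.rules:  # rules inside a set are evaluated in configured order
        if rule.matches(f["dst"]):
            return rs.name, rule.name, rule.pool if rule.action == "pool" else None
    return rs.name, None, None  # rule set chosen, but none of its rules matched


# The four rule sets configured on this page (pool-to-address mapping omitted; names suffice).
PAGE_RULE_SETS = [
    RuleSet("rs1", "routing-instance", ["ri-2"], "routing-instance", ["ri-1"],
            [Rule("r1", "30.1.1.1", "pool", "spool-1"), Rule("r5", "30.1.1.5", "pool", "spool-5")]),
    RuleSet("rs2", "zone", ["z3", "z4"], "routing-instance", ["ri-1"],
            [Rule("r2", "30.1.1.2", "pool", "spool-2")]),
    RuleSet("rs3", "interface", ["fe-0/0/0.0", "fe-0/0/1.0"], "interface", ["ge-1/0/0.0", "ge-1/0/1.0"],
            [Rule("r3", "30.1.1.3", "pool", "spool-3")]),
    RuleSet("rs4", "routing-instance", ["ri-2"], "zone", ["z2"],
            [Rule("r4", "30.1.1.4", "pool", "spool-4")]),
]

# The note's scenario: NAT zone1 -> zone2, except when egressing if2 (assumed names/values).
OFF_RULE_SETS = [
    RuleSet("rsA", "zone", ["zone1"], "zone", ["zone2"], [Rule("rA", "0.0.0.0/0", "pool", "spool-A")]),
    RuleSet("rsB", "zone", ["zone1"], "interface", ["if2"], [Rule("rB", "0.0.0.0/0", "off")]),
]

if __name__ == "__main__":
    # ri-2 -> zone z2 (inside ri-1): rs4 beats rs1 because "to zone" is more specific.
    print(translate(PAGE_RULE_SETS, flow({"routing-instance": "ri-2"},
                                         {"routing-instance": "ri-1", "zone": "z2"}, "30.1.1.4")))
    # Same path but destination 30.1.1.1: rs4 is still selected and has no matching rule, so no NAT.
    print(translate(PAGE_RULE_SETS, flow({"routing-instance": "ri-2"},
                                         {"routing-instance": "ri-1", "zone": "z2"}, "30.1.1.1")))
    # zone1 -> zone2 leaving via if2: rsB's off action suppresses NAT.
    print(translate(OFF_RULE_SETS, flow({"zone": "zone1"}, {"zone": "zone2", "interface": "if2"}, "203.0.113.9")))
```

The second lookup in the usage block shows the practical consequence of rule-set selection: once rs4 is chosen for a flow, rs1's rules are never consulted, so traffic to 30.1.1.1 that leaves through zone z2 is not translated even though rs1 has a rule for it. When a flow is unexpectedly untranslated, checking which rule set won the specificity comparison is the first thing to verify.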
