close

keyboard_arrow_left

Table of Contents Expand all

play_arrow Overview
- play_arrow Services Overview
  - Adaptive Services and Multiservices Interfaces Overview
  - Packet Flow Through the Adaptive Services or Multiservices PIC
- play_arrow Services Configuration Overview
play_arrow Network Address Translation
- play_arrow NAT Overview
- play_arrow Stateful NAT64
  - Stateful NAT64
- play_arrow Static Source NAT
  - Static Source NAT
- play_arrow Static Destination NAT
  - Static Destination NAT
- play_arrow Network Address Port Translation
  - Network Address Port Translation
- play_arrow Deterministic NAT
  - Deterministic NAT
- play_arrow NAT Protocol Translation
  - NAT Protocol Translation
  - Example: Configuring the DNS ALG Application on MX-SPC3 service card
- play_arrow IPv4 Connectivity Across IPv6-Only Network Using 464XLAT
  - IPv4 Connectivity Across IPv6-Only Network Using 464XLAT
- play_arrow Port Control Protocol
  - Port Control Protocol
- play_arrow Secured Port Block Allocation
  - Secured Port Block Allocation
  - Secured Port Block Allocation Interim Logging
- play_arrow Port Forwarding
  - Port Forwarding
- play_arrow Dynamic Address-Only Source Translation
  - Dynamic Address-Only Source Translation
- play_arrow Inline NAT
  - Inline NAT
- play_arrow Stateless Source Network Prefix Translation for IPv6
  - Stateless Source Network Prefix Translation for IPv6
- play_arrow Monitoring NAT
  - Monitoring NAT
- play_arrow Packet Translation and GRE Tunneling
  - Packet Translation and GRE Tunneling
play_arrow Transitioning to IPv6 Using MAP-E and MAP-T
- play_arrow Transitioning to IPv6 Using MAP-E and MAP-T
  - Mapping of Address and Port with Encapsulation (MAP-E)
  - Equal Cost Multiple Path (ECMP) support for Mapping of Address and Port with Encapsulation (MAP-E)
- Mapping of Address and Port with Translation (MAP-T)
play_arrow Transition to IPv6 With Softwires
- play_arrow Transition to IPv6 With 6to4 Softwires
  - Softwires Configuration Overview
  - 6to4 Softwires
- play_arrow Transition to IPv6 With DS-Lite Softwires
  - DS-Lite Softwires
- play_arrow Transition to IPv6 With 6rd Softwires
  - Configuring a 6rd Softwire
- play_arrow Transition to IPv6 With Inline Softwires
  - Inline 6rd and 6to4 Softwires
- play_arrow Monitoring and Troubleshooting Softwires
  - Monitoring and Troubleshooting Softwires
play_arrow ALGs
- play_arrow ALGs
  - ALG Overview
  - ALG Applications
play_arrow Access Security
- play_arrow Stateful Firewalls
  - Stateful Firewalls
  - Monitoring Stateful Firewalls
- play_arrow IDS on MS-DPC
  - IDS on MS-DPC
- play_arrow Network Attack Protection on MS-MPC and MS-MIC
  - Network Attack Protection on MS-MPC and MS-MIC
play_arrow IPsec Tunnels
- play_arrow IPsec Overview
  - IPsec Overview
- play_arrow Inline IPsec
  - Inline IPsec
- play_arrow IPsec Tunnels With Static Endpoints
- play_arrow IPsec Tunnels With Dynamic Endpoints
  - IPsec Tunnels With Dynamic Endpoints
- - Inline IPsec
play_arrow CoS on Services Cards
- play_arrow CoS on Services Cards
  - Class of Service on Services Interfaces
- play_arrow Class of Service on Link Services Interfaces
  - Class of Service on Link Services Interfaces
play_arrow Inter-Chassis Redundancy for NAT and Stateful Firewall Flows
- play_arrow Configuring Inter-Chassis MS-MPC and MS-MIC for NAT and Stateful Firewall (Release 16.1 and later)
  - Inter-Chassis Stateful Synchronization for Long Lived NAT and Stateful Firewall Flows (MS-MPC, MS-MIC) (Release 16.1 and later)
  - Service Redundancy Daemon
- play_arrow Configuring Inter-Chassis Stateful Synchronization for NAT and Stateful Firewall (Release 15.1 and earlier)
  - Inter-Chassis High Availability for MS-MIC and MS-MPC (Release 15.1 and earlier)
play_arrow Multilinks
- play_arrow Link Services Interface Redundancy
  - Link Services Interface Redundancy
- play_arrow Link Bundling
  - Inline Multlink Services
play_arrow Traffic Load Balancer
- play_arrow Traffic Load Balancer
  - Traffic Load Balancer
play_arrow Services Card Redundancy
- play_arrow Services Card Redundancy for MS-MPC and MS-MIC
  - Load Balancing and High Availability With Aggregated Multiservices Interfaces on MS-MPC and MS-MIC
- play_arrow Services Card Redundancy for Multiservices PIC
  - Configuring AS or Multiservices PIC Redundancy
play_arrow Voice Services
- play_arrow Voice Services
  - Voice Services
play_arrow Layer 2 PPP Tunnels
- play_arrow Layer 2 Tunneling of PPP Packets
  - Layer 2 Tunneling of PPP Packets
play_arrow URL Filtering
- play_arrow URL Filtering
  - URL Filtering
play_arrow Configuration Statements and Operational Commands
- [OBSOLETE] unidirectional-session-refreshing
- Junos CLI Reference Overview

list Table of Contents

English

Dynamic Address-Only Source Translation

date_range 13-Jan-21

arrow_backward

arrow_forward

Configuring Dynamic Address-Only Source Translation in IPv4 Networks

In IPv4 networks, dynamic address translation (dynamic NAT) is a mechanism to dynamically translate the destination traffic without port mapping. To use dynamic NAT, you must specify a source pool name, which includes an address configuration.

To configure dynamic NAT in IPv4 networks:

In configuration mode, go to the [edit services] hierarchy level.
```
[edit]
user@host# edit services
```
Configure the service set and NAT rule.
```
[edit services]
user@host# set service-set service-set-name nat-rules rule-name
```
In the following example, the name of the service set is s1, and the name of the NAT rule is rule-dynamic-nat44.
```
[edit services]
user@host# set service-set s1 nat-rules rule-dynamic-nat44
```
Go to the [interface-service] hierarchy level for the service set.
```
[edit services]
user@host# edit service-set s1 interface-service
```
Configure the service interface.
```
 [edit services service-set s1 interface-service]
user@host# set service-interface service-interface-name
```
In the following example, the name of the service interface is ms-0/1/0.

Note:
If the service interface is not present in the router, or the specified interface is not functional, the following command can result in an error.
```
 [edit services service-set s1 interface-service]
user@host# set service-interface ms-0/1/0
```
Go to the [edit services nat] hierarchy level. Issue the following command from the top of the services hierarchy, or use the top keyword.
```
 [edit services service-set s1 interface-service]
user@host# top editservices nat
```
Configure the NAT pool with an address.
```
[edit services nat]
user@host# set pool pool-name address address
```
In the following example, the name of the pool is source-dynamic-pool, and the address is 10.10.10.0.
```
[edit services nat]
user@host# set pool source-dynamic-pool address 10.10.10.0
```
Configure the rule, match direction, term, and source address.
```
[edit services nat]
user@host# set rule rule-name match-direction match-direction term term-name from source-address address
```
In the following example, the name of the rule is rule-dynamic-nat44, the match direction is input, the name of the term is t1, and the source address is 3.1.1.0.
```
[edit services nat]
user@host# set rule rule-dynamic-nat44 match-direction  input term t1 from source-address  3.1.1.0
```
Go to the [edit rule rule-dynamic-nat-44 term t1] hierarchy level.
```
[edit services nat]
user@host# edit rule rule-dynamic-nat44 term t1
```

Configure the source pool and the translation type.

content_copy zoom_out_map
[edit services nat rule rule-dynamic-nat44 term t1]
user@host# set then translated source-pool src-pool-name translation-type translation-type

In the following example, the name of the source pool is source-dynamic-pool and the translation type is dynamic-nat44.

content_copy zoom_out_map
[edit services nat rule rule-dynamic-nat44 term t1]
user@host# set then translated source-pool  source-dynamic-pool translation-type dynamic-nat44 

Go to the [edit services adaptive-services-pics] hierarchy level. In the following command, the top keyword ensures that the command is run from the top of the hierarchy.
```
[edit services nat rule rule-dynamic-nat44 term t1]
user@host# top editservices adaptive-services-pics
```

Configure the trace options.

content_copy zoom_out_map
[edit services adaptive-services-pics]
user@host# set traceoptions flag tracing parameter

In the following example, the tracing parameter is configured as all.

content_copy zoom_out_map
[edit services adaptive-services-pics]
user@host# set traceoptions flag all

Verify the configuration by using the show command at the [edit services] hierarchy level.

content_copy zoom_out_map
[edit services]
user@host# show 
service-set s1 {
    nat-rules rule-dynamic-nat44;
    interface-service {
        service-interface ms-0/1/0;
    }
}
 nat {
    pool source-dynamic-pool {
        address 10.1.1.0/24;
    }
    rule rule-dynamic-nat44 {
        match-direction input;
        term t1 {
            from {
                source-address {
                    3.1.1.0/24;
                }
            }
            then {
                translated {
                    destination-pool source-dynamic-pool;
                    translation-type {
                        dynamic-nat44;
                    }
                }
            }
        }
    }
}
 adaptive-services-pics {
    traceoptions {
        flag all;
    }
  }

The following example configures the translation type as dynamic-nat44.

content_copy zoom_out_map
[edit services]
user@host# show 
service-set s1 {
    nat-rules rule-dynamic-nat44;
    interface-service {
        service-interface ms-0/1/0;
    }
}
 nat {
    pool source-dynamic-pool {
        address 10.1.1.0/24;
    }
    rule rule-dynamic-nat44 {
        match-direction input;
        term t1 {
            from {
                source-address {
                    3.1.1.0/24;
                }
            }
            then {
                translated {
                    destination-pool source-dynamic-pool;
                    translation-type {
                        dynamic-nat44;
                    }
                }
            }
        }
    }
}
 adaptive-services-pics {
    traceoptions {
        flag all;
    }
  }

The following configuration specifies that NAT is not performed on incoming traffic from the source address 192.168.20.24/32 by providing a NAT rule term t0 that configures no-translation. Dynamic NAT is performed on all other incoming traffic, as configured by term t1 of the NAT rule. The no-translation option is supported on MX Series routers with MS-DPCs and on M Series routers with MS-100, MS-400, and MS-500 MultiServices PICS. The no-translation option is supported on MX Series routers with MS-MPCs and MS-MICs starting in Junos OS release 15.1R1.

content_copy zoom_out_map
[edit services nat]
pool my-pool {
    address-range low 10.10.10.1 high 10.10.10.16;
    port automatic;
}
rule src-nat {
    match-direction input;
    term t0 {
        from {
            source-address 192.168.20.24/32;
        }
        then {
            no-translation;
        }
    }
    term t1 {
        then {
            translated {
                translation-type dynamic-nat44;
                source-pool my-pool;
            }
        }
    }
}

The following configuration performs NAT using the source prefix 20.20.10.0/24 without defining a pool.

content_copy zoom_out_map
[edit services nat]
rule src-nat {
    match-direction input;
    term t1 {
        then {
            translation-type dynamic-nat44;
            source-prefix 20.20.10.0/24;
        }
    }
}

The following configuration performs NAT using the destination prefix 20.20.10.0/32 without defining a pool.

content_copy zoom_out_map
[edit services nat]
rule src-nat {
    match-direction input;
    term t1 {
        from {
            destination-address 10.10.10.10/32;
            then {
                translation-type dnat44;
                destination-prefix 20.20.10.0/24;
            }
        }
    }
}

Example: Dynamic Source NAT as a Next-Hop Service

The following example shows dynamic-source NAT applied as a next-hop service:

content_copy zoom_out_map
[edit interfaces]
ge-0/2/0 {
    unit 0 {
        family mpls;
    }
}
sp-1/3/0 {
    unit 0 {
        family inet;
    }
    unit 20 {
        family inet;
    }
    unit 32 {
        family inet;
    }
}
[edit routing-instances]
protected-domain {
    interface ge-0/2/0.0;
    interface sp-1/3/0.20;
    instance-type vrf;
    route-distinguisher 10.58.255.17:37;
    vrf-import protected-domain-policy;
    vrf-export protected-domain-policy;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop sp-1/3/0.20;
        }
    }
}
[edit policy-options]
policy-statement protected-domain-policy {
    term t1 {
        then reject;
    }
}
[edit services]
stateful-firewall {
    rule allow-all {
        match-direction input;
        term t1 {
            then {
                accept;
            }
        }
    }
}
nat {
    pool my-pool {
        address 10.58.16.100;
        port automatic;
    }
    rule hide-all {
        match-direction input;
        term t1 {
            then {
                translated {
                    source-pool my-pool;
                    translation-type napt-44;
                }
            }
        }
    }
}
service-set null-sfw-with-nat {
    stateful-firewall-rules allow-all;
    nat-rules hide-all;
    next-hop-service {
        inside-service-interface sp-1/3/0.20;
        outside-service-interface sp-1/3/0.32;
    }
}

Example: Assigning Addresses from a Dynamic Pool for Static Use

The following configuration statically assigns a subset of addresses that are configured as part of a dynamic pool (dynamic-pool) to two separate static pools (static-pool and static-pool2).

content_copy zoom_out_map
[edit services nat]
pool dynamic-pool {
    address 20.20.10.0/24;
}
pool static-pool {
    address-range low 20.20.10.10 high 10.20.10.12;
}
pool static-pool2 {
    address 20.20.10.15/32;
}
rule src-nat {
    match-direction input;
    term t1 {
        from {
            source-address 30.30.30.0/24;
        }
        then {
            translation-type dynamic-nat44;
            source-pool dynamic-pool;
        }
    }
    term t2 {
        from {
            source-address 10.10.10.2;
        }
        then {
            translation-type basic-nat44;
            source-pool static-pool;
        }
    }
    term t3 {
        from {
            source-address 10.10.10.10;
        }
        then {
            translation-type basic-nat44;
            source-pool static-pool2;
        }
    }
}

arrow_backward PREVIOUS Port Forwarding

NEXT arrow_forward Inline NAT

Adaptive Services Interfaces User Guide for Routing Devices

ON THIS PAGE

Dynamic Address-Only Source Translation

Configuring Dynamic Address-Only Source Translation in IPv4 Networks

Example: Dynamic Source NAT as a Next-Hop Service

Example: Assigning Addresses from a Dynamic Pool for Static Use

Stay in touch

Helped me install or use the product
Accelerated my deployment

Discuss the product with a co-worker
Make a purchase inquiry