Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

NAT for VRF Routing Instance

NAT Overview

Network Address Translation (NAT) is a method for modifying or translating network address information in packet headers. NAT was described in RFC 1631 to solve IPv4 address depletion problems. NAT is a useful tool for firewalls, traffic redirect, load sharing, and network migrations.

In an SD-WAN deployment, SRX Series Firewalls are deployed in the hub and spoke locations. Different sites are connected to the spoke SRX Series Firewall. Packets are sent from these sites to public Internet servers or remote sites. At the hub, after the security processing is complete, the packet is examined to determine whether the destination is a public Internet server or an MPLS next-hop device. If the destination is a public Internet server, NAT converts the virtual routing and forwarding (VRF) private IP address to a public IP address and establishes a session. Similarly, NAT is required for traffic from public Internet servers to reach a VRF private network.

The following types of NAT are supported on Juniper Networks devices:

  • Static NAT

  • Destination NAT

  • Source NAT

Example: Configuring Source NAT to convert the private IP address of a VRF instance to the private IP address of another VRF instance

This example describes how to configure a source NAT between two MPLS networks.

Requirements

Before you Begin

Example Prerequisites

  • Software requirements: Supported only in Junos OS Release 15.1X49-D160.

  • Hardware requirements: SRX Series Firewall devices.

Overview

Source NAT is the translation of the source IP address of a packet leaving the Juniper Networks device. Source NAT is used to allow hosts with private IP addresses to access a public network.

In this example, the SRX Series Firewall connects two MPLS private networks to convert the private IP address from one VRF’s private IP address to another VRF’s private IP address. In Figure 1, the spoke SRX Series Firewall is configured with VRF-a and VRF-b routing instances, which are connected to the hub SRX Series Firewall. Site C and site D are connected to another spoke SRX Series Firewall. In the hub SRX Series Firewall, the source IP addresses 192.168.1.200 and 192.168.1.201 from VRF-a and VRF-b routing instances are translated to 203.0.113.200 and 203.0.113.201.

Figure 1: Source NAT conversionSource NAT conversion

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy.

To configure source NAT mapping:

  1. Layer 3 VPNs require a VRF table for distributing routes within the networks. Create a VRF instance and specify the value vrf.

  2. Assign a route distinguisher to the routing instance.

  3. Create a community policy to import or export all routes.

  4. Assign a single VPN label for all the routes in the VRF.

  5. Create a source NAT pool.

  6. Create a source NAT rule set.

  7. Configure a rule that matches packets and translates the source IP address to an IP address in the source NAT pool.

Results

From configuration mode, confirm your configuration by entering the show security nat and show routing-instances commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying Source NAT Rule Usage
Purpose

Verify that there is traffic matching the source NAT rule.

Action

From operational mode, enter the show security nat source rule all command. In the Translation hits field, verify whether there is traffic that matches the source NAT rule.

Example: Configuring Destination NAT to Convert Public IP Address to VRF’s Single Private IP Address of a VRF instance

This example describes how to configure the destination NAT mapping of a public IP address to the single VRF’s private address for directing the packets to the correct VRF instance.

Requirements

Overview

Destination NAT is the translation of the destination IP address of a packet entering the Juniper Networks device. Destination NAT is used to redirect traffic destined to a virtual host (identified by the original destination IP address) to the real host (identified by the translated destination IP address).

In this example, an SRX Series Firewall is configured with destination NAT to convert a public IP address to the VRF private IP address of a VRF instance. The public IP address can be configured per VRF instance. In Figure 2, the SRX Series Firewall is configured with two VRF instances, VRF-a and VRF-b. The SRX Series Firewall coverts the public IP address to private IP address of a VRF instance.

Figure 2: Destination NATDestination NAT

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy.

To configure destination NAT mapping for a single VRF:

  1. Layer 3 VPNs require a VRF table for distributing routes within the networks. Create a VRF instance and specify the value vrf.

  2. Assign a route distinguisher to the routing instance.

  3. Create a community policy to import or export all routes.

  4. Assign a single VPN label for all the routes in the VRF.

  5. Specify a destination NAT IP address pool.

  6. Assign the routing instance to the destination pool.

  7. Create a destination NAT rule set.

  8. Configure a rule that matches packets and translates the destination IP address to an IP address in the destination NAT IP address pool.

Results

From configuration mode, confirm your configuration by entering the show security nat and show routing-instances commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying Destination NAT Rule Usage

Purpose

Verify that there is traffic matching the destination NAT rule.

Action

From operational mode, enter the show security nat destination rule all command. In the Translation hits field, verify whether there is traffic that matches the destination NAT rule.

Example: Configuring Static NAT to Convert the Private IP Address of a VRF Instance to Public IP Address

This example describes how to configure a static NAT mapping of VRF single private IP address to a public IP address.

Requirements

Understand how SRX Series Firewalls work in an SD-WAN deployment for NAT. See NAT Overview.

Overview

In this example, an SRX Series Firewall is configured with static NAT to convert the VRF private IP address of a VRF instance to a public IP address of a VRF instance. Static NAT can be applied on the source NAT and destination NAT. In Figure 3, the SRX Series Firewall is configured with two VRF instances, VRF-a and VFR-b. The SRX Series Firewall converts the private IP address of a VRF instance to a public IP address.

Figure 3: Static NATStatic NAT

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy.

To configure static NAT mapping for the IP address of a single VRF:

  1. Layer 3 VPNs require a VRF table for distributing routes within the networks. Create a VRF instance and specify the value vrf.

  2. Assign a route distinguisher to the routing instance.

  3. Create a community policy to import or export all routes.

  4. Assign a single VPN label for all the routes in the VRF.

  5. Create a static NAT rule set.

  6. Configure a rule that matches packets and translates the destination address in the packets to a private IP address.

Results

From configuration mode, confirm your configuration by entering the show security nat and show routing-instances commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying Static NAT Rule Usage

Purpose

Verify that there is traffic matching the static NAT rule.

Action

From operational mode, enter the show security nat static rule command. In the Translation hits field, verify whether there is traffic that matches the static NAT rule.