
How to configure a basic NAT service

SUMMARY:
How to configure a basic interface-style source NAT service on M Series and T Series routers equipped with an AS-PIC.
SYMPTOMS:
This article provides details and configurations for setting up interface-based NAT services on M Series and T Series routers.
SOLUTION:
Configure a basic interface-style source NAT service on M Series and T Series routers equipped with an AS-PIC.
Topology:

                                                      ---> NAT --> 33.33.33.3

[R1] ------------------ [R2] ----------------- [R-NAT] ------------------ [R-Internet]
   .1                .2    .2               .1       .2                 .1
       192.168.4.0/30          192.168.5.0/30            1.1.6.0/30

In the above scenario, Network Address Translation (NAT) to the public source IP 33.33.33.3/32 shall be performed on any packet destined to router R-Internet (public address space) whose source address is in 192.168.4.0/30. Other packets, e.g. traffic coming from 192.168.5.0/30 and going to router R-Internet, must not be translated.

The following example shows how to configure the router R-NAT in 4 steps to allow NAT based on the above criteria:

Router R-NAT has the following interfaces and assigned IP addresses:

       192.168.5.1/30                       1.1.6.2/30
       private interface                    public interface
  ---- [so-0/3/1 ---> sp-1/2/0 ---> e1-0/2/0:0] ----

Configuration of router R-NAT:

Step 1) Configure the NAT service:

operator@R-NAT# show services nat
pool NAT_POOL_01 {                         # pool from which the IP address(es) and port are chosen
    address 33.33.33.3/32;
    port automatic;
}
rule SVC_NAT_RULES_01 {
    match-direction input;                 # this service is applied on the 'internal' (private) interface
    term A {
        from {
            source-address {
                192.168.4.0/30;            # only these source IPs are translated
            }
        }
        then {
            translated {
                source-pool NAT_POOL_01;             # picks 33.33.33.3
                translation-type source dynamic;     # allows NAT/PAT
            }
        }
    }
}

Step 2) Configure a stateful firewall to catch the traffic that will be sent to the NAT service.
In a basic scenario, everything that arrives at the interface where the stateful-firewall service is applied is accepted:

operator@R-NAT# show services stateful-firewall
rule SVC_STAT_FW_01 {
    match-direction input;
    term A {
        then {
            accept;
        }
    }
}

Step 3) Combine the NAT service and the stateful firewall and apply them to the AS-PIC service interface.
This combination is called a service-set:

operator@R-NAT# show services service-set SVC_SET_NAT_01
stateful-firewall-rules SVC_STAT_FW_01;
nat-rules SVC_NAT_RULES_01;
interface-service {
    service-interface sp-1/2/0;
}

Note: When doing NAT in routing instances, you need to use a so-called next-hop style service-set. This means that, instead of the whole service interface of the AS-PIC (sp-1/2/0), you specify both the inbound unit and the outbound unit of the service interface, i.e. in place of

interface-service {
    service-interface sp-1/2/0;
}

the configuration would be:

next-hop-service {
    inside-service-interface sp-1/2/0.10;
    outside-service-interface sp-1/2/0.20;
}

Step 4) Apply the service-set to the inbound interface (the one on the private side):

operator@R-NAT# show interfaces so-0/3/1
unit 0 {
    family inet {
        service {
            input {
                service-set SVC_SET_NAT_01;
            }
            output {
                service-set SVC_SET_NAT_01;
            }
        }
        address 192.168.5.1/30;
    }
}

Note: The service interface on the AS-PIC must be configured with family inet:

operator@R-NAT# show interfaces sp-1/2/0
unit 0 {
    family inet;
}

How to check your work:

TEST #1:

From router R1, ping router R-Internet: (192.168.4.1 ---> 1.1.6.1)


operator@R1> ping 1.1.6.1
PING 1.1.6.1 (1.1.6.1): 56 data bytes
64 bytes from 1.1.6.1: icmp_seq=0 ttl=62 time=6.675 ms
64 bytes from 1.1.6.1: icmp_seq=1 ttl=62 time=6.784 ms
^C

At the same time, monitor traffic on the interface of R-Internet to check that the source IP has been translated to 33.33.33.3:

operator@R-Internet> monitor traffic interface e1-0/3/0:0 matching icmp
10:30:46.142823 In IP 33.33.33.3 > 1.1.6.1: ICMP echo request seq 2816, length 64
10:30:46.142891 Out IP 1.1.6.1 > 33.33.33.3: ICMP echo reply seq 2816, length 64
10:30:47.152884 In IP 33.33.33.3 > 1.1.6.1: ICMP echo request seq 3072, length 64
10:30:47.152947 Out IP 1.1.6.1 > 33.33.33.3: ICMP echo reply seq 3072, length 64

Check the NAT pool on R-NAT (1 address/port is in use):

operator@R-NAT> show services nat pool
Interface: sp-1/2/0, Service set: SVC_SET_NAT_01
NAT pool        Type      Address                  Port        Ports used
NAT_POOL_01     dynamic   33.33.33.3-33.33.33.3    512-65535   1

On R-NAT, check the stateful firewall for existing flows and verify that both NAT and PAT are working:

operator@R-NAT> show services stateful-firewall flows
Interface: sp-1/2/0, Service set: SVC_SET_NAT_01
Flow                                     State     Dir   Frm count
...
ICMP 192.168.4.1:2199 -> 1.1.6.1         Watch     I     4
  NAT source 192.168.4.1:2199 -> 33.33.33.3:1029
...
ICMP 1.1.6.1:4 -> 33.33.33.3             Watch     O     3
  NAT dest 33.33.33.3:4 -> 192.168.4.1:38674
RSVP 192.168.5.2:0 -> 192.168.5.1:0      Forward   I     7446
...

TEST #2 :

From R2, ping R-Internet: (192.168.5.2 ---> 1.1.6.1)


Note: the source address '192.168.5.2' does NOT match the NAT rule, hence NAT translation should not happen
operator@R2> ping 1.1.6.1
PING 1.1.6.1 (1.1.6.1): 56 data bytes
64 bytes from 1.1.6.1: icmp_seq=0 ttl=63 time=4.571 ms
64 bytes from 1.1.6.1: icmp_seq=1 ttl=63 time=5.668 ms
^C

Again, at the same time, monitor traffic on the interface of R-Internet and check that the source IP has not changed:

operator@R-Internet> monitor traffic interface e1-0/3/0:0 matching icmp
10:48:26.842013 In IP 192.168.5.2 > 1.1.6.1: ICMP echo request seq 1536, length 64
10:48:26.842079 Out IP 1.1.6.1 > 192.168.5.2: ICMP echo reply seq 1536, length 64
10:48:27.853111 In IP 192.168.5.2 > 1.1.6.1: ICMP echo request seq 1792, length 64
10:48:27.853171 Out IP 1.1.6.1 > 192.168.5.2: ICMP echo reply seq 1792, length 64

Check the NAT pool on R-NAT (0 addresses/ports are in use):

operator@R-NAT> show services nat pool
Interface: sp-1/2/0, Service set: SVC_SET_NAT_01
NAT pool        Type      Address                  Port        Ports used
NAT_POOL_01     dynamic   33.33.33.3-33.33.33.3    512-65535   0

On router R-NAT, check the stateful firewall for existing flows and verify that the flow doesn't go through the NAT service:

operator@R-NAT> show services stateful-firewall flows
Interface: sp-1/2/0, Service set: SVC_SET_NAT_01
Flow                                     State     Dir   Frm count
...
ICMP 1.1.6.1:146 -> 192.168.5.2          Watch     O     140
...
ICMP 192.168.5.2:2194 -> 1.1.6.1         Watch     I     140
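The two flow checks above can be automated. The following script is an added example, not part of the original article: it parses the "show services stateful-firewall flows" output (the sample below is constructed from the Test #1 and Test #2 outputs, with wrapped lines rejoined) and verifies the intended policy of rule SVC_NAT_RULES_01, i.e. inbound flows from 192.168.4.0/30 carry a source NAT to 33.33.33.3 and no other inbound flow is translated.

```python
import ipaddress
import re

# Constructed sample: the "show services stateful-firewall flows" outputs of Test #1
# and Test #2 above, merged and with the wrapped lines rejoined.
FLOWS_OUTPUT = """\
Flow                                   State    Dir  Frm count
ICMP 192.168.4.1:2199 -> 1.1.6.1       Watch    I    4
  NAT source 192.168.4.1:2199 -> 33.33.33.3:1029
ICMP 1.1.6.1:4 -> 33.33.33.3           Watch    O    3
  NAT dest 33.33.33.3:4 -> 192.168.4.1:38674
RSVP 192.168.5.2:0 -> 192.168.5.1:0    Forward  I    7446
ICMP 1.1.6.1:146 -> 192.168.5.2        Watch    O    140
ICMP 192.168.5.2:2194 -> 1.1.6.1       Watch    I    140
"""

# Intended behaviour of rule SVC_NAT_RULES_01: only 192.168.4.0/30 is translated,
# to the pool address 33.33.33.3, and only in the input direction.
NAT_SOURCE_PREFIX = ipaddress.ip_network("192.168.4.0/30")
NAT_POOL_ADDRESS = "33.33.33.3"

FLOW_RE = re.compile(r"^(?P<proto>[A-Z]+)\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
                     r"\s+(?P<state>\w+)\s+(?P<dir>[IO])\s+(?P<count>\d+)$")
NAT_RE = re.compile(r"^NAT (?P<kind>source|dest) [\d.]+:\d+ -> (?P<to>[\d.]+):\d+$")


def parse_flows(text):
    """Return one dict per flow line; a following 'NAT source/dest' line is attached as 'nat'."""
    flows = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = FLOW_RE.match(line)
        if m:
            flows.append({"proto": m["proto"], "src": m["src"], "dst": m["dst"], "dir": m["dir"], "nat": None})
            continue
        n = NAT_RE.match(line)
        if n and flows:                      # the NAT line belongs to the flow just parsed
            flows[-1]["nat"] = (n["kind"], n["to"])
    return flows


def check_nat_policy(flows):
    """Return violations of the intended behaviour; an empty list means every inbound flow complies."""
    problems = []
    for f in (f for f in flows if f["dir"] == "I"):   # match-direction input: only inbound flows
        in_scope = ipaddress.ip_address(f["src"]) in NAT_SOURCE_PREFIX
        nat = f["nat"] or (None, None)
        label = f"{f['proto']} {f['src']} -> {f['dst']}"
        if in_scope and nat != ("source", NAT_POOL_ADDRESS):
            problems.append(f"{label}: expected source NAT to {NAT_POOL_ADDRESS}, got {nat}")
        elif not in_scope and nat[0] == "source":
            problems.append(f"{label}: source NAT applied although {f['src']} is outside the rule")
    return problems
```

Run `check_nat_policy(parse_flows(output))` on the pasted command output; an empty list confirms both tests at once, while a non-empty list names each inbound flow that was translated when it should not have been, or not translated when it should.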

Another useful utility for troubleshooting is the "show services stateful-firewall conversations" command. It gives more details about the flows. Below is an example of a UDP flow and a TCP flow:

operator@R-NAT> show services stateful-firewall conversations source-prefix 10.10.10.1 extensive
Interface: sp-2/0/0, Service set: nat_WOL

Conversation: ALG protocol: udp
Number of initiators: 1, Number of responders: 1
Flow State Dir Frm count
UDP 10.10.10.1:1709 -> 89.2.0.2:53 Forward I 2
NAT source 10.10.10.1:1709 -> 89.156.172.1:57013
Byte count: 130
Flow role: Master, Timeout: 16
UDP 89.2.0.2:53 -> 89.156.172.1:57013 Forward O 2
NAT dest 89.156.172.1:57013 -> 10.10.10.1:1709
Byte count: 366
Flow role: Responder, Timeout: 16

Conversation: ALG protocol: tcp
Number of initiators: 1, Number of responders: 1
Flow State Dir Frm count
TCP 10.10.10.1:2399 -> 107.21.110.107:80 Forward I 3
NAT source 10.10.10.1:2399 -> 89.156.172.1:57047
Byte count: 1196, TCP established, TCP window size: 16384
TCP acknowledge: 1862629086, TCP tickle enabled, tcp_tickle: 0
Flow role: Master, Timeout: 16
TCP 107.21.110.107:80 -> 89.156.172.1:57047 Forward O 14
NAT dest 89.156.172.1:57047 -> 10.10.10.1:2399
Byte count: 8360, TCP established, TCP window size: 16384
TCP acknowledge: 398524347, TCP tickle enabled, tcp_tickle: 0
Flow role: Responder, Timeout: 26