Life is a Roller Coaster

March 21, 2008

(Very) Simple NAT configuration using next-hop service-pic

Filed under: Technical section — adisubrata @ 3:41 PM

A VRF instance is required on the middle router to avoid packet loops.

To enable NAT on a Juniper router, an AS-PIC or MS-PIC is needed in the router.

Packet lookup and translation are done on the SP (Services PIC) interface.

Below is the topology used in this post:

A-B prefix is 172.16.0.0/24 (A = .1, B = .2)

A's loopback address is 1.1.1.1/32

B-C prefix is 192.168.150.0/24 (B = .252, C = .102)

B is the middle router and does NAT on traffic sourced from A.

Thus, all packets with source IP 1.1.1.1 (A's loopback) will be translated into 10.0.0.0/24, and packets with source addresses in 172.16.0.0/24 will be translated into 10.1.1.0/24.

NAT pools are 10.0.0.0/24 and 10.1.1.0/24 (in a real network only one prefix is needed).

Router B Service Configuration

enugadi@M7i# show
stateful-firewall {
    rule firewall-nat-rule {
        match-direction input;
        term 1 {
            then {
                accept;
            }
        }
    }
}
nat {
    pool nat-pool {
        address 10.0.0.0/24;
    }
    pool nat-pool-1 {
        address 10.1.1.0/24;
    }
    rule nat-rule {
        match-direction input;
        term 1 {
            from {
                source-address {
                    1.1.1.1/32;
                }
            }
            then {
                translated {
                    source-pool nat-pool;
                    translation-type {
                        source static;
                    }
                }
            }
        }
        term 2 {
            from {
                source-address {
                    172.16.0.0/24;
                }
            }
            then {
                translated {
                    source-pool nat-pool-1;
                    translation-type {
                        source static;
                    }
                }
            }
        }
    }
}
service-set nat {
    stateful-firewall-rules firewall-nat-rule;
    nat-rules nat-rule;
    next-hop-service {
        inside-service-interface sp-0/1/0.100;
        outside-service-interface sp-0/1/0.200;
    }
}

Interface Configuration

enugadi@M7i# show interfaces sp-0/1/0
unit 100 {
    family inet;
    service-domain inside;
}
unit 200 {
    family inet;
    service-domain outside;
}

VRF Configuration

enugadi@M7i# show routing-instances vrf-a
instance-type vrf;
interface sp-0/1/0.100;
interface ge-0/0/0.0;
route-distinguisher 1:1;
vrf-target target:1:1;
routing-options {
    static {
        route 192.168.150.0/24 next-hop sp-0/1/0.100;
        route 1.1.1.1/32 next-hop 172.16.0.2;
    }
}

Verify NAT packet translation:

enugadi@m7i# run show services stateful-firewall flows
Interface: sp-0/1/0, Service set: nat
Flow                                                State    Dir       Frm count
ICMP   192.168.150.102       ->       10.0.0.1       Watch    O             343
NAT dest          10.0.0.1         ->         1.1.1.1
ICMP   192.168.150.102       ->       10.1.1.2       Watch    O             100
NAT dest          10.1.1.2         ->      172.16.0.2
ICMP        172.16.0.2       ->192.168.150.102       Watch    I             100
NAT source      172.16.0.2         ->        10.1.1.2
ICMP           1.1.1.1       ->192.168.150.102       Watch    I             343
NAT source         1.1.1.1         ->        10.0.0.1

Source address 1.1.1.1/32 is translated into 10.0.0.0/24, and source addresses in 172.16.0.0/24 are translated into 10.1.1.0/24, as expected.

March 20, 2008

(Very) Simple NAT Configuration using service-set

Filed under: Technical section — adisubrata @ 3:20 AM

Network Address Translation (NAT) is a technique for rewriting a group of IP addresses with new ones.

To enable NAT on a Juniper router, an AS-PIC or MS-PIC is needed in the router.

Packet lookup and translation are done on the SP (Services PIC) interface.

Below is the topology used in this post:

A-B prefix is 172.16.0.0/24 (A = .1, B = .2)

A's loopback address is 1.1.1.1/32

B-C prefix is 192.168.150.0/24 (B = .252, C = .102)

B is the middle router and does NAT on traffic sourced from A.

Thus, all packets with source IP 1.1.1.1 (A's loopback) will be translated into 10.0.0.0/24, and packets with source addresses in 172.16.0.0/24 will be translated into 10.1.1.0/24.

NAT pools are 10.0.0.0/24 and 10.1.1.0/24 (in a real network only one prefix is needed).

Router Configuration

Router B

enugadi@M7i# show services
nat {
    pool nat-pool {
        address 10.0.0.0/24;
    }
    pool nat-pool-1 {
        address 10.1.1.0/24;
    }
    rule nat-rule {
        match-direction input;
        term 1 {
            from {
                source-address {
                    1.1.1.1/32;
                }
            }
            then {
                translated {
                    source-pool nat-pool;
                    translation-type {
                        source static;
                    }
                }
            }
        }
        term 2 {
            from {
                source-address {
                    172.16.0.0/24;
                }
            }
            then {
                translated {
                    source-pool nat-pool-1;
                    translation-type {
                        source static; <-- creates a one-to-one mapping between each source address and the pool
                    }
                }
            }
        }
    }
}
service-set nat-service-interface {
    nat-rules nat-rule;
    interface-service {
        service-interface sp-0/1/0;
    }
}

Apply the configuration above to B's interface between A and B.

enugadi@M7i# show interfaces ge-0/0/0
unit 0 {
    family inet {
        service {
            input {
                service-set nat-service-interface;
            }
            output {
                service-set nat-service-interface;
            }
        }
        address 172.16.0.1/24;
    }
}

Configure the SP interface:

enugadi@M7i# show interfaces sp-0/1/0
unit 0 {
    family inet;
}

After finishing the configuration, router A (source 172.16.0.2) sends ICMP packets to router C (192.168.150.102).

Router C captures the ICMP packets shown below:

No.     Time            Source                Destination           Protocol Info
5      02:55:58.    10.1.1.2 192.168.150.102 ICMP     Echo (ping) request

Frame 52723 (98 bytes on wire, 98 bytes captured)
Ethernet II, Src: JuniperN_7c:0c:db (00:14:f6:7c:0c:db), Dst: Intel_04:fb:7b (00:16:6f:04:fb:7b)
Internet Protocol, Src: 10.1.1.2 (10.1.1.2), Dst: 192.168.150.102 (192.168.150.102)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
Total Length: 84
Identification: 0x3acd (15053)
Flags: 0x00
Fragment offset: 0
Time to live: 63
Protocol: ICMP (0x01)
Header checksum: 0xdeca [correct]
Source: 10.1.1.2 (10.1.1.2)
Destination: 192.168.150.102 (192.168.150.102)
Internet Control Message Protocol
Type: 8 (Echo (ping) request)
Code: 0 ()
Checksum: 0xe7b7 [correct]
Identifier: 0xe53f
Sequence number: 746 (0x02ea)
Data (56 bytes)

The captured packets arrive with source address 10.1.1.2.

What about ICMP packets sourced from A's loopback address?

[edit]
enugadi@A# ping 192.168.150.102 source 1.1.1.1

and the result is shown below:

No.     Time            Source                Destination           Protocol Info
26820   02:37:42      10.0.0.1 192.168.150.102 ICMP     Echo (ping) request

Frame 26820 (98 bytes on wire, 98 bytes captured)
Ethernet II, Src: JuniperN_7c:0c:db (00:14:f6:7c:0c:db), Dst: Intel_04:fb:7b (00:16:6f:04:fb:7b)
Internet Protocol, Src: 10.0.0.1 (10.0.0.1), Dst: 192.168.150.102 (192.168.150.102)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
Total Length: 84
Identification: 0x3296 (12950)
Flags: 0x00
Fragment offset: 0
Time to live: 63
Protocol: ICMP (0x01)
Header checksum: 0xe803 [correct]
Source: 10.0.0.1 (10.0.0.1)
Destination: 192.168.150.102 (192.168.150.102)
Internet Control Message Protocol
Type: 8 (Echo (ping) request)
Code: 0 ()
Checksum: 0x55c9 [correct]
Identifier: 0x043f
Sequence number: 0 (0x0000)
Data (56 bytes)

As expected, the source IP address is 10.0.0.1.
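The `source static` translation type used in both NAT posts on this page (the configuration comment calls it a one-to-one mapping) can be checked mechanically. The Python below is an added example, not code from either post: it models the static mapping, re-checks the `show services stateful-firewall flows` output from the next-hop post above and the source addresses router C captured in this post, and shows that a pool smaller than the matched prefix is no longer one-to-one. The host-bit rule, the function names and the undersized pool are my assumptions, chosen to reproduce the translations the posts observed, not a description of Junos internals.

```python
"""Model of Junos `translation-type source static` (one-to-one source NAT).

Added example, not code from either post. The matched prefixes, pools,
flows output and captured addresses are taken from the posts on this page;
the function names and the host-bit rule are assumptions that reproduce
the translations the posts observed.
"""
import ipaddress
import re

# NAT rule terms from the posts: (matched source prefix, pool prefix).
NAT_TERMS = [
    (ipaddress.ip_network("1.1.1.1/32"), ipaddress.ip_network("10.0.0.0/24")),
    (ipaddress.ip_network("172.16.0.0/24"), ipaddress.ip_network("10.1.1.0/24")),
]
# Constructed negative case: a pool too small for the /24 it should cover.
UNDERSIZED_POOL = ipaddress.ip_network("10.1.1.0/25")

# `show services stateful-firewall flows` output from the next-hop post above.
FLOWS_OUTPUT = """\
Interface: sp-0/1/0, Service set: nat
Flow                                                State    Dir       Frm count
ICMP   192.168.150.102       ->       10.0.0.1       Watch    O             343
NAT dest          10.0.0.1         ->         1.1.1.1
ICMP   192.168.150.102       ->       10.1.1.2       Watch    O             100
NAT dest          10.1.1.2         ->      172.16.0.2
ICMP        172.16.0.2       ->192.168.150.102       Watch    I             100
NAT source      172.16.0.2         ->        10.1.1.2
ICMP           1.1.1.1       ->192.168.150.102       Watch    I             343
NAT source         1.1.1.1         ->        10.0.0.1
"""

# Source addresses router C saw in the two captures of this post:
# inside (pre-NAT) address -> outside (post-NAT) address.
CAPTURED_SOURCES = {"172.16.0.2": "10.1.1.2", "1.1.1.1": "10.0.0.1"}


def static_translate(src, terms=NAT_TERMS):
    """Translate an inside source address, or return None if no term matches.

    Assumption: a static translation keeps the host bits of the original
    address (relative to the pool's mask) and replaces the network bits
    with the pool's, so 172.16.0.2 -> 10.1.1.2 and 1.1.1.1 -> 10.0.0.1.
    """
    src = ipaddress.ip_address(src)
    for match, pool in terms:
        if src in match:
            host_bits = int(src) & int(pool.hostmask)
            return ipaddress.ip_address(int(pool.network_address) | host_bits)
    return None  # outside every matched prefix: forwarded untranslated


def static_untranslate(dst, terms=NAT_TERMS):
    """Reverse mapping applied to return traffic (the 'NAT dest' lines)."""
    dst = ipaddress.ip_address(dst)
    for match, pool in terms:
        if dst in pool:
            host_bits = int(dst) & int(pool.hostmask)
            network_bits = int(match.network_address) & ~int(pool.hostmask)
            original = ipaddress.ip_address(network_bits | host_bits)
            if original in match:  # a /32 term only owns one pool address
                return original
    return None


NAT_LINE = re.compile(r"^NAT (source|dest)\s+(\S+)\s*->\s*(\S+)$")


def parse_nat_lines(output):
    """Return (kind, before, after) for every 'NAT source'/'NAT dest' line."""
    entries = []
    for line in output.splitlines():
        m = NAT_LINE.match(line.strip())
        if m:
            entries.append(m.groups())
    return entries


def verify_flows(output, terms=NAT_TERMS):
    """Check each NAT line of the flows output against the configured mapping.

    Returns (kind, before, after, ok) tuples; a False entry means the SP
    produced a translation the static rules should never yield.
    """
    results = []
    for kind, before, after in parse_nat_lines(output):
        if kind == "source":
            expected = static_translate(before, terms)
        else:
            expected = static_untranslate(before, terms)
        results.append((kind, before, after, expected is not None and str(expected) == after))
    return results


def captures_match(captured=CAPTURED_SOURCES, terms=NAT_TERMS):
    """True if every captured outside address is what the model predicts."""
    return all(str(static_translate(i, terms)) == o for i, o in captured.items())


def mapping_is_one_to_one(match, pool):
    """True if every address in `match` gets its own pool address."""
    translated = {static_translate(host, [(match, pool)]) for host in match}
    return len(translated) == match.num_addresses


if __name__ == "__main__":
    for kind, before, after, ok in verify_flows(FLOWS_OUTPUT):
        print(f"NAT {kind:6} {before:>16} -> {after:<16} {'ok' if ok else 'MISMATCH'}")
    print("captures match model:", captures_match())
    print("/24 -> /24 one-to-one:", mapping_is_one_to_one(*NAT_TERMS[1]))
    print("/24 -> /25 one-to-one:", mapping_is_one_to_one(NAT_TERMS[1][0], UNDERSIZED_POOL))
```

Run directly, it prints one check per NAT line. The same check run against a periodic copy of `show services stateful-firewall flows` flags any translation that does not follow the configured static rules, and the one-to-one test explains why the posts size each pool to cover the whole matched prefix.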

Cheers :)

March 10, 2008

Our son was born

Filed under: My Life — adisubrata @ 12:49 AM


Our first son, Francis, was born on Saturday, 1 March 2008.

He was delivered by caesarean section after his mother (my wife) endeavored for almost 14 hours to give birth naturally.

Francis weighs 3.17 kg and is 52 cm tall, in good health and condition.


I'm so glad and happy to be a father.

I hope this son will be a good boy and the star of my family.

You can see his photos in our gallery here.
