Inline Source NAT Configuration Example

This post explains inline NAT configuration on a Juniper MX-series router.

On Juniper MX-series routers, NAT normally requires a Multiservices Dense Port Concentrator (MS-DPC) card. Inline NAT runs the service on the MPC line card and removes the need for an MS-DPC card.

Requirements for Inline NAT:

- MPC cards
- Junos OS Release 11.4R1 or higher

Topology:

In the above topology, RTR-2 performs source NAT on traffic from RTR-1 to RTR-3.

We initiate traffic from the loopback of RTR-1 (11.11.11.11) to the loopback of RTR-3 (13.13.13.13).

RTR-2 translates the source address 11.11.11.11 to 192.168.16.0, the first address of the NAT pool.

RTR-1 Configuration:

set interfaces lt-3/0/0 unit 0 encapsulation ethernet
set interfaces lt-3/0/0 unit 0 peer-unit 1
set interfaces lt-3/0/0 unit 0 family inet address 1.1.1.1/24
set interfaces lo0 unit 11 family inet address 11.11.11.11/32

//Static route to RTR-3 loopback
set routing-options static route 13.13.13.13/32 next-hop 1.1.1.2

RTR-2 Configuration:

//Enable inline services on the MPC. This command creates the si-7/1/0 interface referenced by the service-set below
set chassis fpc 7 pic 1 inline-services bandwidth 1g

//Interface configuration. The service-set is applied to the interface facing RTR-1 in both directions
set interfaces lt-3/0/0 unit 1 encapsulation ethernet
set interfaces lt-3/0/0 unit 1 peer-unit 0
set interfaces lt-3/0/0 unit 1 family inet service input service-set SSET1
set interfaces lt-3/0/0 unit 1 family inet service output service-set SSET1
set interfaces lt-3/0/0 unit 1 family inet address 1.1.1.2/24
set interfaces lt-3/0/0 unit 2 encapsulation ethernet
set interfaces lt-3/0/0 unit 2 peer-unit 3
set interfaces lt-3/0/0 unit 2 family inet address 2.2.2.1/24

//Static route towards RTR-1 loopback
set routing-options static route 11.11.11.11/32 next-hop 1.1.1.1

//Static route towards RTR-3 loopback
set routing-options static route 13.13.13.13/32 next-hop 2.2.2.2

//Service-set configuration: binds NAT rule RULE1 to the inline service interface
set services service-set SSET1 nat-rules RULE1
set services service-set SSET1 interface-service service-interface si-7/1/0.0

//NAT pool
set services nat pool SOURCE-POOL address 192.168.16.0/24

//NAT rule: only traffic sourced from 11.11.11.11/32 in the input direction is translated; any other source passes through untranslated
set services nat rule RULE1 match-direction input
set services nat rule RULE1 term 1 from source-address 11.11.11.11/32
set services nat rule RULE1 term 1 then translated source-pool SOURCE-POOL
set services nat rule RULE1 term 1 then translated translation-type basic-nat44
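As an added example (not from the post or from Juniper), the Python below parses the RTR-2 set commands into the service-set, NAT rule and pool objects, checks offline that every reference in that chain resolves before the configuration is committed, and applies the basic-nat44 term to the test flow. The one-to-one, in-order mapping of the matched source range onto the pool is an assumption chosen to reproduce the 11.11.11.11 to 192.168.16.0 result shown in the verification section.

```python
import ipaddress
RTR2 = """
set chassis fpc 7 pic 1 inline-services bandwidth 1g
set services service-set SSET1 nat-rules RULE1
set services service-set SSET1 interface-service service-interface si-7/1/0.0
set services nat pool SOURCE-POOL address 192.168.16.0/24
set services nat rule RULE1 match-direction input
set services nat rule RULE1 term 1 from source-address 11.11.11.11/32
set services nat rule RULE1 term 1 then translated source-pool SOURCE-POOL
set services nat rule RULE1 term 1 then translated translation-type basic-nat44
"""  # constructed sample: the NAT-relevant RTR-2 set commands from the post above

def parse(cfg):
    """Reduce the set commands to the objects that make up the inline NAT service."""
    m = {"si": set(), "ssets": {}, "pools": {}, "rules": {}}
    for w in (l.split() for l in cfg.splitlines() if l.strip()):
        if w[1] == "chassis" and "inline-services" in w:
            m["si"].add(f"si-{w[3]}/{w[5]}/0")       # fpc X pic Y creates si-X/Y/0
        elif w[1:3] == ["services", "service-set"]:
            m["ssets"].setdefault(w[3], {})["rule" if w[4] == "nat-rules" else "si"] = w[-1]
        elif w[1:4] == ["services", "nat", "pool"]:
            m["pools"][w[4]] = ipaddress.ip_network(w[6])
        elif w[1:4] == ["services", "nat", "rule"]:
            r = m["rules"].setdefault(w[4], {"dir": None, "terms": {}})
            if w[5] == "match-direction":
                r["dir"] = w[6]
            elif w[7] == "from":                     # term N from source-address X
                r["terms"].setdefault(w[6], {})["src"] = ipaddress.ip_network(w[9])
            else:                                    # term N then translated <key> <value>
                r["terms"].setdefault(w[6], {})["pool" if w[9] == "source-pool" else "type"] = w[10]
    return m

def check(m):
    """Offline pre-commit review: every reference in the service-set -> rule -> pool chain must resolve."""
    errs = [f"{n}: {s.get('si')} has no matching chassis inline-services stanza"
            for n, s in m["ssets"].items() if s.get("si", "").split(".")[0] not in m["si"]]
    errs += [f"{n}: nat rule {s.get('rule')} is not defined"
             for n, s in m["ssets"].items() if s.get("rule") not in m["rules"]]
    errs += [f"{n} term {t}: pool {d.get('pool')} is not defined" for n, r in m["rules"].items()
             for t, d in r["terms"].items() if d.get("pool") not in m["pools"]]
    return errs

def translate(m, src, dst):
    """basic-nat44, input direction: matched source range maps one-to-one, in order, onto the pool (assumed model); unmatched sources pass as-is."""
    a = ipaddress.ip_address(src)
    for r in m["rules"].values():
        for t in r["terms"].values():
            if r["dir"] == "input" and t.get("type") == "basic-nat44" and a in t.get("src", ()):
                return str(m["pools"][t["pool"]][int(a) - int(t["src"].network_address)]), dst
    return src, dst
```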

RTR-3 Configuration:

set interfaces lt-3/0/0 unit 3 encapsulation ethernet
set interfaces lt-3/0/0 unit 3 peer-unit 2
set interfaces lt-3/0/0 unit 3 family inet address 2.2.2.2/24
set interfaces lo0 unit 13 family inet address 13.13.13.13/32

//Static route to NAT POOL towards RTR-2
set routing-options static route 192.168.16.0/24 next-hop 2.2.2.1

Verification:

Ping the loopback interface of RTR-3 from RTR-1:

lab@RTR-1> ping 13.13.13.13 source 11.11.11.11 count 10 rapid
PING 13.13.13.13 (13.13.13.13): 56 data bytes
!!!!!!!!!!
--- 13.13.13.13 ping statistics ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.689/0.732/0.820/0.032 ms

RTR-2:

The inline NAT statistics show 10 packets NATed and 10 packets deNATed, matching the 10 pings:

lab@RTR-2> show services inline nat statistics

 Service PIC Name                                      si-7/1/0

 Control Plane Statistics
     Received IPv4 packets                                0
     ICMPv4 error packets pass through                    0
     ICMPv4 error packets locally generate                0
     Dropped IPv4 packets                                 0
     Received IPv6 packets                                0
     ICMPv6 error packets pass through for NPTv6          0
     ICMPv6 error packets locally generated for NPTv6     0
     Dropped IPv6 packets                                 0

 Data Plane Statistics           Packets                  Bytes
     IPv4 NATed packets            10                      840
     IPv4 deNATed packets          10                      840
     IPv4 error packets            0                       0
     IPv4 skipped packets          0                       0
     IPv6 NATed packets            0                       0
     IPv6 deNATed packets          0                       0
     IPv6 error packets            0                       0
     IPv6 skipped packets          0                       0

RTR-3:

The monitor traffic output on RTR-3 shows that the echo requests arrive with the translated source 192.168.16.0, and the replies are sent back to that pool address:

lab@RTR-3> monitor traffic interface lt-3/0/0.3
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on lt-3/0/0.3, capture size 96 bytes

Reverse lookup for 13.13.13.13 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.

17:22:43.175949  In IP 192.168.16.0 > 13.13.13.13: ICMP echo request, id 45695, seq 59, length 64
17:22:43.175966 Out IP truncated-ip - 30 bytes missing! 13.13.13.13 > 192.168.16.0: ICMP echo reply, id 45695, seq 59, length 64