Juniper NAT on MS-MIC-16G
Let’s set up the interface first:
vitalvas@mx80a# show interfaces ms-0/2/0
/* Services interface on the MS-MIC-16G. Unit 100 is the inside (pre-NAT) side and unit 200 the outside (post-NAT) side; the service set CGNAT-SET binds the two together. */
description "Card: MS-MIC-16G";
mtu 1518;
services-options {
/* Timeouts, in seconds, for TCP session open and close handling on the services card. */
open-timeout 10;
close-timeout 20;
}
unit 100 {
description "Inside: CGNAT-SET";
family inet {
filter {
/* Ingress filter that restricts which addresses may enter the NAT (see firewall filter NAT-VALID). */
input NAT-VALID;
}
}
service-domain inside;
}
unit 200 {
description "Outside: CGNAT-SET";
/* NOTE(review): no ingress filter on the outside unit; inbound reachability toward translated hosts is governed solely by the NAT state and the mapping/filtering type chosen in rule NAT-Customers. Confirm this is intended. */
family inet;
service-domain outside;
}
And add a filter that checks which addresses are allowed to be NATed:
vitalvas@mx80a# show firewall family inet filter NAT-VALID
/* Admits only RFC 1918 private space and the RFC 6598 shared address space (100.64.0.0/10) onto the inside service unit; anything else is dropped by the default term. */
term t0 {
from {
/* NOTE(review): "address" matches the source OR destination field. If the intent is to validate only the inside host's address, "source-address" is the stricter match. */
address {
10.0.0.0/8;
172.16.0.0/12;
192.168.0.0/16;
100.64.0.0/10;
}
}
then accept;
}
/* Default-deny. "discard" drops silently; "reject" would send an ICMP message back toward the sender. */
term default {
then {
discard;
}
}
Creating the service set:
vitalvas@mx80a# show services service-set CGNAT-SET
/* Next-hop style service set: traffic routed into ms-0/2/0.100 is translated according to rule NAT-Customers and leaves through ms-0/2/0.200. */
nat-options {
/* Drop packets whose source and destination IP addresses are identical (LAND attack); "ip-only" compares addresses without ports. */
land-attack-check ip-only;
/* Cap on concurrent NAT sessions per inside address. Bounds how much translation state one subscriber (or a scanner/worm behind it) can consume, so a single host cannot exhaust the pool for everyone. */
max-sessions-per-subscriber 4000;
}
nat-rules NAT-Customers;
next-hop-service {
inside-service-interface ms-0/2/0.100;
outside-service-interface ms-0/2/0.200;
}
Creating NAT rules:
vitalvas@mx80a# show services nat
/* Public address pool used by every term below. 192.0.2.0/24 is the RFC 5737 documentation range (TEST-NET-1); substitute the real public range. low/high are inclusive, so this is 256 addresses. */
pool NAT-Customers-P1 {
address-range low 192.0.2.0 high 192.0.2.255;
port {
/* Source ports are allocated automatically by the services card. */
automatic;
}
/* Lifetime, in seconds, of a mapping after its last session ends (applies to the paired / endpoint-independent mappings created below). */
mapping-timeout 300;
/* Raise SNMP traps at 60% and 90% address/port utilisation; a useful early signal of pool exhaustion, whether from growth or from abuse. */
snmp-trap-thresholds {
address-port low 60 high 90;
}
}
/* Terms are evaluated in order, first match wins, so the application-specific terms must precede the catch-all NAT-EIM-EIF. NAT-PREFIX-LIST is referenced but not shown on this page; it must exist under policy-options. */
rule NAT-Customers {
match-direction input;
/* ALGs that should NOT get endpoint-independent mapping/filtering: plain NAPT44 with address-pooling paired (one inside host always maps to the same public address). */
term ALG-noEIM-noEIF {
from {
source-prefix-list {
NAT-PREFIX-LIST;
}
application-sets ALG-SET-noEIM-noEIF;
}
then {
translated {
source-pool NAT-Customers-P1;
translation-type {
napt-44;
}
address-pooling paired;
}
}
}
/* H.323 / SIP: endpoint-independent mapping and filtering so remote peers can reach the mapped port. EIF admits unsolicited inbound packets to an existing mapping from any external host, which is what these protocols need but also widens the inbound exposure of the mapped host. */
term ALG-EIM-EIF {
from {
source-prefix-list {
NAT-PREFIX-LIST;
}
application-sets ALG-SET-EIM-EIF;
}
then {
translated {
source-pool NAT-Customers-P1;
translation-type {
napt-44;
}
mapping-type endpoint-independent;
filtering-type {
endpoint-independent;
}
address-pooling paired;
}
}
}
/* Catch-all for everything else from NAT-PREFIX-LIST: also EIM + EIF. NOTE(review): this makes endpoint-independent filtering the default for all unlisted traffic; the per-subscriber session cap in CGNAT-SET and the mapping-timeout are the main limits on the resulting inbound reachability. Confirm this is the intended policy. */
term NAT-EIM-EIF {
from {
source-prefix-list {
NAT-PREFIX-LIST;
}
}
then {
translated {
source-pool NAT-Customers-P1;
translation-type {
napt-44;
}
mapping-type endpoint-independent;
filtering-type {
endpoint-independent;
}
address-pooling paired;
}
}
}
}
And create application configuration:
vitalvas@mx80a# show applications
/* Custom application definitions. inactivity-timeout (seconds) controls how long an idle session keeps its NAT state; shorter timeouts free translation state faster, longer ones avoid breaking long-lived connections. Applications without an explicit timeout use the Junos default for their protocol. */
/* NOTE(review): all_udp is defined but not referenced by any application-set on this page. */
application all_udp {
protocol udp;
destination-port 1024-65535;
}
/* DNS replies are quick, so idle DNS state is released after 10 seconds. */
application dns-udp-10s {
protocol udp;
source-port 1-65535;
destination-port 53;
inactivity-timeout 10;
}
application https-1800s {
protocol tcp;
destination-port 443;
inactivity-timeout 1800;
}
application icmp-30s {
protocol icmp;
inactivity-timeout 30;
}
/* traceroute ALG: UDP probes to the classic traceroute port range; ttl-threshold limits how far probes are honoured. */
application traceroute-30s {
application-protocol traceroute;
protocol udp;
destination-port 33435-33450;
ttl-threshold 30;
inactivity-timeout 30;
}
application xmpp-1800s {
protocol tcp;
destination-port 5222-5223;
inactivity-timeout 1800;
}
application smtp-ssl {
protocol tcp;
destination-port 465;
}
application pop3-ssl {
protocol tcp;
destination-port 995;
}
/* Applications that get endpoint-independent mapping/filtering in rule NAT-Customers (term ALG-EIM-EIF). */
application-set ALG-SET-EIM-EIF {
application junos-h323;
application junos-sip;
}
/* Applications that get plain NAPT44 without EIM/EIF (term ALG-noEIM-noEIF). Several of these are ALGs (ftp, rtsp, pptp, rpc-portmap, tftp) that open their own data-channel pinholes, so they do not need endpoint-independent filtering. */
application-set ALG-SET-noEIM-noEIF {
application junos-http;
application junos-ftp;
application junos-rtsp;
application dns-udp-10s;
application https-1800s;
application icmp-30s;
application xmpp-1800s;
application traceroute-30s;
application junos-ntp;
application junos-telnet;
application junos-rsh;
application junos-ssh;
application junos-pop3;
application junos-smtp;
application junos-imap;
application junos-imaps;
application pop3-ssl;
application smtp-ssl;
application junos-pptp;
application junos-rpc-portmap-tcp;
application junos-rpc-portmap-udp;
application junos-tftp;
}
After this, you can route traffic through the ms-0/2/0.100 interface (via a separate routing instance).
Example:
[edit routing-instances]
/* Dedicated virtual-router that steers subscriber traffic into the NAT: the default route points at the inside service unit, while internal prefixes are handed back to inet.0 so internal-to-internal traffic bypasses the NAT. */
CGNAT {
instance-type virtual-router;
interface ms-0/2/0.100;
routing-options {
static {
route 0.0.0.0/0 next-hop ms-0/2/0.100;
route 10.0.0.0/8 next-table inet.0;
/* NOTE(review): /12 here does not match the 100.64.0.0/10 admitted by filter NAT-VALID (RFC 6598 shared address space is a /10). With /12, traffic to 100.80.0.0 - 100.127.255.255 would be sent to the NAT instead of back to inet.0. Confirm which prefix length is intended. */
route 100.64.0.0/12 next-table inet.0;
route 172.16.0.0/12 next-table inet.0;
route 192.168.0.0/16 next-table inet.0;
}
}
}
Don’t forget to add the interface routes to the routing instance:
/* rib-group if-rib copies interface (direct/local) routes into both inet.0 and CGNAT.inet.0, so the CGNAT instance can reach the directly connected networks that are otherwise only known in inet.0. */
set routing-options rib-groups if-rib import-rib [ inet.0 CGNAT.inet.0 ]
set routing-options interface-routes rib-group inet if-rib
And forward traffic to ms-0/2/0.100:
[edit firewall family inet]
/* Filter-based forwarding: traffic sourced from NAT-PREFIX-LIST is pushed into the CGNAT instance, whose default route leads to the NAT. destination-address 0.0.0.0/0 matches everything, so internal destinations also enter CGNAT and are returned to inet.0 by its next-table routes. */
/* NOTE(review): where this filter is applied is not shown on this page; presumably as an input filter on the subscriber-facing interfaces. Packets not matching term cgnat fall through to the filter's implicit discard unless a final accept term is added, so confirm the intended behaviour for non-subscriber sources on those interfaces. */
filter to-nat {
term cgnat {
from {
destination-address {
0.0.0.0/0;
}
source-prefix-list {
NAT-PREFIX-LIST;
}
}
then {
routing-instance CGNAT;
}
}
}