Nat Configuration Part II

Microsoft Technology Specialist

Packet Discard Rules

For all supported types of traffic (TCP, UDP, ICMP, and GRE), NAT discards packets in the following cases:
  • When the translation table is full (that is, no more entries can be added).
  • When the address pool is exhausted for outbound packets with inside source dynamic translation.
  • When no match can be found for the destination addresses of inbound packets.
  • When the address pool is exhausted for inbound packets with outside source dynamic translation.
In addition, NAT discards GRE packets under the following conditions:

  • When the GRE packets match an NAPT rule (GRE carries no port numbers, so it cannot be port-translated).
  • When the firewall is functioning.

Configuring a NAT License

You must configure a NAT license before you can use any NAT commands on the ERX router.

license nat

  • Use to specify a NAT license.
  • Purchase a NAT license to allow NAT configuration on the ERX router.

    NOTE: Acquire the license from Juniper Networks Customer Services and Support or from your Juniper Networks sales representative.


  • Example
  • host1(config)#license nat license-value 

  • Use the no version to disable the license.

Limiting Translation Entries

You can configure the maximum number of dynamic translation entries that the translation table contains in global configuration mode for a given virtual router.

ip nat translation max-entries

  • Use to specify the maximum number of dynamic translation entries that the translation table can contain in global configuration mode for the given virtual router.
  • Example
  • host1:VR1(config)#ip nat translation max-entries 1000

  • Use the no version to remove the configured limit and return the maximum number of translation entries to the default, which is no enforced limit (the table grows as capacity allows). Without a limit, a burst of new flows from inside hosts can fill the table; once it is full, NAT discards every packet that would need a new entry.

Specifying Inside and Outside Interfaces

You must mark interfaces that participate in NAT translation as residing on the inside or the outside network.

CAUTION: Only packets routed between an inside and an outside interface are subject to translation.


You can unmark an interface by using the no version of this command.

ip nat

  • Use to mark an IP interface as participating in NAT translation.
  • Use the keyword (inside or outside) to specify the side of the network on which the interface resides.
  • Example
  • host1(config-if)#ip nat inside

  • Use the no version to unmark the interface (the default) so that it does not participate in NAT translation.

Defining Static Address Translations

Static address translation establishes a one-to-one mapping between a local and global address or local and global address/port pair. When you specify a static address translation or address/port pair translation, you issue commands to indicate how the translation is applied, along with more specific variables that further define the type of translation.

CAUTION: You must mark interfaces that participate in NAT translation as on the inside or the outside network.


Creating Static Inside Source Translations

You use the ip nat inside source static command to create static translations from a local IP address to a global IP address, and to untranslate the destination address when a packet returns from the outside network to the inside network. When you configure traditional NAT (both basic NAT and NAPT), this command alone is sufficient. However, when you configure twice NAT, you must also use the ip nat outside source static command.

The ip nat inside source static command creates a simple (IP address only) or extended (IP address, port, and protocol) entry in the translation table that maps the two addresses.

ip nat inside source static

  • Use to create static translations for a source address (or address/port pair) when routing a packet from the inside network to the outside network, and to untranslate the destination address (or address/port pair) when a packet returns from the outside network to the inside network.
  • A static translation created with the ip nat inside source static command enables any outside host to contact the inside host by using the inside global address of the inside host. A static translation can be used by traffic that is initiated in either direction, so a simple (address-only) static entry exposes every port on the inside host, whereas an extended entry exposes only the configured protocol and port.
  • Example 1—Simple address translation
  • host1(config)#ip nat inside source static 10.1.2.3 171.69.68.10

  • Example 2—Extended address/port translation
  • host1(config)#ip nat inside source static tcp 10.1.2.3 15 171.69.68.10 30

  • Use the no version to remove the static translation and purge the associated translations from the translation table.

Creating Static Outside Source Translations

Less commonly used, outside source translation enables you to set up translation between two non-unique or not publicly routable networks (for example, two separate networks that use overlapping IP address blocks).

ip nat outside source static

  • Use to translate the source address when routing a packet from the outside network to the inside network, and to untranslate the destination address when a packet travels from the inside network to the outside network.
  • Creates a simple (IP address only) or extended (IP address, protocol, and port) entry in the translation table that maps the two addresses.
  • A static translation created with the ip nat outside source static command enables any inside host to contact the outside host by using the outside local address of the outside host. A static translation can be used by traffic that is initiated in either direction.
  • Example 1—Simple address translation
  • host1(config)#ip nat outside source static 171.69.68.10 10.1.2.3

  • Example 2—Extended address/port translation
  • host1(config)#ip nat outside source static tcp 171.69.68.10 56 10.1.2.3 24

  • Use the no version to remove the static translation and purge the associated translations from the translation table.
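A complete twice NAT configuration built from the two static commands above, as an added example that is not from the original page or from Juniper's documentation. It assumes two sites that both number their hosts out of 10.1.2.0/24, an ERX router whose fastEthernet 0/0 faces the local site and whose fastEthernet 0/1 faces the partner site, and IP addresses already configured on both interfaces. The slot/port numbers, the second local host 10.1.2.4, 171.69.68.11 and 172.16.50.3 are assumed values; the ! lines are annotations.

```text
! fastEthernet 0/0 faces the local site (inside), fastEthernet 0/1 the partner
! site (outside). Both sites number their hosts out of 10.1.2.0/24.
host1(config)#interface fastEthernet 0/0
host1(config-if)#ip nat inside
host1(config-if)#exit
host1(config)#interface fastEthernet 0/1
host1(config-if)#ip nat outside
host1(config-if)#exit
!
! Inside source, simple: local host 10.1.2.3 is seen by the partner as
! 171.69.68.10. Address-only, so every port on 10.1.2.3 is reachable from outside.
host1(config)#ip nat inside source static 10.1.2.3 171.69.68.10
!
! Inside source, extended: only TCP port 443 of local host 10.1.2.4 is exposed,
! as 171.69.68.11:443. No other port of 171.69.68.11 has an entry, so inbound
! packets to any other port find no match and are discarded.
host1(config)#ip nat inside source static tcp 10.1.2.4 443 171.69.68.11 443
!
! Outside source: the partner's host 10.1.2.3 (outside global) is addressed from
! the local site as 172.16.50.3 (outside local), so it no longer collides with
! the local 10.1.2.3. Argument order is outside global, then outside local.
host1(config)#ip nat outside source static 10.1.2.3 172.16.50.3
```

With this in place, a packet from the local 10.1.2.3 to 172.16.50.3 leaves fastEthernet 0/1 with source 171.69.68.10 and destination 10.1.2.3; the partner's reply (source 10.1.2.3, destination 171.69.68.10) arrives on fastEthernet 0/1 and is rewritten back to source 172.16.50.3, destination 10.1.2.3 before it is delivered inside. Only traffic routed between the inside and the outside interface is touched; two hosts on fastEthernet 0/0 talking to each other are never translated.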

Defining Dynamic Translations

Dynamic translations use access list rules to decide whether a packet is subject to NAT, and NAT address pools from which a translation allocates IP addresses. You use dynamic translation when you want the NAT router to create and manage address translations and session flows between address realms on demand.

To configure dynamic translations:

  • Define any access list rules that the NAT router uses to decide which packets need translation.
  • Define an address pool from which the NAT router obtains addresses.
  • Define inside and outside source translation rules for the NAT router to create NAT translations.
  • Mark interfaces as inside or outside.
  • (Optional) Modify any translation timeout values.

Creating Access List Rules

Before you create a dynamic translation, create the access list rules that you plan to apply to the translation.

The router evaluates multiple commands for the same access list in the order in which they were created, and the first matching rule decides. An access list that is referenced but never defined implicitly contains a single rule to permit any, so a translation rule that names a misspelled or not-yet-created list translates every packet it evaluates. A defined access list implicitly ends with a rule to deny any.

NOTE: The access lists do not filter any packets; they determine whether the packet requires translation.


You use the access-list command to create an access list.

access-list

  • Use to define an IP access list to permit or deny translation based on the addresses in the packets.
  • Each access list is a set of permit or deny conditions for packets that are candidates for translation (for example, packets moving from the inside network to the outside network).
  • A zero in the wildcard mask means that the packet address must exactly match the corresponding bit in the rule address. A one in the wildcard mask means that the corresponding bit is ignored.
  • Use the log keyword to log an Info event in the ipAccessList log whenever a packet matches the access list rule.
  • Example
  • host1(config)#access-list bronze permit ip any 228.0.0.0 0.0.0.255

  • Use the no version to delete the access list (by not specifying any other options), the specified entry in the access list, or the log for the specified access list or entry (by specifying the log keyword).

Defining Address Pools

Before you can configure dynamic translation, create an address pool. An address pool is a group of IP addresses from which the NAT router obtains an address when dynamically creating a new translation. You can create address pools with either a single range or multiple, nonoverlapping ranges.

When you create a single range, you specify the starting and ending IP addresses for the range in the root ip nat pool command. However, when you create multiple, nonoverlapping ranges, you omit the optional starting and ending IP addresses in the root ip nat pool command; this launches the IP NAT Pool Configuration (config-ipnat-pool) mode.

The config-ipnat-pool mode uses an address command to specify a range of IP addresses. You can repeat this command to create multiple, nonoverlapping ranges.

When you create or edit address pools, keep the following in mind:

  • Starting and ending IP addresses for the specified range are inclusive and must reside on the same subnet.
  • Address ranges are verified against other ranges in the specified pool to exclude range overlaps. Additional verification occurs when the pool is associated with a translation rule and the router can determine whether the rule is inside or outside.
  • You cannot change the network mask if configured ranges already exist.
  • The network mask (or prefix length) is used to recognize addresses whose host portion is all zeros or all ones. These addresses are reserved as network and broadcast addresses and are not allocated from an address pool, even if they fall within a configured range.
  • You cannot remove an address pool if the pool is part of a translation rule or if any of the ranges within the pool are still in use. You must issue the clear ip nat translation command to clear any ranges before you can remove the pool to which they apply.

address

  • Use to specify a range of IP addresses in config-ipnat-pool mode; you can repeat the address command to create multiple ranges.
  • Example
  • host1(config-ipnat-pool)#address 171.69.40.110 171.69.40.115

  • Use the no version to remove the range for the current address pool.

ip nat pool

  • Use to create address pools.
  • Example 1—Creating a single, continuous range
  • host1(config)#ip nat pool singlerange 171.69.40.1 171.69.40.100 prefix-length 24

  • Example 2—Creating multiple, discontinuous ranges
  • host1(config)#ip nat pool multiplerange prefix-length 24
    host1(config-ipnat-pool)#address 171.69.40.110 171.69.40.112
    host1(config-ipnat-pool)#address 171.69.40.118 171.69.40.120
    host1(config-ipnat-pool)#exit

  • Use the no version to remove the address pool.

Defining Dynamic Translation Rules

You can use the CLI to define dynamic translation rules for inside and outside sources.

CAUTION: You must mark interfaces that participate in NAT translation as on the inside or the outside network.


You can create a dynamic translation rule to configure inside source or outside source translation. If the NAT router cannot locate a matching entry in its translation database for a given packet, it evaluates the access list of all applicable dynamic translation rules (inside source translation rules for outbound packets and outside source translation rules for inbound packets) against the packet. If an access list permits translation, the NAT router tries to allocate an address from the associated address pool to install a new translation.

When you create dynamic translation rules, keep the following in mind:

  • You can associate a list with one pool at any given time. Associating a list with a different pool replaces the previous association.
  • The optional overload keyword for inside source translation specifies that the router employ NAPT.
  • You can configure dynamic NAPT for inside source translation only; you cannot configure dynamic NAPT for outside source translation.
  • When no match occurs for any dynamic translation rule, the NAT router does not translate the packet.
  • When an address pool is empty, the NAT router drops the packet.
  • Access lists and pools do not have to exist when you are defining dynamic translation rules; you may create them after you define the dynamic translations.

Creating Dynamic Inside Source Translation Rules

Use the ip nat inside source list command to create a dynamic inside source translation rule. This command creates a translation rule that:

  • Translates inside local source addresses to inside global addresses when packets from the inside network are routed to the outside network.
  • Translates inside global destination addresses back to inside local addresses when the reply packets from the outside network are routed to the inside network.
  • With the overload keyword, creates NAPT entries (protocol, port, and address) in the NAT table instead of address-only entries.

The no version of this command removes the dynamic translation rule, but does not remove any previously created translations (resulting from the rule evaluation) from the translation table. To remove active translations from the translation table, use the clear ip nat translation command.

ip nat inside source list

  • Use to create dynamic translation rules that specify when to create a translation for a source address when routing a packet from the inside network to the outside network.
  • Example
  • host1(config)#ip nat inside source list translation1 pool pool1

  • Use the overload keyword to specify that the translation create extended entries (protocol, port, and address) in the translation table for NAPT.
  • Use the no version to remove the dynamic translation rule; this command does not remove any dynamic translations from the translation table.

Creating Dynamic Outside Source Translation Rules

Use the ip nat outside source list command to create a dynamic outside source translation rule. This command dynamically translates outside global source addresses to outside local addresses when packets are routed from the outside network to the inside network (and untranslates the destination address when a packet returns before a translation table entry times out).

The no version of this command removes the dynamic translation rule, but does not remove any previously created translations from the translation table. To remove active translations from the translation table, use the clear ip nat translation command.

ip nat outside source list

  • Use to create dynamic translation rules that specify when to create a translation for a source address when routing a packet from the outside network to the inside network.
  • Example
  • host1(config)#ip nat outside source list translation1 pool pool1

  • Use the no version to remove the dynamic translation rule; this command does not remove any dynamic translations from the translation table.

Defining Translation Timeouts

The router removes a dynamic translation from the translation table once it has been unused for longer than its timeout. Use the ip nat translation command to change or disable NAT translation timeouts.

You can set the aging time (in seconds) for any of the specified timers:

  • timeout—Dynamic simple translations (not for overloaded translations); default is 86400 seconds (24 hours).
  • dns-timeout—DNS-created protocol translations; default is 120 seconds. These dynamic translations are installed by the DNS but not yet used; as soon as the translation is used, the router applies the timeout value mentioned above.
  • udp-timeout—UDP protocol extended translations; default is 300 seconds (5 minutes).
  • tcp-timeout—TCP protocol extended translations; default is 86400 seconds (24 hours).
  • finrst-timeout—TCP connections terminated with reset (RST) or bidirectional finished (FIN) flags; default is 120 seconds. This timeout applies only to TCP extended translations. The timer removes unused, closed TCP translations, which allows for retransmissions.
  • icmp-timeout—ICMP protocol extended translations; default is 300 seconds (5 minutes).
  • gre-timeout—Aging time for GRE protocol translations; default value is 300 seconds (5 minutes)

All timeouts for this command support a maximum value of 2147483 seconds (about 25 days).

The no version of this command resets the timer to its default value.

ip nat translation

  • Use to change translation timeouts for existing and newly created translations in the translation table.
  • All timeouts for this command support a maximum value of 2147483 seconds (about 25 days).
  • Example
  • host1(config)#ip nat translation timeout 23200

  • Use the no version to reset the timer to its default value.
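The five steps listed under Defining Dynamic Translations, worked through as one configuration for inside source NAPT. This is an added example, not from the original page or from Juniper's documentation; the list name nat-inside, the pool name public-pool, the interface slot/port numbers, the address ranges and the timeout and max-entries values are assumed, and the ! lines are annotations.

```text
! Step 1: access list. Only sources in 10.1.2.0/24 are candidates for translation.
! The implicit "deny any" at the end leaves every other packet untranslated. A rule
! that referenced a list name that does not exist would instead translate every
! packet (an undefined list is "permit any"), so create the list before the rule.
host1(config)#access-list nat-inside permit ip 10.1.2.0 0.0.0.255 any
!
! Step 2: pool of inside global addresses, two nonoverlapping ranges in one /24.
! With prefix-length 24 the router withholds 171.69.40.0 and 171.69.40.255; the
! ranges stay clear of them, so all 22 addresses are allocatable.
host1(config)#ip nat pool public-pool prefix-length 24
host1(config-ipnat-pool)#address 171.69.40.10 171.69.40.20
host1(config-ipnat-pool)#address 171.69.40.30 171.69.40.40
host1(config-ipnat-pool)#exit
!
! Step 3: rule tying the list to the pool. overload selects NAPT, so many inside
! hosts share each pool address and the table holds protocol/port/address entries.
host1(config)#ip nat inside source list nat-inside pool public-pool overload
!
! Step 4: mark the participating interfaces.
host1(config)#interface fastEthernet 0/0
host1(config-if)#ip nat inside
host1(config-if)#exit
host1(config)#interface fastEthernet 0/1
host1(config-if)#ip nat outside
host1(config-if)#exit
!
! Step 5 (optional): age idle entries faster than the 24-hour default and cap
! the table so a few noisy hosts cannot grow it without bound.
host1(config)#ip nat translation tcp-timeout 3600
host1(config)#ip nat translation udp-timeout 120
host1(config)#ip nat translation finrst-timeout 60
host1(config)#ip nat translation max-entries 20000
```

Because the rule uses overload, the 22 pool addresses are not the binding constraint; the table fills at 20000 entries, and every further packet that would need a new entry is discarded until entries age out. A packet from an inside source outside 10.1.2.0/24 is not dropped; it simply leaves untranslated. Before the pool can be removed, the rule that references it must be removed and any live entries cleared with clear ip nat translation.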

The remaining part will be in the last session.

Thanks
GM


