The ACX1100 can perform source NAT (unfortunately it cannot do destination NAT).
In this lab we will prepare the ACX1100 to provide source NAT for all connected "nodes/logical systems", giving them internet connectivity and reachability to the "outside world / home network".
Note: here we prepare only the source NAT; how the "nodes/logical systems" reach the ACX1100 depends on the rest of the labs.
Before we begin
The ACX1100 must first switch its service package; I do that in the "rescue/init" configuration.
The bundle-nat-ipsec package provides source NAT and some IPsec capabilities (I suggest doing this via the console).
set chassis fpc 0 service-package bundle-nat-ipsec
Configure source NAT
# configure inline services (the ACX1100 supports these in software)
set chassis fpc 0 pic 0 inline-services bandwidth 10g
set services service-set nat-ls nat-rules nat-ls
set services service-set nat-ls interface-service service-interface si-0/0/0
set interfaces si-0/0/0 unit 0 family inet
# configure the NAT pool (6 public addresses) and its port range
set services nat pool ls_wan address-range low 172.20.13.200 high 172.20.13.205
set services nat pool ls_wan port range low 64000
set services nat pool ls_wan port range high 65000
# configure the source NAT rule and its terms
# ACX1100 limitation: on ACX platforms only 4 terms per NAT rule in an inline service-set are allowed,
# so we create 2 terms
set services nat rule nat-ls match-direction input
# lrc,lr1,lr2,lr3
set services nat rule nat-ls term lr_wan from source-address 10.0.0.2/32
set services nat rule nat-ls term lr_wan from source-address 10.0.1.1/32
set services nat rule nat-ls term lr_wan from source-address 10.0.2.1/32
set services nat rule nat-ls term lr_wan from source-address 10.0.3.1/32
set services nat rule nat-ls term lr_wan then translated source-pool ls_wan
set services nat rule nat-ls term lr_wan then translated translation-type napt-44
# arm64
set services nat rule nat-ls term arm64_wan from source-address 10.0.4.2/32
set services nat rule nat-ls term arm64_wan then translated source-pool ls_wan
set services nat rule nat-ls term arm64_wan then translated translation-type napt-44
# configure a firewall service-filter that skips source NAT for the logical systems' networks and loopback addresses;
# this keeps communication between them and the ACX1100 untranslated
# acx1100
set firewall family inet service-filter SKIP_NAT_LS_IP term acx1100 from destination-address 10.0.0.0/30
set firewall family inet service-filter SKIP_NAT_LS_IP term acx1100 from destination-address 100.0.1.1/32
set firewall family inet service-filter SKIP_NAT_LS_IP term acx1100 then accept
# lrc
set firewall family inet service-filter SKIP_NAT_LS_IP term lrc from destination-address 10.0.0.0/30
set firewall family inet service-filter SKIP_NAT_LS_IP term lrc from destination-address 100.1.2.3/32
set firewall family inet service-filter SKIP_NAT_LS_IP term lrc then accept
# lr1
set firewall family inet service-filter SKIP_NAT_LS_IP term lr1 from destination-address 10.0.1.0/30
set firewall family inet service-filter SKIP_NAT_LS_IP term lr1 from destination-address 100.1.1.1/32
set firewall family inet service-filter SKIP_NAT_LS_IP term lr1 then accept
# lr2
set firewall family inet service-filter SKIP_NAT_LS_IP term lr2 from destination-address 10.0.2.0/30
set firewall family inet service-filter SKIP_NAT_LS_IP term lr2 from destination-address 100.2.2.2/32
set firewall family inet service-filter SKIP_NAT_LS_IP term lr2 then accept
# lr3
set firewall family inet service-filter SKIP_NAT_LS_IP term lr3 from destination-address 10.0.3.0/30
set firewall family inet service-filter SKIP_NAT_LS_IP term lr3 from destination-address 100.3.3.3/32
set firewall family inet service-filter SKIP_NAT_LS_IP term lr3 then accept
# arm64
set firewall family inet service-filter SKIP_NAT_LS_IP term arm64 from destination-address 10.0.4.0/30
set firewall family inet service-filter SKIP_NAT_LS_IP term arm64 from destination-address 200.4.4.4/32
set firewall family inet service-filter SKIP_NAT_LS_IP term arm64 then accept
# finally, send everything else to the source NAT service
set firewall family inet service-filter SKIP_NAT_LS_IP term ANY then service
# apply the service-set (with the service-filter) in both directions on the main internal LAN interface ge-0/1/0 towards lrc
set interfaces ge-0/1/0 unit 0 family inet service input service-set nat-ls service-filter SKIP_NAT_LS_IP
set interfaces ge-0/1/0 unit 0 family inet service output service-set nat-ls service-filter SKIP_NAT_LS_IP
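Before committing a policy like this it helps to check, offline, which flows it will translate and which it will let through untouched. The following is an added example, not Junos code and not part of the lab: a small Python model that parses the lab's NAT pool, NAT rule and service-filter `set` lines, enforces the ACX limit of 4 terms per NAT rule, computes how many NAPT bindings the pool can hold, and classifies sample flows as bypassed, translated or untranslated. The first-match semantics (`accept` bypasses the service-set, `service` hands the packet to the NAT rule) follow the lab's design; the "untranslated" outcome for a packet that reaches the rule but matches no NAT term is an assumption of the model, as are the sample flows.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed input: the lab's NAT pool, NAT rule and service-filter `set` lines
# (lines this model does not use, e.g. translation-type, are left out).
LAB_CONFIG = """
set services nat pool ls_wan address-range low 172.20.13.200 high 172.20.13.205
set services nat pool ls_wan port range low 64000
set services nat pool ls_wan port range high 65000
set services nat rule nat-ls term lr_wan from source-address 10.0.0.2/32
set services nat rule nat-ls term lr_wan from source-address 10.0.1.1/32
set services nat rule nat-ls term lr_wan from source-address 10.0.2.1/32
set services nat rule nat-ls term lr_wan from source-address 10.0.3.1/32
set services nat rule nat-ls term lr_wan then translated source-pool ls_wan
set services nat rule nat-ls term arm64_wan from source-address 10.0.4.2/32
set services nat rule nat-ls term arm64_wan then translated source-pool ls_wan
set firewall family inet service-filter SKIP_NAT_LS_IP term acx1100 from destination-address 10.0.0.0/30
set firewall family inet service-filter SKIP_NAT_LS_IP term acx1100 from destination-address 100.0.1.1/32
set firewall family inet service-filter SKIP_NAT_LS_IP term acx1100 then accept
set firewall family inet service-filter SKIP_NAT_LS_IP term lrc from destination-address 10.0.0.0/30
set firewall family inet service-filter SKIP_NAT_LS_IP term lrc from destination-address 100.1.2.3/32
set firewall family inet service-filter SKIP_NAT_LS_IP term lrc then accept
set firewall family inet service-filter SKIP_NAT_LS_IP term lr1 from destination-address 10.0.1.0/30
set firewall family inet service-filter SKIP_NAT_LS_IP term lr1 from destination-address 100.1.1.1/32
set firewall family inet service-filter SKIP_NAT_LS_IP term lr1 then accept
set firewall family inet service-filter SKIP_NAT_LS_IP term lr2 from destination-address 10.0.2.0/30
set firewall family inet service-filter SKIP_NAT_LS_IP term lr2 from destination-address 100.2.2.2/32
set firewall family inet service-filter SKIP_NAT_LS_IP term lr2 then accept
set firewall family inet service-filter SKIP_NAT_LS_IP term lr3 from destination-address 10.0.3.0/30
set firewall family inet service-filter SKIP_NAT_LS_IP term lr3 from destination-address 100.3.3.3/32
set firewall family inet service-filter SKIP_NAT_LS_IP term lr3 then accept
set firewall family inet service-filter SKIP_NAT_LS_IP term arm64 from destination-address 10.0.4.0/30
set firewall family inet service-filter SKIP_NAT_LS_IP term arm64 from destination-address 200.4.4.4/32
set firewall family inet service-filter SKIP_NAT_LS_IP term arm64 then accept
set firewall family inet service-filter SKIP_NAT_LS_IP term ANY then service
"""

POOL_RANGE = re.compile(r"^set services nat pool (\S+) address-range low (\S+) high (\S+)$")
POOL_PORT = re.compile(r"^set services nat pool (\S+) port range (low|high) (\d+)$")
TERM = re.compile(r"^set (services nat rule|firewall family inet service-filter) (\S+) term (\S+) "
                  r"(?:from (?:source|destination)-address (\S+)|then (?:translated source-pool )?(\S+))$")


@dataclass
class Term:
    name: str
    prefixes: list = field(default_factory=list)  # match prefixes; empty = match everything
    action: str = ""  # service-filter: accept/service; NAT rule: the source pool


def parse_config(text):
    """Parse the `set` lines into {"pools", "nat_rules", "filters"}; term order is config order."""
    p = {"pools": {}, "nat_rules": {}, "filters": {}}
    for line in text.strip().splitlines():
        if m := POOL_RANGE.match(line):
            p["pools"].setdefault(m[1], {})["range"] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := POOL_PORT.match(line):
            p["pools"].setdefault(m[1], {})[m[2]] = int(m[3])
        elif m := TERM.match(line):
            table = p["nat_rules"] if m[1].startswith("services") else p["filters"]
            term = table.setdefault(m[2], {}).setdefault(m[3], Term(m[3]))
            if m[4]:  # a `from ... address` line adds a match prefix
                term.prefixes.append(ipaddress.ip_network(m[4]))
            else:     # a `then` line sets the action (accept/service or the source pool)
                term.action = m[5]
    return p


def evaluate(policy, src, dst, sfilter="SKIP_NAT_LS_IP", rule="nat-ls"):
    """Classify one src->dst packet: ("bypass", filter term), ("nat", pool) or ("untranslated", None).
    Filter terms are tried in order, first match wins; a packet that reaches the NAT rule but
    matches no NAT term is modelled as forwarded untranslated (assumption of this model)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for term in policy["filters"][sfilter].values():
        if not term.prefixes or any(dst in net for net in term.prefixes):
            if term.action == "accept":
                return "bypass", term.name
            break  # action `service`: go on to the NAT rule
    else:
        return "unmatched", None  # not reachable with the lab's catch-all `ANY` term
    for term in policy["nat_rules"][rule].values():
        if any(src in net for net in term.prefixes):
            return "nat", term.action
    return "untranslated", None


def check_acx_term_limit(policy, limit=4):
    """NAT rules exceeding the ACX inline-service limit of 4 terms per rule noted in the lab."""
    return {r: len(t) for r, t in policy["nat_rules"].items() if len(t) > limit}


def pool_capacity(policy, pool):
    """Upper bound on concurrent NAPT bindings the pool can hold: addresses x ports."""
    p = policy["pools"][pool]
    return (int(p["range"][1]) - int(p["range"][0]) + 1) * (p["high"] - p["low"] + 1)


LAB = parse_config(LAB_CONFIG)

if __name__ == "__main__":
    print("term-limit violations:", check_acx_term_limit(LAB), "| ls_wan capacity:", pool_capacity(LAB, "ls_wan"))
    for src, dst in [("10.0.0.2", "8.8.8.8"), ("10.0.0.2", "10.0.0.1"), ("10.0.4.2", "100.1.1.1"), ("192.168.99.9", "8.8.8.8")]:
        print(f"{src} -> {dst}: {evaluate(LAB, src, dst)}")
```

Run it as a script to see the classification of the four constructed flows. Two things it makes visible that the config alone does not: the pool's 6 addresses times 1001 ports give an upper bound of 6006 concurrent NAPT bindings, which is what to compare against session counts if the lab grows; and a source that is not listed in any NAT term (the 192.168.99.9 flow) passes through the service-set without translation, so every new node that is supposed to reach the internet must be added to a NAT term, within the 4-term limit.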
Validation
We can do a quick validation by adding a temporary static default route in LRC pointing to the ACX1100 (and removing it afterwards):
root@acx1100> set cli logical-system lrc
Logical system: lrc
root@acx1100:lrc> ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
root@acx1100:lrc>
root@acx1100:lrc> configure
Entering configuration mode
[edit]
root@acx1100:lrc# set routing-options static route 0.0.0.0/0 next-hop 10.0.0.1
[edit]
root@acx1100:lrc# commit
commit complete
[edit]
root@acx1100:lrc# run ping count 3 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=58 time=4.501 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=58 time=3.973 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=58 time=4.017 ms
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.973/4.164/4.501/0.239 ms
[edit]
root@acx1100:lrc# delete routing-options static route 0.0.0.0/0 next-hop 10.0.0.1
[edit]
root@acx1100:lrc# commit and-quit
commit complete
Exiting configuration mode
root@acx1100:lrc> clear cli logical-system
Cleared default logical system
root@acx1100> show services inline nat pool
Interface: si-0/0/0, Service set: nat-ls
NAT pool: ls_wan, Translation type: NAPT-44
Address range: 172.20.13.200-172.20.13.205
NATed packets: 3, deNATed packets: 3, Errors: 0, Skipped packets: 0
NAT pool: ls_wan, Translation type: NAPT-44
Address range: 172.20.13.200-172.20.13.205
NATed packets: 3, deNATed packets: 3, Errors: 0, Skipped packets: 0
root@acx1100>
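Reading these counters by eye is fine in a lab; the following is an added example (not the lab's own code) that parses the `show services inline nat pool` output above into structured records and flags the two conditions a monitoring job would care about: a non-zero Errors counter, and packets NATed with none deNATed, which usually means replies to the pool addresses are not coming back (for instance no route to the 172.20.13.200-205 range on the upstream side). The sample input is the output shown above.

```python
import re

# Sample input: the `show services inline nat pool` output from the validation above.
SAMPLE_OUTPUT = """\
Interface: si-0/0/0, Service set: nat-ls
NAT pool: ls_wan, Translation type: NAPT-44
Address range: 172.20.13.200-172.20.13.205
NATed packets: 3, deNATed packets: 3, Errors: 0, Skipped packets: 0
NAT pool: ls_wan, Translation type: NAPT-44
Address range: 172.20.13.200-172.20.13.205
NATed packets: 3, deNATed packets: 3, Errors: 0, Skipped packets: 0
"""

HEADER = re.compile(r"^Interface: (\S+), Service set: (\S+)$")
POOL = re.compile(r"^NAT pool: (\S+), Translation type: (\S+)$")
COUNTERS = re.compile(r"^NATed packets: (\d+), deNATed packets: (\d+), Errors: (\d+), Skipped packets: (\d+)$")


def parse_nat_pool_output(text):
    """Return one dict per pool block: interface, service_set, pool, type and the four counters."""
    entries, iface, sset, current = [], None, None, None
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER.match(line):
            iface, sset = m[1], m[2]  # applies to the pool blocks that follow
        elif m := POOL.match(line):
            current = {"interface": iface, "service_set": sset, "pool": m[1], "type": m[2]}
            entries.append(current)
        elif m := COUNTERS.match(line):
            current.update(nated=int(m[1]), denated=int(m[2]), errors=int(m[3]), skipped=int(m[4]))
    return entries


def pool_problems(entries):
    """Conditions worth alerting on: translation errors, or outbound traffic with no return traffic."""
    problems = []
    for e in entries:
        if e["errors"]:
            problems.append(f"{e['pool']}: {e['errors']} errors")
        if e["nated"] and not e["denated"]:
            problems.append(f"{e['pool']}: {e['nated']} packets NATed but none deNATed (return path?)")
    return problems


if __name__ == "__main__":
    parsed = parse_nat_pool_output(SAMPLE_OUTPUT)
    print(parsed)
    print("problems:", pool_problems(parsed) or "none")
```

The three ICMP echo requests from the ping show up as 3 NATed packets and the three replies as 3 deNATed packets, which is the healthy pattern; the check treats a growing NATed counter with a flat deNATed counter as the thing to investigate.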