Juniper Labs: Source NAT

ACX1100 Source NAT Lab

The ACX1100 can perform source NAT (unfortunately, it cannot do destination NAT).

In this lab we will prepare the ACX1100 to provide source NAT to all connected “nodes/logical systems” in order to give them Internet connectivity (to the “outside world”/home network).

Note: Here we prepare the source NAT only; how the nodes/logical systems reach the ACX1100 will be covered in other labs.


Before We Begin

Switch the service-pack in the rescue/init configuration (via console):

   set chassis fpc 0 service-package bundle-nat-ipsec

This bundle-nat-ipsec service-package provides source NAT and some IPsec capabilities.


Configure Source NAT

1. Enable Inline Services

# Enable inline services (the ACX1100 supports software-based inline services only)
set chassis fpc 0 pic 0 inline-services bandwidth 10g
set services service-set nat-ls nat-rules nat-ls
set services service-set nat-ls interface-service service-interface si-0/0/0
set interfaces si-0/0/0 unit 0 family inet

2. Configure NAT Pool and Port Range

set services nat pool ls_wan address-range low 172.20.13.200 high 172.20.13.205
set services nat pool ls_wan port range low 64000
set services nat pool ls_wan port range high 65000

3. Configure Source NAT Rules and Terms

ACX limitation: only 4 terms per NAT rule are allowed in an inline service-set, so we'll split the five node addresses across 2 terms.

# Define the NAT rule
set services nat rule nat-ls match-direction input

# Term 1: lrc, lr1, lr2, lr3
set services nat rule nat-ls term lr_wan from source-address 10.0.0.2/32
set services nat rule nat-ls term lr_wan from source-address 10.0.1.1/32
set services nat rule nat-ls term lr_wan from source-address 10.0.2.1/32
set services nat rule nat-ls term lr_wan from source-address 10.0.3.1/32
set services nat rule nat-ls term lr_wan then translated source-pool ls_wan
set services nat rule nat-ls term lr_wan then translated translation-type napt-44

# Term 2: arm64
set services nat rule nat-ls term arm64_wan from source-address 10.0.4.2/32
set services nat rule nat-ls term arm64_wan then translated source-pool ls_wan
set services nat rule nat-ls term arm64_wan then translated translation-type napt-44

4. Configure Firewall Service-Filter to Skip NAT for Node Networks

Traffic destined for the ACX1100 itself or for any logical system's transit network/loopback is accepted by the service-filter and bypasses NAT, so the ACX1100 and the logical systems keep talking to each other directly with their real addresses.

# Service-filter name: SKIP_NAT_LS_IP

# ACX1100 itself
set firewall family inet service-filter SKIP_NAT_LS_IP term acx1100 from destination-address 10.0.0.0/30
set firewall family inet service-filter SKIP_NAT_LS_IP term acx1100 from destination-address 100.0.1.1/32
set firewall family inet service-filter SKIP_NAT_LS_IP term acx1100 then accept

# lrc
set firewall family inet service-filter SKIP_NAT_LS_IP term lrc from destination-address 10.0.0.0/30
set firewall family inet service-filter SKIP_NAT_LS_IP term lrc from destination-address 100.1.2.3/32
set firewall family inet service-filter SKIP_NAT_LS_IP term lrc then accept

# lr1
set firewall family inet service-filter SKIP_NAT_LS_IP term lr1 from destination-address 10.0.1.0/30
set firewall family inet service-filter SKIP_NAT_LS_IP term lr1 from destination-address 100.1.1.1/32
set firewall family inet service-filter SKIP_NAT_LS_IP term lr1 then accept

# lr2
set firewall family inet service-filter SKIP_NAT_LS_IP term lr2 from destination-address 10.0.2.0/30
set firewall family inet service-filter SKIP_NAT_LS_IP term lr2 from destination-address 100.2.2.2/32
set firewall family inet service-filter SKIP_NAT_LS_IP term lr2 then accept

# lr3
set firewall family inet service-filter SKIP_NAT_LS_IP term lr3 from destination-address 10.0.3.0/30
set firewall family inet service-filter SKIP_NAT_LS_IP term lr3 from destination-address 100.3.3.3/32
set firewall family inet service-filter SKIP_NAT_LS_IP term lr3 then accept

# arm64
set firewall family inet service-filter SKIP_NAT_LS_IP term arm64 from destination-address 10.0.4.0/30
set firewall family inet service-filter SKIP_NAT_LS_IP term arm64 from destination-address 200.4.4.4/32
set firewall family inet service-filter SKIP_NAT_LS_IP term arm64 then accept

# Finally, hand all remaining traffic to the service set to be NATed
set firewall family inet service-filter SKIP_NAT_LS_IP term ANY then service

5. Apply the nat-ls Service-Set on the Internal LAN Interface

set interfaces ge-0/1/0 unit 0 family inet service input service-set nat-ls service-filter SKIP_NAT_LS_IP
set interfaces ge-0/1/0 unit 0 family inet service output service-set nat-ls service-filter SKIP_NAT_LS_IP
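As an added check (not part of the lab itself), here is a small Python model of the input-direction policy configured above: the service-filter is evaluated first, then the NAT rule terms. It assumes that a packet handed to the service set which matches no NAT term is forwarded untranslated, and uses that to flag any node address that would leave with its private source address.

```python
import ipaddress

# Constructed model of the lab policy: same prefixes, terms and pool as the set commands.
SKIP_NAT_DESTINATIONS = [            # service-filter terms that 'accept' (bypass NAT)
    "10.0.0.0/30", "100.0.1.1/32", "100.1.2.3/32",
    "10.0.1.0/30", "100.1.1.1/32", "10.0.2.0/30", "100.2.2.2/32",
    "10.0.3.0/30", "100.3.3.3/32", "10.0.4.0/30", "200.4.4.4/32",
]
NAT_TERMS = {                        # NAT rule nat-ls: term name -> matched source addresses
    "lr_wan": ["10.0.0.2/32", "10.0.1.1/32", "10.0.2.1/32", "10.0.3.1/32"],
    "arm64_wan": ["10.0.4.2/32"],
}
POOL_ADDRESSES = [str(ipaddress.IPv4Address("172.20.13.200") + i) for i in range(6)]
POOL_PORTS = range(64000, 65001)     # pool ls_wan port range low 64000 high 65000


def _in_any(addr, prefixes):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


def evaluate(src, dst):
    """Classify a packet entering ge-0/1/0 (match-direction input).

    Returns 'skip' (service-filter accepted it, no NAT), 'nat:<term>' (translated
    to pool ls_wan via NAPT-44) or 'untranslated'.
    """
    if _in_any(dst, SKIP_NAT_DESTINATIONS):
        return "skip"
    for term, sources in NAT_TERMS.items():
        if _in_any(src, sources):
            return f"nat:{term}"
    # Assumption: traffic sent to the service set that matches no NAT term is
    # forwarded with its original source address, i.e. a private IP leaks outward.
    return "untranslated"


def unnatted_sources(candidate_sources, probe_dst="8.8.8.8"):
    """Audit helper: internal hosts that would reach the outside without translation."""
    return [s for s in candidate_sources if evaluate(s, probe_dst) == "untranslated"]


def napt_capacity():
    """Maximum concurrent NAPT-44 bindings the pool can hold (addresses x ports)."""
    return len(POOL_ADDRESSES) * len(POOL_PORTS)
```

Run unnatted_sources() over every address a node actually uses; any hit means a term (or a fifth address, once the per-term limit is considered) is missing.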

Validation

  1. Switch into the lrc logical system and attempt to ping the Internet:

    root@acx1100> set cli logical-system lrc
    
    # Ping fails (no default route)
    root@acx1100:lrc> ping 8.8.8.8
    
  2. Add a temporary default route via the ACX1100, ping again, then remove the route:

    root@acx1100:lrc> configure
    [edit]
    root@acx1100:lrc# set routing-options static route 0.0.0.0/0 next-hop 10.0.0.1
    root@acx1100:lrc# commit
    
    root@acx1100:lrc# run ping count 3 8.8.8.8
    # Success: 3 out of 3 replies
    
    [edit]
    root@acx1100:lrc# delete routing-options static route 0.0.0.0/0 next-hop 10.0.0.1
    root@acx1100:lrc# commit and-quit
    root@acx1100:lrc> clear cli logical-system
    
  3. On the ACX1100, verify the inline-services NAT pool counters:

    root@acx1100> show services inline nat pool
    Interface: si-0/0/0, Service set: nat-ls
      NAT pool: ls_wan, Translation type: NAPT-44
        Address range: 172.20.13.200-172.20.13.205
        NATed packets: 3, deNATed packets: 3, Errors: 0, Skipped packets: 0