• from statement—Specifies the match conditions and applications that are included
and excluded.
• then statement—Specifies the actions and action modifiers to be performed by the
router software.
The following sections explain how to configure the components of NAT rules:
• Configuring Match Direction for NAT Rules on page 1005
• Configuring Match Conditions in NAT Rules on page 1005
• Configuring Actions in NAT Rules on page 1006
• Configuring Translation Types on page 1006
Configuring Match Direction for NAT Rules
Each rule must include a match-direction statement that specifies the direction in which
the match is applied. To configure where the match is applied, include the match-direction
statement at the [edit services nat rule rule-name] hierarchy level:
[edit services nat rule rule-name]
match-direction input;
The match direction is used with respect to the traffic flow through the NAT engine. When
a packet is sent to the NAT engine, direction information is carried along with it. The
packet direction is determined on the basis of the following criteria:
• With an interface service set, packet direction is determined by whether a packet is
entering or leaving the interface on which the service set is applied.
• With a next-hop service set, packet direction is determined by the interface used to
route the packet to the NAT engine. If the inside interface is used to route the packet,
the packet direction is input. If the outside interface is used to direct the packet to the
NAT engine, the packet direction is output. For more information about inside and
outside interfaces, see “Configuring Service Sets to Be Applied to Services Interfaces”
on page 1031.
• On the NAT engine, a flow lookup is performed. If no flow is found, rule processing is
performed. All rules in the service set are considered. During rule processing, the packet
direction is compared against rule directions. Only rules with direction information that
matches the packet direction are considered.
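The direction logic described above can be modeled offline to check which rules a packet will actually reach. The following Python sketch is an added example, not Juniper code: the class and function names, the interface names, and the flow key are constructed for illustration, and it assumes that entering an interface maps to input and leaving maps to output for interface service sets.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    name: str
    match_direction: str          # "input" or "output"

@dataclass
class ServiceSet:
    style: str                    # "interface" or "next-hop"
    rules: list = field(default_factory=list)
    inside_if: str = ""           # next-hop style only
    outside_if: str = ""          # next-hop style only

def packet_direction(ss, entering=None, routed_via=None):
    """Direction carried with the packet to the NAT engine."""
    if ss.style == "interface":
        if entering is None:
            raise ValueError("interface style needs entering=True/False")
        # Assumption: entering the interface maps to input, leaving to output.
        return "input" if entering else "output"
    if ss.style == "next-hop":
        if routed_via == ss.inside_if:
            return "input"
        if routed_via == ss.outside_if:
            return "output"
        raise ValueError(f"{routed_via} is not a service interface of this set")
    raise ValueError(f"unknown service-set style {ss.style!r}")

def rules_considered(ss, direction, flow_key, flow_table):
    """Names of rules evaluated for a packet; none when a flow already exists."""
    if flow_key in flow_table:
        return []                 # flow found, so rule processing is not run
    return [r.name for r in ss.rules if r.match_direction == direction]

# Constructed sample: one next-hop service set with a rule per direction.
SAMPLE = ServiceSet("next-hop",
                    [Rule("src-nat", "input"), Rule("dst-nat", "output")],
                    inside_if="sp-1/0/0.1", outside_if="sp-1/0/0.2")

if __name__ == "__main__":
    flows = set()
    key = ("10.0.0.5", 40000, "198.51.100.7", 443, "tcp")
    for iface in (SAMPLE.inside_if, SAMPLE.outside_if):
        d = packet_direction(SAMPLE, routed_via=iface)
        print(iface, d, rules_considered(SAMPLE, d, key, flows))
    flows.add(key)                # later packets of the flow skip the rules
    print(rules_considered(SAMPLE, "input", key, flows))
```

A rule whose match-direction never equals the direction produced by the service set's interfaces is never evaluated, which is a common reason an expected translation does not occur.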
Configuring Match Conditions in NAT Rules
To configure NAT match conditions, include the from statement at the [edit services nat
rule rule-name term term-name] hierarchy level:
[edit services nat rule rule-name term term-name]
from {
    destination-address (Services NAT) prefix;
    destination-address-range (Services NAT) low minimum-value high maximum-value <except>;
    destination-port range;
1005Copyright © 2017, Juniper Networks, Inc.
Chapter 31: Configuring Network Address Translation (NAT) and Stateful Firewall Services