Juniper ACX2000 Configuration Guide

When a next-hop service is configured, the IPsec or NAT engine is considered to be a
two-part interface, with one part configured to be the inside interface (inside the network)
and the other configured as the outside interface (outside the network).
To configure the service domain, include the service-domain statement at the [edit
interfaces interface-name unit logical-unit-number] hierarchy level:
[edit interfaces interface-name unit logical-unit-number]
service-domain (inside | outside);
The service-domain setting must match the configuration for the next-hop’s inside and
outside services interfaces. To configure the inside and outside services interfaces, include
the next-hop-service statement at the [edit services service-set service-set-name] hierarchy
level. The interfaces you specify must be logical interfaces on the same NAT engine. You
cannot configure unit 0 for this purpose, and the logical interface you choose must not
be used by another service set.
next-hop-service {
    inside-service-interface interface-name.unit-number;
    outside-service-interface interface-name.unit-number;
}
Traffic on which the service is applied is forced to the inside interface using a static route.
For example:
routing-options {
    static {
        route 10.1.2.3 next-hop si-0/0/0.1;
    }
}
After the service is applied, traffic exits through the outside interface. A lookup is then
performed in the Packet Forwarding Engine to send the packet out of the NAT engine.
The reverse traffic enters the outside interface, is serviced, and sent to the inside interface.
The inside interface forwards the traffic out of the NAT engine.

Determining Traffic Direction

When you configure next-hop service sets, the IPsec or NAT engine functions as a two-part
interface, in which one part is the inside interface and the other part is the outside interface.
The following sequence of actions takes place:
1. To associate the two parts with logical interfaces, you configure two logical interfaces
with the service-domain statement, one with the inside value and one with the outside
value, to mark them as either an inside or outside service interface.
2. The router forwards the traffic to be serviced to the inside interface, using the next-hop
lookup table.
3. After the service is applied, the traffic exits from the outside interface. A route lookup
is then performed on the packets to be sent out of the router.
4. When the reverse traffic returns on the outside interface, the applied service is undone;
for example, IPsec traffic is decrypted or NAT addresses are unmasked. The serviced

Copyright © 2017, Juniper Networks, Inc.
Chapter 31: Configuring Network Address Translation (NAT) and Stateful Firewall Services
