packets then emerge on the inside interface, the router performs a route lookup, and
the traffic exits the router.
A service rule’s match direction—whether input, output, or input and output—is applied
with respect to the traffic flow through the NAT engine, not through a specific inside or
outside interface.
When a packet is sent to a NAT engine, packet direction information is carried along
with it. This is true for both interface-style and next-hop-style service sets.
Interface-Style Service Sets
Packet direction is determined by whether a packet is entering or leaving any Packet
Forwarding Engine interface (with respect to the forwarding plane) on which the
interface-service statement is applied. This is similar to the input direction for stateless
firewall filters.
The match direction can also depend on the network topology. For example, you might
route all the external traffic through one interface that is used to protect the other
interfaces on the router, and configure various services on this interface specifically.
Alternatively, you might use one interface for priority traffic and configure special services
on it, but not care about protecting traffic on the other interfaces.
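The following configuration is an added illustration of an interface-style service set; it is not taken from this guide. The service-set name nat-ss, the rule and pool names, the interfaces ge-0/0/1 and si-0/0/0, and the addresses are assumptions chosen for the example (enabling the si- interface itself is covered in the related Enabling Inline Services Interface topic). The point it shows is that match-direction is evaluated relative to the interface on which the service set is applied: input matches packets entering ge-0/0/1.0, output matches packets leaving it, whichever side of the NAT that interface happens to be on.

```junos
# Added example, not from the guide. Names and addresses are assumptions.

# Inline services logical interface that hosts the service set
set interfaces si-0/0/0 unit 0 family inet

# NAT pool and rule. match-direction input is evaluated relative to the
# interface the service set is applied on (like a stateless firewall
# filter's input direction), not relative to an inside/outside domain.
set services nat pool public-pool address 203.0.113.10/32
set services nat rule src-nat match-direction input
set services nat rule src-nat term t1 from source-address 10.0.0.0/24
set services nat rule src-nat term t1 then translated source-pool public-pool
set services nat rule src-nat term t1 then translated translation-type basic-nat44

# Interface-style service set bound to the si- interface
set services service-set nat-ss nat-rules src-nat
set services service-set nat-ss interface-service service-interface si-0/0/0

# Apply the service set on the LAN-facing interface in both directions so
# that return traffic is seen by the same flow state. Because the rule uses
# match-direction input, only packets entering ge-0/0/1.0 from 10.0.0.0/24
# are translated; packets leaving the interface are reverse-translated from
# the flow created on the way in.
set interfaces ge-0/0/1 unit 0 family inet address 10.0.0.1/24
set interfaces ge-0/0/1 unit 0 family inet service input service-set nat-ss
set interfaces ge-0/0/1 unit 0 family inet service output service-set nat-ss
```

If the same service set were instead applied on the WAN-facing interface, the identical rule with match-direction input would match traffic arriving from the outside, which is why the match direction of an interface-style rule has to be read together with the interface it is applied on.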
Next-Hop-Style Service Sets
Packet direction is determined by the service interface used to route packets to the
NAT engine. If traffic reaches the NAT engine through the inside service interface (the
one named by the inside-service-interface statement), the packet direction is input. If it
reaches the NAT engine through the outside service interface (outside-service-interface),
the packet direction is output.
The interface through which you route traffic to the service set therefore determines
the match direction. For example, given the following configuration:
si-0/0/0 unit 1 service-domain inside;
si-0/0/0 unit 2 service-domain outside;
If you configure match-direction input, you include the following statements:
[edit]
services service-set test1 next-hop-service inside-service-interface si-0/0/0.1;
services service-set test1 next-hop-service outside-service-interface si-0/0/0.2;
services ipsec-vpn rule test-ipsec-rule match-direction input;
routing-options static route 10.0.0.0/24 next-hop si-0/0/0.1;
If you configure match-direction output instead, the static route’s next hop is the outside
service interface, si-0/0/0.2. The essential difference between the two configurations is
the match direction and the static route’s next hop, which points to either the NAT
engine’s inside interface or its outside interface.
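The two next-hop-style variants described above, written out as set commands, as an added example that is not part of the original guide. The interface units, service-set name test1, rule name test-ipsec-rule and the 10.0.0.0/24 route are the ones used in the text; the rule’s own terms, remote gateway and IPsec proposals are omitted because they do not affect the direction logic. Only one of the two variants should be committed at a time.

```junos
# Added example, not from the guide: next-hop-style service set with the
# match direction tied to the si- unit that receives the routed traffic.

# Common part: two si- logical units, one per service domain
set interfaces si-0/0/0 unit 1 family inet
set interfaces si-0/0/0 unit 1 service-domain inside
set interfaces si-0/0/0 unit 2 family inet
set interfaces si-0/0/0 unit 2 service-domain outside

set services service-set test1 next-hop-service inside-service-interface si-0/0/0.1
set services service-set test1 next-hop-service outside-service-interface si-0/0/0.2
set services service-set test1 ipsec-vpn-rules test-ipsec-rule

# Variant A: match-direction input. The static route steers 10.0.0.0/24 into
# the NAT engine through the inside unit, so the packet direction is input.
set services ipsec-vpn rule test-ipsec-rule match-direction input
set routing-options static route 10.0.0.0/24 next-hop si-0/0/0.1

# Variant B: match-direction output. The route steers the same prefix in
# through the outside unit, so the packet direction is output. Commented out
# here because it replaces, rather than adds to, Variant A.
# set services ipsec-vpn rule test-ipsec-rule match-direction output
# set routing-options static route 10.0.0.0/24 next-hop si-0/0/0.2
```

The check a practitioner wants after committing is that the rule’s match-direction agrees with the service-domain of the unit the static route points at: a route into the inside unit with a rule set to output (or the reverse) leaves traffic reaching the engine in a direction the rule never matches, so it passes through untranslated or is dropped rather than failing loudly at commit time.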
Related Documentation
• Network Address Translation Overview on page 999
• Network Address Port Translation Overview on page 1001
• IPsec for ACX Series Overview on page 1087
• Enabling Inline Services Interface on ACX Series on page 1008
1034
Copyright © 2017, Juniper Networks, Inc.
ACX Series Universal Access Router Configuration Guide