When you configure NAT-PT with DNS ALG support, you must configure two NAT rules.
The first NAT rule ensures that the DNS query and response packets are translated
correctly. For this rule to work, you must configure a DNS ALG application and reference
it in the rule. The second rule is required to ensure that NAT sessions are destined to
the address mapped by the DNS ALG.
• To configure the correct translation of the DNS query and response packets, include
the dns-alg-pool dns-alg-pool or dns-alg-prefix dns-alg-prefix statement at the [edit
services nat rule rule-name term term-name then translated] hierarchy level.
• To configure the DNS ALG application, include the application application-name
statement at the [edit applications] hierarchy level, then reference it at the [edit
services nat rule rule-name term term-name from] hierarchy level.
• To configure destination translation with the DNS ALG address map, use the
use-dns-map-for-destination-translation statement at the [edit services nat rule
rule-name term term-name then translated] hierarchy level. This statement correlates
the DNS query or response processing done by the first rule with the actual data
sessions processed by the second rule.
You can also control the translation of IPv6 and IPv4 DNS queries in the following
ways.
• For translation control of IPv6 DNS queries, use the
do-not-translate-AAAA-query-to-A-query statement at the [edit applications
application application-name] hierarchy level.
• For translation control of IPv4 DNS queries, use the
do-not-translate-A-query-to-AAAA-query statement at the [edit applications
application application-name] hierarchy level.
NOTE: These two statements are mutually exclusive; configure only one of them in a
given application.
To check that the flows are established properly, use the show services
stateful-firewall flows command or the show services stateful-firewall conversations
command.
[Services Interfaces]
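The two-rule structure described in the NAT-PT with DNS ALG item above, written out as an added Junos configuration example (not taken from the release notes or from Juniper documentation). The application, pool and rule names and the RFC 5737/RFC 3849 documentation prefixes are placeholders; translation-type basic-nat-pt, match-direction and the application-protocol/protocol/destination-port statements are assumed standard NAT-PT and application scaffolding not named on this page.

```junos
applications {
    /* DNS ALG application referenced by the first NAT rule (placeholder name) */
    application dns-alg-app {
        application-protocol dns;
        protocol udp;
        destination-port 53;
        /* only one of the two do-not-translate statements may be present */
        do-not-translate-AAAA-query-to-A-query;
    }
}
services {
    nat {
        /* IPv4 addresses the ALG hands out for IPv6 hosts (documentation range) */
        pool dns-alg-v4-pool {
            address 203.0.113.0/24;
        }
        /* Rule 1: translate the DNS query/response packets themselves */
        rule dns-alg-rule {
            match-direction input;            /* assumed */
            term dns-traffic {
                from {
                    source-address 2001:db8::/32;   /* constructed sample prefix */
                    applications dns-alg-app;      /* reference the ALG application */
                }
                then {
                    translated {
                        translation-type basic-nat-pt;   /* assumed */
                        dns-alg-pool dns-alg-v4-pool;
                    }
                }
            }
        }
        /* Rule 2: data sessions go to the address the ALG mapped in rule 1 */
        rule dns-map-data-rule {
            match-direction input;            /* assumed */
            term data-traffic {
                from {
                    source-address 2001:db8::/32;   /* constructed sample prefix */
                }
                then {
                    translated {
                        translation-type basic-nat-pt;   /* assumed */
                        use-dns-map-for-destination-translation;
                    }
                }
            }
        }
    }
}
```

After committing, show services stateful-firewall flows (or ... conversations) should list the DNS flow handled by the first rule and the data sessions matched by the second.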
• Enhancements to active flow monitoring—Add support for extraction of bandwidth
usage information for billing purposes in PIC-based sampling configurations. This
capability is supported on M Series, MX Series, and T Series routers and applies only
to IPv4 and IPv6 traffic. It is enabled only at the global instance hierarchy level and is
not available for per-Packet-Forwarding-Engine instances. To configure the sampling
of traffic for billing purposes, include the template as-peer-billing-template-name
statement at the [edit forwarding-options sampling family (inet | inet6) output
flow-server server-name version version-number] hierarchy level. To define the peer-AS
billing functionality, include the peer-as-billing-template statement at the [edit services
flow-monitoring version9 template template-name] hierarchy level. For a list of the
template fields, see the Junos OS Services Interfaces Configuration Guide. You can apply
19 Copyright © 2010, Juniper Networks, Inc.
New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers