Routing


Configuring NAT on ACX500

  • 1.  Configuring NAT on ACX500

    Posted 02-13-2019 05:22

    Dear community,

    I have been trying to configure NAT on my ACX500 but to no avail. It's either me, or the documentation is a bit lacking. I'm unable to do any mappings or get any NAT statistics. I'm not sure what I'm missing, and therefore I need some help if it's possible. My configuration is as follows:

    NAT configuration

    #show services nat
    pool napt-pool {
        address 172.22.2.47/32; # This is my public IP which I want my LAN addresses to be translated to
        port {
            automatic;
        }
    }
    rule nat-rule1 {
        match-direction input;
        term nat-term1 {
            from {
                source-address {
                    192.168.1.0/24; # This is my LAN network which I intend to translate
                }
                application-sets accept-algs;
            }
            then {
                translated {
                    source-pool napt-pool;
                    translation-type {
                        napt-44;
                    }
                }
            }
        }
    }
    
    

    LAN interface

    show interfaces ge-0/1/2
    description "Ingress (LAN)";
    media-type copper;
    gigether-options {
        auto-negotiation;
    }
    unit 0 {
        family inet {
            service {
                inactive: input {
                    service-set sset1;
                }
                inactive: output {
                    service-set sset1;
                }
            }
            address 192.168.1.10/24;
        }
    }

    Public Interface

    show interfaces ge-0/1/3
    description "Egress (Public)";
    vlan-tagging;
    media-type copper;
    gigether-options {
        auto-negotiation;
    }
    unit 0 {
        vlan-id 9;
        family inet {
            address 172.22.2.47/24 {
                primary;
            }
        }
    }
    

    Service-Set

    # show services service-set sset1
    stateful-firewall-rules sf-rule1;
    nat-rules nat-rule1;
    interface-service {
        service-interface ms-0/2/0;
    }

    Model: acx500-ac
    Junos: 18.4R1.8

    I'd also like to add that I've tried to follow these two guides:
    https://www.juniper.net/documentation/en_US/junos/topics/concept/nat-overview-acx-series.html

    https://www.juniper.net/documentation/en_US/junos/topics/example/nat-nat44-config-ms-mpc.html

    Any help would be appreciated :)



  • 2.  RE: Configuring NAT on ACX500

    Posted 02-13-2019 05:28

    Have you purchased the license to do inline NAT as mentioned on https://forums.juniper.net/t5/forums/replypage/board-id/IProuting/message-id/19173 ?

    A license is required for enabling inline services on ACX500 routers.



  • 3.  RE: Configuring NAT on ACX500

    Posted 02-13-2019 07:23

    Hej Jonas,

    According to my show output, I have 27 days left to use this feature.
    According to my commit, well, it only gives me a warning:

    License usage:
                                     Licenses     Licenses    Licenses    Expiry
      Feature name                       used    installed      needed
      si-ifd                                1            0           1    27 days
    
    Licenses installed: none
    
    [edit]
    root# commit
    [edit chassis fpc 0 pic 1]
      'inline-services'
        warning: requires 'si-ifd' license
    commit complete


  • 4.  RE: Configuring NAT on ACX500

    Posted 02-13-2019 05:44

    Hi,

    Kindly add the following configuration.

    chassis {
        fpc 0 {
            pic 0 {
                inline-services {
                    bandwidth 1g;
                }
            }
            service-package bundle-nat-ipsec;
        }
    }

    Remove the ms interface and configure the SI interface for inline NAT.



  • 5.  RE: Configuring NAT on ACX500

    Posted 02-13-2019 05:47


  • 6.  RE: Configuring NAT on ACX500

    Posted 02-13-2019 05:51

    Sample configuration:

    set chassis fpc 0 pic 0 inline-services bandwidth 1g
    set chassis fpc 0 service-package bundle-nat-ipsec
    set services service-set set_0 nat-rules rule_nat44
    set services service-set set_0 interface-service service-interface si-0/0/0.0
    set services nat pool pool_nat44 address 10.10.10.1/32
    set services nat pool pool_nat44 address-overload
    set services nat pool pool_nat44 port range low 49160
    set services nat pool pool_nat44 port range high 51207
    set services nat allow-overlapping-nat-pools
    set services nat rule rule_nat44 match-direction input
    set services nat rule rule_nat44 term t2 from source-address 192.168.1.0/24
    set services nat rule rule_nat44 term t2 then translated source-pool pool_nat44
    set services nat rule rule_nat44 term t2 then translated translation-type napt-44
    set interfaces si-0/0/0 unit 0 family inet
    set interfaces si-0/0/0 unit 0 family inet6
    set interfaces ge-0/0/2 unit 0 family inet service input service-set set_0
    set interfaces ge-0/0/2 unit 0 family inet service output service-set set_0
    set interfaces ge-0/0/2 unit 0 family inet address 20.20.20.1/30

    show services inline nat pool
    Interface: si-0/0/0, Service set: set_0
      NAT pool: pool_nat44, Translation type: NAPT-44
        Address range: 10.10.10.1-10.10.10.1
        NATed packets: 304753899, deNATed packets: 300695047, Errors: 0, Skipped packets: 0



  • 7.  RE: Configuring NAT on ACX500

    Posted 02-13-2019 07:38

    Hello again,

    I looked at your sample and imitated it. It's still not working (no output from "show services inline..."). HOWEVER, if I switch from FPC0/PIC0 to FPC0/PIC1 I get the following:

    run show services inline nat pool
    Interface: si-0/0/0, Service set: sset1
      NAT pool: napt-pool, Translation type: NAPT-44
        Address range: 172.22.2.47-172.22.2.47
        NATed packets: 0, deNATed packets: 0, Errors: 0, Skipped packets: 0
    

    The thing is, I'm not using PIC1, which includes 2 optical interfaces. According to the ACX manual, I'm using FPC0/PIC0.

    Another question for you. In your example, you provided the following 3 addresses:

    set interfaces ge-0/0/2 unit 0 family inet address 20.20.20.1/30
    set services nat rule rule_nat44 term t2 from source-address 192.168.1.0/24
    set services nat pool pool_nat44 address 10.10.10.1/32

    In my case, I have my local interface with the 192.168.1.0/24 network and 172.2.2.47/32 on the public interface. If I assume that your "from source-address" is your LAN network and "pool_nat44" is your public network, what is the 20.20.20.1/30 for?

    EDIT

    My configuration right now is as follows:

    set chassis fpc 0 pic 1 inline-services bandwidth 1g
    set chassis fpc 0 service-package bundle-nat-ipsec
    set services service-set sset1 nat-rules nat-rule1
    set services service-set sset1 interface-service service-interface si-0/0/0.0
    set services nat pool napt-pool address 172.22.2.47/32
    set services nat pool napt-pool port range low 49160
    set services nat pool napt-pool port range high 51207
    set services nat pool napt-pool address-overload
    set services nat rule nat-rule1 match-direction input
    set services nat rule nat-rule1 term nat-term1 from source-address 192.168.1.0/24
    set services nat rule nat-rule1 term nat-term1 then translated source-pool napt-pool
    set services nat rule nat-rule1 term nat-term1 then translated translation-type napt-44
    set interfaces ge-0/0/0 unit 0 family inet
    set interfaces si-0/0/0 unit 0 family inet
    set interfaces ge-0/1/2 description "Ingress (LAN)"
    set interfaces ge-0/1/2 media-type copper
    set interfaces ge-0/1/2 gigether-options auto-negotiation
    set interfaces ge-0/1/2 unit 0 family inet service input service-set sset1
    deactivate interfaces ge-0/1/2 unit 0 family inet service input
    set interfaces ge-0/1/2 unit 0 family inet service output service-set sset1
    deactivate interfaces ge-0/1/2 unit 0 family inet service output
    set interfaces ge-0/1/2 unit 0 family inet address 192.168.1.10/24
    set interfaces ge-0/1/3 description "Egress (Public)"
    set interfaces ge-0/1/3 vlan-tagging
    set interfaces ge-0/1/3 media-type copper
    set interfaces ge-0/1/3 gigether-options auto-negotiation
    set interfaces ge-0/1/3 unit 0 vlan-id 9
    set interfaces ge-0/1/3 unit 0 family inet address 172.22.2.47/24 primary
    set routing-options static route 0.0.0.0/0 next-hop 172.22.2.1
    set protocols lldp interface all


  • 8.  RE: Configuring NAT on ACX500

    Posted 02-13-2019 21:50

    Hi,

    If you're using PIC1, then the SI interface will be si-0/1/0. Kindly check the same using "show interface terse| match si-".

    Let me know if you see any issue after the changes.

    Regards,
    Rahul



  • 9.  RE: Configuring NAT on ACX500

    Posted 02-14-2019 03:01

    Hi,

    You were right, using PIC1 means I should use si-0/1/0 (si-slot/PIC/port). Right now, I'm using PIC0 with si-0/0/0.

    Now some of it is working. It seems like the NAT pool that I'm using should not include the IP address of my egress port (172.22.2.47/32). I changed it to 172.22.2.39/32, and bingo! Now I can reach 8.8.8.8 from the router's inside interface (ge-0/0/0 address 192.168.1.10), but I cannot ping from a client (192.168.1.11) which is directly connected to ge-0/0/0, not even the IP of the interface itself.

    The client can ping its gateway when I deactivate the service set configured on ge-0/0/0.

    Here is an update of my configuration:

    chassis {
        fpc 0 {
            pic 0 {
                ##
                ## Warning: requires 'si-ifd' license
                ##
                inline-services {
                    bandwidth 1g;
                }
            }
            service-package bundle-nat-ipsec;
        }
    }
    services {
        service-set INT-STYLE-SS-NAT1 {
            nat-rules SRC-NAT1;
            interface-service {
                service-interface si-0/0/0.0;
            }
        }
        nat {
            pool p1 {
                address 172.22.2.39/32;
                port {
                    range low 49160 high 51207;
                }
            }
            rule SRC-NAT1 {
                match-direction input;
                term r1 {
                    from {
                        source-address {
                            192.168.1.0/24;
                        }
                    }
                    then {
                        translated {
                            source-pool p1;
                            translation-type {
                                napt-44;
                            }
                        }
                    }
                }
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            description INSIDE;
            unit 0 {
                family inet {
                    service {
                        input {
                            service-set INT-STYLE-SS-NAT1;
                        }
                        output {
                            service-set INT-STYLE-SS-NAT1;
                        }
                    }
                    address 192.168.1.10/24;
                }
            }
        }
        si-0/0/0 {
            unit 0 {
                family inet;
            }
        }
        ge-0/1/3 {
            description OUTSIDE;
            vlan-tagging;
            media-type copper;
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                vlan-id 9;
                family inet {
                    address 172.22.2.47/24 {
                        primary;
                    }
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 172.22.2.1;
            route 192.168.1.0/24 next-hop ge-0/0/0.0;
        }
    }

    Here is a ping from 192.168.1.10 (ge-0/0/0):

    root# run ping source 192.168.1.10 8.8.8.8
    PING 8.8.8.8 (8.8.8.8): 56 data bytes
    64 bytes from 8.8.8.8: icmp_seq=0 ttl=118 time=14.269 ms
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=118 time=12.930 ms

    Show services inline nat pool:

    root# run show services inline nat pool
    Interface: si-0/0/0, Service set: INT-STYLE-SS-NAT1
      NAT pool: p1, Translation type: NAPT-44
        Address range: 172.22.2.39-172.22.2.39
        NATed packets: 2530, deNATed packets: 4, Errors: 0, Skipped packets: 0
    

    I know that I have changed a lot in the naming of my pool/rule/services. I hope it won't confuse you guys.



  • 10.  RE: Configuring NAT on ACX500
    Best Answer

    Posted 02-14-2019 03:37

    This is expected. You need to use a service-filter to skip some traffic from getting NATed.

    labroot@jtac-acx500-r2030# show interfaces ge-0/0/0
    description INSIDE;
    unit 0 {
        family inet {
            service {
                input {
                    service-set INT-STYLE-SS-NAT1 service-filter TEST;
                }
                output {
                    service-set INT-STYLE-SS-NAT1 service-filter TEST;
                }
            }
            address 192.168.1.10/24;
        }
    }

    [edit]
    labroot@jtac-acx500-r2030# show firewall | display set
    set firewall family inet service-filter TEST term 1 from destination-address 192.168.1.0/24
    set firewall family inet service-filter TEST term 1 then skip
    set firewall family inet service-filter TEST term 2 then service
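As an added illustration (not code from this thread, from Junos or from the ACX500), here is a small Python model of why the service-filter is needed: term 1 skips anything destined to the LAN so it passes untranslated, while everything else is NAPT-44 translated to the pool address with a port from the 49160-51207 range. The packets are constructed; the LAN, pool address and port range are the values from the poster's configuration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed values taken from the thread: the inside LAN, the pool address the
# poster ended up with, and the port range from the sample configuration.
LAN = ipaddress.ip_network("192.168.1.0/24")
POOL_ADDRESS = "172.22.2.39"
PORT_LOW, PORT_HIGH = 49160, 51207  # 2048 NAPT ports in the pool


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def service_filter(pkt: Packet) -> str:
    """Model of service-filter TEST: term 1 skips packets whose destination is
    inside the LAN, term 2 hands everything else to the service set."""
    if ipaddress.ip_address(pkt.dst) in LAN:
        return "skip"
    return "service"


class Napt44:
    """Toy NAPT-44 translator: one pool address, ports from a fixed range.
    This illustrates the behaviour; it is not the ACX500 implementation."""

    def __init__(self) -> None:
        self.free_ports = list(range(PORT_LOW, PORT_HIGH + 1))
        self.mappings: Dict[Tuple[str, int], int] = {}

    def translate(self, pkt: Packet) -> Optional[Packet]:
        # Without the skip term, LAN-to-LAN traffic would also be rewritten to the
        # pool address, which is why the client could not even ping its gateway.
        if service_filter(pkt) == "skip":
            return pkt
        key = (pkt.src, pkt.sport)
        if key not in self.mappings:
            if not self.free_ports:
                return None  # pool exhausted: a 2049th concurrent flow is dropped
            self.mappings[key] = self.free_ports.pop(0)
        return Packet(POOL_ADDRESS, self.mappings[key], pkt.dst, pkt.dport)

    def mapping_count(self) -> int:
        return len(self.mappings)
```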



  • 11.  RE: Configuring NAT on ACX500

    Posted 02-14-2019 04:16

    Dear Rahul,

    Thank you so much for your help. At long last it is now working. Just one last thing: the show services inline nat statistics does not show any entries, and I cannot show mappings. Do I need to configure stateful-firewall?

    Thanks in advance

    Best regards

    Mohammad



  • 12.  RE: Configuring NAT on ACX500

    Posted 02-14-2019 05:13

    Hi,

    Did you try to capture the output of the command below?

    show services inline stateful-firewall flows

    Regards,

    Rahul



  • 13.  RE: Configuring NAT on ACX500

    Posted 02-13-2019 07:25

    Hi,

    I did have the package enabled, and I also tried the SI interface, but it is all still the same. Right now I did what you suggested, and it's still not working.