NAPT-44 on an MX104

Still playing around with a Services MIC (MS-MIC-16G) that is inserted into an MX104. Thought I’d share a small post on how to enable NAT for a simple scenario. There are over 10 different types of NAT that the Services MIC can provide you with. Here’s an example on how to have the MX104 perform NAPT-44 in the following scenario:



By enabling NAPT-44 on the MX, users sitting behind the CPE will be able to access the Internet using a private IP address. NAPT stands for Network Address Port Translation. This is a method to translate many IP addresses and their TCP/UDP ports into a single IP address and its TCP/UDP port.

Let’s start with the configuration of the CPE-facing interface, the static route to make the CPE subnet reachable and the configuration of the services interface (enabling it for IPv4):

set interfaces ae1 unit 4004 description NAT-TEST-CPE-facing-interface
set interfaces ae1 unit 4004 vlan-id 4004
set interfaces ae1 unit 4004 family inet mtu 1500
set interfaces ae1 unit 4004 family inet address 192.168.10.1/24
set routing-options static route 192.168.50.0/24 next-hop 192.168.10.2
set routing-options static route 192.168.50.0/24 no-readvertise
set interfaces ms-0/0/0 unit 0 family inet

The configuration of NAT takes place in the [ edit services ] stanza. We will need to configure three things: a service-set, a NAT pool and a NAT rule.

To configure a service-set for NAT, we could take the following approach:

set services service-set nat-test nat-rules nat-test
set services service-set nat-test interface-service service-interface ms-0/0/0

This service-set, named ‘nat-test’, will use the Services MIC ‘ms-0/0/0’.

To configure a simple nat-pool:

set services nat pool public address-range low 89.0.0.2 high 89.0.0.3
set services nat pool public port automatic

The configuration above is for a NAT pool with two public IP addresses. When doing NAPT, many IP addresses can be translated into a single public IP address. If there are thousands of users, chances are that 1 or 2 IP addresses are not enough. For this reason, you can configure the NAT pool with many public IP addresses.

Lastly, the nat-rule:

set services nat rule nat-test match-direction input
set services nat rule nat-test term 1 from destination-address any-ipv4
set services nat rule nat-test term 1 then translated source-pool public
set services nat rule nat-test term 1 then translated translation-type napt-44

The rule above will match on packets sent to the MX104 with any IPv4 destination. The previously created nat-pool called ‘public’ will be used for NAPT-44 translations.

To make the NAT configuration take effect, we have to enable the service-set on the CPE-facing interface:

set interfaces ae1 unit 4004 family inet service input service-set nat-test
set interfaces ae1 unit 4004 family inet service output service-set nat-test

With this configuration, packets sourced from the CPE are eligible for NAPT translation. Let’s verify this by sending some packets from our MX480 CPE:

{master}
play@MX480-TEST-RE0:Nat> ping 80.0.0.2 rapid source 192.168.50.254
PING 80.0.0.2 (80.0.0.2): 56 data bytes
!!!!!
--- 80.0.0.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.439/0.569/0.984/0.208 ms

Now, on to the MX104 to check out the NAT translations:



play@MX104-TEST-HB> show services sessions
ms-0/0/0
Service Set: nat-test, Session: 1845493763, ALG: icmp, Flags: 0x0000, IP Action: no, Offload: no, Asymmetric: no
ICMP     192.168.50.254        ->        80.0.0.2        Forward  I               5
ICMP           80.0.0.2        ->        89.0.0.3        Forward  O               5

The above printout shows us that the NAT session exists on the ms-0/0/0 interface and that the service-set is called ‘nat-test’. The ‘Forward I’ (or ingress) line tells us the source and destination address of the packet that the CPE has forwarded towards the MX104. The ‘Forward O’ (or egress) line tells us the source and destination address of the packet in the other direction of the session: from 80.0.0.2 to the translated address 89.0.0.3.

The ‘extensive’ version of the command will give us some additional information:

play@MX104-TEST-HB> show services sessions extensive
ms-0/0/0
Service Set: nat-test, Session: 1811939331, ALG: icmp, Flags: 0x0000, IP Action: no, Offload: no, Asymmetric: no
NAT PLugin Data:
  NAT Action:   Translation Type - NAPT-44
    NAT source       192.168.50.254:38661   ->        89.0.0.3:1069
ICMP     192.168.50.254        ->        80.0.0.2        Forward  I               5
  Byte count: 420
  Flow role: Initiator, Timeout: 29
ICMP           80.0.0.2        ->        89.0.0.3        Forward  O               5
  Byte count: 420
  Flow role: Responder, Timeout: 29

Here we can see what type of NAT was used (NAPT-44) and what the source IP + port was translated into. Hope this helps!
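As an added example (not part of the original post): because NAPT hides many private hosts behind one public address, the ‘NAT source’ line is the record that ties a public address and port back to an internal host. The Python below parses the ‘show services sessions extensive’ output shown above; the function names are hypothetical and the parsing assumes only the line layout visible in that sample.

```python
import re

# Constructed sample: the 'show services sessions extensive' output from this post.
SAMPLE = """\
ms-0/0/0
Service Set: nat-test, Session: 1811939331, ALG: icmp, Flags: 0x0000, IP Action: no, Offload: no, Asymmetric: no
NAT PLugin Data:
  NAT Action:   Translation Type - NAPT-44
    NAT source       192.168.50.254:38661   ->        89.0.0.3:1069
ICMP     192.168.50.254        ->        80.0.0.2        Forward  I               5
  Byte count: 420
  Flow role: Initiator, Timeout: 29
ICMP           80.0.0.2        ->        89.0.0.3        Forward  O               5
  Byte count: 420
  Flow role: Responder, Timeout: 29
"""

HEADER = re.compile(r"^Service Set: (\S+), Session: (\d+), ALG: (\S+),")
XLATE_TYPE = re.compile(r"Translation Type - (\S+)")
NAT_SRC = re.compile(r"NAT source\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)")
FLOW = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\w+)\s+([IO])\s+(\d+)")

def parse_sessions(text):
    """Return one dict per session found in the CLI output."""
    sessions, cur = [], None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur = {"service_set": m[1], "session": int(m[2]), "alg": m[3],
                   "type": None, "private": None, "public": None, "flows": []}
            sessions.append(cur)
        elif cur is None:
            continue  # interface name line before the first session header
        elif m := XLATE_TYPE.search(line):
            cur["type"] = m[1]
        elif m := NAT_SRC.search(line):
            cur["private"] = (m[1], int(m[2]))  # address:port before translation
            cur["public"] = (m[3], int(m[4]))   # address:port after translation
        elif m := FLOW.match(line):
            cur["flows"].append({"proto": m[1], "src": m[2], "dst": m[3],
                                 "dir": m[5], "packets": int(m[6])})
    return sessions

def who_was(sessions, public_ip, public_port):
    """Map a translated address:port back to the private host(s) behind it."""
    return [s["private"] for s in sessions if s["public"] == (public_ip, public_port)]

if __name__ == "__main__":
    for s in parse_sessions(SAMPLE):
        print(s["session"], s["type"], s["private"], "->", s["public"])
```

Sessions time out (29 seconds in the output above), so a lookup like this only answers questions about translations that are live when the command is run.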

3-6-2015