Juniper MX NAT with MS-DPC

- networking juniper

Looking through Juniper’s documentation, it was difficult to find a concrete example of MS-DPC NAT. It’s an older style of configuration, and information on it is scarce. This example has both source NAT and destination NAT: traffic originating from 192.168.5.0/24 is source NAT’d to 198.51.100.10, and traffic inbound to 198.51.100.5 is DNAT’d to 192.168.5.5.

[Figure: mx-nat]

set interfaces sp-0/0/0 unit 30 description NAT
set interfaces sp-0/0/0 unit 30 family inet
set interfaces sp-0/0/0 unit 30 service-domain inside

set interfaces ge-0/0/0 unit 0 family inet service input service-set NAT-SVC-SET
set interfaces ge-0/0/0 unit 0 family inet service output service-set NAT-SVC-SET

set services stateful-firewall rule allow-all match-direction input-output
set services stateful-firewall rule allow-all term a then accept

set services service-set NAT-SVC-SET stateful-firewall-rules allow-all
set services service-set NAT-SVC-SET nat-rule-sets MY-NAT-SET
set services service-set NAT-SVC-SET interface-service service-interface sp-0/0/0.30

set services nat rule-set MY-NAT-SET rule MY-SNAT
set services nat rule-set MY-NAT-SET rule MY-DNAT

set services nat pool MY-SNAT-POOL address 198.51.100.10/32
set services nat pool MY-SNAT-POOL port automatic

set services nat pool MY-DNAT-POOL address 192.168.5.5/32

set services nat rule MY-SNAT match-direction output
set services nat rule MY-SNAT term a from source-address 192.168.5.0/24
set services nat rule MY-SNAT term a then translated source-pool MY-SNAT-POOL
set services nat rule MY-SNAT term a then translated translation-type source dynamic

set services nat rule MY-DNAT match-direction input
set services nat rule MY-DNAT term DASH-8946 from destination-address 198.51.100.5/32
set services nat rule MY-DNAT term DASH-8946 then translated destination-pool MY-DNAT-POOL
set services nat rule MY-DNAT term DASH-8946 then translated translation-type dnat-44
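Set-style Junos configs like this one fail in quiet ways: a pool name that nothing defines, a `then` clause typed under a different term name than its `from`, or a destination pool that points at the outside address instead of the inside host. The linter below is an added example (not Juniper's tooling and not part of the original post); it parses `set services ...` lines and reports those cross-reference problems. The sample config embedded in it is constructed from the example above, with the DNAT term deliberately split across two names and the DNAT pool deliberately set to the SNAT address so both checks fire; `fixed_copy` applies the corrections and shows a clean run.

```python
import re
from collections import defaultdict

# Constructed sample: the MS-DPC config from the post, with two defects planted
# (DNAT term split across DASH-8946/DASH-9206, DNAT pool set to the SNAT address).
SAMPLE_CONFIG = """
set interfaces sp-0/0/0 unit 30 family inet
set interfaces sp-0/0/0 unit 30 service-domain inside
set services service-set NAT-SVC-SET nat-rule-sets MY-NAT-SET
set services service-set NAT-SVC-SET interface-service service-interface sp-0/0/0.30
set services nat rule-set MY-NAT-SET rule MY-SNAT
set services nat rule-set MY-NAT-SET rule MY-DNAT
set services nat pool MY-SNAT-POOL address 198.51.100.10/32
set services nat pool MY-SNAT-POOL port automatic
set services nat pool MY-DNAT-POOL address 198.51.100.10/32
set services nat rule MY-SNAT match-direction output
set services nat rule MY-SNAT term a from source-address 192.168.5.0/24
set services nat rule MY-SNAT term a then translated source-pool MY-SNAT-POOL
set services nat rule MY-SNAT term a then translated translation-type source dynamic
set services nat rule MY-DNAT match-direction input
set services nat rule MY-DNAT term DASH-8946 from destination-address 198.51.100.5/32
set services nat rule MY-DNAT term DASH-9206 then translated destination-pool MY-DNAT-POOL
set services nat rule MY-DNAT term DASH-9206 then translated translation-type dnat-44
"""

TERM_RE = re.compile(r"^set services nat rule (\S+) term (\S+) (from|then)\b")


def _arg_after(toks, keyword):
    """Return the token following `keyword`, or None if it is absent or last."""
    if keyword not in toks:
        return None
    i = toks.index(keyword)
    return toks[i + 1] if i + 1 < len(toks) else None


def lint_nat_config(config_text):
    """Return a list of problem strings; an empty list means the config is consistent."""
    pools, pool_addrs = set(), {}                        # pool name -> address
    rules, rule_sets, sp_units = set(), set(), set()
    pool_refs, rule_refs, set_refs, sp_refs = [], [], [], []
    term_parts = defaultdict(lambda: defaultdict(set))   # rule -> term -> {"from", "then"}
    pool_role = {}                                       # pool name -> "source" | "destination"

    for line in config_text.splitlines():
        toks = line.split()
        if toks[:1] != ["set"] or len(toks) < 5:
            continue
        if toks[1:4] == ["services", "nat", "pool"]:
            pools.add(toks[4])
            if _arg_after(toks, "address"):
                pool_addrs[toks[4]] = _arg_after(toks, "address")
        elif toks[1:4] == ["services", "nat", "rule"]:
            rules.add(toks[4])
            m = TERM_RE.match(line.strip())
            if m:
                term_parts[m.group(1)][m.group(2)].add(m.group(3))
            for role in ("source", "destination"):
                ref = _arg_after(toks, f"{role}-pool")
                if ref:
                    pool_refs.append((toks[4], ref))
                    pool_role[ref] = role
        elif toks[1:4] == ["services", "nat", "rule-set"]:
            rule_sets.add(toks[4])
            if toks[5:6] == ["rule"] and len(toks) > 6:
                rule_refs.append((toks[4], toks[6]))
        elif toks[1:3] == ["services", "service-set"]:
            if _arg_after(toks, "nat-rule-sets"):
                set_refs.append((toks[3], _arg_after(toks, "nat-rule-sets")))
            if _arg_after(toks, "service-interface"):
                sp_refs.append((toks[3], _arg_after(toks, "service-interface")))
        elif toks[1] == "interfaces" and toks[2].startswith("sp-") and toks[3] == "unit":
            sp_units.add(f"{toks[2]}.{toks[4]}")

    problems = []
    problems += [f"rule {r} references undefined pool {p}" for r, p in pool_refs if p not in pools]
    problems += [f"rule-set {s} references undefined rule {r}" for s, r in rule_refs if r not in rules]
    problems += [f"service-set {s} references undefined rule-set {rs}" for s, rs in set_refs if rs not in rule_sets]
    problems += [f"service-set {s} uses missing service interface {u}" for s, u in sp_refs if u not in sp_units]
    for rule, terms in term_parts.items():
        for term, parts in sorted(terms.items()):
            if "then" not in parts:
                problems.append(f"rule {rule} term {term} matches traffic but has no then action")
            elif "from" not in parts:
                # A services term with no from clause matches everything in the rule's direction.
                problems.append(f"rule {rule} term {term} has an action but no from clause, so it applies to all traffic")
    # The destination pool is the inside host a DNAT lands on; the source pool is the outside
    # address SNAT hides behind. If they share an address, one of them is wrong.
    src_addrs = {pool_addrs.get(p) for p, role in pool_role.items() if role == "source"}
    for p, role in pool_role.items():
        if role == "destination" and pool_addrs.get(p) in src_addrs:
            problems.append(f"destination pool {p} uses SNAT address {pool_addrs[p]}; DNAT target should be the inside host")
    return problems


def fixed_copy(config_text):
    """The same config with both planted defects corrected, for a clean lint run."""
    return (config_text.replace("DASH-9206", "DASH-8946")
            .replace("MY-DNAT-POOL address 198.51.100.10/32", "MY-DNAT-POOL address 192.168.5.5/32"))


if __name__ == "__main__":
    for p in lint_nat_config(SAMPLE_CONFIG):
        print("PROBLEM:", p)
    print("fixed config problems:", lint_nat_config(fixed_copy(SAMPLE_CONFIG)))
```

Run it against `show configuration | display set` output saved to a file; the checks are purely textual, so they run on a workstation before commit and need no access to the router.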

To see the active translations, look at the stateful-firewall flows for the service set.

root@mx> show services stateful-firewall flows service-set NAT-SVC-SET
Interface: sp-0/0/0, Service set: NAT-SVC-SET
Flow                                                State    Dir       Frm count
TCP     203.0.113.200:41974  ->  198.51.100.5:80  Forward  I           13350
    NAT dest    198.51.100.5:80   ->      192.168.5.5:17000   
TCP     203.0.113.200:30571  ->  198.51.100.5:80  Forward  I            6758
    NAT dest    198.51.100.5:80   ->      192.168.5.5:17000   
TCP          192.168.5.5:80  -> 203.0.113.200:41974  Forward  O           15088
    NAT source      192.168.5.5:80   ->  198.51.100.5:80
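Reading that output by hand works for three flows, not for thousands. The script below is an added example (not part of the original post and not a Juniper tool) that parses the `NAT source` / `NAT dest` lines of this command's output and flags any translation the intended policy does not explain. Note the subtlety visible in the last flow above: the return half of a DNAT session shows up as a source translation from the inside host back to the public address, so a naive "source translations must go to the SNAT pool" check would raise a false alarm. The policy dictionary and the sample output are constructed to match the example; the final flow in the sample (to 192.168.5.9) is deliberately outside the policy.

```python
import ipaddress
import re

# Constructed sample modelled on the show output in the post: an inbound DNAT flow,
# its return half, an outbound SNAT flow, and one flow whose translation lands on
# a host the policy does not allow.
SAMPLE_FLOWS = """\
Interface: sp-0/0/0, Service set: NAT-SVC-SET
Flow                                                State    Dir       Frm count
TCP     203.0.113.200:41974  ->  198.51.100.5:80  Forward  I           13350
    NAT dest    198.51.100.5:80   ->      192.168.5.5:17000
TCP          192.168.5.5:80  -> 203.0.113.200:41974  Forward  O           15088
    NAT source      192.168.5.5:80   ->  198.51.100.5:80
TCP         192.168.5.20:51000  ->  203.0.113.9:443  Forward  O             42
    NAT source      192.168.5.20:51000   ->  198.51.100.10:1025
TCP     203.0.113.77:40000  ->  198.51.100.5:22  Forward  I               3
    NAT dest    198.51.100.5:22   ->      192.168.5.9:22
"""

# Intended policy, constructed from the configuration in the post.
POLICY = {
    "inside_net": ipaddress.ip_network("192.168.5.0/24"),
    "snat_address": ipaddress.ip_address("198.51.100.10"),
    "dnat": {ipaddress.ip_address("198.51.100.5"): ipaddress.ip_address("192.168.5.5")},
}

# Matches the indented "NAT source|dest  a.b.c.d:port -> w.x.y.z:port" lines.
NAT_RE = re.compile(r"^\s+NAT (source|dest)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)")


def parse_translations(text):
    """Return a list of (kind, original_ip, translated_ip) for each NAT line."""
    out = []
    for line in text.splitlines():
        m = NAT_RE.match(line)
        if m:
            kind, orig, _, new, _ = m.groups()
            out.append((kind, ipaddress.ip_address(orig), ipaddress.ip_address(new)))
    return out


def check_translations(text, policy=POLICY):
    """Return the NAT translations that the intended policy does not explain."""
    dnat = policy["dnat"]
    reverse_dnat = {inside: public for public, inside in dnat.items()}
    bad = []
    for kind, orig, new in parse_translations(text):
        if kind == "dest":
            # Inbound DNAT: the public address must map to exactly its configured inside host.
            ok = dnat.get(orig) == new
        else:
            # Outbound source translation is legitimate in two cases: dynamic SNAT from the
            # inside net to the SNAT address, or the return half of a DNAT session, which
            # shows as inside host -> public address.
            ok = (orig in policy["inside_net"] and new == policy["snat_address"]) \
                or reverse_dnat.get(orig) == new
        if not ok:
            bad.append(f"{kind} {orig} -> {new}")
    return bad


if __name__ == "__main__":
    for entry in check_translations(SAMPLE_FLOWS):
        print("UNEXPECTED:", entry)
```

Feed it the saved output of `show services stateful-firewall flows service-set NAT-SVC-SET` and anything it prints is a translation your configuration was not meant to produce, which is the first thing to look at after a NAT change.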