[j-nsp] Doing SNAT only for destinations learned from a specific BGP peering
Martin Tonusoo
martin at tonusoo.ee
Sun Apr 26 17:32:15 EDT 2026
Hi.
With a multiservices line-card, the PAT configuration could be something
like this:
root@lab-mx960> show configuration services
service-set pat-service-set {
    nat-rules rule-napt-44;
    interface-service {
        /* first PIC of MS-DPC in slot 9; Multiservices MIC should use
           "ms" interface instead of "sp" interface */
        service-interface sp-9/0/0;
    }
}
nat {
    pool napt-pool {
        address 10.1.1.1/32;
        port {
            automatic {
                random-allocation;
            }
        }
    }
    rule rule-napt-44 {
        match-direction output;
        /* such simple conf will also punt the L3VPN BGP session
           traffic to multiservices line-card */
        term match-all {
            then {
                translated {
                    source-pool napt-pool;
                    translation-type {
                        napt-44;
                    }
                }
            }
        }
    }
}
root@lab-mx960>
root@lab-mx960> show configuration interfaces
ge-2/1/6 {
    description L3VPN;
    unit 0 {
        family inet {
            service {
                input {
                    service-set pat-service-set;
                }
                output {
                    service-set pat-service-set;
                }
            }
            address 10.1.1.1/31;
        }
    }
}
ge-2/1/8 {
    description LAN;
    unit 0 {
        family inet {
            address 10.4.4.1/24;
        }
    }
}
sp-9/0/0 {
    unit 0 {
        family inet;
    }
}
fxp0 {
    unit 0 {
        family inet {
            dhcp;
        }
    }
}
root@lab-mx960>
This was tested on MX960 running Junos 19.4 with legacy MS-DPC:
root@lab-mx960> show chassis fpc pic-status 9
Slot 9   Online       MS-DPC
  PIC 0  Online       MS-DPC PIC
  PIC 1  Online       MS-DPC PIC
root@lab-mx960>
Newer Junos releases like 21.4 no longer support the MS-DPC.
NAT state table when there were 10.4.4.10 -> 10.1.1.0:1234 and
10.4.4.20 -> 10.1.1.0:1234 TCP sessions established and "ping -I
10.4.4.30 10.1.1.0" running:
root@lab-mx960> show services stateful-firewall conversations service-set pat-service-set
Interface: sp-9/0/0, Service set: pat-service-set
Conversation: ALG protocol: tcp
  Number of initiators: 1, Number of responders: 1
  Flow                                      State    Dir  Frm count
  TCP  10.4.4.20:33171 -> 10.1.1.0:1234     Forward  O    15
    NAT source 10.4.4.20:33171 -> 10.1.1.1:60339
  TCP  10.1.1.0:1234 -> 10.1.1.1:60339      Forward  I    14
    NAT dest 10.1.1.1:60339 -> 10.4.4.20:33171
Conversation: ALG protocol: icmp
  Number of initiators: 1, Number of responders: 1
  Flow                                      State    Dir  Frm count
  ICMP 10.4.4.30 -> 10.1.1.0                Watch    O    168
    NAT source 10.4.4.30 -> 10.1.1.1
  ICMP 10.1.1.0 -> 10.1.1.1                 Watch    I    168
    NAT dest 10.1.1.1 -> 10.4.4.30
Conversation: ALG protocol: tcp
  Number of initiators: 1, Number of responders: 1
  Flow                                      State    Dir  Frm count
  TCP  10.4.4.10:60385 -> 10.1.1.0:1234     Forward  O    17
    NAT source 10.4.4.10:60385 -> 10.1.1.1:39723
  TCP  10.1.1.0:1234 -> 10.1.1.1:39723      Forward  I    16
    NAT dest 10.1.1.1:39723 -> 10.4.4.10:60385
root@lab-mx960>
Finally, it's worth noting that the related ICMP packets are allowed
by default, e.g. if there are UDP flows for traceroute, then the
related ICMP "dst port unreachable" messages are allowed through:
$ sudo ip netns exec lan traceroute -n 10.1.1.0
traceroute to 10.1.1.0 (10.1.1.0), 30 hops max, 60 byte packets
1 10.4.4.1 2.454 ms 2.421 ms 2.474 ms
2 10.1.1.0 0.550 ms 0.479 ms 0.476 ms
$
Martin
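As an added example (not part of Martin's post and not a configuration from Juniper), here is one way to narrow the setup above so that only flows towards the destinations learned over the L3VPN peering are translated, and the PE-CE BGP session itself is never punted to the MS-DPC, which is the side effect the comment in the match-all term warns about. The prefix 192.0.2.0/24 is a placeholder for whatever routes the peering actually advertises; the filter and term names (nat-out, nat-in, keep-bgp-local, to-service-pic, default-skip, bgp-learned-destinations) are made up here. Service set, pool, interface and pool names are the ones from the post.

```junos
/* Added example, not from the original post. 192.0.2.0/24 is a placeholder
   for the prefixes learned from the L3VPN BGP peering; replace it with the
   real ones before use. */
services {
    service-set pat-service-set {
        nat-rules rule-napt-44;
        interface-service {
            service-interface sp-9/0/0;
        }
    }
    nat {
        pool napt-pool {
            address 10.1.1.1/32;
            port {
                automatic {
                    random-allocation;
                }
            }
        }
        rule rule-napt-44 {
            match-direction output;
            /* translate only flows whose destination is a BGP-learned
               prefix; anything else that reaches the PIC is left alone */
            term bgp-learned-destinations {
                from {
                    destination-address 192.0.2.0/24;
                }
                then {
                    translated {
                        source-pool napt-pool;
                        translation-type {
                            napt-44;
                        }
                    }
                }
            }
        }
    }
}
firewall {
    family inet {
        /* output direction: keep the BGP session on the PFE, send only
           traffic headed for the placeholder prefix to the service PIC */
        service-filter nat-out {
            term keep-bgp-local {
                from {
                    protocol tcp;
                    port 179;
                }
                then skip;
            }
            term to-service-pic {
                from {
                    destination-address {
                        192.0.2.0/24;
                    }
                }
                then service;
            }
            term default-skip {
                then skip;
            }
        }
        /* input direction: return traffic arrives with the NAT pool address
           as destination, so match on the source prefix instead */
        service-filter nat-in {
            term keep-bgp-local {
                from {
                    protocol tcp;
                    port 179;
                }
                then skip;
            }
            term to-service-pic {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                }
                then service;
            }
            term default-skip {
                then skip;
            }
        }
    }
}
interfaces {
    ge-2/1/6 {
        description L3VPN;
        unit 0 {
            family inet {
                service {
                    input {
                        service-set pat-service-set service-filter nat-in;
                    }
                    output {
                        service-set pat-service-set service-filter nat-out;
                    }
                }
                address 10.1.1.1/31;
            }
        }
    }
}
```

The two service filters are direction-specific on purpose: a single filter matching on destination-address would skip the return half of every translated flow on input, because those packets are addressed to the pool address 10.1.1.1 rather than to the learned prefix, and the stateful NAT would then break. After committing, `show services stateful-firewall conversations service-set pat-service-set` should list no tcp/179 flows, and `show bgp summary` confirms the L3VPN session stayed established while the change was applied.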