SmartEdge: Simple NAPT configuration

in redback •  6 years ago 

[image: smartedge-napt.png]

Rules – how to apply NAT

  • The NAT policy is applied to incoming traffic (ip nat <policy-name> on the interface where the inside traffic enters; interface LAN in the example below)
  • The IP address of the outgoing interface cannot be used in the NAT pool
  • The NAT pool must be on a separate subnet (not part of the interface subnet)
  • With dynamic NAT, a route of type NAT is created automatically (no extra route configuration is needed)
  • With static NAT, an extra route must be added (ip route 6.6.6.0/24 1.1.2.2) pointing to the NAT interface, so that returning packets reach the translation
  • After "clear ip route *", dynamic NAT stops working and the NAT policy must be re-applied at the interface level (SEOS 6.2)
  • On a "multibind" interface, the combination of static and dynamic NAT does not work (only dynamic NAT is operational); the pool should be configured as multibind:

ip nat pool my-pool napt multibind

  • The NAT policy can also be applied at the subscriber level:
subscriber default
     ip address pool
     nat policy my-nat

Dynamic NAT:

A ping from the “LAN” context with any source address is NAT-ed in the “local” context on interface LAN. For example, source address 1.1.2.2 is replaced by an address from POOL-1 (2.2.2.0/24, dynamic mapping) and the packet is routed to context WAN.

Static NAT:

A ping from the “LAN” context sourced from 5.5.5.5 is NAT-ed in the “local” context on interface LAN: source address 5.5.5.5 is replaced by 6.6.6.6 (static mapping) and the packet is routed to context WAN.
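The following is an added example, not code from the original post: a small Python model of the POL-NAT policy described above. It reproduces the two behaviours the post relies on (a static source rule that wins over the default class, and the default class doing NAPT out of POOL-1), shows the reverse lookup for returning packets, and enforces two of the rules listed earlier (the pool must not overlap the NAT interface's subnet, and the outgoing interface address must not be in the pool). Addresses and the policy shape come from the post; the names Flow, NatPolicy, check_pool and demo, the use of a single pool address, and the NAPT port range starting at 1024 are this example's own assumptions.

```python
"""Model of a SmartEdge-style NAT policy: static source rules, then NAPT from a pool.
Example code written for this page; not the vendor's implementation."""
from dataclasses import dataclass, replace
from itertools import count
from typing import Dict, List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Flow:
    proto: str   # "icmp", "tcp" or "udp"
    src: str
    sport: int   # for icmp this is the echo identifier
    dst: str
    dport: int


def check_pool(pool_cidr: str, nat_if: str, out_if: str) -> List[str]:
    """Return the rule violations for a pool, given the NAT-facing and the
    outgoing interface in 'address/prefix' form (empty list = OK)."""
    pool = ipaddress.ip_network(pool_cidr)
    nat_net = ipaddress.ip_interface(nat_if).network
    out_addr = ipaddress.ip_interface(out_if).ip
    problems = []
    if pool.overlaps(nat_net):
        problems.append(f"pool {pool} overlaps NAT interface subnet {nat_net}")
    if out_addr in pool:
        problems.append(f"outgoing interface address {out_addr} is inside pool {pool}")
    return problems


class NatPolicy:
    """Ingress: 'ip static in source A B' rules first, then NAPT from the pool.
    Egress: reverse lookup of the same two tables (the 'src nat' ingress and
    'dst nat' egress rule tables the box shows)."""

    def __init__(self, pool_cidr: str, static_rules: Dict[str, str],
                 nat_if: str, out_if: str, first_port: int = 1024):
        problems = check_pool(pool_cidr, nat_if, out_if)
        if problems:
            raise ValueError("; ".join(problems))
        # assumption: one pool address is enough for this example
        self.pool_addr = str(next(ipaddress.ip_network(pool_cidr).hosts()))
        self.static = dict(static_rules)                       # inside -> outside
        self.static_rev = {v: k for k, v in static_rules.items()}
        self._ports = count(first_port)                        # assumed NAPT port allocator
        self.dyn: Dict[Tuple[str, str, int], Tuple[str, int]] = {}
        self.dyn_rev: Dict[Tuple[str, str, int], Tuple[str, int]] = {}

    def ingress(self, f: Flow) -> Flow:
        """Packet entering the NAT interface from the inside."""
        if f.src in self.static:
            # static NAT: address only, port/identifier kept (Ports 0000/0000 in the rule table)
            return replace(f, src=self.static[f.src])
        key = (f.proto, f.src, f.sport)
        if key not in self.dyn:                # new flow: pool address + unique port
            mapping = (self.pool_addr, next(self._ports))
            self.dyn[key] = mapping
            self.dyn_rev[(f.proto,) + mapping] = (f.src, f.sport)
        nat_src, nat_port = self.dyn[key]
        return replace(f, src=nat_src, sport=nat_port)

    def egress(self, f: Flow) -> Optional[Flow]:
        """Packet leaving towards the inside; None = no mapping, packet dropped."""
        if f.dst in self.static_rev:
            # static NAT is bidirectional: anything sent to 6.6.6.6 reaches 5.5.5.5
            return replace(f, dst=self.static_rev[f.dst])
        hit = self.dyn_rev.get((f.proto, f.dst, f.dport))
        if hit is None:
            return None
        src, sport = hit
        return replace(f, dst=src, dport=sport)


def demo() -> dict:
    pol = NatPolicy("2.2.2.0/24", {"5.5.5.5": "6.6.6.6"},
                    nat_if="1.1.2.1/24", out_if="192.168.1.1/24")
    dyn = pol.ingress(Flow("icmp", "1.1.2.2", 9, "192.168.1.2", 0))
    sta = pol.ingress(Flow("icmp", "5.5.5.5", 9, "192.168.1.2", 0))
    # replies come back addressed to the translated source
    dyn_reply = pol.egress(Flow("icmp", "192.168.1.2", 0, dyn.src, dyn.sport))
    sta_reply = pol.egress(Flow("icmp", "192.168.1.2", 0, sta.src, sta.sport))
    # unsolicited inbound traffic: NAPT drops it, static NAT forwards it
    unsolicited = pol.egress(Flow("tcp", "192.168.1.2", 40000, pol.pool_addr, 22))
    to_static = pol.egress(Flow("tcp", "192.168.1.2", 40000, "6.6.6.6", 22))
    return {"dyn": dyn, "sta": sta, "dyn_reply": dyn_reply, "sta_reply": sta_reply,
            "unsolicited": unsolicited, "to_static": to_static}


if __name__ == "__main__":
    for name, flow in demo().items():
        print(f"{name:12} {flow}")
```

The last two flows in demo() are the point worth keeping in mind when choosing between the two modes: a NAPT mapping only exists after an inside host has sent something, so unsolicited packets to the pool address have nowhere to go, whereas a static rule exposes the inside host to any inbound traffic addressed to its public address.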

Example configuration:

!
context local
!
 ip nat pool POOL-1 napt
  address 2.2.2.0/24
!
 nat policy POL-NAT
! Default class
  pool POOL-1 local
! Static rules
  ip static in source 5.5.5.5 6.6.6.6
!
 interface LAN
  ip address 1.1.2.1/24
  ip nat POL-NAT acl-counters
!
 interface WAN
  ip address 192.168.1.1/24
!
 ip route 0.0.0.0/0 192.168.1.2
 ip route 5.5.5.0/24 1.1.2.2
 ip route 6.6.6.0/24 1.1.2.2
 ip route 159.107.0.0/16 159.107.90.1
!
context WAN
!
 interface to-local
  ip address 192.168.1.2/24
 no logging console
!
 ip route 1.1.2.0/24 192.168.1.1
 ip route 1.1.3.0/24 192.168.1.1
 ip route 2.2.2.0/24 192.168.1.1
 ip route 6.6.6.0/24 192.168.1.1
!
context LAN
!
 interface Static loopback
  ip address 5.5.5.5/24
!
 interface to-local
  ip address 1.1.2.2/24
 no logging console
!
 ip route 0.0.0.0/0 1.1.2.1
!
! ** End Context **
!
card carrier 2
 mic 1 fe-12-port
!
port ethernet 2/1
 no shutdown
 medium-type copper
 bind interface to-local LAN
!
port ethernet 2/2
 no shutdown
 medium-type copper
 bind interface LAN local
!
port ethernet 2/3
 no shutdown
 bind interface WAN local
!
port ethernet 2/4
 no shutdown
 bind interface to-local WAN
!
end

Checking NAT translation:

[LAN]Redback# ping 192.168.1.2
PING 192.168.1.2 (192.168.1.2): source 1.1.2.2, 36 data bytes,
timeout is 1 second
!!!!!
 
[LAN]Redback# ping 192.168.1.2 source 5.5.5.5
PING 192.168.1.2 (192.168.1.2): source 5.5.5.5, 36 data bytes,
timeout is 1 second
!!!!!
 
[local]Redback# show nat policy POL-NAT detail
 
Policy name             :  POL-NAT
Policy grid             :  0x1
Number of rules          :  1
Slot mask               :  0xc
Number of binds         :  1
  Circuit               :  2/2
 
Reference counters (in circuits * classes):
Slot     2
           1
 
Static NAT Rules:
In/Out      Protocol    Src-Addr            Port    NAT-Src-Addr        Port    NAT-Ctx-Id
in              ip              5.5.5.5             0       6.6.6.6                 0       0x40080001
 
Class-Name              Action/  Pool-Grid/   Dest-IP-Addr/   Timeout(sec)  Admit-Ctrl
                            P2MP    Context-Id  Context-Id
 
default             na[p]t  0x1                                 tcp    86400
                        Off         0x40080001                      udp    120
                                                                finrst 240
                                                                icmp   60
                                                                syn    128
                                                                    basic  3600

** Note: the commands below are not official commands and should be used with extra attention. The syntax may change in a new release. **

Checking dynamic translations

[local]Redback# show card 2 nat ?
  circuit        Display circuit nat information
  counters       Display NAT counters (without drop counters)
  drop-counters  Display NAT drop counters
  log            NAT Message Log
  policy         Display policy information
  pool           Display pool information
  translation    Display translation information
 
[local]Redback# show context
Context Name               Context ID        VPN-RD               Description
------------------------------------------------------------------------------
local                      0x40080001
 
[local]Redback# show card 2 nat translation context 0x40080001 source any
 
Slot 2 Ingress:
 
 Type  IP From          IP To            Ports      Flag   Pointer     Ctx Flag
 Flag: D-Dynamic, R-remote, Z-dmz, A-admission, I-ignore translation,
       d-dest NAT, U - p2mp UDP
 NAPT  1.1.2.2          2.2.2.0          1990/0009  0x0014 0x50024440  1/1 D
 NAPT  1.1.2.2          2.2.2.0          1991/0010  0x0014 0x500244a0  1/1 D
 NAPT  1.1.2.2          2.2.2.0          1989/0008  0x0014 0x500243e0  1/1 D

Checking static translation

[local]Redback# show card 2 nat circuit 2/2:1023:63/1/1/7 detail
 
 Circuit 2/2:1023:63/1/1/7 ingress
  Feature block pointer: 0x4ea8b4e0
  Policy: grid=1 version=1 pointer=0xf0536ae0
  Number src  rules: 1 ptr 0xf05877c0
  Number dst  rules: 0 ptr 0x0
  Number napt rules: 0 ptr 0x0
  Out nat ptr 0xd053c2c0 napt ptr 0xf053eac0
  class 0 ptr 0x4eaab500
 Rule table:
 Type       IP From           IP To            Ports            Csum    Idx   Ctx   Vrs
 src nat    5.5.5.5             6.6.6.6          0000/0000      0xfdfd    65    1       1
 
 Circuit 2/2:1023:63/1/1/7 egress
  Feature block pointer: 0x4ae2c520
  Policy: grid=1 version=1 pointer=0xd00eb240
  Number src  rules: 0 ptr 0x0
  Number dst  rules: 1 ptr 0xd09cf0e0
  Number napt rules: 0 ptr 0x0
 Rule table:
 Type     IP From          IP To            Ports      Csum    Idx   Ctx   Vrs
 dst nat  6.6.6.6          5.5.5.5          0000/0000  0x0202  129   1     1

Checking translation by using “access-list”

!
 ip access-list dyn
  seq 10 permit ip 2.2.2.0 0.0.0.255 any
  seq 15 permit ip host 6.6.6.6 any
  seq 20 permit ip any any
!
!
 interface to-local
  ip address 192.168.1.2/24
  ip access-group dyn in count log
 no logging console
!
 
[WAN]Redback# clear access-group ip-filter interface to-local in all
[WAN]Redback# show access-group ip-filter interface to-local in counters
Circuit 2/4, slot 2, IPv4 access-list dyn, in, 3 rules
 
Hit Count:         0  No Match (Default)
Hit Count:         0  seq 10 permit ip 2.2.2.0 0.0.0.255 any
Hit Count:         0  seq 15 permit ip host 6.6.6.6 any
Hit Count:         0  seq 20 permit ip any any
 
[LAN]Redback# ping 192.168.1.2 source 5.5.5.5
PING 192.168.1.2 (192.168.1.2): source 5.5.5.5, 36 data bytes,
timeout is 1 second
!!!!!
[LAN]Redback# ping 192.168.1.2
PING 192.168.1.2 (192.168.1.2): source 1.1.2.2, 36 data bytes,
timeout is 1 second
!!!!!
[WAN]Redback# show access-group ip-filter interface to-local in counters
 
Circuit 2/4, slot 2, IPv4 access-list dyn, in, 3 rules
 
Hit Count:         0  No Match (Default)
Hit Count:         5  seq 10 permit ip 2.2.2.0 0.0.0.255 any
Hit Count:         5  seq 15 permit ip host 6.6.6.6 any
Hit Count:         0  seq 20 permit ip any any
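As an added example (not part of the original post), the checks from the "Checking dynamic translations" and "Checking translation by using access-list" sections can be automated: parse the 'show card 2 nat translation' table and the before/after 'show access-group ... counters' output, and compare them with the policy. The sample outputs embedded below are copied from the post; the regexes, the function names and the assumption that the columns keep the layout shown above are this example's own.

```python
"""Verify NAT from SmartEdge show output. Example code written for this page;
the regexes assume the column layout shown in the post."""
import ipaddress
import re
from collections import Counter
from typing import Dict, List

# copied from the 'show card 2 nat translation ...' output in the post
TRANSLATION_OUTPUT = """\
 Slot 2 Ingress:

 Type  IP From          IP To            Ports      Flag   Pointer     Ctx Flag
 Flag: D-Dynamic, R-remote, Z-dmz, A-admission, I-ignore translation,
       d-dest NAT, U - p2mp UDP
 NAPT  1.1.2.2          2.2.2.0          1990/0009  0x0014 0x50024440  1/1 D
 NAPT  1.1.2.2          2.2.2.0          1991/0010  0x0014 0x500244a0  1/1 D
 NAPT  1.1.2.2          2.2.2.0          1989/0008  0x0014 0x500243e0  1/1 D
"""

# copied from the two 'show access-group ip-filter ... counters' outputs in the post
COUNTERS_BEFORE = """\
Circuit 2/4, slot 2, IPv4 access-list dyn, in, 3 rules

Hit Count:         0  No Match (Default)
Hit Count:         0  seq 10 permit ip 2.2.2.0 0.0.0.255 any
Hit Count:         0  seq 15 permit ip host 6.6.6.6 any
Hit Count:         0  seq 20 permit ip any any
"""
COUNTERS_AFTER = """\
Circuit 2/4, slot 2, IPv4 access-list dyn, in, 3 rules

Hit Count:         0  No Match (Default)
Hit Count:         5  seq 10 permit ip 2.2.2.0 0.0.0.255 any
Hit Count:         5  seq 15 permit ip host 6.6.6.6 any
Hit Count:         0  seq 20 permit ip any any
"""

ROW = re.compile(
    r"^\s*(?P<type>NAPT|NAT)\s+(?P<src>[\d.]+)\s+(?P<nat>[\d.]+)\s+"
    r"(?P<p1>\d+)/(?P<p2>\d+)\s+(?P<flag>0x[0-9a-f]+)\s+(?P<ptr>0x[0-9a-f]+)\s+"
    r"(?P<ctx>\S+)\s+(?P<flags>[A-Za-z]*)\s*$"
)
HIT = re.compile(r"^Hit Count:\s+(?P<n>\d+)\s+(?P<rule>.+?)\s*$")


def parse_translations(text: str) -> List[dict]:
    """One dict per translation row; the two port fields are kept as printed."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            d = m.groupdict()
            d["p1"], d["p2"] = int(d["p1"]), int(d["p2"])
            rows.append(d)
    return rows


def check_translations(rows: List[dict], pool_cidr: str) -> List[str]:
    """Dynamic (flag D) rows must translate into the pool, and no translated
    (address, port) tuple may be handed out twice."""
    pool = ipaddress.ip_network(pool_cidr)
    problems, used = [], Counter()
    for r in rows:
        if "D" in r["flags"] and ipaddress.ip_address(r["nat"]) not in pool:
            problems.append(f"{r['src']} translated to {r['nat']}, outside pool {pool}")
        used[(r["nat"], r["p1"])] += 1
    problems += [f"translated tuple {k} used {n} times" for k, n in used.items() if n > 1]
    return problems


def parse_hits(text: str) -> Dict[str, int]:
    return {m["rule"]: int(m["n"]) for line in text.splitlines() if (m := HIT.match(line))}


def hit_delta(before: str, after: str) -> Dict[str, int]:
    b, a = parse_hits(before), parse_hits(after)
    return {rule: a[rule] - b.get(rule, 0) for rule in a}


def translation_confirmed(before: str, after: str, pings_sent: int) -> bool:
    """Both NAT-ed sources must account for the pings, and nothing may reach
    the WAN side with an untranslated source (that would land on seq 20)."""
    d = hit_delta(before, after)
    return (d["seq 10 permit ip 2.2.2.0 0.0.0.255 any"] == pings_sent
            and d["seq 15 permit ip host 6.6.6.6 any"] == pings_sent
            and d["seq 20 permit ip any any"] == 0)


if __name__ == "__main__":
    rows = parse_translations(TRANSLATION_OUTPUT)
    print(f"{len(rows)} dynamic translations, problems: {check_translations(rows, '2.2.2.0/24')}")
    print("ACL deltas:", hit_delta(COUNTERS_BEFORE, COUNTERS_AFTER))
    print("translation confirmed:", translation_confirmed(COUNTERS_BEFORE, COUNTERS_AFTER, 5))
```

The seq 20 check is the useful negative test: if the NAT policy were lost (for example after "clear ip route *", as noted in the rules above), the pings would still reach the WAN context, but with their original 1.1.2.2 / 5.5.5.5 sources, and the delta would move from seq 10 / seq 15 to seq 20.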