Determining Traffic Direction - Juniper ACX1000 Configuration Manual

Junos OS; ACX Series Universal Access Router

Determining Traffic Direction

Copyright © 2017, Juniper Networks, Inc.
Chapter 31: Configuring Network Address Translation (NAT) and Stateful Firewall Services
When a next-hop service is configured, the IPsec or NAT engine is considered to be a two-part interface, with one part configured to be the inside interface (inside the network) and the other configured as the outside interface (outside the network).

To configure the service domain, include the service-domain statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy level:

[edit interfaces interface-name unit logical-unit-number]
service-domain (inside | outside);

The service-domain setting must match the configuration for the next-hop's inside and outside services interfaces. To configure the inside and outside services interfaces, include the next-hop-service statement at the [edit services service-set service-set-name] hierarchy level. The interfaces you specify must be logical interfaces on the same NAT engine. You cannot configure unit 0 for this purpose, and the logical interface you choose must not be used by another service set.

next-hop-service {
    inside-service-interface interface-name.unit-number;
    outside-service-interface interface-name.unit-number;
}

Traffic on which the service is applied is forced to the inside interface using a static route. For example:

routing-options {
    static {
        route 10.1.2.3 next-hop si-0/0/0.1;
    }
}

After the service is applied, traffic exits through the outside interface. A lookup is then performed in the Packet Forwarding Engine to send the packet out of the NAT engine.

The reverse traffic enters the outside interface, is serviced, and sent to the inside interface. The inside interface forwards the traffic out of the NAT engine.

When you configure next-hop service sets, the IPsec or NAT engine functions as a two-part interface, in which one part is the inside interface and the other part is the outside interface. The following sequence of actions takes place:

1. To associate the two parts with logical interfaces, you configure two logical interfaces with the service-domain statement, one with the inside value and one with the outside value, to mark them as either an inside or outside service interface.
2. The router forwards the traffic to be serviced to the inside interface, using the next-hop lookup table.
3. After the service is applied, the traffic exits from the outside interface. A route lookup is then performed on the packets to be sent out of the router.
4. When the reverse traffic returns on the outside interface, the applied service is undone; for example, IPsec traffic is decrypted or NAT addresses are unmasked. The serviced
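
The constraints stated above for next-hop service sets can be checked mechanically before a commit. The following is an added example, not part of the Juniper manual: it scans a constructed configuration in Junos set format and reports mismatched service-domain values, use of unit 0, a logical interface shared by two service sets, and inside/outside interfaces on different services interfaces. The function name, the sample service-set names, and treating the physical interface name as the "NAT engine" are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in Junos "set" format; names and units are illustrative.
SAMPLE = """\
set interfaces si-0/0/0 unit 1 family inet
set interfaces si-0/0/0 unit 1 service-domain inside
set interfaces si-0/0/0 unit 2 family inet
set interfaces si-0/0/0 unit 2 service-domain inside
set services service-set nat-a next-hop-service inside-service-interface si-0/0/0.1
set services service-set nat-a next-hop-service outside-service-interface si-0/0/0.2
set services service-set nat-b next-hop-service inside-service-interface si-0/0/0.1
set services service-set nat-b next-hop-service outside-service-interface si-0/0/0.0
"""

DOMAIN = re.compile(r"set interfaces (\S+) unit (\d+) service-domain (inside|outside)$")
NEXTHOP = re.compile(r"set services service-set (\S+) next-hop-service "
                     r"(inside|outside)-service-interface (\S+)\.(\d+)$")

def check_next_hop_service_sets(config):
    """Return a sorted list of findings for the constraints stated in the text."""
    domains, sets, users, findings = {}, defaultdict(dict), defaultdict(set), []
    for line in map(str.strip, config.splitlines()):
        if m := DOMAIN.match(line):
            domains[(m[1], int(m[2]))] = m[3]
        elif m := NEXTHOP.match(line):
            sets[m[1]][m[2]] = (m[3], int(m[4]))
            users[(m[3], int(m[4]))].add(m[1])
    for name, roles in sets.items():
        for role in ("inside", "outside"):
            if role not in roles:
                findings.append(f"{name}: no {role}-service-interface")
                continue
            ifd, unit = roles[role]
            if unit == 0:  # unit 0 cannot be used for next-hop service interfaces
                findings.append(f"{name}: {role} interface {ifd}.0 uses unit 0")
            elif domains.get((ifd, unit)) != role:
                findings.append(f"{name}: {ifd}.{unit} service-domain is "
                                f"{domains.get((ifd, unit))}, expected {role}")
        if len({ifd for ifd, _ in roles.values()}) > 1:  # assumption: engine == physical interface
            findings.append(f"{name}: inside and outside are on different engines")
    for (ifd, unit), names in users.items():
        if len(names) > 1:
            findings.append(f"{ifd}.{unit}: shared by {', '.join(sorted(names))}")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(check_next_hop_service_sets(SAMPLE)))
```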
This manual is also suitable for: ACX5048, ACX5096, ACX500, ACX1100, ACX2000, ACX2100 ...
