Router configuration samples to set up and manage NAT
This article provides NAT configuration samples for Cisco ASA and Juniper SRX series routers when working with ExpressRoute. These router configurations are intended to be samples for guidance only and must not be used as is. You need to work with your vendor to come up with appropriate configurations for your network.
Important
Samples in this page are intended to be purely for guidance. You must work with your vendor's sales / technical team and your networking team to come up with appropriate configurations to meet your needs. Microsoft will not support issues related to configurations listed in this page. You must contact your device vendor for support issues.
The following router configuration samples apply to Azure Public and Microsoft peerings. You don't configure NAT for Azure private peering. Review ExpressRoute peerings and ExpressRoute NAT requirements for more details.
You MUST use separate NAT IP pools for connectivity to the internet and ExpressRoute. Using the same NAT IP pool across the internet and ExpressRoute results in asymmetric routing and loss of connectivity.
Cisco ASA firewalls
PAT configuration for traffic from customer network to Microsoft
object network MSFT-PAT
range <SNAT-START-IP> <SNAT-END-IP>
object-group network MSFT-Range
network-object <IP> <Subnet_Mask>
object-group network on-prem-range-1
network-object <IP> <Subnet-Mask>
object-group network on-prem-range-2
network-object <IP> <Subnet-Mask>
object-group network on-prem
network-object object on-prem-range-1
network-object object on-prem-range-2
nat (outside,inside) source dynamic on-prem pat-pool MSFT-PAT destination static MSFT-Range MSFT-Range
PAT configuration for traffic from Microsoft to customer network
Interfaces and Direction:
Source Interface (where the traffic enters the ASA): inside Destination Interface (where the traffic exits the ASA): outside
Configuration:
NAT Pool:
object network outbound-PAT
host <NAT-IP>
Target Server:
object network Customer-Network
network-object <IP> <Subnet-Mask>
Object Group for Customer IP Addresses:
object-group network MSFT-Network-1
network-object <MSFT-IP> <Subnet-Mask>
object-group network MSFT-PAT-Networks
network-object object MSFT-Network-1
NAT Commands:
nat (inside,outside) source dynamic MSFT-PAT-Networks pat-pool outbound-PAT destination static Customer-Network Customer-Network
Juniper SRX series routers
1. Create redundant Ethernet interfaces for the cluster
interfaces {
reth0 {
description "To Internal Network";
vlan-tagging;
redundant-ether-options {
redundancy-group 1;
}
unit 100 {
vlan-id 100;
family inet {
address <IP-Address/Subnet-mask>;
}
}
}
reth1 {
description "To Microsoft via Edge Router";
vlan-tagging;
redundant-ether-options {
redundancy-group 2;
}
unit 100 {
description "To Microsoft via Edge Router";
vlan-id 100;
family inet {
address <IP-Address/Subnet-mask>;
}
}
}
}
2. Create two security zones
- Trust Zone for internal network and Untrust Zone for external network facing Edge Routers
- Assign appropriate interfaces to the zones
- Allow services on the interfaces
security {
zones {
security-zone Trust {
host-inbound-traffic {
system-services {
ping;
}
protocols {
bgp;
}
}
interfaces {
reth0.100;
}
}
security-zone Untrust {
host-inbound-traffic {
system-services {
ping;
}
protocols {
bgp;
}
}
interfaces {
reth1.100;
}
}
}
}
3. Create security policies between zones
security {
policies {
from-zone Trust to-zone Untrust {
policy allow-any {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone Untrust to-zone Trust {
policy allow-any {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
}
4. Configure NAT policies
- Create two NAT pools. One is used to NAT traffic outbound to Microsoft and other from Microsoft to the customer.
- Create rules to NAT the respective traffic
security {
nat {
source {
pool SNAT-To-ExpressRoute {
routing-instance {
External-ExpressRoute;
}
address {
<NAT-IP-address/Subnet-mask>;
}
}
pool SNAT-From-ExpressRoute {
routing-instance {
Internal;
}
address {
<NAT-IP-address/Subnet-mask>;
}
}
rule-set Outbound_NAT {
from routing-instance Internal;
to routing-instance External-ExpressRoute;
rule SNAT-Out {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
pool {
SNAT-To-ExpressRoute;
}
}
}
}
}
rule-set Inbound-NAT {
from routing-instance External-ExpressRoute;
to routing-instance Internal;
rule SNAT-In {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
pool {
SNAT-From-ExpressRoute;
}
}
}
}
}
}
}
}
5. Configure BGP to advertise selective prefixes in each direction
Refer to samples in Routing configuration samples page.
6. Create policies
routing-options {
autonomous-system <Customer-ASN>;
}
policy-options {
prefix-list Microsoft-Prefixes {
<IP-Address/Subnet-Mask;
<IP-Address/Subnet-Mask;
}
prefix-list private-ranges {
10.0.0.0/8;
172.16.0.0/12;
192.168.0.0/16;
100.64.0.0/10;
}
policy-statement Advertise-NAT-Pools {
from {
protocol static;
route-filter <NAT-Pool-Address/Subnet-mask> prefix-length-range /32-/32;
}
then accept;
}
policy-statement Accept-from-Microsoft {
term 1 {
from {
instance External-ExpressRoute;
prefix-list-filter Microsoft-Prefixes orlonger;
}
then accept;
}
term deny {
then reject;
}
}
policy-statement Accept-from-Internal {
term no-private {
from {
instance Internal;
prefix-list-filter private-ranges orlonger;
}
then reject;
}
term bgp {
from {
instance Internal;
protocol bgp;
}
then accept;
}
term deny {
then reject;
}
}
}
routing-instances {
Internal {
instance-type virtual-router;
interface reth0.100;
routing-options {
static {
route <NAT-Pool-IP-Address/Subnet-mask> discard;
}
instance-import Accept-from-Microsoft;
}
protocols {
bgp {
group customer {
export <Advertise-NAT-Pools>;
peer-as <Customer-ASN-1>;
neighbor <BGP-Neighbor-IP-Address>;
}
}
}
}
External-ExpressRoute {
instance-type virtual-router;
interface reth1.100;
routing-options {
static {
route <NAT-Pool-IP-Address/Subnet-mask> discard;
}
instance-import Accept-from-Internal;
}
protocols {
bgp {
group edge-router {
export <Advertise-NAT-Pools>;
peer-as <Customer-Public-ASN>;
neighbor <BGP-Neighbor-IP-Address>;
}
}
}
}
}
Next steps
For more information, see ExpressRoute FAQ.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for