When using a next hop service set, remember that the packet must go through the “two-legged table” of the inside and outside interfaces. Regardless of which interface the packet enters, two route table lookups will always be performed. To avoid a routing loop, the pre- and post-service lookups must return different next hop values. You can accomplish this in a few ways:

VRs are the most preferred method, followed by FBF and destination NAT. VRs and FBF solve the double next hop issue by using multiple route tables, whereas destination NAT attempts to use a single route table.

With destination NAT, the forward direction can be fairly cut and dried, as Figure 8-1 demonstrates; simply perform a lookup on the original destination address, which causes the packet to be serviced, and then change the destination address and perform a second lookup on the new destination address to be used for forwarding. Issues arise in the reverse direction, where the destination address would normally stay the same. In this case, you would have to use a method such as FBF to solve this problem.

Figure 8-1. Destination NAT

FBF uses JUNOS software packet filters to redirect traffic to a new route table. These filters are applied to a physical interface ...