[j-nsp] NAT & IPSEC on same interface of J-series

will at loopfree.net will at loopfree.net
Fri Aug 19 00:24:46 EDT 2005

JUNOS Software Release [7.2R1.7]

I have a J2300 running with a remote office hanging off the T1. I used a stateful-FW+NAT
service-set (interface-service sp-0/0/0) applied to the T1 to source-nat some of the remote
office's traffic. That worked fine.

I created another service-set for IPSEC (next-hop-service sp-0/0/0.1001 and .2001) to
simply encrypt all traffic to & from the remote office, with a static route to
remote-office/23 next-hop sp-0/0/0.1001.

IPSEC works fine, but broke the NAT. Traffic flows without matching any of the 
stateful-firewall rules and is therefore never matched to get NATed.

The only way I could get NAT working again was to move the NAT service-set to fe-0/0/0
instead of the T1. This seems silly -- what if I needed NAT and IPSEC on all interfaces? Is
there some way to define precedence of next-hop and service-interface service-sets
affecting traffic flowing on a given physical interface?

-Will  :: AD6XL
 Orton :: http://www.loopfree.net/

More information about the juniper-nsp mailing list