[j-nsp] NAT & IPSEC on same interface of J-series
will at loopfree.net
Fri Aug 19 00:24:46 EDT 2005
JUNOS Software Release [7.2R1.7]
I have a J2300 running with a remote office hanging off the T1. I used a stateful-FW+NAT
service-set (interface-service sp-0/0/0) applied to the T1 to source-nat some of the remote
office's traffic. That worked fine.
I created another service-set for IPSEC (next-hop-service sp-0/0/0.1001 and .2001) to
simply encrypt all traffic to & from the remote office, with a static route to
remote-office/23 next-hop sp-0/0/0.1001.
IPSEC works fine, but it broke the NAT. Traffic flows without matching any of the
stateful-firewall rules and is therefore never matched to get NATed.
The only way I could get NAT working again was to move the NAT service-set to fe-0/0/0
instead of the T1. This seems silly -- what if I needed NAT and IPSEC on all interfaces? Is
there some way to define precedence of next-hop and service-interface service-sets
affecting traffic flowing on a given physical interface?
--
-Will :: AD6XL
Orton :: http://www.loopfree.net/
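The layout Will describes, reconstructed here as an added example (this is not his
configuration and not a Juniper sample): a stateful-firewall + source-NAT service set
applied as an interface-service on the T1, and a separate IPsec service set of the
next-hop-service type with a static route steering the remote-office prefix into its
inside interface. The T1 slot/port (t1-0/0/2), every rule and policy name, the remote-office
prefix 10.20.0.0/23, and all addresses (RFC 5737 documentation ranges) are assumed; the
pre-shared key is a placeholder.

```junos
# Reconstruction of the setup in the post (added example, not Will's config).
# The T1 slot/port, all names and all addresses are assumed.
set interfaces sp-0/0/0 unit 0 family inet
set interfaces sp-0/0/0 unit 1001 family inet
set interfaces sp-0/0/0 unit 1001 service-domain inside
set interfaces sp-0/0/0 unit 2001 family inet
set interfaces sp-0/0/0 unit 2001 service-domain outside
# Stateful FW + source NAT applied as an interface-service on the T1.
set interfaces t1-0/0/2 unit 0 family inet service input service-set FW-NAT
set interfaces t1-0/0/2 unit 0 family inet service output service-set FW-NAT
set interfaces t1-0/0/2 unit 0 family inet address 203.0.113.1/30
# Static route that hands remote-office traffic to the IPsec inside interface.
set routing-options static route 10.20.0.0/23 next-hop sp-0/0/0.1001
# Stateful-firewall and NAT rules referenced by the FW-NAT service set.
set services stateful-firewall rule FW-REMOTE match-direction input-output
set services stateful-firewall rule FW-REMOTE term allow then accept
set services nat pool SNAT-POOL address 192.0.2.1/32
set services nat pool SNAT-POOL port automatic
set services nat rule SNAT-REMOTE match-direction input
set services nat rule SNAT-REMOTE term remote-office from source-address 10.20.0.0/23
set services nat rule SNAT-REMOTE term remote-office then translated source-pool SNAT-POOL
set services nat rule SNAT-REMOTE term remote-office then translated translation-type source dynamic
# IPsec rule, IKE and IPsec policies referenced by the IPSEC-REMOTE service set.
set services ipsec-vpn rule VPN-REMOTE match-direction input
set services ipsec-vpn rule VPN-REMOTE term all then remote-gateway 203.0.113.2
set services ipsec-vpn rule VPN-REMOTE term all then dynamic ike-policy IKE-POL
set services ipsec-vpn rule VPN-REMOTE term all then dynamic ipsec-policy IPSEC-POL
set services ipsec-vpn ipsec proposal ESP-AES-SHA protocol esp
set services ipsec-vpn ipsec proposal ESP-AES-SHA authentication-algorithm hmac-sha1-96
set services ipsec-vpn ipsec proposal ESP-AES-SHA encryption-algorithm aes-128-cbc
set services ipsec-vpn ipsec policy IPSEC-POL proposals ESP-AES-SHA
set services ipsec-vpn ike proposal IKE-PROP authentication-method pre-shared-keys
set services ipsec-vpn ike proposal IKE-PROP dh-group group2
set services ipsec-vpn ike proposal IKE-PROP authentication-algorithm sha1
set services ipsec-vpn ike proposal IKE-PROP encryption-algorithm aes-128-cbc
set services ipsec-vpn ike policy IKE-POL mode main
set services ipsec-vpn ike policy IKE-POL proposals IKE-PROP
set services ipsec-vpn ike policy IKE-POL pre-shared-key ascii-text "replace-me"
set services ipsec-vpn establish-tunnels immediately
# The two service sets: interface-service on the T1, next-hop-service for IPsec.
set services service-set FW-NAT stateful-firewall-rules FW-REMOTE
set services service-set FW-NAT nat-rules SNAT-REMOTE
set services service-set FW-NAT interface-service service-interface sp-0/0/0
set services service-set IPSEC-REMOTE next-hop-service inside-service-interface sp-0/0/0.1001
set services service-set IPSEC-REMOTE next-hop-service outside-service-interface sp-0/0/0.2001
set services service-set IPSEC-REMOTE ipsec-vpn-options local-gateway 203.0.113.1
set services service-set IPSEC-REMOTE ipsec-vpn-rules VPN-REMOTE
```

What this layout implies: packets for 10.20.0.0/23 are routed into sp-0/0/0.1001 before
they ever reach the T1, and what comes back out of sp-0/0/0.2001 and crosses the T1 is ESP
between 203.0.113.1 and 203.0.113.2. The FW-NAT interface-service on the T1 therefore sees
the tunnel packets, not the cleartext remote-office flows that SNAT-REMOTE matches on, which
is consistent with the symptom in the post. Useful checks after a commit: `show route
10.20.0.0/23` should point at sp-0/0/0.1001, `show services ipsec-vpn ipsec
security-associations` should show the SA up, and `show services stateful-firewall flows`
will show whether any remote-office sources are being tracked by FW-NAT at all.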