[j-nsp] NAT & IPSEC on same interface of J-series

Matt Yaklin myaklin at g4.net
Fri Aug 19 00:31:44 EDT 2005



On Thu, 18 Aug 2005 will at loopfree.net wrote:

> JUNOS Software Release [7.2R1.7]
>
> I have a J2300 running with a remote office hanging off the T1. I used a stateful-FW+NAT
> service-set (interface-service sp-0/0/0) applied to the T1 to source-nat some of the remote
> office's traffic. That worked fine.
>
> I created another service-set for IPSEC (next-hop-service sp-0/0/0.1001 and .2001) to
> simply encrypt all traffic to & from the remote office, with a static route to
> remote-office/23 next-hop sp-0/0/0.1001.
>
> IPSEC works fine, but broke the NAT. Traffic flows without matching any of the
> stateful-firewall rules and is therefore never matched to get NATed.
>
> The only way I could get NAT working again was to move the NAT service-set to fe-0/0/0

This is how I would have solved the issue on a regular fbsd box.
Reverse natd is what they call it. It works great.


> instead of the T1. This seems silly -- what if I needed NAT and IPSEC on all interfaces? Is
> there some way to define precedence of next-hop and service-interface service-sets
> affecting traffic flowing on a given physical interface?
>

I am now curious how others solve the problem of nat/ipsec on a single
router.

m

> --
> -Will  :: AD6XL
>  Orton :: http://www.loopfree.net/
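As an added illustration (not configuration posted in the thread or taken from Juniper documentation), the arrangement Will ends up with, written out as JUNOS services stanzas: the stateful-firewall/NAT service set attached as interface-service on fe-0/0/0 rather than the T1, and the IPsec next-hop service set reached through the static route to sp-0/0/0.1001. Addresses, rule and pool names are placeholders I chose, and the IKE/IPsec proposals and policies referenced by name are assumed to be defined elsewhere.

```junos
/* Added example, not from the thread. Placeholders: 10.1.0.0/23 = remote office, 192.0.2.1 = this router's
   IKE endpoint, 203.0.113.1 = remote gateway, 198.51.100.10 = NAT pool address. IKE/IPsec policies omitted. */
interfaces {
    sp-0/0/0 {
        unit 0 { family inet; }                              /* used by the interface-service (NAT) set */
        unit 1001 { family inet; service-domain inside; }    /* IPsec next-hop set, cleartext side */
        unit 2001 { family inet; service-domain outside; }   /* IPsec next-hop set, ciphertext side */
    }
    fe-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
                /* NAT set moved to the LAN-side interface, as described in the thread */
                service { input { service-set nat-ss; } output { service-set nat-ss; } }
            }
        }
    }
}
/* steer remote-office traffic into the IPsec next-hop set */
routing-options { static { route 10.1.0.0/23 next-hop sp-0/0/0.1001; } }
services {
    stateful-firewall { rule sfw-rule { match-direction input-output; term allow { then accept; } } }
    nat {
        pool src-pool { address 198.51.100.10/32; port automatic; }
        rule src-nat {
            match-direction output;      /* remote-office traffic leaving via fe-0/0/0 */
            term t1 {
                from { source-address 10.1.0.0/23; }
                then { translated { source-pool src-pool; translation-type source dynamic; } }
            }
        }
    }
    ipsec-vpn {
        rule vpn-rule {
            match-direction input;
            term t1 { then { remote-gateway 203.0.113.1; dynamic { ike-policy ike-pol; ipsec-policy ipsec-pol; } } }
        }
    }
    service-set nat-ss {
        stateful-firewall-rules sfw-rule;
        nat-rules src-nat;
        interface-service { service-interface sp-0/0/0; }
    }
    service-set ipsec-ss {
        next-hop-service { inside-service-interface sp-0/0/0.1001; outside-service-interface sp-0/0/0.2001; }
        ipsec-vpn-options { local-gateway 192.0.2.1; }
        ipsec-vpn-rules vpn-rule;
    }
}
```

With the NAT set on fe-0/0/0, remote-office packets are translated on the LAN side before or after the IPsec next-hop set sees them, which is why the two no longer contend on the T1; the thread's open question about precedence between interface-service and next-hop-service sets on one physical interface is not answered here.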