[j-nsp] NAT for vrf-instance!
Harshit Kumar
harshit at juniper.net
Tue Jan 17 18:52:31 EST 2006
Gokhan,
I had a brief look at it. Packets destined to 192.168.10.6 won't hit the "sp" static route since they find a longer match (as shown below), so destination NAT won't kick in. Also your rules don't look right: the first rule Kisik_Balik will match everything and the second rule would never kick in. You can try using different terms in the same rule or different service-sets. You can use "show services stateful-firewall flows" to see what's flowing through the ASP PIC. JTAC can help you further.
routing-options {
    static {
        route 192.168.10.0/24 next-hop 84.51.42.102; <<<<<<<<<<<<<<
        route 192.168.20.0/24 next-hop 84.51.42.106;
        route 0.0.0.0/0 next-hop sp-0/2/0.39;
    }
}
HTHs
harshit
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net
> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Gökhan Gümüs
> Sent: Tuesday, January 17, 2006 5:11 AM
> To: juniper-nsp at puck.nether.net
> Subject: [j-nsp] NAT for vrf-instance!
>
> Hi to all,
>
> I have a problem about NAT configuration (especially translation-type
> destination-static) on a vrf-instance. I have two locations in a
> Layer 3 VPN and they also have Internet access with an AS PIC2. They use
> illegal IP addresses in their local networks (192.168.10.0/24, 192.168.20.0/24)
> and are NATted on my AS PIC to exit to the Internet. But our customer wants
> everybody to be able to access my local server through "Remote Desktop" on
> port 3389; the server's IP address is 192.168.10.6.
>
> I must set a destination translation but I think it doesn't work
> properly. This is the configuration:
>
> alev at fulya-M10i-re0> show configuration services nat pool Kisik_Balik
> address 84.51.42.136/30;
> port automatic;
>
> alev at fulya-M10i-re0> show configuration services nat pool Kisik_Balik_2
> --------------------> that is for accessing the local server and destination translation
> address 84.51.42.141/32;
>
> --------------------------------------------------------------------------
>
> alev at fulya-M10i-re0> show configuration services nat rule Kisik_Balik
> match-direction input;
> term 1 {
>     then {
>         translated {
>             source-pool Kisik_Balik;
>             translation-type source dynamic;
>         }
>     }
> }
>
> alev at fulya-M10i-re0> show configuration services nat rule Kisik_Balik_output
> match-direction output;
> term 1 {
>     from {
>         destination-address {
>             192.168.10.6/32;
>         }
>         inactive: applications junos-http;
>     }
>     then {
>         translated {
>             destination-pool Kisik_Balik_2;
>             translation-type destination static;
>         }
>     }
> }
>
> --------------------------------------------------------------------------
>
> alev at fulya-M10i-re0> show configuration services service-set Kisik_Balik
> stateful-firewall-rules allow_all;
> nat-rules Kisik_Balik;
> nat-rules Kisik_Balik_output;
> next-hop-service {
>     inside-service-interface sp-0/2/0.39;
>     outside-service-interface sp-0/2/0.40;
> }
>
> --------------------------------------------------------------------------
>
> alev at fulya-M10i-re0> show configuration interfaces sp-0/2/0.39
> family inet;
> service-domain inside;
>
> alev at fulya-M10i-re0> show configuration interfaces sp-0/2/0.40
> family inet;
> service-domain outside;
>
> --------------------------------------------------------------------------
>
> alev at fulya-M10i-re0> show configuration routing-instances Kisik
> instance-type vrf;
> interface at-1/2/0.64;
> interface at-1/2/0.65;
> interface sp-0/2/0.39;
> route-distinguisher 84.51.0.2:109;
> vrf-import Kisik_Import;
> vrf-export Kisik_Export;
> routing-options {
>     static {
>         route 192.168.10.0/24 next-hop 84.51.42.102;
>         route 192.168.20.0/24 next-hop 84.51.42.106;
>         route 0.0.0.0/0 next-hop sp-0/2/0.39;
>     }
> }
>
> --------------------------------------------------------------------------
>
> - In that situation my instance works properly and the locations can access
> the Internet, but I want everybody to be able to access the local server
> (as defined above).
>
> Also, how can I test whether it is working or not? Must I type
> "84.51.42.141" into my Windows Remote Desktop client to reach the local
> server (192.168.10.6)?
>
> Thanks and best regards
>
>
> Gokhan Gumus JNCIA
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
>
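To make Harshit's two points concrete, here is an added Python model (not code from this thread, and not Junos itself) that replays the forwarding lookup over the static routes of routing-instance Kisik as posted above, and then walks the NAT terms first-match. The flat, ordered term list, the `from`-only matching and the names `reaches_service_pic`, `first_matching_term` and `check_path` are assumptions of this model; real Junos service-set evaluation has more to it. What the model shows is that a packet to 192.168.10.6 takes the /24 route to 84.51.42.102, never reaches sp-0/2/0.39, and so is never seen by any NAT rule, and that even if it did, a term with no `from` clause is hit first.

```python
import ipaddress

# Static routes of routing-instance "Kisik" as posted on the list.
STATIC_ROUTES = [
    ("192.168.10.0/24", "84.51.42.102"),
    ("192.168.20.0/24", "84.51.42.106"),
    ("0.0.0.0/0", "sp-0/2/0.39"),
]

# Inside service interface of service-set Kisik_Balik, as posted.
INSIDE_SERVICE_IFL = "sp-0/2/0.39"


def longest_prefix_match(dst, routes=STATIC_ROUTES):
    """Return (prefix, next_hop) of the most specific route covering dst,
    or None if no route covers it. This is the ordinary forwarding lookup:
    a /24 always wins over the 0/0 default."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return (str(best[0]), best[1]) if best else None


def reaches_service_pic(dst, routes=STATIC_ROUTES, inside_ifl=INSIDE_SERVICE_IFL):
    """True only if the route lookup hands the packet to the inside service
    interface; otherwise the service set (and its NAT rules) is never consulted."""
    hit = longest_prefix_match(dst, routes)
    return hit is not None and hit[1] == inside_ifl


# NAT terms in evaluation order: a simplified, hypothetical flat model of the
# two rules as posted. The first term has no 'from' clause, so it matches every
# packet and nothing after it is ever evaluated.
NAT_TERMS = [
    {"rule": "Kisik_Balik", "from": {},
     "then": "source dynamic -> Kisik_Balik"},
    {"rule": "Kisik_Balik_output", "from": {"destination-address": "192.168.10.6/32"},
     "then": "destination static -> Kisik_Balik_2"},
]


def first_matching_term(dst, terms=NAT_TERMS):
    """First-match evaluation: return (rule, action) of the first term whose
    'from' conditions all hold. An empty 'from' matches everything."""
    addr = ipaddress.ip_address(dst)
    for term in terms:
        cond = term["from"]
        if "destination-address" in cond and \
                addr not in ipaddress.ip_network(cond["destination-address"]):
            continue
        return term["rule"], term["then"]
    return None


def check_path(dst):
    """Summarise what happens to a packet destined to dst: which route it takes,
    whether it enters the service PIC, and which NAT term it would hit there."""
    entered = reaches_service_pic(dst)
    return {
        "route": longest_prefix_match(dst),
        "enters_service_pic": entered,
        "nat_term": first_matching_term(dst) if entered else None,
    }


if __name__ == "__main__":
    for dst in ("192.168.10.6", "192.168.20.9", "8.8.8.8"):
        print(dst, check_path(dst))
```

The on-box counterpart of `check_path` is the check Harshit names: `show services stateful-firewall flows`. A destination that never shows up there was routed around the service PIC, exactly what the model reports for 192.168.10.6.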