[j-nsp] Configuring NAT on J2300
Harry Reynolds
harry at juniper.net
Tue May 9 17:42:49 EDT 2006
Any chance you can use the J-Web wizard? When I did, the resulting basic
NAT config that was generated is below, as taken from the J-series
training course.
HTHs:
Goals:
-Ensure that traffic originating on the 10.222.2.0/24 subnet is
delivered to Amsterdam with a 10.222.3.1 source address
-Assume that multiple sources will be active at the same time
-Permit all ingress traffic on the untrusted interface
[edit]
lab at London# show | compare base-static
[edit interfaces]
+ sp-0/0/0 {
+ unit 0 {
+ family inet;
+ }
+ }
[edit interfaces fe-0/0/1 unit 0 family inet]
+ service {
+ input {
+ service-set jweb-wan-sfw-service-set;
+ }
+ output {
+ service-set jweb-wan-sfw-service-set;
+ }
+ }
services {
+ stateful-firewall {
+ rule jweb-sfw-to-wan {
+ match-direction output;
+ term jweb-apply-alg {
+ from {
+ application-sets junos-algs-outbound;
+ }
+ then {
+ accept;
+ }
+ }
+ term jweb-accept-all {
+ then {
+ accept;
+ }
+ }
+ }
++ rule jweb-sfw-from-wan {
+ match-direction input;
+ term jweb-discard-all {
+ then {
+ accept;
+ }
+ }
+ }
+ }
+ nat {
+ pool jweb-nat-pool {
+ address-range low 10.222.3.1 high 10.222.3.1;
+ port automatic;
+ }
+ rule jweb-nat-to-wan {
+ match-direction output;
+ term jweb-nat-term {
+ then {
+ translated {
+ source-pool jweb-nat-pool;
+ translation-type source dynamic;
+ }
+ }
+ }
+ }
+ }
+ service-set jweb-wan-sfw-service-set {
+ stateful-firewall-rules jweb-sfw-to-wan;
+ stateful-firewall-rules jweb-sfw-from-wan;
+ nat-rules jweb-nat-to-wan;
+ interface-service {
+ service-interface sp-0/0/0;
+ }
+ }
+ }
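Review bot: In rule jweb-sfw-from-wan, the term named jweb-discard-all ends in "then { accept; }", so its name says the opposite of what it does. The action matches the stated goal of permitting all ingress traffic on the untrusted interface, but a reader reusing this config outside the lab will take the name at face value and assume inbound WAN traffic is dropped. Rename the term (for example jweb-accept-all), or change the action to discard if unsolicited inbound sessions should not be allowed. Separately, term jweb-nat-term has no from clause, so the source translation to 10.222.3.1 is not restricted to the 10.222.2.0/24 subnet named in the goals; a from match on that source prefix would scope it. The line "++ rule jweb-sfw-from-wan {" also carries a doubled plus sign that looks like a paste artifact.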
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net
> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Chris Adams
> Sent: Tuesday, May 09, 2006 2:32 PM
> To: juniper-nsp at puck.nether.net
> Subject: [j-nsp] Configuring NAT on J2300
>
> I'm trying to set up a J2300 for NAT with a single public
> static IP. I haven't set up NAT on a Juniper before, and I'm
> having trouble figuring it out. Help?
> --
> Chris Adams <cmadams at hiwaay.net>
> Systems and Network Administrator - HiWAAY Internet Services
> I don't speak for anybody but myself - that's enough trouble.