[j-nsp] Configuring NAT on J2300

Harry Reynolds harry at juniper.net
Wed May 10 10:33:59 EDT 2006


NP Chris.

As to your remaining points. Yes, a license is needed to use the
j-series' SW instantiation of the ASP, which mimics the HW assist
non-j-series boxes get with installation of an ASP. Upside is you lose
no functionality, so you are free to test. Downside is you will not get
(JTAC) support and will have to suffer through log/cli warnings until
you license the feature.

The wording you point out does seem to describe 1:1 NAT, as opposed to
n:1 PAT.  The key is the inclusion of port automatic, as per the example I
sent, which evokes PAT to allow a single external IP to be shared by
many internal IPs.

The example below is from the 7.6 docs on services interfaces.

HTHs


[begin]

Oversubscribed Pool with a Fallback to NAPT

The following configuration shows dynamic address translation from a
large prefix to a small pool, translating a /24 subnet to a pool of 10
addresses. When the addresses in the source pool (src-pool) are
exhausted, network address translation is provided by the NAPT overload
pool (pat-pool).

[edit services nat]
pool src-pool {
    address-range low 192.16.2.1 high 192.16.2.10;
}
pool pat-pool {
    address-range low 192.16.2.11 high 192.16.2.12;
    port automatic;    <<<<<<<<<<<<<<<<<<<
}
rule myrule {
    match-direction input;
    term myterm {
        from {
            source-address 10.150.1.0/24;
        }
        then {
            translated {
                source-pool src-pool;
                overload-pool pat-pool;
                translation-type source dynamic;
            }
        }
    }
}
 

> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net 
> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Chris Adams
> Sent: Wednesday, May 10, 2006 6:47 AM
> To: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] Configuring NAT on J2300
> 
> Once upon a time, Harshit Kumar <harshit at juniper.net> said:
> > Docs might help too
> > 
> > http://www.juniper.net/techpubs/software/junos/junos76/swconfig76-services/frameset.htm
> 
> Thanks to both responses.  I had read through the docs for a 
> while and tried some configuration, but my mistake was I went 
> straight to the NAT section.  I haven't done any firewalling 
> on a Juniper either, so I skipped those sections, and didn't 
> realize how NAT related to it (so I couldn't figure out how 
> to apply my NAT config to an actual interface).
> 
> Oh, now I get "warning: requires 'firewall' license".
> 
> Also, the docs for translation-type statement say:
> 
>   * source dynamic -- Implement address translation for source
>     traffic with Network Address Port Translation (NAPT). You must
>     specify a source-pool name. The referenced pool must include a port
>     or address configuration.
> 
>   This option supports translating a large range of addresses to a
>   smaller size pool. The requests from the source address range are
>   assigned to the addresses in the pool until the pool is used up, and
>   any additional requests are rejected. A NAT address assigned to a host
>   is used for all concurrent sessions from that host. The address is
>   released to the pool only after all the sessions for that host expire.
>   This feature enables the router to share a few public IP addresses
>   between several private hosts. Since all the private hosts might not
>   simultaneously create sessions, they can share a few public IP
>   addresses.
> 
> That sounded to me like a pool IP was matched with a private 
> IP for as long as a private IP had associated sessions, so if 
> I only specified one public IP, I could only have one private 
> IP accessing the outside world at a time.
> 
> --
> Chris Adams <cmadams at hiwaay.net>
> Systems and Network Administrator - HiWAAY Internet Services 
> I don't speak for anybody but myself - that's enough trouble.
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net 
> http://puck.nether.net/mailman/listinfo/juniper-nsp
> 
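The pool semantics the quoted docs describe (one src-pool address per host, released only when all of that host's sessions expire, then fallback to the NAPT overload pool) as an added Python model; this is illustration written for this page, not code from the thread or from Junos. It assumes a constructed two-port range per pat-pool address so exhaustion is easy to see, and the host and session names are made up; the page's own pools (192.16.2.1-.10, 192.16.2.11-.12, 10.150.1.0/24) are used as input.

```python
from ipaddress import ip_address

def addr_range(low, high):
    """Expand a Junos 'address-range low X high Y' into a list of addresses."""
    lo, hi = int(ip_address(low)), int(ip_address(high))
    return [str(ip_address(i)) for i in range(lo, hi + 1)]

class SourceDynamicNat:
    """Toy model of 'translation-type source dynamic' with an optional overload-pool."""

    def __init__(self, src_pool, pat_pool=None, pat_ports=(1024, 1025)):
        self.free_src = addr_range(*src_pool)   # src-pool addresses not bound to any host
        self.bindings = {}                      # private host -> its src-pool address
        self.sessions = {}                      # session id -> (host, pool kind, external tuple)
        # pat_ports is a constructed two-port range so NAPT exhaustion is easy to observe;
        # 'port automatic' on a real box draws from a far larger port range.
        self.free_pat = [(a, p) for a in (addr_range(*pat_pool) if pat_pool else [])
                         for p in range(pat_ports[0], pat_ports[1] + 1)]

    def open_session(self, host, sid):
        """Return the external (address, port) for a new session, or None if rejected."""
        if host in self.bindings:                # a bound host reuses its address for every session
            ext = (self.bindings[host], None)
            self.sessions[sid] = (host, "src-pool", ext)
        elif self.free_src:                      # dynamic 1:1: take the next free src-pool address
            self.bindings[host] = self.free_src.pop(0)
            ext = (self.bindings[host], None)
            self.sessions[sid] = (host, "src-pool", ext)
        elif self.free_pat:                      # src-pool exhausted: NAPT gives one (addr, port) per session
            ext = self.free_pat.pop(0)
            self.sessions[sid] = (host, "pat-pool", ext)
        else:                                    # no overload-pool, or it is full too: request rejected
            return None
        return ext

    def close_session(self, sid):
        """Expire a session; a src-pool address is released only when the host has no sessions left."""
        host, kind, ext = self.sessions.pop(sid)
        if kind == "pat-pool":
            self.free_pat.append(ext)
        elif not any(h == host and k == "src-pool" for h, k, _ in self.sessions.values()):
            self.free_src.append(self.bindings.pop(host))
```

With a single-address pool and no overload-pool, the model reproduces Chris's reading: a second private host is rejected until the first host's last session expires.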
