[j-nsp] Configuring NAT on J2300

Harry Reynolds harry at juniper.net
Wed May 10 13:53:30 EDT 2006


<update to the list>

It seems the issue is related to the NAT rule set direction and the
interface to which that rule-set is applied. In my example the NAT rule
was applied to the OP interface, as an output rule. This supports use of
the assigned IP as the nat pool.  Seems that Chris applied his nat rule
as input to the input (trusted LAN) interface, which did not work for
assigned WAN IP as nat pool, but does work for some arbitrary IP as NAT
pool.

I am not sure if this is expected behavior and plan to investigate; at
least the mystery is solved.

I'll look into whether this is expected behavior.

Regards

> -----Original Message-----
> From: Harry Reynolds 
> Sent: Wednesday, May 10, 2006 8:44 AM
> To: Chris Adams
> Cc: juniper-nsp at puck.nether.net
> Subject: RE: [j-nsp] Configuring NAT on J2300
> 
> Hmmm. Could there be a FW or filter blocking return traffic 
> to .203?  Also, are you even seeing return traffic being 
> generated at far end?  Maybe there is no route back causing 
> discard of replies.
> 
> The CLI output and remote dump indicate PAT seems to be working.
> 
> Regards
> 
>  
> 
> > -----Original Message-----
> > From: Chris Adams [mailto:cmadams at hiwaay.net]
> > Sent: Wednesday, May 10, 2006 8:41 AM
> > To: Harry Reynolds
> > Cc: juniper-nsp at puck.nether.net
> > Subject: Re: [j-nsp] Configuring NAT on J2300
> > 
> > Once upon a time, Harry Reynolds <harry at juniper.net> said:
> > > I am not 100% sure, but believe you can use the IP assigned to the
> > > interfaces as a NAT pool. In fact, the j-series training material
> > > NAT/SFW lab does just this. AFAIK it still works, but I have not
> > > messed with it for over a year now.
> > > 
> > > What does the show services nat pool command display when you 
> > > encounter the problem?
> > 
> > Working on .205:
> > 
> > admin at offgw> show services nat pool one-ip detail    
> > Interface: sp-0/0/0, Service set: do-nat
> >   NAT pool: one-ip, Translation type: dynamic
> >     Address range: x.x.x.205-x.x.x.205
> >     Port range: 512-65535, Ports in use: 1, Out of port errors: 0,
> >     Max ports used: 8
> > 
> > Not working on .203:
> > 
> > admin at offgw> show services nat pool one-ip detail    
> > Interface: sp-0/0/0, Service set: do-nat
> >   NAT pool: one-ip, Translation type: dynamic
> >     Address range: x.x.x.203-x.x.x.203
> >     Port range: 512-65535, Ports in use: 1, Out of port errors: 0,
> >     Max ports used: 8
> > 
> > If I dump the traffic at the far end, I see translated traffic getting
> > to the far end (e.g. if I "ssh remotehost" from the private LAN while
> > running tcpdump on "remotehost", I see traffic from x.x.x.203).
> > 
> > --
> > Chris Adams <cmadams at hiwaay.net>
> > Systems and Network Administrator - HiWAAY Internet Services
> > I don't speak for anybody but myself - that's enough trouble.
> > 
> 
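
The arrangement the update at the top of this message reports as working, written out as an added Junos configuration sketch that is not from the thread: the NAT rule matches in the output direction and the service set is applied to the WAN interface whose own address is the single-address pool (the pool and service-set names are the thread's, one-ip and do-nat). The interface name fe-0/0/1, the inside prefix 192.168.1.0/24 and the documentation address 198.51.100.203 (standing in for the thread's x.x.x.203) are assumptions; the translation-type source dynamic keyword is the older form that matches the thread's "Translation type: dynamic" output and differs in later releases, and the sp-0/0/0 interface stanza itself is omitted.

```junos
interfaces {
    fe-0/0/1 {
        unit 0 {
            family inet {
                /* service set applied on the WAN interface, not the LAN one */
                service {
                    input {
                        service-set do-nat;
                    }
                    output {
                        service-set do-nat;
                    }
                }
                /* assumed placeholder for the thread's x.x.x.203 */
                address 198.51.100.203/30;
            }
        }
    }
}
services {
    service-set do-nat {
        nat-rules nat-out;
        interface-service {
            service-interface sp-0/0/0;
        }
    }
    nat {
        pool one-ip {
            /* same address as the fe-0/0/1 interface above */
            address 198.51.100.203/32;
            port {
                automatic;
            }
        }
        rule nat-out {
            /* output direction: translate traffic leaving the WAN interface */
            match-direction output;
            term t1 {
                from {
                    source-address 192.168.1.0/24;
                }
                then {
                    translated {
                        source-pool one-ip;
                        translation-type source dynamic;
                    }
                }
            }
        }
    }
}
```

Applying the same rule as an input rule on the trusted LAN interface is the variant the update says did not work with the assigned WAN address as the pool, so "show services nat pool one-ip detail" is worth checking against which interface carries the service set.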