[j-nsp] Configuring NAT on J2300

Harshit Kumar harshit at juniper.net
Thu May 11 20:24:38 EDT 2006


For the benefit of everyone, here is the possible reasoning
behind the mystery:

Harry,
       I think you are hitting this problem:
        
There is a reverse route created automatically for the pool address (for
reverse translation), something like:

3.3.3.0/24 -> [static/1] sp-x/y/z.outside_ifl  (if your pool was 3.3.3.0/24)

If your interface address was also 3.3.3.0/24 you will have
a direct or local route pointing to the phy interface.

3.3.3.0/24 -> [direct or local/0] phy-intf (ge-x/y/z.W)

The direct/local route will have more preference, so the RE will consume the
packets and they won't get reverse-translated, which breaks NAT.

thx
Harshit 


> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net 
> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of 
> Harry Reynolds
> Sent: Wednesday, May 10, 2006 10:54 AM
> To: Harry Reynolds; Chris Adams
> Cc: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] Configuring NAT on J2300
> 
> <update to the list>
> 
> It seems the issue is related to the NAT rule-set direction and the
> interface to which that rule-set is applied. In my example the NAT rule
> was applied to the OP interface, as an output rule. This supports use of
> the assigned IP as the NAT pool. Seems that Chris applied his NAT rule
> as input to the input (trusted LAN) interface, which did not work for
> the assigned WAN IP as NAT pool, but does work for some arbitrary IP as
> NAT pool.
> 
> I am not sure if this is expected behavior and plan to investigate; at
> least the mystery is solved.
> 
> I'll look into whether this is expected behavior.
> 
> Regards
> 
> 
> > -----Original Message-----
> > From: Harry Reynolds 
> > Sent: Wednesday, May 10, 2006 8:44 AM
> > To: Chris Adams
> > Cc: juniper-nsp at puck.nether.net
> > Subject: RE: [j-nsp] Configuring NAT on J2300
> > 
> > Hmmm. Could there be a FW or filter blocking return traffic 
> > to .203?  Also, are you even seeing return traffic being 
> > generated at far end?  Maybe there is no route back causing 
> > discard of replies.
> > 
> > The cli op, and remote dump indicates PAT seems to be working.
> > 
> > Regards
> > 
> >  
> > 
> > > -----Original Message-----
> > > From: Chris Adams [mailto:cmadams at hiwaay.net]
> > > Sent: Wednesday, May 10, 2006 8:41 AM
> > > To: Harry Reynolds
> > > Cc: juniper-nsp at puck.nether.net
> > > Subject: Re: [j-nsp] Configuring NAT on J2300
> > > 
> > > Once upon a time, Harry Reynolds <harry at juniper.net> said:
> > > > I am not 100% sure, but believe you can use the IP assigned to the
> > > > interfaces as a NAT pool. In fact, the j-series training material
> > > > NAT/SFW lab does just this. AFAIK it still works, but I have not
> > > > messed with it for over a year now.
> > > > 
> > > > What does the show services nat pool command display when you 
> > > > encounter the problem?
> > > 
> > > Working on .205:
> > > 
> > > admin at offgw> show services nat pool one-ip detail    
> > > Interface: sp-0/0/0, Service set: do-nat
> > >   NAT pool: one-ip, Translation type: dynamic
> > >     Address range: x.x.x.205-x.x.x.205
> > >     Port range: 512-65535, Ports in use: 1, Out of port errors: 0,
> > >     Max ports used: 8
> > > 
> > > Not working on .203:
> > > 
> > > admin at offgw> show services nat pool one-ip detail    
> > > Interface: sp-0/0/0, Service set: do-nat
> > >   NAT pool: one-ip, Translation type: dynamic
> > >     Address range: x.x.x.203-x.x.x.203
> > >     Port range: 512-65535, Ports in use: 1, Out of port errors: 0,
> > >     Max ports used: 8
> > > 
> > > If I dump the traffic at the far end, I see translated traffic getting
> > > to the far end (e.g. if I "ssh remotehost" from the private LAN while
> > > running tcpdump on "remotehost", I see traffic from x.x.x.203).
> > > 
> > > --
> > > Chris Adams <cmadams at hiwaay.net>
> > > Systems and Network Administrator - HiWAAY Internet Services
> > > I don't speak for anybody but myself - that's enough trouble.
> > > 
> > 
> 
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
> 
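As an added illustration (not part of the original thread or of any Juniper code), the following Python models the route-selection argument Harshit gives at the top of this message: longest prefix first, then lowest protocol preference, with direct/local at 0 beating the auto-installed reverse route for the pool. The prefixes 3.3.3.0/24 and 4.4.4.0/24, the interface names ge-0/0/0.0 and sp-0/0/0.1, and the preference value 1 for the reverse route are assumptions chosen to match the thread. The model only captures the overlapping-prefix case; it does not explain the input-versus-output rule placement difference Harry observed.

```python
"""Constructed model of Junos-style route selection for NAT reverse traffic.

Not Junos code; it reproduces the reasoning in the message above so the
effect of a pool prefix overlapping the interface subnet can be seen.
"""
import ipaddress
from dataclasses import dataclass

# Lower preference wins. direct/local are 0 as stated in the thread; the
# value for the auto-installed reverse route is an assumption (shown as
# static/1 above) and only needs to be higher than 0 for the argument.
PREFERENCE = {"direct": 0, "local": 0, "static": 1}

SP_OUTSIDE = "sp-0/0/0.1"   # assumed outside ifl of the services interface


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    protocol: str
    next_hop: str           # interface the reply is handed to


def build_rib(outside_if_addr: str, pool_prefix: str,
              phy_ifl: str = "ge-0/0/0.0"):
    """Routes the box holds for the outside side: direct and local routes
    for the physical interface, plus the reverse route the NAT pool
    installs toward the sp- outside ifl."""
    iface = ipaddress.IPv4Interface(outside_if_addr)
    return [
        Route(iface.network, "direct", phy_ifl),
        Route(ipaddress.IPv4Network(f"{iface.ip}/32"), "local", "RE"),
        Route(ipaddress.IPv4Network(pool_prefix), "static", SP_OUTSIDE),
    ]


def select_route(rib, dst: str):
    """Longest prefix match, then lowest preference; None if no route."""
    dst_ip = ipaddress.IPv4Address(dst)
    candidates = [r for r in rib if dst_ip in r.prefix]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-r.prefix.prefixlen, PREFERENCE[r.protocol]))


def reverse_translated(outside_if_addr: str, pool_prefix: str,
                       translated_src: str) -> bool:
    """True if a reply addressed to translated_src reaches the sp- outside
    ifl (and so gets reverse-translated) rather than the RE or the
    physical interface."""
    route = select_route(build_rib(outside_if_addr, pool_prefix),
                         translated_src)
    return route is not None and route.next_hop == SP_OUTSIDE


if __name__ == "__main__":
    # (interface address, NAT pool, translated source seen by the far end)
    cases = [
        ("3.3.3.1/24", "3.3.3.0/24", "3.3.3.10"),   # pool overlaps subnet
        ("3.3.3.1/24", "4.4.4.0/24", "4.4.4.10"),   # arbitrary pool
        ("3.3.3.1/24", "3.3.3.1/32", "3.3.3.1"),    # pool is the if address
    ]
    for iface, pool, src in cases:
        r = select_route(build_rib(iface, pool), src)
        ok = reverse_translated(iface, pool, src)
        print(f"pool {pool:12} reply to {src:9} -> "
              f"[{r.protocol}/{PREFERENCE[r.protocol]}] via {r.next_hop}; "
              f"NAT {'ok' if ok else 'broken'}")
```

On the real box the check is `show route <pool-prefix>` on the J-series: if the best route for the pool prefix points at the physical interface or shows as Local rather than at the sp- outside ifl, replies will not be reverse-translated.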


