[j-nsp] Static NAT

Jonathan Looney jonlooney at gmail.com
Fri Nov 2 12:11:15 EDT 2007


Matt,

Now that you've gotten this far, adding inbound static NAT is pretty simple. :-)

Create a NAT pool with your internal address(es).

Add a new rule with a match-direction of "output".  In this rule, add
a term with a "from" clause that matches packets with a destination
address of your public address.  In the then clause, specify the NAT
pool with your internal addresses (as a destination-pool) and a
translation type of "destination static".

Here's an example which translates 172.17.39.18/32 (outside address)
to 192.168.200.1/32 (inside address):
services {
    nat {
        pool dest-pool {
            address 192.168.200.1/32;
        }
        rule dest-nat {
            match-direction output;
            term dest-nat {
                from {
                    destination-address {
                        172.17.39.18/32;
                    }
                }
                then {
                    translated {
                        destination-pool dest-pool;
                        translation-type {
                            destination static;
                        }
                    }
                }
            }
        }
    }
}

Don't forget to match on applications in the rule, if necessary, to
activate ALGs.

Now, you just add the new rule to the existing service-set and
everything should work!

-Jon


On 11/1/07, Matt Stevens <matt at elevate.org> wrote:
> I'm a recent Cisco convert - trying to wrap my head around the Juniper
> way of dealing with NAT.
>
> I'm trying to get a setup working where I can allow inbound traffic
> through the NAT to specific internal machines.
>
> Ideally I'd like to be able to map things at a port level - ie. port 80
> on external address X goes to port Y on internal address Z.
>
> I have things working to the point where I can NAT a specific internal
> address to a specific external address (see config at the end), with
> everyone else using PAT on a different address. But I can't seem to
> figure out how I allow inbound traffic through.
>
> This is on a J-4350, if that makes any difference...
>
> Any pointers in the right direction would be most appreciated!
> --
> matt
>
>
> Here's my service nat config. I have the service-set for this applied on
> the internal interface:
>      rule NAT {
>          match-direction input;
>          term static-matt {
>              from {
>                  source-address {
>                      192.168.1.238/32;
>                  }
>              }
>              then {
>                  translated {
>                      source-pool static-matt;
>                      translation-type {
>                          source static;
>                      }
>                  }
>              }
>          }
>          term dynamic {
>              then {
>                  translated {
>                      source-pool dynamic;
>                      translation-type {
>                          source dynamic;
>                      }
>                  }
>              }
>          }
>      }
> }
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>

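The two rules in this thread (Matt's input-direction source NAT and Jon's output-direction destination NAT) are easy to get subtly wrong before they reach a commit check: a pool name that does not match, a static translation whose pool is not the same size as what the term matches, or a match-direction that is backwards for where the service set is applied. The script below is an added example, not code from either poster or a Junos tool. It parses the Junos curly-brace syntax into nested dicts and runs those three checks over a constructed sample that combines both rules. The three pool definitions in the sample are assumptions (Matt's post shows only his rule, not his pools), and the direction check assumes, as Matt states, that the service set is applied on the inside interface, so "input" is traffic from the inside and "output" is traffic toward it.

```python
"""Pre-commit sanity checks for a Junos 'services nat' stanza (added example)."""
import ipaddress
import re

_TOKEN = re.compile(r"\{|\}|;|[^\s{};]+")


def parse_junos(text):
    """Turn Junos brace syntax 'a b { c d; }' into {'a b': {'c d': None}}."""
    tokens = _TOKEN.findall(text)
    pos = 0

    def block():
        nonlocal pos
        node, words = {}, []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == "{":
                node[" ".join(words)] = block()
                words = []
            elif tok == "}":
                return node
            elif tok == ";":
                node[" ".join(words)] = None
                words = []
            else:
                words.append(tok)
        return node

    return block()


def _child(node, name):
    return (node or {}).get(name) or {}


def _arg(node, stmt):
    """Argument of a one-word statement such as 'match-direction input;'."""
    return next((k.split()[1] for k in node or {} if k.startswith(stmt + " ")), None)


def _prefixes(node, stmt=None):
    """Networks from 'address X;' statements (stmt given) or from bare 'X;' keys."""
    keys = [k.split()[1] for k in node if k.startswith(stmt + " ")] if stmt else list(node)
    return [ipaddress.ip_network(k, strict=False) for k in keys]


def check_nat(config_text):
    """Return human-readable findings; an empty list means the stanza passes."""
    nat = _child(_child(parse_junos(config_text), "services"), "nat")
    pools = {k.split()[1]: _prefixes(v or {}, "address")
             for k, v in nat.items() if k.startswith("pool ")}
    findings = []
    for rkey, rule in nat.items():
        if not rkey.startswith("rule "):
            continue
        direction = _arg(rule, "match-direction")
        for tkey, term in rule.items():
            if not tkey.startswith("term "):
                continue
            where = f"{rkey} {tkey}"
            translated = _child(_child(term, "then"), "translated")
            ttype = next(iter(_child(translated, "translation-type")), "")  # e.g. 'destination static'
            if not ttype:
                continue
            side, mode = ttype.split()[0], ttype.split()[-1]
            pool_name = _arg(translated, f"{side}-pool")
            pool = pools.get(pool_name)
            # 1. the referenced pool must exist
            if pool is None:
                findings.append(f"{where}: {side}-pool '{pool_name}' is not defined")
            # 2. source NAT is 'input', destination NAT is 'output' (service set on the inside interface)
            expected = "input" if side == "source" else "output"
            if direction and direction != expected:
                findings.append(f"{where}: {side} NAT with match-direction {direction}, "
                                f"expected {expected} with the service set on the inside interface")
            # 3. static translation is one-to-one: matched addresses == pool addresses
            if mode == "static" and pool is not None:
                matched = _prefixes(_child(_child(term, "from"), f"{side}-address"))
                n_match = sum(n.num_addresses for n in matched)
                n_pool = sum(n.num_addresses for n in pool)
                if not matched:
                    findings.append(f"{where}: static translation has no {side}-address match")
                elif n_match != n_pool:
                    findings.append(f"{where}: static translation matches {n_match} address(es) "
                                    f"but pool '{pool_name}' holds {n_pool}")
    return findings


# Constructed sample: Jon's dest-nat rule plus Matt's NAT rule. The pool
# contents are assumptions; Matt's post does not show his pools.
SAMPLE_CONFIG = """
services {
    nat {
        pool static-matt { address 172.17.39.17/32; }
        pool dynamic { address 172.17.39.16/32; port automatic; }
        pool dest-pool { address 192.168.200.1/32; }
        rule NAT {
            match-direction input;
            term static-matt {
                from { source-address { 192.168.1.238/32; } }
                then { translated { source-pool static-matt; translation-type { source static; } } }
            }
            term dynamic {
                then { translated { source-pool dynamic; translation-type { source dynamic; } } }
            }
        }
        rule dest-nat {
            match-direction output;
            term dest-nat {
                from { destination-address { 172.17.39.18/32; } }
                then { translated { destination-pool dest-pool; translation-type { destination static; } } }
            }
        }
    }
}
"""

if __name__ == "__main__":
    for line in check_nat(SAMPLE_CONFIG) or ["no findings"]:
        print(line)
```

Run it against a `show configuration services nat` dump before committing; swapping the /32 in dest-pool for a /24, or misspelling the pool name in the term, produces a finding naming the rule and term. The direction check is only a heuristic tied to where the service set sits, so read its output with the interface placement in mind.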