[j-nsp] Static NAT
Matt Stevens
matt at elevate.org
Fri Nov 2 16:08:42 EDT 2007
Thanks Jon!
I actually got it working another way. There's a new option in 8.4,
nat-type. It's not documented anywhere that I can find, other than the
release notes for 8.4. And it's only available for the J-Series.
rule NAT {
    match-direction input;
    term static-matt {
        nat-type full-cone;
Now to figure out how I can map an external tcp port to a different
internal tcp port so I can reuse an IP multiple times for different
services.
--
matt
Jonathan Looney wrote:
> Matt,
>
> Now that you've gotten this far, adding inbound static NAT is pretty simple. :-)
>
> Create a NAT pool with your internal address(es).
>
> Add a new rule with a match-direction of "output". In this rule, add
> a term with a "from" clause that matches packets with a destination
> address of your public address. In the then clause, specify the NAT
> pool with your internal addresses (as a destination-pool) and a
> translation type of "destination static".
>
> Here's an example which translates 172.17.39.18/32 (outside address)
> to 192.168.200.1/32 (inside address):
> services {
>     nat {
>         pool dest-pool {
>             address 192.168.200.2/32;
>         }
>         rule dest-nat {
>             match-direction output;
>             term dest-nat {
>                 from {
>                     destination-address {
>                         172.17.39.18/32;
>                     }
>                 }
>                 then {
>                     translated {
>                         destination-pool dest-pool;
>                         translation-type {
>                             destination static;
>                         }
>                     }
>                 }
>             }
>         }
>     }
> }
>
> Don't forget to match on applications in the rule, if necessary, to
> activate ALGs.
>
> Now, you just add the new rule to the existing service-set and
> everything should work!
>
> -Jon
>
>
> On 11/1/07, Matt Stevens <matt at elevate.org> wrote:
>> I'm a recent Cisco convert - trying to wrap my head around the Juniper
>> way of dealing with NAT.
>>
>> I'm trying to get a setup working where I can allow inbound traffic
>> through the NAT to specific internal machines.
>>
>> Ideally I'd like to be able to map things at a port level - i.e. port 80
>> on external address X goes to port Y on internal address Z.
>>
>> I have things working to the point where I can NAT a specific internal
>> address to a specific external address (see config at the end), with
>> everyone else using PAT on a different address. But I can't seem to
>> figure out how I allow inbound traffic through.
>>
>> This is on a J-4350, if that makes any difference...
>>
>> Any pointers in the right direction would be most appreciated!
>> --
>> matt
>>
>>
>> Here's my service nat config. I have the service-set for this applied on
>> the internal interface:
>> rule NAT {
>>     match-direction input;
>>     term static-matt {
>>         from {
>>             source-address {
>>                 192.168.1.238/32;
>>             }
>>         }
>>         then {
>>             translated {
>>                 source-pool static-matt;
>>                 translation-type {
>>                     source static;
>>                 }
>>             }
>>         }
>>     }
>>     term dynamic {
>>         then {
>>             translated {
>>                 source-pool dynamic;
>>                 translation-type {
>>                     source dynamic;
>>                 }
>>             }
>>         }
>>     }
>> }
>> }
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
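The point Jon is making about match-direction is the one that trips up people coming from Cisco: on a Junos stateful-firewall service-set, "input" and "output" are relative to the interface the service-set is applied to (here the internal interface), not to the inside/outside of the network. Matt's existing rule rewrites the *source* of packets entering that interface; Jon's new rule rewrites the *destination* of packets leaving it, which is what lets unsolicited traffic to the public address reach the inside host. The following Python model is an added example, not code from this thread or from Juniper. It replays both rule kinds against constructed packets with first-matching-term semantics. Simplifications: one address per pool, no ports, no flow table and no nat-type handling; the only addresses taken from the thread are Jon's 172.17.39.18 and 192.168.200.2, everything else is constructed.

```python
"""Model of a Junos NAT service-set applied to the *internal* interface.

Added example (not Juniper code).  Rules are evaluated only in their own
match-direction; within a rule the first term whose 'from' clause matches
wins.  Pools hold a single address, ports and flow state are not modelled.
"""
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Term:
    name: str
    translation_type: str          # "source static" | "source dynamic" | "destination static"
    pool: str                      # address the matched field is rewritten to
    from_source: Optional[str] = None       # from { source-address ... } ; None = any
    from_destination: Optional[str] = None  # from { destination-address ... } ; None = any


@dataclass(frozen=True)
class Rule:
    name: str
    match_direction: str           # "input" = entering the interface, "output" = leaving it
    terms: Tuple[Term, ...]


def term_matches(term: Term, pkt: Packet) -> bool:
    """A term matches when every configured 'from' field matches; unset fields match anything."""
    if term.from_source is not None and pkt.src != term.from_source:
        return False
    if term.from_destination is not None and pkt.dst != term.from_destination:
        return False
    return True


def apply_service_set(pkt: Packet, direction: str, rules: Tuple[Rule, ...]):
    """Return (translated_packet, "rule/term") or (pkt, None) if no term matched."""
    for rule in rules:
        if rule.match_direction != direction:
            continue                        # rule belongs to the other direction
        for term in rule.terms:
            if not term_matches(term, pkt):
                continue
            field = term.translation_type.split()[0]        # "source" or "destination"
            attr = "src" if field == "source" else "dst"
            return replace(pkt, **{attr: term.pool}), f"{rule.name}/{term.name}"
    return pkt, None


# Addresses: the static pair is Jon's; the dynamic pool address is constructed.
INSIDE_HOST = "192.168.200.2"      # internal server (Jon's pool dest-pool)
OUTSIDE_STATIC = "172.17.39.18"    # its public address
OUTSIDE_DYNAMIC = "172.17.39.1"    # constructed: address in the 'dynamic' pool
INTERNET_HOST = "198.51.100.10"    # constructed remote peer

SERVICE_SET: Tuple[Rule, ...] = (
    # Matt's rule: traffic *entering* the internal interface (inside -> outside)
    Rule("NAT", "input", (
        Term("static-server", "source static", OUTSIDE_STATIC, from_source=INSIDE_HOST),
        Term("dynamic", "source dynamic", OUTSIDE_DYNAMIC),       # catch-all PAT term
    )),
    # Jon's rule: traffic *leaving* the internal interface (outside -> inside)
    Rule("dest-nat", "output", (
        Term("dest-nat", "destination static", INSIDE_HOST, from_destination=OUTSIDE_STATIC),
    )),
)


def outbound(src: str, dst: str = INTERNET_HOST):
    """Inside host talking out: seen in the 'input' direction on the internal interface."""
    return apply_service_set(Packet(src, dst), "input", SERVICE_SET)


def inbound(dst: str, src: str = INTERNET_HOST):
    """Remote host talking to a public address: 'output' direction on the internal interface."""
    return apply_service_set(Packet(src, dst), "output", SERVICE_SET)


if __name__ == "__main__":
    for label, (pkt, hit) in [
        ("static host out ", outbound(INSIDE_HOST)),
        ("other host out  ", outbound("192.168.200.50")),
        ("to static addr  ", inbound(OUTSIDE_STATIC)),
        ("to dynamic addr ", inbound(OUTSIDE_DYNAMIC)),
    ]:
        print(f"{label} -> {pkt.src} > {pkt.dst}  ({hit or 'no match, not translated'})")
```

Two things the model makes visible. First, a packet for the public address that is evaluated in the wrong direction is never destination-translated, which is why the inbound rule must say match-direction output even though the traffic is "coming in" from the network's point of view. Second, the destination-static term admits unsolicited packets to the inside host on every port: in the model, traffic to the dynamic pool address matches nothing and stays untranslated, while anything addressed to 172.17.39.18 is forwarded inside. That is the reason to narrow the term with the applications match Jon mentions, or with a firewall filter, rather than relying on the translation alone.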