[j-nsp] NAT Port translation on JUNOS, puzzled...

Stefan Fouant sfouant at gmail.com
Tue Jun 17 10:20:19 EDT 2008


Ok, here are a few pointers... You can directly specify the destination
using the 'destination-prefix' command as opposed to the 'destination-pool'
command because in this configuration you are only translating for a single
address.  Furthermore, you need to specify the 'destination-address' and
'application' in the 'from' portion in order to properly match on the
appropriate flow you want to apply destination NAT to.

Give the following a try:

services {
    nat {
        rule nat-set {
            match-direction input;
            term 1 {
                /* Matches on inbound to 50.0.0.10/32 Port 80 */
                from {
                    destination-address {
                        50.0.0.10/32;
                    }
                    applications junos-http;
                }
                /* Static translation of Port 80 to 10.0.0.100/32 */
                then {
                    translated {
                        destination-prefix 10.0.0.100/32;
                        translation-type destination static;
                    }
                }
            }
        }
    }
    service-set wan-service-set {
        nat-rules nat-set;
        interface-service {
            service-interface sp-0/0/0;
        }
    }
}

You also might want to consider moving to JUNOS Enhanced Services as the NAT
configuration is greatly simplified and much more logical in nature than in
normal JUNOS using 'services' configs.

HTHs.

Stefan Fouant
Principal Network Engineer
NeuStar, Inc. - http://www.neustar.biz

On Tue, Jun 17, 2008 at 9:31 AM, Remco Bressers <rbressers at signet.nl> wrote:

> Hi Stefan,
>
> It would be great to receive a full snippet of config. Thanks!
>
> Remco
>
>
> Stefan Fouant wrote:
> > I'm on my Blackberry so I can't give you the full config right now but
> > you need to get rid of that 'port automatic' command as that will
> > enable PAT. Give me a few minutes and I will post the rest of the
> > configuration.
> >
> > Stefan Fouant
> > Principal Network Engineer
> > NeuStar, Inc. - http://www.neustar.biz
> >
> >
> >
> > On 6/17/08, Remco Bressers <rbressers at signet.nl> wrote:
> >> I'm working on a NAT setup, which is actually very straightforward but i
> >> still am puzzled by the services documentation from Juniper. Please help
> >> :).
> >>
> >> It's a J2300 with 2 interfaces, in and out. One public IP address and a
> >> local subnet on the inside. I got the network translation from the
> >> inside to the public ip working, but now i want to configure one single
> >> port-forward to an internal host (let's say 10.0.0.1) on port 80.
> >>
> >> But how? On a cheap $50 router it's a point-and-click, but it's not even
> >> in J-web?!
> >>
> >>
> >> The config i have now :
> >>
> >>
> >> services {
> >>     service-set wan-service-set {
> >>         nat-rules nat-set;
> >>         interface-service {
> >>             service-interface sp-0/0/0;
> >>         }
> >>     }
> >>     nat {
> >>         pool nat-pool {
> >>             address-range low 217.21.x.x high 217.21.x.x;
> >>             port automatic;
> >>         }
> >>         rule nat-set {
> >>             match-direction input;
> >>             term 1 {
> >>              from
> >>                 then {
> >>                     translated {
> >>                         source-pool nat-pool;
> >>                         translation-type {
> >>                             source dynamic;
> >>                         }
> >>                     }
> >>                 }
> >>             }
> >>         }
> >>     }
> >> }
> >>
> >>
> >>
> >> --
> >> Kind regards,
> >> Signet bv
> >>
> >>
> >> Remco Bressers
> >>
> >> T 040 - 707 4 907
> >> F 040 - 707 4 909
> >> E rbressers at signet.nl
> >> _______________________________________________
> >> juniper-nsp mailing list juniper-nsp at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/juniper-nsp
> >>
> >
>
>
> --
> Kind regards,
> Signet bv
>
>
> Remco Bressers
>
> T 040 - 707 4 907
> F 040 - 707 4 909
> E rbressers at signet.nl
> always online? www.signet.nl
>
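As an added example (not code from the thread or from Juniper), a small Python checker that parses the JUNOS curly-brace syntax shown above and flags any `translation-type destination static` term that lacks the `destination-address` and `application` match Stefan describes in the `from` block; without them the term applies to every inbound flow on the service interface. The constructed sample reuses the rule from the reply and adds a deliberately incomplete `term 2`.

```python
import re

# Constructed sample: term 1 is the corrected rule from the reply,
# term 2 is a destination-static term with no 'from' block at all.
SAMPLE = """services { nat { rule nat-set { match-direction input;
  term 1 { from { destination-address { 50.0.0.10/32; } applications junos-http; }
    then { translated { destination-prefix 10.0.0.100/32; translation-type destination static; } } }
  term 2 { then { translated { destination-prefix 10.0.0.200/32; translation-type destination static; } } }
} } }"""


def parse(text):
    """Parse JUNOS curly-brace config into nested dicts; leaf statements map to None."""
    tokens = re.findall(r"/\*.*?\*/|[{};]|[^\s{};]+", text, re.S)
    root, stack, words, node = {}, [], [], None
    node = root
    for tok in tokens:
        if tok.startswith("/*"):          # drop /* ... */ annotations
            continue
        if tok == "{":                    # open a new hierarchy level
            child = {}
            node[" ".join(words)] = child
            stack.append(node)
            node, words = child, []
        elif tok == "}":                  # back to the parent level
            node = stack.pop()
        elif tok == ";":                  # leaf statement, e.g. 'applications junos-http'
            node[" ".join(words)] = None
            words = []
        else:
            words.append(tok)
    return root


def lint_nat_rules(cfg):
    """Return warnings for destination-static terms whose 'from' block is too broad."""
    problems = []
    nat = cfg.get("services", {}).get("nat", {})
    for rule_key, rule in nat.items():
        if not rule_key.startswith("rule "):
            continue
        for term_key, term in rule.items():
            if not term_key.startswith("term "):
                continue
            translated = (term.get("then") or {}).get("translated") or {}
            if "translation-type destination static" not in translated:
                continue
            frm = term.get("from") or {}   # 'from' may be absent or a bare leaf
            where = f"{rule_key} {term_key}"
            if "destination-address" not in frm:
                problems.append(f"{where}: no destination-address, term matches every inbound flow")
            if not any(k.startswith("application") for k in frm):
                problems.append(f"{where}: no application match, every port is forwarded")
    return problems
```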

