[j-nsp] NAT Port translation on JUNOS, puzzled...

Remco Bressers rbressers at signet.nl
Tue Jun 17 10:22:15 EDT 2008 

Hi,

Thanks a million for this. I'll try it out lateron.
How do i combine this with the dynamic translation outbound for my
internal LAN to the Internet?

Regards,

Remco


Stefan Fouant wrote:
> Ok here are a few pointers... You can directly specify the destination
> using the 'destination-prefix' command as opposed to the
> 'destination-pool' command because in this configuration you are only
> translating for a single address.  Furthermore, you need to specify the
> 'destination-address' and 'application' in the 'from' portion in order
> to properly match on the appropriate flow you want to apply destination
> NAT to.
>  
> Give the following a try:
>  
> services {
>     nat {
>         rule nat-set {
>             match-direction input;
>             term 1 {
>                 /* Matches on inbound to 50.0.0.10/32
> <http://50.0.0.10/32> Port 80 */
>                 from {
>                     destination-address {
>                         50.0.0.10/32 <http://50.0.0.10/32>;
>                     }
>                     applications junos-http;
>                 }
>                 /* Static translation of Port 80 to 10.0.0.100/32
> <http://10.0.0.100/32> */
>                 then {
>                     translated {
>                         destination-prefix 10.0.0.100/32
> <http://10.0.0.100/32>;
>                         translation-type destination static;
>                     }
>                 }
>             }
>         }
>     }
>     service-set wan-service-set {
>         nat-rules nat-set;
>         interface-service {
>             service-interface sp-0/0/0;
>         }
>     }
> }
>  
> You also might want to consider moving to JUNOS Enhanced Services as the
> NAT configuration is greatly simplified and much more logical in nature
> than in normal JUNOS using 'services' configs.
>  
> HTHs.
>  
> Stefan Fouant
> Principal Network Engineer
> NeuStar, Inc. - http://www.neustar.biz <http://www.neustar.biz/>
>  
> On Tue, Jun 17, 2008 at 9:31 AM, Remco Bressers <rbressers at signet.nl
> <mailto:rbressers at signet.nl>> wrote:
> 
>     Hi Stefan,
> 
>     It would be great to receive a full snippet of config. Thanks!
> 
>     Remco
> 
> 
>     Stefan Fouant wrote:
>     > I'm on my Blackberry so I can't give you the full config right now but
>     > you need to get rid of that 'port automatic' command as that will
>     > enable PAT. Give me a few minutes and I will post the rest of the
>     > configuration.
>     >
>     > Stefan Fouant
>     > Principal Network Engineer
>     > NeuStar, Inc. - http://www.neustar.biz <http://www.neustar.biz/>
>     >
>     >
>     >
>     > On 6/17/08, Remco Bressers <rbressers at signet.nl
>     <mailto:rbressers at signet.nl>> wrote:
>     >> I'm working on a NAT setup, which is actually very
>     straightforward but i
>     >> still am puzzled by the services documentation from Juniper.
>     Please help :).
>     >>
>     >> It's a J2300 with 2 interfaces, in and out. One public IP address
>     and a
>     >> local subnet on the inside. I got the network translation from the
>     >> inside to the public ip working, but now i want to configure one
>     single
>     >> port-forward to an internal host (let's say 10.0.0.1
>     <http://10.0.0.1/>) on port 80.
>     >>
>     >> But how? On a cheap $50 router it's a point-and-click, but it's
>     not even
>     >> in J-web?!
>     >>
>     >>
>     >> The config i have now :
>     >>
>     >>
>     >> services {
>     >>     service-set wan-service-set {
>     >>         nat-rules nat-set;
>     >>         interface-service {
>     >>             service-interface sp-0/0/0;
>     >>         }
>     >>     }
>     >>     nat {
>     >>         pool nat-pool {
>     >>             address-range low 217.21.x.x high 217.21.x.x;
>     >>             port automatic;
>     >>         }
>     >>         rule nat-set {
>     >>             match-direction input;
>     >>             term 1 {
>     >>              from
>     >>                 then {
>     >>                     translated {
>     >>                         source-pool nat-pool;
>     >>                         translation-type {
>     >>                             source dynamic;
>     >>                         }
>     >>                     }
>     >>                 }
>     >>             }
>     >>         }
>     >>     }
>     >> }
>     >>
>     >>
>     >>
>     >> --
>     >> Kind regards,
>     >> Signet bv
>     >>
>     >>
>     >> Remco Bressers
>     >>
>     >> T 040 - 707 4 907
>     >> F 040 - 707 4 909
>     >> E rbressers at signet.nl <mailto:rbressers at signet.nl>
>     >> _______________________________________________
>     >> juniper-nsp mailing list juniper-nsp at puck.nether.net
>     <mailto:juniper-nsp at puck.nether.net>
>     >> https://puck.nether.net/mailman/listinfo/juniper-nsp
>     >>
>     >
> 
> 
>     --
>     Met vriendelijke groet,
>     Signet bv
> 
> 
>     Remco Bressers
> 
>     T 040 - 707 4 907
>     F 040 - 707 4 909
>     E rbressers at signet.nl <mailto:rbressers at signet.nl>
>     altijd online? www.signet.nl <http://www.signet.nl/>
> 
> 


-- 
Met vriendelijke groet,
Signet bv


Remco Bressers

T 040 - 707 4 907
F 040 - 707 4 909
E rbressers at signet.nl
altijd online? www.signet.nl

More information about the juniper-nsp mailing list