[j-nsp] NAT Port translation on JUNOS, puzzled...
Stefan Fouant
sfouant at gmail.com
Tue Jun 17 10:43:48 EDT 2008
A NAT rule similar to the following would accomplish your goal of outbound
dynamic translation, assuming you wanted to use PAT (most likely if you only
have a few public IPs):
services {
    nat {
        pool nat-pool {
            address 50.0.0.1/32;
            port automatic;
        }
        rule nat-set-outbound {
            match-direction output;
            term 1 {
                then {
                    translated {
                        source-pool nat-pool;
                        translation-type source dynamic;
                    }
                }
            }
        }
    }
}
Notice I used a pool here. This is not necessary but allows for future
scalability if you get additional public IPs and want to add them to the
pool. Also notice that I have not specified a from clause. This will
essentially match on *all* outbound flows. If you want different behavior
you should specify the match conditions appropriately.
Regards,
Stefan Fouant
Principal Network Engineer
NeuStar, Inc. - http://www.neustar.biz
On Tue, Jun 17, 2008 at 10:22 AM, Remco Bressers <rbressers at signet.nl>
wrote:
> Hi,
>
> Thanks a million for this. I'll try it out later on.
> How do I combine this with the dynamic translation outbound for my
> internal LAN to the Internet?
>
> Regards,
>
> Remco
>
>
> Stefan Fouant wrote:
> > Ok here are a few pointers... You can directly specify the destination
> > using the 'destination-prefix' command as opposed to the
> > 'destination-pool' command because in this configuration you are only
> > translating for a single address. Furthermore, you need to specify the
> > 'destination-address' and 'application' in the 'from' portion in order
> > to properly match on the appropriate flow you want to apply destination
> > NAT to.
> >
> > Give the following a try:
> >
> > services {
> >     nat {
> >         rule nat-set {
> >             match-direction input;
> >             term 1 {
> >                 /* Matches on inbound to 50.0.0.10/32 Port 80 */
> >                 from {
> >                     destination-address {
> >                         50.0.0.10/32;
> >                     }
> >                     applications junos-http;
> >                 }
> >                 /* Static translation of Port 80 to 10.0.0.100/32 */
> >                 then {
> >                     translated {
> >                         destination-prefix 10.0.0.100/32;
> >                         translation-type destination static;
> >                     }
> >                 }
> >             }
> >         }
> >     }
> >     service-set wan-service-set {
> >         nat-rules nat-set;
> >         interface-service {
> >             service-interface sp-0/0/0;
> >         }
> >     }
> > }
> >
> > You also might want to consider moving to JUNOS Enhanced Services as the
> > NAT configuration is greatly simplified and much more logical in nature
> > than in normal JUNOS using 'services' configs.
> >
> > HTHs.
> >
> > Stefan Fouant
> > Principal Network Engineer
> > NeuStar, Inc. - http://www.neustar.biz
> >
> > On Tue, Jun 17, 2008 at 9:31 AM, Remco Bressers <rbressers at signet.nl> wrote:
> >
> > Hi Stefan,
> >
> > It would be great to receive a full snippet of config. Thanks!
> >
> > Remco
> >
> >
> > Stefan Fouant wrote:
> > > I'm on my Blackberry so I can't give you the full config right now but
> > > you need to get rid of that 'port automatic' command as that will
> > > enable PAT. Give me a few minutes and I will post the rest of the
> > > configuration.
> > >
> > > Stefan Fouant
> > > Principal Network Engineer
> > > NeuStar, Inc. - http://www.neustar.biz
> > >
> > >
> > >
> > > On 6/17/08, Remco Bressers <rbressers at signet.nl> wrote:
> > >> I'm working on a NAT setup, which is actually very straightforward but I
> > >> still am puzzled by the services documentation from Juniper. Please help :).
> > >>
> > >> It's a J2300 with 2 interfaces, in and out. One public IP address and a
> > >> local subnet on the inside. I got the network translation from the
> > >> inside to the public IP working, but now I want to configure one single
> > >> port-forward to an internal host (let's say 10.0.0.1) on port 80.
> > >>
> > >> But how? On a cheap $50 router it's a point-and-click, but it's not even
> > >> in J-web?!
> > >>
> > >>
> > >> The config I have now:
> > >>
> > >>
> > >> services {
> > >>     service-set wan-service-set {
> > >>         nat-rules nat-set;
> > >>         interface-service {
> > >>             service-interface sp-0/0/0;
> > >>         }
> > >>     }
> > >>     nat {
> > >>         pool nat-pool {
> > >>             address-range low 217.21.x.x high 217.21.x.x;
> > >>             port automatic;
> > >>         }
> > >>         rule nat-set {
> > >>             match-direction input;
> > >>             term 1 {
> > >>                 from
> > >>                 then {
> > >>                     translated {
> > >>                         source-pool nat-pool;
> > >>                         translation-type {
> > >>                             source dynamic;
> > >>                         }
> > >>                     }
> > >>                 }
> > >>             }
> > >>         }
> > >>     }
> > >> }
> > >>
> > >>
> > >>
> > >> --
> > >> Kind regards,
> > >> Signet bv
> > >>
> > >>
> > >> Remco Bressers
> > >>
> > >> T 040 - 707 4 907
> > >> F 040 - 707 4 909
> > >> E rbressers at signet.nl
> > >> _______________________________________________
> > >> juniper-nsp mailing list juniper-nsp at puck.nether.net
> > >> https://puck.nether.net/mailman/listinfo/juniper-nsp
> > >>
> > >
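To make the interaction between the two rules in this thread concrete, here is an added example that is not part of the thread or of any Junos code: a toy stateful NAT box that applies an input-direction static destination NAT term (50.0.0.10:80 to 10.0.0.100:80, as in Stefan's first config) and an output-direction dynamic source NAT term with PAT from pool address 50.0.0.1 (as in his second config) to a few constructed flows. The addresses on the internal and public side come from the thread; the external client addresses, the PAT port range, the session table and the port allocator are assumptions and simplifications, not router behaviour. What it shows is why the catch-all outbound rule (no `from` clause) does not re-translate the web server's replies: an existing session is consulted before any rule is matched, so return traffic is reverse-translated instead.

```python
"""Toy stateful NAT simulating the two Junos rules discussed in the thread.
Added example; addresses for the web server and pool come from the thread,
everything else (external hosts, port range, session table) is constructed."""

from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_WEB = ("50.0.0.10", 80)     # from { destination-address 50.0.0.10/32; applications junos-http }
INTERNAL_WEB = ("10.0.0.100", 80)  # then { translated { destination-prefix 10.0.0.100/32; destination static } }
POOL_ADDRESS = "50.0.0.1"          # pool nat-pool { address 50.0.0.1/32; port automatic; }
PAT_PORTS = range(1024, 65536)     # assumed port range for 'port automatic' (constructed)


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.dport, self.src, self.sport, self.proto)


class NatBox:
    def __init__(self) -> None:
        self._ports = iter(PAT_PORTS)
        # (direction, packet as it arrives) -> packet after translation
        self.sessions: Dict[Tuple[str, Flow], Flow] = {}

    # rule nat-set, match-direction input: static destination NAT for
    # 50.0.0.10:80 only; any other inbound packet is not matched by this rule.
    def _input_rule(self, f: Flow) -> Optional[Flow]:
        if f.proto == "tcp" and (f.dst, f.dport) == PUBLIC_WEB:
            return Flow(f.src, f.sport, INTERNAL_WEB[0], INTERNAL_WEB[1], f.proto)
        return None

    # rule nat-set-outbound, match-direction output, no 'from' clause: every
    # new outbound flow is source-translated to the pool address with a fresh
    # port (PAT).
    def _output_rule(self, f: Flow) -> Optional[Flow]:
        try:
            port = next(self._ports)
        except StopIteration:
            raise RuntimeError("PAT port range exhausted") from None
        return Flow(POOL_ADDRESS, port, f.dst, f.dport, f.proto)

    def translate(self, direction: str, f: Flow) -> Flow:
        """Translate one packet. An existing session wins over rule lookup, so
        reply packets are reverse-translated rather than re-matched."""
        hit = self.sessions.get((direction, f))
        if hit is not None:
            return hit
        rule = self._input_rule if direction == "input" else self._output_rule
        out = rule(f)
        if out is None:
            return f  # no term matched: packet passes untranslated
        # install the forward entry and the matching reverse entry
        other = "output" if direction == "input" else "input"
        self.sessions[(direction, f)] = out
        self.sessions[(other, out.reverse())] = f.reverse()
        return out


def demo() -> Dict[str, Flow]:
    """Run constructed flows through the box and return what each became."""
    box = NatBox()
    r: Dict[str, Flow] = {}
    # 1. an internal host browses out: source becomes 50.0.0.1 with the first PAT port
    out1 = box.translate("output", Flow("10.0.0.5", 40000, "198.51.100.9", 443))
    r["pat_out"] = out1
    # 2. the reply arrives at the PAT port and is reversed back to 10.0.0.5
    r["pat_reply"] = box.translate("input", Flow("198.51.100.9", 443, POOL_ADDRESS, out1.sport))
    # 3. a second internal host gets the next free port
    r["pat_out2"] = box.translate("output", Flow("10.0.0.6", 40000, "198.51.100.9", 443))
    # 4. an external client hits the port-forward: destination becomes 10.0.0.100:80
    r["fwd_in"] = box.translate("input", Flow("203.0.113.7", 51000, "50.0.0.10", 80))
    # 5. the web server's reply is reversed to 50.0.0.10:80, not PATed,
    #    even though the outbound rule has no 'from' clause
    r["fwd_reply"] = box.translate("output", Flow("10.0.0.100", 80, "203.0.113.7", 51000))
    # 6. inbound to a port with no matching term and no session is left untouched
    r["no_match"] = box.translate("input", Flow("203.0.113.7", 51001, "50.0.0.10", 22))
    return r


if __name__ == "__main__":
    for name, flow in demo().items():
        print(f"{name:10} {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}")
```

The session-first lookup in `translate` is the part worth noting for the question asked in the thread: the two rules can coexist in one service set precisely because rule matching only happens for the first packet of a flow, so the outbound catch-all never sees the port-forward's return traffic as a new flow. Case 6 also shows that a static destination NAT term matched on `junos-http` does nothing for other ports; whether such a packet is dropped is up to the firewall filter, not the NAT rule.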