[j-nsp] NAT Port translation on JUNOS, puzzled...

Stefan Fouant sfouant at gmail.com
Tue Jun 17 10:46:40 EDT 2008


P.S. A book which has very good coverage of the subject matter and might
prove to be a valuable reference if you plan to support these types of
functions is "JUNOS Enterprise Routing" by Doug Marschke and Harry Reynolds.

Regards,

Stefan Fouant
Principal Network Engineer
NeuStar, Inc. - http://www.neustar.biz
On Tue, Jun 17, 2008 at 10:43 AM, Stefan Fouant <sfouant at gmail.com> wrote:

> A NAT rule similar to the following would accomplish your goal of outbound
> dynamic translation, assuming you wanted to use PAT (most likely if you only
> have a few public IPs):
>
> services {
>     nat {
>         pool nat-pool {
>             address 50.0.0.1/32;
>             port automatic;
>         }
>         rule nat-set-outbound {
>             match-direction output;
>             term 1 {
>                 then {
>                     translated {
>                         source-pool nat-pool;
>                         translation-type source dynamic;
>                     }
>                 }
>             }
>         }
>     }
> }
> Notice I used a pool here.  This is not necessary but allows for future
> scalability if you get additional public IPs and want to add them to the
> pool.  Also notice that I have not specified a from clause.  This will
> essentially match on *all* outbound flows.  If you want different behavior
> you should specify the match conditions appropriately.
>
> Regards,
>
> Stefan Fouant
> Principal Network Engineer
> NeuStar, Inc. - http://www.neustar.biz
> On Tue, Jun 17, 2008 at 10:22 AM, Remco Bressers <rbressers at signet.nl> wrote:
>
>> Hi,
>>
>> Thanks a million for this. I'll try it out later on.
>> How do I combine this with the dynamic translation outbound for my
>> internal LAN to the Internet?
>>
>> Regards,
>>
>> Remco
>>
>>
>> Stefan Fouant wrote:
>> > Ok here are a few pointers... You can directly specify the destination
>> > using the 'destination-prefix' command as opposed to the
>> > 'destination-pool' command because in this configuration you are only
>> > translating for a single address.  Furthermore, you need to specify the
>> > 'destination-address' and 'application' in the 'from' portion in order
>> > to properly match on the appropriate flow you want to apply destination
>> > NAT to.
>> >
>> > Give the following a try:
>> >
>> > services {
>> >     nat {
>> >         rule nat-set {
>> >             match-direction input;
>> >             term 1 {
>> >                 /* Matches on inbound to 50.0.0.10/32 Port 80 */
>> >                 from {
>> >                     destination-address {
>> >                         50.0.0.10/32;
>> >                     }
>> >                     applications junos-http;
>> >                 }
>> >                 /* Static translation of Port 80 to 10.0.0.100/32 */
>> >                 then {
>> >                     translated {
>> >                         destination-prefix 10.0.0.100/32;
>> >                         translation-type destination static;
>> >                     }
>> >                 }
>> >                         translation-type destination static;
>> >                     }
>> >                 }
>> >             }
>> >         }
>> >     }
>> >     service-set wan-service-set {
>> >         nat-rules nat-set;
>> >         interface-service {
>> >             service-interface sp-0/0/0;
>> >         }
>> >     }
>> > }
>> >
>> > You also might want to consider moving to JUNOS Enhanced Services as the
>> > NAT configuration is greatly simplified and much more logical in nature
>> > than in normal JUNOS using 'services' configs.
>> >
>> > HTHs.
>> >
>> > Stefan Fouant
>> > Principal Network Engineer
>> > NeuStar, Inc. - http://www.neustar.biz
>> >
>> > On Tue, Jun 17, 2008 at 9:31 AM, Remco Bressers <rbressers at signet.nl> wrote:
>> >
>> >     Hi Stefan,
>> >
>> >     It would be great to receive a full snippet of config. Thanks!
>> >
>> >     Remco
>> >
>> >
>> >     Stefan Fouant wrote:
>> >     > I'm on my Blackberry so I can't give you the full config right now
>> >     > but you need to get rid of that 'port automatic' command as that will
>> >     > enable PAT. Give me a few minutes and I will post the rest of the
>> >     > configuration.
>> >     >
>> >     > Stefan Fouant
>> >     > Principal Network Engineer
>> >     > NeuStar, Inc. - http://www.neustar.biz
>> >     >
>> >     >
>> >     >
>> >     > On 6/17/08, Remco Bressers <rbressers at signet.nl> wrote:
>> >     >> I'm working on a NAT setup, which is actually very straightforward
>> >     >> but I still am puzzled by the services documentation from Juniper.
>> >     >> Please help :).
>> >     >>
>> >     >> It's a J2300 with 2 interfaces, in and out. One public IP address
>> >     >> and a local subnet on the inside. I got the network translation from
>> >     >> the inside to the public IP working, but now I want to configure one
>> >     >> single port-forward to an internal host (let's say 10.0.0.1) on port 80.
>> >     >>
>> >     >> But how? On a cheap $50 router it's a point-and-click, but it's
>> >     >> not even in J-web?!
>> >     >>
>> >     >>
>> >     >> The config I have now:
>> >     >>
>> >     >>
>> >     >> services {
>> >     >>     service-set wan-service-set {
>> >     >>         nat-rules nat-set;
>> >     >>         interface-service {
>> >     >>             service-interface sp-0/0/0;
>> >     >>         }
>> >     >>     }
>> >     >>     nat {
>> >     >>         pool nat-pool {
>> >     >>             address-range low 217.21.x.x high 217.21.x.x;
>> >     >>             port automatic;
>> >     >>         }
>> >     >>         rule nat-set {
>> >     >>             match-direction input;
>> >     >>             term 1 {
>> >     >>              from
>> >     >>                 then {
>> >     >>                     translated {
>> >     >>                         source-pool nat-pool;
>> >     >>                         translation-type {
>> >     >>                             source dynamic;
>> >     >>                         }
>> >     >>                     }
>> >     >>                 }
>> >     >>             }
>> >     >>         }
>> >     >>     }
>> >     >> }
>> >     >>
>> >     >>
>> >     >>
>> >     >> --
>> >     >> Kind regards,
>> >     >> Signet bv
>> >     >>
>> >     >>
>> >     >> Remco Bressers
>> >     >>
>> >     >> T 040 - 707 4 907
>> >     >> F 040 - 707 4 909
>> >     >> E rbressers at signet.nl
>> >     >> _______________________________________________
>> >     >> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> >     >> https://puck.nether.net/mailman/listinfo/juniper-nsp
>> >     >>
>> >     >
>> >
>> >
>> >     --
>> >     Kind regards,
>> >     Signet bv
>> >
>> >
>> >     Remco Bressers
>> >
>> >     T 040 - 707 4 907
>> >     F 040 - 707 4 909
>> >     E rbressers at signet.nl
>> >     always online? www.signet.nl
>> >
>> >
>>
>>
>> --
>> Kind regards,
>> Signet bv
>>
>>
>> Remco Bressers
>>
>> T 040 - 707 4 907
>> F 040 - 707 4 909
>> E rbressers at signet.nl
>> always online? www.signet.nl
>>
>
>
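The thread makes the same point twice: the inbound static rule needs a 'from' clause with 'destination-address' and 'applications' so that only port 80 of the public address is forwarded, and the outbound rule with no 'from' clause matches every outbound flow. The following script, an added example that is not code from this thread or from Juniper, parses JUNOS-style curly-brace configuration and reports NAT terms that are broader than they look. The parser is a minimal one for illustration (no 'inactive:' or '#' handling); the rule name nat-wide-open and its sample configuration are constructed, and the 50.0.0.x / 10.0.0.x addresses are the hypothetical ones used in the thread.

```python
"""Audit JUNOS 'services nat' rules for over-broad match conditions.

Added example, not code from the thread: parse_junos() is a minimal parser for the
curly-brace syntax; audit_nat_rules() flags terms with no 'from' clause (match every
flow in the rule's direction) and static destination NAT terms with no 'applications'.
"""
import re
from typing import Dict, List, Optional

Block = Dict[str, Optional["Block"]]  # statement -> child block, or None for a leaf


def parse_junos(text: str) -> Block:
    """Parse JUNOS configuration text into nested dicts keyed by statement."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)  # strip /* ... */ comments
    root: Block = {}
    stack: List[Block] = [root]
    words: List[str] = []
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok == "{":
            child: Block = {}
            stack[-1][" ".join(words)] = child
            stack.append(child)
            words = []
        elif tok == ";":
            stack[-1][" ".join(words)] = None
            words = []
        elif tok == "}":
            if len(stack) == 1 or words:
                raise ValueError("unbalanced '}' or unterminated statement")
            stack.pop()
        else:
            words.append(tok)
    if len(stack) != 1 or words:
        raise ValueError("unterminated block or statement")
    return root


def _translation_type(translated: Block) -> str:
    """Return e.g. 'destination static' for either syntax form of translation-type."""
    for key, body in translated.items():
        if key == "translation-type" and body is not None:  # translation-type { source dynamic; }
            return " ".join(body)
        if key.startswith("translation-type "):  # translation-type source dynamic;
            return key[len("translation-type "):]
    return ""


def audit_nat_rules(config_text: str) -> List[str]:
    """Return one human-readable finding per over-broad NAT term."""
    nat = (parse_junos(config_text).get("services") or {}).get("nat") or {}
    findings: List[str] = []
    for rule_key, rule in nat.items():
        if not rule_key.startswith("rule ") or rule is None:
            continue
        direction = next((k.split()[1] for k in rule if k.startswith("match-direction ")), "unspecified")
        for term_key, term in rule.items():
            if not term_key.startswith("term ") or term is None:
                continue
            where = f"{rule_key} {term_key}"
            frm = term.get("from")
            ttype = _translation_type(((term.get("then") or {}).get("translated")) or {})
            if frm is None:
                findings.append(f"{where}: no 'from' clause, so it matches every {direction} flow ({ttype})")
            elif ttype == "destination static" and not any(k.startswith("application") for k in frm):
                findings.append(f"{where}: static destination NAT without applications, forwards every port")
    return findings


# Sample configurations: the first two are the rules posted in the thread (hypothetical
# addresses as given there); the third is constructed to show a port-forward with no application filter.
INBOUND_PORT_FORWARD = """
services { nat { rule nat-set { match-direction input;
    term 1 {
        /* Matches on inbound to 50.0.0.10/32 Port 80 */
        from { destination-address { 50.0.0.10/32; } applications junos-http; }
        then { translated { destination-prefix 10.0.0.100/32; translation-type destination static; } }
    } } } }
"""
OUTBOUND_PAT = """
services { nat {
    pool nat-pool { address 50.0.0.1/32; port automatic; }
    rule nat-set-outbound { match-direction output;
        term 1 { then { translated { source-pool nat-pool; translation-type source dynamic; } } }
    } } }
"""
ALL_PORTS_FORWARD = """
services { nat { rule nat-wide-open { match-direction input;
    term 1 {
        from { destination-address { 50.0.0.10/32; } }
        then { translated { destination-prefix 10.0.0.100/32; translation-type destination static; } }
    } } } }
"""

if __name__ == "__main__":
    for name, cfg in (("inbound", INBOUND_PORT_FORWARD), ("outbound", OUTBOUND_PAT), ("wide-open", ALL_PORTS_FORWARD)):
        print(name, audit_nat_rules(cfg) or ["no findings"])
```

Run as a script it reports nothing for the inbound port-forward, one finding for the outbound rule (which is intentional in the thread, but worth seeing spelled out), and one for the constructed rule that forwards every port of the public address to the internal host. The parser accepts both the one-line form of 'translation-type' and the block form used in the original poster's configuration.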

