[j-nsp] NAT Port translation on JUNOS, puzzled...

Remco Bressers rbressers at signet.nl
Wed Jun 18 07:11:51 EDT 2008


Hi,

Thanks a lot. I'm almost there I think, but I'm left with a question.
When I commit the following configuration, I cannot ping the outside
interface anymore (from the outside).

Are there any gotchas left in this config?

interfaces {
    fe-0/0/0 {
        description "Outside interface";
        unit 0 {
            family inet {
                service {
                    input {
                        service-set wan-service-set;
                    }
                    output {
                        service-set wan-service-set;
                    }
                }
                address 217.21.x.x/29;
            }
        }
    }
    sp-0/0/0 {
        unit 0 {
            family inet;
        }
    }
    fe-0/0/1 {
        description "Inside interface";
        unit 0 {
            family inet {
                address 10.0.0.254/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 217.21.x.y;
    }
}
services {
    service-set wan-service-set {
        nat-rules nat-set;
        nat-rules server-nat;
        interface-service {
            service-interface sp-0/0/0;
        }
    }
    nat {
        pool nat-pool {
            address-range low 217.21.x.x high 217.21.x.x;
            port automatic;
        }
        rule nat-set {
            match-direction output;
            term 1 {
                then {
                    translated {
                        source-pool nat-pool;
                        translation-type {
                            source dynamic;
                        }
                    }
                }
            }
        }
        rule server-nat {
            match-direction input;
            term sip {
                from {
                    destination-address {
                        217.21.x.x/32;
                    }
                    applications junos-sip;
                }
                then {
                    translated {
                        destination-prefix 10.0.0.1/32;
                        translation-type {
                            destination static;
                        }
                    }
                }
            }
            term http {
                from {
                    destination-address {
                        217.21.x.x/32;
                    }
                    applications junos-http;
                }
                then {
                    translated {
                        destination-prefix 10.0.0.1/32;
                        translation-type {
                            destination static;
                        }
                    }
                }
            }
        }
    }
}



Stefan Fouant wrote:
> A NAT rule similar to the following would accomplish your goal of
> outbound dynamic translation, assuming you wanted to use PAT (most
> likely if you only have a few public IPs):
>  
> services {
>     nat {
>         pool nat-pool {
>             address 50.0.0.1/32;
>             port automatic;
>         }
>         rule nat-set-outbound {
>             match-direction output;
>             term 1 {
>                 then {
>                     translated {
>                         source-pool nat-pool;
>                         translation-type source dynamic;
>                     }
>                 }
>             }
>         }
>     }
> }
> Notice I used a pool here.  This is not necessary but allows for future
> scalability if you get additional public IPs and want to add them to the
> pool.  Also notice that I have not specified a from clause.  This will
> essentially match on *all* outbound flows.  If you want different
> behavior you should specify the match conditions appropriately.
>  
> Regards,
>  
> Stefan Fouant
> Principal Network Engineer
> NeuStar, Inc. - http://www.neustar.biz
> On Tue, Jun 17, 2008 at 10:22 AM, Remco Bressers <rbressers at signet.nl> wrote:
> 
>     Hi,
> 
>     Thanks a million for this. I'll try it out later on.
>     How do I combine this with the dynamic translation outbound for my
>     internal LAN to the Internet?
> 
>     Regards,
> 
>     Remco
> 
> 
>     Stefan Fouant wrote:
>     > Ok here are a few pointers... You can directly specify the destination
>     > using the 'destination-prefix' command as opposed to the
>     > 'destination-pool' command because in this configuration you are only
>     > translating for a single address.  Furthermore, you need to specify the
>     > 'destination-address' and 'application' in the 'from' portion in order
>     > to properly match on the appropriate flow you want to apply destination
>     > NAT to.
>     >
>     > Give the following a try:
>     >
>     > services {
>     >     nat {
>     >         rule nat-set {
>     >             match-direction input;
>     >             term 1 {
>     >                 /* Matches on inbound to 50.0.0.10/32 Port 80 */
>     >                 from {
>     >                     destination-address {
>     >                         50.0.0.10/32;
>     >                     }
>     >                     applications junos-http;
>     >                 }
>     >                 /* Static translation of Port 80 to 10.0.0.100/32 */
>     >                 then {
>     >                     translated {
>     >                         destination-prefix 10.0.0.100/32;
>     >                         translation-type destination static;
>     >                     }
>     >                 }
>     >             }
>     >         }
>     >     }
>     >     service-set wan-service-set {
>     >         nat-rules nat-set;
>     >         interface-service {
>     >             service-interface sp-0/0/0;
>     >         }
>     >     }
>     > }
>     >
>     > You also might want to consider moving to JUNOS Enhanced Services as the
>     > NAT configuration is greatly simplified and much more logical in nature
>     > than in normal JUNOS using 'services' configs.
>     >
>     > HTHs.
>     >
>     > Stefan Fouant
>     > Principal Network Engineer
>     > NeuStar, Inc. - http://www.neustar.biz
>     >
>     > On Tue, Jun 17, 2008 at 9:31 AM, Remco Bressers <rbressers at signet.nl> wrote:
>     >
>     >     Hi Stefan,
>     >
>     >     It would be great to receive a full snippet of config. Thanks!
>     >
>     >     Remco
>     >
>     >
>     >     Stefan Fouant wrote:
>     >     > I'm on my Blackberry so I can't give you the full config right now but
>     >     > you need to get rid of that 'port automatic' command as that will
>     >     > enable PAT. Give me a few minutes and I will post the rest of the
>     >     > configuration.
>     >     >
>     >     > Stefan Fouant
>     >     > Principal Network Engineer
>     >     > NeuStar, Inc. - http://www.neustar.biz
>     >     >
>     >     >
>     >     >
>     >     > On 6/17/08, Remco Bressers <rbressers at signet.nl> wrote:
>     >     >> I'm working on a NAT setup, which is actually very straightforward but I
>     >     >> still am puzzled by the services documentation from Juniper. Please help :).
>     >     >>
>     >     >> It's a J2300 with 2 interfaces, in and out. One public IP address and a
>     >     >> local subnet on the inside. I got the network translation from the
>     >     >> inside to the public IP working, but now I want to configure one single
>     >     >> port-forward to an internal host (let's say 10.0.0.1) on port 80.
>     >     >>
>     >     >> But how? On a cheap $50 router it's a point-and-click, but it's not even
>     >     >> in J-web?!
>     >     >>
>     >     >>
>     >     >> The config i have now :
>     >     >>
>     >     >>
>     >     >> services {
>     >     >>     service-set wan-service-set {
>     >     >>         nat-rules nat-set;
>     >     >>         interface-service {
>     >     >>             service-interface sp-0/0/0;
>     >     >>         }
>     >     >>     }
>     >     >>     nat {
>     >     >>         pool nat-pool {
>     >     >>             address-range low 217.21.x.x high 217.21.x.x;
>     >     >>             port automatic;
>     >     >>         }
>     >     >>         rule nat-set {
>     >     >>             match-direction input;
>     >     >>             term 1 {
>     >     >>              from
>     >     >>                 then {
>     >     >>                     translated {
>     >     >>                         source-pool nat-pool;
>     >     >>                         translation-type {
>     >     >>                             source dynamic;
>     >     >>                         }
>     >     >>                     }
>     >     >>                 }
>     >     >>             }
>     >     >>         }
>     >     >>     }
>     >     >> }
>     >     >>
>     >     >>
>     >     >>


-- 
Kind regards,
Signet bv


Remco Bressers

T 040 - 707 4 907
F 040 - 707 4 909
E rbressers at signet.nl
Always online? www.signet.nl
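To make the term semantics discussed in this thread concrete (a term with no 'from' clause matches every flow in its match-direction, while server-nat only catches SIP and HTTP), here is an added Python model of how the final config's two NAT rules classify flows; it is not part of the thread and not Juniper's code. PUBLIC_IP is a constructed placeholder for the redacted 217.21.x.x, and the junos-http/junos-sip port mappings are assumed.

```python
# Toy model of JUNOS 'services nat' rule evaluation for the thread's final config.
# Constructed example, not Juniper's code: PUBLIC_IP stands in for the redacted
# 217.21.x.x and the junos-* application ports are assumed.
from dataclasses import dataclass, replace
from typing import Optional

PUBLIC_IP = "203.0.113.10"   # placeholder for the redacted 217.21.x.x
APPLICATIONS = {"junos-http": ("tcp", 80), "junos-sip": ("udp", 5060)}  # assumed


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


def term(then, dst=None, app=None):
    """A rule term: optional 'from' conditions plus a 'then translated' action."""
    return {"from": {"dst": dst, "app": app}, "then": then}


def term_matches(t, flow):
    f = t["from"]
    if f["dst"] is not None and flow.dst != f["dst"]:
        return False
    if f["app"] is not None and (flow.proto, flow.dport) != APPLICATIONS[f["app"]]:
        return False
    return True                 # a term with no 'from' clause matches every flow


# The two rules from the final config, one per match-direction.
RULES = [
    {"name": "nat-set", "direction": "output",          # source dynamic (PAT)
     "terms": [term({"source-pool": PUBLIC_IP})]},
    {"name": "server-nat", "direction": "input",        # destination static
     "terms": [term({"destination-prefix": "10.0.0.1"}, dst=PUBLIC_IP, app="junos-sip"),
               term({"destination-prefix": "10.0.0.1"}, dst=PUBLIC_IP, app="junos-http")]},
]


def apply_nat(flow, direction, rules=RULES):
    """Return (translated flow, name of the rule that matched or None)."""
    for rule in rules:
        if rule["direction"] != direction:
            continue
        for t in rule["terms"]:
            if term_matches(t, flow):
                then = t["then"]
                if "source-pool" in then:
                    return replace(flow, src=then["source-pool"]), rule["name"]
                return replace(flow, dst=then["destination-prefix"]), rule["name"]
    return flow, None           # no term matched: the flow passes untranslated
```

Running an inbound ICMP echo or an inbound TCP/22 flow through apply_nat shows that neither server-nat term claims it, so only SIP and HTTP are forwarded to 10.0.0.1 and everything else arriving at PUBLIC_IP is left untranslated.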

