[j-nsp] NAT Port translation on JUNOS, puzzled...
Remco Bressers
rbressers at signet.nl
Thu Jun 19 04:05:31 EDT 2008
No.. too bad :(
The port forwarder itself doesn't work either..
I'm completely lost. How can this easy setup be so freakin' hard to do
on a J box?
R.
Stefan Fouant wrote:
> Try adding something to your service-set along the following lines:
>
> services {
>     service-set wan-service-set {
>         stateful-firewall-rules allow-icmp;
>         interface-service {
>             service-interface sp-0/0/0;
>         }
>     }
>     stateful-firewall {
>         rule allow-icmp {
>             match-direction input;
>             term 1 {
>                 from {
>                     destination-address {
>                         217.21.x.x/32;
>                     }
>                     /* predefined application name is junos-icmp-ping */
>                     applications junos-icmp-ping;
>                 }
>                 then {
>                     accept;
>                 }
>             }
>         }
>     }
> }
>
> Let me know how that works out...
>
> Stefan Fouant
> Principal Network Engineer
> NeuStar, Inc. - http://www.neustar.biz
> On Wed, Jun 18, 2008 at 7:11 AM, Remco Bressers <rbressers at signet.nl> wrote:
>
> Hi,
>
> Thanks a lot. I'm almost there I think, but I'm left with a question.
> When I commit the following configuration, I cannot ping the outside
> interface anymore (from the outside).
>
> Are there any gotchas left in this config?
>
> interfaces {
>     fe-0/0/0 {
>         description "Outside interface";
>         unit 0 {
>             family inet {
>                 /* NAT service set applied in both directions */
>                 service {
>                     input {
>                         service-set wan-service-set;
>                     }
>                     output {
>                         service-set wan-service-set;
>                     }
>                 }
>                 address 217.21.x.x/29;
>             }
>         }
>     }
>     sp-0/0/0 {
>         unit 0 {
>             family inet;
>         }
>     }
>     fe-0/0/1 {
>         description "Inside interface";
>         /* family inet must sit under a logical unit */
>         unit 0 {
>             family inet {
>                 address 10.0.0.254/24;
>             }
>         }
>     }
> }
> routing-options {
>     static {
>         route 0.0.0.0/0 next-hop 217.21.x.y;
>     }
> }
> services {
>     service-set wan-service-set {
>         nat-rules nat-set;
>         nat-rules server-nat;
>         interface-service {
>             service-interface sp-0/0/0;
>         }
>     }
>     nat {
>         pool nat-pool {
>             address-range low 217.21.x.x high 217.21.x.x;
>             port automatic;
>         }
>         /* outbound PAT for the LAN */
>         rule nat-set {
>             match-direction output;
>             term 1 {
>                 then {
>                     translated {
>                         source-pool nat-pool;
>                         translation-type {
>                             source dynamic;
>                         }
>                     }
>                 }
>             }
>         }
>         /* inbound port forwards to 10.0.0.1 */
>         rule server-nat {
>             match-direction input;
>             term sip {
>                 from {
>                     destination-address {
>                         217.21.x.x/32;
>                     }
>                     applications junos-sip;
>                 }
>                 then {
>                     translated {
>                         destination-prefix 10.0.0.1/32;
>                         translation-type {
>                             destination static;
>                         }
>                     }
>                 }
>             }
>             term http {
>                 from {
>                     destination-address {
>                         217.21.x.x/32;
>                     }
>                     applications junos-http;
>                 }
>                 then {
>                     translated {
>                         destination-prefix 10.0.0.1/32;
>                         translation-type {
>                             destination static;
>                         }
>                     }
>                 }
>             }
>         }
>     }
> }
>
>
>
> Stefan Fouant wrote:
> > A NAT rule similar to the following would accomplish your goal of
> > outbound dynamic translation, assuming you wanted to use PAT (most
> > likely if you only have a few public IPs):
> >
> > services {
> >     nat {
> >         pool nat-pool {
> >             address 50.0.0.1/32;
> >             port automatic;
> >         }
> >         rule nat-set-outbound {
> >             match-direction output;
> >             term 1 {
> >                 then {
> >                     translated {
> >                         source-pool nat-pool;
> >                         translation-type source dynamic;
> >                     }
> >                 }
> >             }
> >         }
> >     }
> > }
> > Notice I used a pool here. This is not necessary but allows for future
> > scalability if you get additional public IPs and want to add them to the
> > pool. Also notice that I have not specified a from clause. This will
> > essentially match on *all* outbound flows. If you want different
> > behavior you should specify the match conditions appropriately.
> >
> > On Tue, Jun 17, 2008 at 10:22 AM, Remco Bressers <rbressers at signet.nl> wrote:
> >
> > Hi,
> >
> > Thanks a million for this. I'll try it out later on.
> > How do I combine this with the dynamic translation outbound for my
> > internal LAN to the Internet?
> >
> > Regards,
> >
> > Remco
> >
> >
> > Stefan Fouant wrote:
> > > OK, here are a few pointers... You can directly specify the destination
> > > using the 'destination-prefix' command as opposed to the
> > > 'destination-pool' command because in this configuration you are only
> > > translating for a single address. Furthermore, you need to specify the
> > > 'destination-address' and 'application' in the 'from' portion in order
> > > to properly match on the appropriate flow you want to apply destination
> > > NAT to.
> > >
> > > Give the following a try:
> > >
> > > services {
> > >     nat {
> > >         rule nat-set {
> > >             match-direction input;
> > >             term 1 {
> > >                 /* Matches on inbound to 50.0.0.10/32 Port 80 */
> > >                 from {
> > >                     destination-address {
> > >                         50.0.0.10/32;
> > >                     }
> > >                     applications junos-http;
> > >                 }
> > >                 /* Static translation of Port 80 to 10.0.0.100/32 */
> > >                 then {
> > >                     translated {
> > >                         destination-prefix 10.0.0.100/32;
> > >                         translation-type destination static;
> > >                     }
> > >                 }
> > >             }
> > >         }
> > >     }
> > >     service-set wan-service-set {
> > >         nat-rules nat-set;
> > >         interface-service {
> > >             service-interface sp-0/0/0;
> > >         }
> > >     }
> > > }
> > >
> > > You also might want to consider moving to JUNOS Enhanced Services as the
> > > NAT configuration is greatly simplified and much more logical in nature
> > > than in normal JUNOS using 'services' configs.
> > >
> > > HTHs.
> > >
> > >
> > > On Tue, Jun 17, 2008 at 9:31 AM, Remco Bressers <rbressers at signet.nl> wrote:
> > >
> > > Hi Stefan,
> > >
> > > It would be great to receive a full snippet of config. Thanks!
> > >
> > > Remco
> > >
> > >
> > > Stefan Fouant wrote:
> > > > I'm on my Blackberry so I can't give you the full config right now but
> > > > you need to get rid of that 'port automatic' command as that will
> > > > enable PAT. Give me a few minutes and I will post the rest of the
> > > > configuration.
> > > >
> > > >
> > > >
> > > >
> > > > On 6/17/08, Remco Bressers <rbressers at signet.nl> wrote:
> > > >> I'm working on a NAT setup, which is actually very straightforward but I
> > > >> still am puzzled by the services documentation from Juniper. Please help :).
> > > >>
> > > >> It's a J2300 with 2 interfaces, in and out. One public IP address and a
> > > >> local subnet on the inside. I got the network translation from the
> > > >> inside to the public IP working, but now I want to configure one single
> > > >> port-forward to an internal host (let's say 10.0.0.1) on port 80.
> > > >>
> > > >> But how? On a cheap $50 router it's point-and-click, but it's not even
> > > >> in J-web?!
> > > >>
> > > >>
> > > >> The config I have now:
> > > >>
> > > >>
> > > >> services {
> > > >>     service-set wan-service-set {
> > > >>         nat-rules nat-set;
> > > >>         interface-service {
> > > >>             service-interface sp-0/0/0;
> > > >>         }
> > > >>     }
> > > >>     nat {
> > > >>         pool nat-pool {
> > > >>             address-range low 217.21.x.x high 217.21.x.x;
> > > >>             port automatic;
> > > >>         }
> > > >>         rule nat-set {
> > > >>             match-direction input;
> > > >>             term 1 {
> > > >>                 from
> > > >>                 then {
> > > >>                     translated {
> > > >>                         source-pool nat-pool;
> > > >>                         translation-type {
> > > >>                             source dynamic;
> > > >>                         }
> > > >>                     }
> > > >>                 }
> > > >>             }
> > > >>         }
> > > >>     }
> > > >> }
> > > >>
> > > >>
> > > >>
> > > >> _______________________________________________
> > > >> juniper-nsp mailing list juniper-nsp at puck.nether.net
> > > >> https://puck.nether.net/mailman/listinfo/juniper-nsp
> > > >>
> > > >
> > >
> > >
> > >
> >
> >
> >
>
>
>
--
Met vriendelijke groet,
Signet bv
Remco Bressers
T 040 - 707 4 907
F 040 - 707 4 909
E rbressers at signet.nl
altijd online? www.signet.nl
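As an added example (not code from the thread, and not Juniper's), here is a small Python linter that parses the brace-style configuration used in the posts above and flags the three rule-level mistakes the replies call out: outbound source-dynamic NAT under match-direction input, a destination-static port forward whose from clause lacks destination-address or applications, and a service-set that names a NAT rule which is not defined. The parser, the finding messages and the WARN/INFO levels are my own invention; the two sample configurations are transcribed (and compacted) from the first and the later post, with the same placeholder addresses the poster used and the dangling 'from' line of the first post omitted.

```python
"""Lint a Junos 'services nat' config for the mistakes discussed in this thread:
outbound PAT with the wrong match-direction, a port forward (destination static
NAT) without a from-clause match, and a service-set naming an undefined rule.
Added example, not code from the thread; the sample configs are transcribed
(compacted) from the posts, with the dangling 'from' line of the first post dropped."""
import re

# Tokens: /* comments */, "quoted strings", braces, semicolons, bare words.
TOKEN = re.compile(r'/\*.*?\*/|"[^"]*"|[{};]|[^\s{};]+', re.S)

def parse(text):
    """Junos brace syntax -> nested dicts. 'rule nat-set { ... }' becomes key
    'rule nat-set' -> dict; 'nat-rules x;' becomes 'nat-rules' -> ['x'] (a list,
    because the same statement may repeat, e.g. two nat-rules lines)."""
    tokens = [t for t in TOKEN.findall(text) if not t.startswith('/*')]
    pos = 0
    def block():
        nonlocal pos
        node, words = {}, []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == '{':
                node[' '.join(words)] = block()   # header words name the block
                words = []
            elif tok == ';':
                if words:
                    node.setdefault(words[0], []).append(' '.join(words[1:]))
                words = []
            elif tok == '}':
                return node
            else:
                words.append(tok)
        return node
    return block()

def blocks(node, kind):
    """Yield (name, sub-block) for blocks of one kind: 'term http' -> ('http', {...})."""
    for key, val in node.items():
        if isinstance(val, dict) and key.split(' ')[0] == kind:
            yield key[len(kind):].strip(), val

def translation_type(term):
    """Handle both 'translation-type { source dynamic; }' and 'translation-type source dynamic;'."""
    tt = term.get('then', {}).get('translated', {}).get('translation-type')
    if isinstance(tt, dict):
        return ' '.join(f'{k} {v[0]}' for k, v in tt.items())
    return tt[0] if tt else ''

def lint(text):
    """Return a list of (level, message); level is 'WARN' or 'INFO'."""
    services = parse(text).get('services', {})
    rules = dict(blocks(services.get('nat', {}), 'rule'))
    out = []
    for rname, rule in rules.items():
        direction = rule.get('match-direction', ['?'])[0]
        for tname, term in blocks(rule, 'term'):
            where = f'rule {rname} term {tname}'
            tt, frm = translation_type(term), term.get('from', {})
            if tt == 'source dynamic' and direction == 'input':
                out.append(('WARN', f'{where}: source dynamic NAT needs match-direction output'))
            if tt == 'source dynamic' and not frm:
                out.append(('INFO', f'{where}: no from clause, every {direction} flow is translated'))
            if tt == 'destination static' and 'destination-address' not in frm:
                out.append(('WARN', f'{where}: destination static NAT needs from destination-address'))
            if tt == 'destination static' and not frm.get('applications'):
                out.append(('WARN', f'{where}: destination static NAT needs from applications'))
    for sname, sset in blocks(services, 'service-set'):
        for rname in sset.get('nat-rules', []):
            if rname not in rules:
                out.append(('WARN', f'service-set {sname}: nat-rules {rname} is not defined'))
    return out

# Sample 1 (first post): source NAT applied on the input direction.
BROKEN = """
services {
    service-set wan-service-set { nat-rules nat-set; }
    nat {
        pool nat-pool { address-range low 217.21.x.x high 217.21.x.x; port automatic; }
        rule nat-set { match-direction input; term 1 { then { translated {
            source-pool nat-pool; translation-type { source dynamic; } } } } }
    }
}
"""
# Sample 2 (later post): outbound PAT plus an HTTP port forward.
FIXED = """
services {
    service-set wan-service-set { nat-rules nat-set; nat-rules server-nat; }
    nat {
        pool nat-pool { address-range low 217.21.x.x high 217.21.x.x; port automatic; }
        rule nat-set { match-direction output; term 1 { then { translated {
            source-pool nat-pool; translation-type { source dynamic; } } } } }
        rule server-nat { match-direction input; term http {
            from { destination-address { 217.21.x.x/32; } applications junos-http; }
            then { translated { destination-prefix 10.0.0.1/32; translation-type { destination static; } } } } }
    }
}
"""
```

Running lint(BROKEN) returns one WARN (the outbound rule sits on match-direction input) and one INFO; lint(FIXED) returns only the INFO about the from-less outbound rule, which the reply above says is the intended catch-all. The linter knows nothing about whether the service set is applied to an interface or about stateful-firewall rules, so it cannot explain the ICMP problem at the top of the thread; it only catches the rule-level mistakes the thread discusses.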