[j-nsp] PPTP VPN through NAT on M10i

Jo Rhett jrhett at netconsonance.com
Mon Jan 16 22:19:33 EST 2012


I've got a problem with NAT on an M10i with Junos 10.4. Simple NAT on the outside interface, works fine for TCP and UDP.  Doesn't work for PPTP or IPsec. Way back in my mind I remember something about having to create a second NAT rule term (and pool) without port mapping for the port-less protocols (GRE, ESP), but it's not working. I'm pretty sure I'm forgetting something here.  Can someone spare a 2x4 and clue me over the head?

---yes, I know that the filters in the configuration below aren't active (they are not applied to any interface).

Here's the configuration now:

/* Inside (trusted) side: the 192.168.1.0/24 hosts whose traffic is NATed. */
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    /* Outside (untrusted) side. The NAT service set is attached in both
       directions so the sp- PIC sees forward and return packets of every
       session; which packets actually get translated is decided by the
       match-direction in the NAT rule, not here. Neither UNTRUST-IN nor
       TRUST-OUT is referenced on any unit, so the firewall filters in this
       configuration are not in effect. */
    ge-0/1/0 {
        unit 0 {
            family inet {
                service {
                    input {
                        service-set NAT;
                    }
                    output {
                        service-set NAT;
                    }
                }
                address 192.168.2.1/24;
            }
        }
    }
    /* Services PIC that executes the NAT service set (see service-set NAT). */
    sp-0/3/0 {
        unit 0 {
            family inet;
        }
    }
}

….

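/* Stateless filters. Neither is applied to an interface yet (see the
   interfaces stanza), so they have no effect on the NAT problem described. */
firewall {
    /* Intended for ge-0/1/0 input (untrusted side). Only ICMP to the outside
       subnet is accepted; everything else is dropped silently. */
    filter UNTRUST-IN {
        term ICMP {
            from {
                destination-address {
                    /* Was 192.168.2.1/4, i.e. 192.0.0.0/4 - almost certainly a
                       typo; that would have matched half the Internet rather than
                       this network. /24 covers the interface address and the NAT
                       pool address; tighten to 192.168.2.1/32 if only the router
                       itself should answer pings. */
                    192.168.2.1/24;
                }
                protocol icmp;
            }
            then accept;
        }
        /* NOTE(review): if this filter is ever applied on ge-0/1/0 input, this
           term will also discard the TCP/UDP/GRE return traffic of NATed
           sessions - input filters run before the interface service set on
           Junos (confirm for 10.4). Add accept terms for return traffic, or
           apply the filter inside the service set, before activating it.
           Consider "log"/"count" here so drops are visible while debugging. */
        term EVERYTHING-ELSE {
            then {
                discard;
            }
        }
    }
    /* Intended for ge-0/0/0 input / trusted side: only the inside subnet may
       send traffic out. The destination-address 0.0.0.0/0 match is a no-op
       (it matches every address) and is kept only for readability. */
    filter TRUST-OUT {
        term IPOUT {
            from {
                source-address {
                    192.168.1.0/24;
                }
                destination-address {
                    0.0.0.0/0;
                }
            }
            then accept;
        }
    }
}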
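services {
    /* One service set, run on sp-0/3/0, applying NAT rule Outbound. */
    service-set NAT {
        nat-rules Outbound;
        interface-service {
            service-interface sp-0/3/0.0;
        }
    }
    nat {
        /* NAPT pool: all inside hosts share 192.168.2.3 and are distinguished by
           translated source port. Only usable for protocols that have ports
           (TCP/UDP); GRE and ESP have no port field and cannot be multiplexed
           this way. */
        pool NATPOOL {
            address 192.168.2.3/32;
            port {
                automatic;
            }
        }
        /* Address-only pool for port-less protocols. With a single /32 address
           and no port translation, only ONE inside host can hold a mapping at a
           time; a second concurrent PPTP client will fail to be translated.
           Translating multiple PPTP clients behind one address needs the PPTP
           ALG (call-ID rewriting) - NOTE(review): check whether the predefined
           junos-pptp application is available for this PIC on 10.4 rather than
           the hand-written GRE application below. */
        pool GRE-NATPOOL {
            address 192.168.2.3/32;
        }
        rule Outbound {
            match-direction output;
            /* GRE from the inside subnet -> address-only translation. Matches
               all GRE, not just PPTP's. */
            term PPTP_VPNs {
                from {
                    source-address {
                        192.168.1.0/24;
                    }
                    applications GRE-PPTP;
                }
                then {
                    translated {
                        source-pool GRE-NATPOOL;
                        translation-type {
                            source dynamic;
                        }
                    }
                }
            }
            /* Everything else from the inside subnet -> NAPT. NOTE(review):
               IPsec ESP (protocol 50) also lands here, and a pool with port
               translation has nothing to translate for it - which is consistent
               with IPsec "not working". Either add a term like PPTP_VPNs for
               ESP (and IKE UDP/500 will still NAPT fine), or rely on NAT-T
               (UDP/4500) on the IPsec peers, which passes through NAPT. */
            term Else {
                from {
                    source-address {
                        192.168.1.0/24;
                    }
                }
                then {
                    translated {
                        source-pool NATPOOL;
                        translation-type {
                            source dynamic;
                        }
                    }
                }
            }
        }
    }
    /* Full tracing on the services PIC - useful for this debugging session,
       but very verbose; remove once the NAT problem is solved. */
    adaptive-services-pics {
        traceoptions {
            flag all;
        }
    }
}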
/* Custom application matching any GRE (IP protocol 47) packet. It has no
   notion of PPTP call IDs, so it only classifies traffic for the NAT rule; it
   does not provide ALG behaviour. NOTE(review): Junos ships a predefined
   junos-pptp application (TCP/1723 + GRE with the PPTP ALG) - verify whether
   it is supported on this sp- PIC/release before relying on this one. */
applications {
    application GRE-PPTP {
        protocol gre;
    }
}

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness


