[j-nsp] PPTP VPN through NAT on M10i
Jo Rhett
jrhett at netconsonance.com
Tue Jan 17 14:09:45 EST 2012
Does that mean that it is supported from 11.2R1 up, or does that mean it's never supported this way? Did I misread this page, which says that outside source dynamic nat is supported?
https://www.juniper.net/techpubs/en_US/junose10.1/information-products/topic-collections/swconfig-ip-services/id-67401.html
Is there any way to do this without 1:1 static mapping? This site has very few external addresses, and hundreds of internal users. Mapping each possible VPN user to a static external IP is not possible here. It's possible I'm just implementing this the wrong way...
On Jan 16, 2012, at 11:33 PM, Alex Arseniev wrote:
> PPTP ALG is supported from JUNOS 11.2R1
> GRE is not supported with "nat source dynamic"
> HTH
> Rgds
> Alex
>
> ----- Original Message ----- From: "Jo Rhett" <jrhett at netconsonance.com>
> To: <juniper-nsp at puck.nether.net>
> Sent: Tuesday, January 17, 2012 3:19 AM
> Subject: [j-nsp] PPTP VPN through NAT on M10i
>
>
> I've got a problem with NAT on an M10i with Junos 10.4. Simple PNAP interface, works fine for TCP and UDP. Doesn't work for PPTP or IPSEC. Way back in my mind I remember something about having to create a second nat rule without port mapping, but it's not working. I'm pretty sure I'm forgetting something here. Can someone spare a 2x4 and clue me over the head?
>
> ---yes, I know that the filters in the configuration below aren't active.
>
> Here's the configuration now:
>
> interfaces {
>     ge-0/0/0 {
>         unit 0 {
>             family inet {
>                 address 192.168.1.1/24;
>             }
>         }
>     }
>     ge-0/1/0 {
>         unit 0 {
>             family inet {
>                 service {
>                     input {
>                         service-set NAT;
>                     }
>                     output {
>                         service-set NAT;
>                     }
>                 }
>                 address 192.168.2.1/24;
>             }
>         }
>     }
>     sp-0/3/0 {
>         unit 0 {
>             family inet;
>         }
>     }
>
> ….
>
> firewall {
>     filter UNTRUST-IN {
>         term ICMP {
>             from {
>                 destination-address {
>                     192.168.2.1/4;
>                 }
>                 protocol icmp;
>             }
>             then accept;
>         }
>         term EVERYTHING-ELSE {
>             then {
>                 discard;
>             }
>         }
>     }
>     filter TRUST-OUT {
>         term IPOUT {
>             from {
>                 source-address {
>                     192.168.1.0/24;
>                 }
>                 destination-address {
>                     0.0.0.0/0;
>                 }
>             }
>             then accept;
>         }
>     }
> }
> services {
>     service-set NAT {
>         nat-rules Outbound;
>         interface-service {
>             service-interface sp-0/3/0.0;
>         }
>     }
>     nat {
>         pool NATPOOL {
>             address 192.168.2.3/32;
>             port {
>                 automatic;
>             }
>         }
>         pool GRE-NATPOOL {
>             address 192.168.2.3/32;
>         }
>         rule Outbound {
>             match-direction output;
>             term PPTP_VPNs {
>                 from {
>                     source-address {
>                         192.168.1.0/24;
>                     }
>                     applications GRE-PPTP;
>                 }
>                 then {
>                     translated {
>                         source-pool GRE-NATPOOL;
>                         translation-type {
>                             source dynamic;
>                         }
>                     }
>                 }
>             }
>             term Else {
>                 from {
>                     source-address {
>                         192.168.1.0/24;
>                     }
>                 }
>                 then {
>                     translated {
>                         source-pool NATPOOL;
>                         translation-type {
>                             source dynamic;
>                         }
>                     }
>                 }
>             }
>         }
>     }
>     adaptive-services-pics {
>         traceoptions {
>             flag all;
>         }
>     }
> }
> applications {
>     application GRE-PPTP {
>         protocol gre;
>     }
> }
>
> --
> Jo Rhett
> Net Consonance : consonant endings by net philanthropy, open source and other randomness
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness
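The exchange above comes down to one protocol fact: PPTP's data leg is GRE (IP protocol 47), which has no transport ports, so a port-translating dynamic NAT has nothing to hash a return packet on once two internal hosts talk to the same VPN server through one pool address. A PPTP ALG fixes that by tracking the Call ID that the PPTP control channel (TCP/1723) announces and that the enhanced GRE header carries as its key (RFC 2637). The following is an added toy model written for this thread, not Junos code and not anything from the list members; it reuses the pool address 192.168.2.3 from the posted configuration, while the server address 203.0.113.10, the client hosts 192.168.1.10/.11 and the call IDs are constructed values.

```python
"""Toy model: why port-based dynamic NAT cannot demultiplex PPTP's GRE leg,
and what a PPTP ALG adds. Constructed example, not router code."""
from dataclasses import dataclass
from typing import Optional

EXTERNAL_IP = "192.168.2.3"  # single pool address, as in the posted config


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "gre"
    src: str
    dst: str
    sport: Optional[int] = None     # None for GRE: no transport ports
    dport: Optional[int] = None
    call_id: Optional[int] = None   # PPTP enhanced-GRE key (recipient's Call ID)


class Napt:
    """Port-translating dynamic source NAT: one external IP, many inside hosts."""

    def __init__(self, external_ip: str = EXTERNAL_IP, first_port: int = 20000):
        self.ext = external_ip
        self.next_port = first_port
        self.out = {}           # (proto, inside src, inside sport) -> external port
        self.back = {}          # (proto, external port) -> (inside src, inside sport)
        self.gre_sessions = {}  # server -> set of inside hosts sending it GRE

    def outbound(self, p: Packet) -> Packet:
        if p.proto in ("tcp", "udp"):
            key = (p.proto, p.src, p.sport)
            if key not in self.out:
                port, self.next_port = self.next_port, self.next_port + 1
                self.out[key] = port
                self.back[(p.proto, port)] = (p.src, p.sport)
            return Packet(p.proto, self.ext, p.dst, self.out[key], p.dport)
        # GRE: no port to rewrite, so all we can note is "host X talks GRE to Y"
        self.gre_sessions.setdefault(p.dst, set()).add(p.src)
        return Packet("gre", self.ext, p.dst, call_id=p.call_id)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """De-translate a reply, or return None when it cannot be attributed."""
        if p.proto in ("tcp", "udp"):
            hit = self.back.get((p.proto, p.dport))
            if hit is None:
                return None
            src, sport = hit
            return Packet(p.proto, p.src, src, p.sport, sport)
        hosts = self.gre_sessions.get(p.src, set())
        if len(hosts) != 1:
            return None          # zero or several inside candidates: ambiguous
        (host,) = hosts
        return Packet("gre", p.src, host, call_id=p.call_id)


class PptpAlg(Napt):
    """NAPT plus a PPTP ALG: the client's Call ID seen in the Outgoing-Call-Request
    on TCP/1723 is rewritten to a value unique behind the external address, and
    inbound GRE (keyed by that Call ID) is mapped back to the right inside host."""

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.next_call_id = 1
        self.call_out = {}   # (host, server, client call id) -> NAT call id
        self.call_back = {}  # (server, NAT call id) -> (host, client call id)

    def register_call(self, host: str, server: str, client_call_id: int) -> int:
        """Control-channel hook; returns the Call ID the server will see."""
        key = (host, server, client_call_id)
        if key not in self.call_out:
            nat_id, self.next_call_id = self.next_call_id, self.next_call_id + 1
            self.call_out[key] = nat_id
            self.call_back[(server, nat_id)] = (host, client_call_id)
        return self.call_out[key]

    def inbound(self, p: Packet) -> Optional[Packet]:
        if p.proto != "gre":
            return super().inbound(p)
        hit = self.call_back.get((p.src, p.call_id))
        if hit is None:
            return None
        host, client_id = hit
        return Packet("gre", p.src, host, call_id=client_id)


def demo():
    server = "203.0.113.10"  # constructed VPN server address
    plain = Napt()
    plain.outbound(Packet("tcp", "192.168.1.10", server, 40001, 1723))
    plain.outbound(Packet("tcp", "192.168.1.11", server, 40001, 1723))
    plain.outbound(Packet("gre", "192.168.1.10", server, call_id=1))
    plain.outbound(Packet("gre", "192.168.1.11", server, call_id=1))
    tcp_ok = plain.inbound(Packet("tcp", server, EXTERNAL_IP, 1723, 20001))
    gre_lost = plain.inbound(Packet("gre", server, EXTERNAL_IP, call_id=1))
    alg = PptpAlg()
    id_a = alg.register_call("192.168.1.10", server, 1)
    id_b = alg.register_call("192.168.1.11", server, 1)
    gre_to_b = alg.inbound(Packet("gre", server, EXTERNAL_IP, call_id=id_b))
    return tcp_ok, gre_lost, (id_a, id_b), gre_to_b


if __name__ == "__main__":
    print(demo())
```

With a single inside host the plain translator still routes the GRE reply correctly, which is why a one-user test can pass while the second VPN user silently breaks the first; the ALG variant is the behaviour Alex is pointing at when he says PPTP ALG support begins in a later release.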