[j-nsp] PPTP VPN through NAT on M10i

Jo Rhett jrhett at netconsonance.com
Tue Jan 17 14:09:45 EST 2012


Does that mean that it is supported from 11.2R1 up, or does that mean it's never supported this way?  Did I misread this page, which says that outside source dynamic nat is supported?
   https://www.juniper.net/techpubs/en_US/junose10.1/information-products/topic-collections/swconfig-ip-services/id-67401.html

Is there any way to do this without 1:1 static mapping? This site has very few external addresses, and hundreds of internal users. Mapping each possible VPN user to a static external IP is not possible here.  It's possible I'm just implementing this the wrong way...

On Jan 16, 2012, at 11:33 PM, Alex Arseniev wrote:
> PPTP ALG is supported from JUNOS 11.2R1
> GRE is not supported with "nat source dynamic"
> HTH
> Rgds
> Alex
> 
> ----- Original Message ----- From: "Jo Rhett" <jrhett at netconsonance.com>
> To: <juniper-nsp at puck.nether.net>
> Sent: Tuesday, January 17, 2012 3:19 AM
> Subject: [j-nsp] PPTP VPN through NAT on M10i
> 
> 
> I've got a problem with NAT on an M10i with Junos 10.4. Simple PNAP interface, works fine for TCP and UDP.  Doesn't work for PPTP or IPSEC. Way back in my mind I remember something about having to create a second nat rule without port mapping, but it's not working. I'm pretty sure I'm forgetting something here.  Can someone spare a 2x4 and clue me over the head?
> 
> ---yes, I know that the filters in the configuration below aren't active.
> 
> Here's the configuration now:
> 
> interfaces {
>   ge-0/0/0 {
>       unit 0 {
>           family inet {
>               address 192.168.1.1/24;
>           }
>       }
>   }
>   ge-0/1/0 {
>       unit 0 {
>           family inet {
>               service {
>                   input {
>                       service-set NAT;
>                   }
>                   output {
>                       service-set NAT;
>                   }
>               }
>               address 192.168.2.1/24;
>           }
>       }
>   }
>   sp-0/3/0 {
>       unit 0 {
>           family inet;
>       }
>   }
> 
> ….
> 
> firewall {
>   filter UNTRUST-IN {
>       term ICMP {
>           from {
>               destination-address {
>                   192.168.2.1/4;
>               }
>               protocol icmp;
>           }
>           then accept;
>       }
>       term EVERYTHING-ELSE {
>           then {
>               discard;
>           }
>       }
>   }
>   filter TRUST-OUT {
>       term IPOUT {
>           from {
>               source-address {
>                   192.168.1.0/24;
>               }
>               destination-address {
>                   0.0.0.0/0;
>               }
>           }
>           then accept;
>       }
>   }
> }
> services {
>   service-set NAT {
>       nat-rules Outbound;
>       interface-service {
>           service-interface sp-0/3/0.0;
>       }
>   }
>   nat {
>       pool NATPOOL {
>           address 192.168.2.3/32;
>           port {
>               automatic;
>           }
>       }
>       pool GRE-NATPOOL {
>           address 192.168.2.3/32;
>       }
>       rule Outbound {
>           match-direction output;
>           term PPTP_VPNs {
>               from {
>                   source-address {
>                       192.168.1.0/24;
>                   }
>                   applications GRE-PPTP;
>               }
>               then {
>                   translated {
>                       source-pool GRE-NATPOOL;
>                       translation-type {
>                           source dynamic;
>                       }
>                   }
>               }
>           }
>           term Else {
>               from {
>                   source-address {
>                       192.168.1.0/24;
>                   }
>               }
>               then {
>                   translated {
>                       source-pool NATPOOL;
>                       translation-type {
>                           source dynamic;
>                       }
>                   }
>               }
>           }
>       }
>   }
>   adaptive-services-pics {
>       traceoptions {
>           flag all;
>       }
>   }
> }
> applications {
>   application GRE-PPTP {
>       protocol gre;
>   }
> }
> 
> -- 
> Jo Rhett
> Net Consonance : consonant endings by net philanthropy, open source and other randomness
> 
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
> 

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness
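As an added example, not from the thread or from Juniper: a small Python lint that parses Junos brace-style configuration and flags NAT rule terms that match a GRE application while translating with `source dynamic`, the combination Alex's reply says is unsupported (GRE carries no port numbers, so port-multiplexed dynamic NAT has nothing to key on). The sample configuration is constructed, condensed from the rule and application in the quoted post; the parser handles only the brace/semicolon syntax, not annotations or comments.

```python
import re

# Constructed sample, condensed from the NAT rule and GRE application in the quoted post.
SAMPLE_CONFIG = """\
services { nat { rule Outbound { match-direction output;
    term PPTP_VPNs { from { source-address { 192.168.1.0/24; } applications GRE-PPTP; }
        then { translated { source-pool GRE-NATPOOL; translation-type { source dynamic; } } } }
    term Else { from { source-address { 192.168.1.0/24; } }
        then { translated { source-pool NATPOOL; translation-type { source dynamic; } } } } } } }
applications { application GRE-PPTP { protocol gre; } }"""

def parse(text):
    """Parse Junos brace syntax into nested dicts; leaf statements map to None."""
    root = {}; stack, words, cur = [], [], root
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok == "{":                      # open a block keyed by the words before it
            child = cur[" ".join(words)] = {}
            stack.append(cur)
            cur, words = child, []
        elif tok == ";":                    # leaf statement, e.g. "protocol gre"
            cur[" ".join(words)] = None
            words = []
        elif tok == "}":                    # close block, return to parent
            cur = stack.pop()
        else:
            words.append(tok)
    return root

def find_dynamic_gre_terms(cfg):
    """Return (rule, term) pairs that match a GRE application and use
    'source dynamic' translation, the combination the reply says is unsupported."""
    gre_apps = {k.split()[1] for k, v in cfg.get("applications", {}).items()
                if isinstance(v, dict) and "protocol gre" in v}
    hits = []
    for rule_key, rule in cfg.get("services", {}).get("nat", {}).items():
        if not rule_key.startswith("rule "):
            continue
        for term_key, term in rule.items():
            if not term_key.startswith("term "):
                continue
            apps = set()
            for stmt in term.get("from", {}):   # "applications X" or "applications [ X Y ]"
                if stmt.startswith("applications "):
                    apps.update(w.strip("[]") for w in stmt.split()[1:] if w.strip("[]"))
            ttype = term.get("then", {}).get("translated", {}).get("translation-type") or {}
            if apps & gre_apps and "source dynamic" in ttype:
                hits.append((rule_key.split()[1], term_key.split()[1]))
    return hits
```

Run `find_dynamic_gre_terms(parse(SAMPLE_CONFIG))` to get `[("Outbound", "PPTP_VPNs")]`; the `Else` term is not reported because it matches no GRE application.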
