[j-nsp] PPTP VPN through NAT on M10i
Alex Arseniev
alex.arseniev at gmail.com
Tue Jan 17 23:27:26 EST 2012
The link you supplied is for JUNOSe, not JUNOS.
If you have 100s of users and only 1s of public IPs, that means you need NAPT44.
The way to use PPTP through NAPT44 on JUNOS is to activate the PPTP ALG (more specifically, match on application "junos-pptp" in the NAT rule or SFW rule); the PPTP ALG is supported from JUNOS 11.2R1.
HTH
Rgds
Alex
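As an added illustration of the reply above (this is not Alex's configuration and not text from Juniper's documentation), here is the poster's service set from further down the thread rewritten the way the reply describes: a single NAPT44 pool with port translation, and a term that matches the predefined application `junos-pptp` so the PPTP ALG is applied, in place of the custom GRE application and the second, port-less pool. Pool and rule names, the 192.168.x.x addresses and the `translation-type { source dynamic; }` syntax are carried over from the quoted 10.4 configuration; the annotations are mine.

```junos
services {
    service-set NAT {
        nat-rules Outbound;
        interface-service {
            service-interface sp-0/3/0.0;
        }
    }
    nat {
        /* One NAPT44 pool: a single address, ports allocated automatically.
           With the PPTP ALG there is no need for a second pool without
           port mapping for the GRE traffic. */
        pool NATPOOL {
            address 192.168.2.3/32;
            port {
                automatic;
            }
        }
        rule Outbound {
            match-direction output;
            /* Matching the predefined application junos-pptp is what
               activates the PPTP ALG: it follows the TCP/1723 control
               channel and translates the GRE call IDs of the data channel,
               so the custom "protocol gre" application is not required. */
            term PPTP_VPNs {
                from {
                    source-address {
                        192.168.1.0/24;
                    }
                    applications junos-pptp;
                }
                then {
                    translated {
                        source-pool NATPOOL;
                        translation-type {
                            source dynamic;
                        }
                    }
                }
            }
            /* Everything else from the inside network gets ordinary NAPT44. */
            term Else {
                from {
                    source-address {
                        192.168.1.0/24;
                    }
                }
                then {
                    translated {
                        source-pool NATPOOL;
                        translation-type {
                            source dynamic;
                        }
                    }
                }
            }
        }
    }
}
```

Two caveats: this only works on a release that has the PPTP ALG (11.2R1 or later according to the reply), and later releases renamed the `translation-type` keywords (NAPT44 became `napt-44`), so check the NAT reference for the release actually being run before committing. On an MS-PIC/SP service set, `show services stateful-firewall flows` should then list both the TCP/1723 control flow and the GRE flows of a connected client against the same translated address.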
----- Original Message -----
From: Jo Rhett
To: Alex Arseniev
Cc: juniper-nsp at puck.nether.net
Sent: Tuesday, January 17, 2012 7:09 PM
Subject: Re: [j-nsp] PPTP VPN through NAT on M10i
Does that mean that it is supported from 11.2R1 up, or does that mean it's never supported this way? Did I misread this page, which says that outside source dynamic nat is supported?
https://www.juniper.net/techpubs/en_US/junose10.1/information-products/topic-collections/swconfig-ip-services/id-67401.html
Is there any way to do this without 1:1 static mapping? This site has very few external addresses, and hundreds of internal users. Mapping each possible VPN user to a static external IP is not possible here. It's possible I'm just implementing this the wrong way...
On Jan 16, 2012, at 11:33 PM, Alex Arseniev wrote:
PPTP ALG is supported from JUNOS 11.2R1
GRE is not supported with "nat source dynamic"
HTH
Rgds
Alex
----- Original Message ----- From: "Jo Rhett" <jrhett at netconsonance.com>
To: <juniper-nsp at puck.nether.net>
Sent: Tuesday, January 17, 2012 3:19 AM
Subject: [j-nsp] PPTP VPN through NAT on M10i
I've got a problem with NAT on an M10i with Junos 10.4. Simple PNAP interface, works fine for TCP and UDP. Doesn't work for PPTP or IPSEC. Way back in my mind I remember something about having to create a second nat rule without port mapping, but its not working. I'm pretty sure I'm forgetting something here. Can someone spare a 2x4 and clue me over the head?
---yes, I know that the filters in the configuration below aren't active.
Here's the configuration now:
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    ge-0/1/0 {
        unit 0 {
            family inet {
                service {
                    input {
                        service-set NAT;
                    }
                    output {
                        service-set NAT;
                    }
                }
                address 192.168.2.1/24;
            }
        }
    }
    sp-0/3/0 {
        unit 0 {
            family inet;
        }
    }
}
….
firewall {
    filter UNTRUST-IN {
        term ICMP {
            from {
                destination-address {
                    192.168.2.1/4;
                }
                protocol icmp;
            }
            then accept;
        }
        term EVERYTHING-ELSE {
            then {
                discard;
            }
        }
    }
    filter TRUST-OUT {
        term IPOUT {
            from {
                source-address {
                    192.168.1.0/24;
                }
                destination-address {
                    0.0.0.0/0;
                }
            }
            then accept;
        }
    }
}
services {
    service-set NAT {
        nat-rules Outbound;
        interface-service {
            service-interface sp-0/3/0.0;
        }
    }
    nat {
        pool NATPOOL {
            address 192.168.2.3/32;
            port {
                automatic;
            }
        }
        pool GRE-NATPOOL {
            address 192.168.2.3/32;
        }
        rule Outbound {
            match-direction output;
            term PPTP_VPNs {
                from {
                    source-address {
                        192.168.1.0/24;
                    }
                    applications GRE-PPTP;
                }
                then {
                    translated {
                        source-pool GRE-NATPOOL;
                        translation-type {
                            source dynamic;
                        }
                    }
                }
            }
            term Else {
                from {
                    source-address {
                        192.168.1.0/24;
                    }
                }
                then {
                    translated {
                        source-pool NATPOOL;
                        translation-type {
                            source dynamic;
                        }
                    }
                }
            }
        }
    }
    adaptive-services-pics {
        traceoptions {
            flag all;
        }
    }
}
applications {
    application GRE-PPTP {
        protocol gre;
    }
}
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp