[j-nsp] PPTP VPN through NAT on M10i

Jo Rhett jrhett at netconsonance.com
Tue Jan 17 23:49:26 EST 2012


Great, thanks Alex.

When I get this working I'll post a working configuration for anyone searching for this ;-)

On Jan 17, 2012, at 8:27 PM, Alex Arseniev wrote:
> The link You supplied is for JUNOSE, not JUNOS.
> If you have 100s of users and 1s of public IPs, that means you need NAPT44.
> The way to use PPTP through NAPT44 on JUNOS is to activate PPTP ALG (more specifically, match on application "junos-pptp" in NAT rule or SFW rule), and PPTP ALG is supported from JUNOS 11.2R1.
> HTH
> Rgds
> Alex
>  
> ----- Original Message -----
> From: Jo Rhett
> To: Alex Arseniev
> Cc: juniper-nsp at puck.nether.net
> Sent: Tuesday, January 17, 2012 7:09 PM
> Subject: Re: [j-nsp] PPTP VPN through NAT on M10i
> 
> Does that mean that it is supported from 11.2R1 up, or does that mean it's never supported this way?  Did I misread this page, which says that outside source dynamic nat is supported?
>    https://www.juniper.net/techpubs/en_US/junose10.1/information-products/topic-collections/swconfig-ip-services/id-67401.html
> 
> Is there any way to do this without 1:1 static mapping? This site has very few external addresses, and hundreds of internal users. Mapping each possible VPN user to a static external IP is not possible here.  It's possible I'm just implementing this the wrong way...
> 
> On Jan 16, 2012, at 11:33 PM, Alex Arseniev wrote:
>> PPTP ALG is supported from JUNOS 11.2R1
>> GRE is not supported with "nat source dynamic"
>> HTH
>> Rgds
>> Alex
>> 
>> ----- Original Message ----- From: "Jo Rhett" <jrhett at netconsonance.com>
>> To: <juniper-nsp at puck.nether.net>
>> Sent: Tuesday, January 17, 2012 3:19 AM
>> Subject: [j-nsp] PPTP VPN through NAT on M10i
>> 
>> 
>> I've got a problem with NAT on an M10i with Junos 10.4. Simple PNAP interface, works fine for TCP and UDP.  Doesn't work for PPTP or IPSEC. Way back in my mind I remember something about having to create a second nat rule without port mapping, but it's not working. I'm pretty sure I'm forgetting something here.  Can someone spare a 2x4 and clue me over the head?
>> 
>> ---yes, I know that the filters in the configuration below aren't active.
>> 
>> Here's the configuration now:
>> 
>> interfaces {
>>   ge-0/0/0 {
>>       unit 0 {
>>           family inet {
>>               address 192.168.1.1/24;
>>           }
>>       }
>>   }
>>   ge-0/1/0 {
>>       unit 0 {
>>           family inet {
>>               service {
>>                   input {
>>                       service-set NAT;
>>                   }
>>                   output {
>>                       service-set NAT;
>>                   }
>>               }
>>               address 192.168.2.1/24;
>>           }
>>       }
>>   }
>>   sp-0/3/0 {
>>       unit 0 {
>>           family inet;
>>       }
>>   }
>> 
>> ….
>> 
>> firewall {
>>   filter UNTRUST-IN {
>>       term ICMP {
>>           from {
>>               destination-address {
>>                   192.168.2.1/4;
>>               }
>>               protocol icmp;
>>           }
>>           then accept;
>>       }
>>       term EVERYTHING-ELSE {
>>           then {
>>               discard;
>>           }
>>       }
>>   }
>>   filter TRUST-OUT {
>>       term IPOUT {
>>           from {
>>               source-address {
>>                   192.168.1.0/24;
>>               }
>>               destination-address {
>>                   0.0.0.0/0;
>>               }
>>           }
>>           then accept;
>>       }
>>   }
>> }
>> services {
>>   service-set NAT {
>>       nat-rules Outbound;
>>       interface-service {
>>           service-interface sp-0/3/0.0;
>>       }
>>   }
>>   nat {
>>       pool NATPOOL {
>>           address 192.168.2.3/32;
>>           port {
>>               automatic;
>>           }
>>       }
>>       pool GRE-NATPOOL {
>>           address 192.168.2.3/32;
>>       }
>>       rule Outbound {
>>           match-direction output;
>>           term PPTP_VPNs {
>>               from {
>>                   source-address {
>>                       192.168.1.0/24;
>>                   }
>>                   applications GRE-PPTP;
>>               }
>>               then {
>>                   translated {
>>                       source-pool GRE-NATPOOL;
>>                       translation-type {
>>                           source dynamic;
>>                       }
>>                   }
>>               }
>>           }
>>           term Else {
>>               from {
>>                   source-address {
>>                       192.168.1.0/24;
>>                   }
>>               }
>>               then {
>>                   translated {
>>                       source-pool NATPOOL;
>>                       translation-type {
>>                           source dynamic;
>>                       }
>>                   }
>>               }
>>           }
>>       }
>>   }
>>   adaptive-services-pics {
>>       traceoptions {
>>           flag all;
>>       }
>>   }
>> }
>> applications {
>>   application GRE-PPTP {
>>       protocol gre;
>>   }
>> }
>> 
>> -- 
>> Jo Rhett
>> Net Consonance : consonant endings by net philanthropy, open source and other randomness
>> 
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>> 
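Alex's two points above (GRE is not supported with "nat source dynamic"; PPTP needs the ALG) come down to GRE having no port field for NAPT to multiplex on. The following added illustration is not from the thread and not Junos code: a toy Python NAPT44 table behind one public IP that translates TCP by port, fails on a second inside host's plain GRE, and, with a PPTP-style ALG, keys GRE on the PPTP enhanced-GRE Call ID instead. The `Napt44` class, `Pkt` type and addresses are constructed, and the ALG path is a model of the general PPTP ALG idea rather than Junos's implementation.

```python
# Added illustration (not Junos code): a one-public-IP NAPT44 table for TCP
# versus GRE, with and without a PPTP-style ALG keyed on the GRE Call ID.
from dataclasses import dataclass, replace
from typing import Optional

PUBLIC_IP = "192.168.2.3"  # the single pool address from the thread


@dataclass(frozen=True)
class Pkt:
    proto: str                     # "tcp", "udp" or "gre"
    src: str                       # inside source address
    sport: Optional[int]           # None for GRE: plain GRE has no port field
    call_id: Optional[int] = None  # PPTP enhanced-GRE Call ID (RFC 2637 Key field)


class Napt44:
    """Source NAPT behind one public IP; pptp_alg mirrors enabling the ALG."""

    def __init__(self, public_ip: str, pptp_alg: bool = False):
        self.public_ip, self.pptp_alg = public_ip, pptp_alg
        self.next_port, self.next_call = 1024, 1
        self.bindings: dict = {}  # (proto, public port or call id) -> inside tuple

    def _alloc(self, proto: str, inside: tuple, counter: str) -> int:
        for key, owner in self.bindings.items():  # reuse an existing binding
            if key[0] == proto and owner == inside:
                return key[1]
        value = getattr(self, counter)            # hand out the next free value
        setattr(self, counter, value + 1)
        self.bindings[(proto, value)] = inside
        return value

    def translate(self, pkt: Pkt) -> Pkt:
        if pkt.proto in ("tcp", "udp"):           # ports give NAPT its multiplexing key
            port = self._alloc(pkt.proto, (pkt.src, pkt.sport), "next_port")
            return replace(pkt, src=self.public_ip, sport=port)
        if pkt.proto != "gre":
            raise ValueError(f"unsupported protocol {pkt.proto}")
        if self.pptp_alg and pkt.call_id is not None:
            # ALG: rewrite the Call ID so each inside host gets a unique public one
            cid = self._alloc("gre", (pkt.src, pkt.call_id), "next_call")
            return replace(pkt, src=self.public_ip, call_id=cid)
        # Plain "source dynamic": nothing to rewrite, so only one inside host can
        # own the public IP for GRE at a time and a second one collides.
        owner = self.bindings.setdefault(("gre", None), (pkt.src, None))
        if owner[0] != pkt.src:
            raise ValueError(f"GRE from {pkt.src} collides with {owner[0]}")
        return replace(pkt, src=self.public_ip)
```

The collision the plain path raises is what a second PPTP user behind the same NATPOOL address hits; the ALG path is why the 11.2R1 "junos-pptp" match is needed rather than a second GRE-only NAT term.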