[j-nsp] PPTP VPN through NAT on M10i

Jo Rhett jrhett at netconsonance.com
Mon Jan 23 13:41:51 EST 2012


For anyone who hits this thread looking for an answer, upgrading to 11.2 and then using the following NAT match rule worked perfectly:
match-direction output;
term PPTP_VPNs {
    from {
        source-address {
            192.168.1.0/24;
        }
        applications junos-pptp;
    }
    then {
        translated {
            source-pool NATPOOL;   # same pool as used by other rules
            translation-type {
                napt-44;
            }
        }
    }
}

I was able to remove the application definition at the bottom and the separate GRE-NATPOOL, streamlining the config.

> On Jan 17, 2012, at 8:27 PM, Alex Arseniev wrote:
>> If you have 100s of users and 1s of public IPs, you need NAPT44.
>> The way to use PPTP through NAPT44 on JUNOS is to activate PPTP ALG (more specifically, match on application "junos-pptp" in NAT rule or SFW rule) and PPTP ALG is supported from JUNOS 11.2R1.
>> HTH
>> Rgds
>> Alex
> ----- Original Message ----- From: "Jo Rhett" <jrhett at netconsonance.com>
> To: <juniper-nsp at puck.nether.net>
> Sent: Tuesday, January 17, 2012 3:19 AM
> Subject: [j-nsp] PPTP VPN through NAT on M10i
> 
> 
> I've got a problem with NAT on an M10i with Junos 10.4. Simple PNAP interface, works fine for TCP and UDP.  Doesn't work for PPTP or IPSEC. Way back in my mind I remember something about having to create a second NAT rule without port mapping, but it's not working. I'm pretty sure I'm forgetting something here.  Can someone spare a 2x4 and clue me over the head?
> 
> ---yes, I know that the filters in the configuration below aren't active.
> 
> Here's the configuration now:
> 
> interfaces {
>   ge-0/0/0 {
>       unit 0 {
>           family inet {
>               address 192.168.1.1/24;
>           }
>       }
>   }
>   ge-0/1/0 {
>       unit 0 {
>           family inet {
>               service {
>                   input {
>                       service-set NAT;
>                   }
>                   output {
>                       service-set NAT;
>                   }
>               }
>               address 192.168.2.1/24;
>           }
>       }
>   }
>   sp-0/3/0 {
>       unit 0 {
>           family inet;
>       }
>   }
> 
> ….
> 
> firewall {
>   filter UNTRUST-IN {
>       term ICMP {
>           from {
>               destination-address {
>                   192.168.2.1/4;
>               }
>               protocol icmp;
>           }
>           then accept;
>       }
>       term EVERYTHING-ELSE {
>           then {
>               discard;
>           }
>       }
>   }
>   filter TRUST-OUT {
>       term IPOUT {
>           from {
>               source-address {
>                   192.168.1.0/24;
>               }
>               destination-address {
>                   0.0.0.0/0;
>               }
>           }
>           then accept;
>       }
>   }
> }
> services {
>   service-set NAT {
>       nat-rules Outbound;
>       interface-service {
>           service-interface sp-0/3/0.0;
>       }
>   }
>   nat {
>       pool NATPOOL {
>           address 192.168.2.3/32;
>           port {
>               automatic;
>           }
>       }
>       pool GRE-NATPOOL {
>           address 192.168.2.3/32;
>       }
>       rule Outbound {
>           match-direction output;
>           term PPTP_VPNs {
>               from {
>                   source-address {
>                       192.168.1.0/24;
>                   }
>                   applications GRE-PPTP;
>               }
>               then {
>                   translated {
>                       source-pool GRE-NATPOOL;
>                       translation-type {
>                           source dynamic;
>                       }
>                   }
>               }
>           }
>           term Else {
>               from {
>                   source-address {
>                       192.168.1.0/24;
>                   }
>               }
>               then {
>                   translated {
>                       source-pool NATPOOL;
>                       translation-type {
>                           source dynamic;
>                       }
>                   }
>               }
>           }
>       }
>   }
>   adaptive-services-pics {
>       traceoptions {
>           flag all;
>       }
>   }
> }
> applications {
>   application GRE-PPTP {
>       protocol gre;
>   }
> }


-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness
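
Added example, not from the thread and not Juniper's code: a small Python lint that parses Junos brace-style config text into nested dicts and flags the two things this thread resolved, a NAT term that matches a hand-rolled GRE application instead of junos-pptp (so the PPTP ALG never sees the call) and a term whose source-pool is not defined. The parser and the abridged sample configs are my own constructions.

```python
# Added example, not from the thread: parse Junos brace config into nested dicts
# and flag NAT terms that use a hand-rolled GRE app instead of junos-pptp, or an undefined pool.
import re

def parse_junos(text):
    stack, buf = [{}], ''                    # stack[0] is the root of the parsed config
    for tok in re.findall(r'[{};]|[^{};]+', re.sub(r'#[^\n]*', '', text)):
        key = ' '.join(buf.split())          # normalise whitespace in the pending statement
        if tok == '{':                       # block header, e.g. "pool NATPOOL {"
            stack[-1][key] = child = {}
            stack.append(child)
        elif tok == ';':                     # leaf statement, e.g. "applications junos-pptp;"
            stack[-1][key] = None
        elif tok == '}':
            stack.pop()
        else:
            buf += tok                       # text between delimiters, keep collecting
            continue
        buf = ''
    if len(stack) != 1:
        raise ValueError('unbalanced braces')
    return stack[0]

def lint_nat(conf):
    """Return findings for every term of every NAT rule in a parsed config."""
    nat = conf.get('services', {}).get('nat', {})
    pools = {k.split()[1] for k in nat if k.startswith('pool ')}
    gre_apps = {k.split()[1] for k, v in conf.get('applications', {}).items()
                if k.startswith('application ') and 'protocol gre' in v}
    terms = [(r, t, rule[t]) for r, rule in nat.items() if r.startswith('rule ')
             for t in rule if t.startswith('term ')]
    out = []
    for rname, tname, term in terms:
        where = f'{rname} {tname}'
        for k in term.get('then', {}).get('translated', {}):
            if k.startswith('source-pool ') and k.split()[1] not in pools:
                out.append(f'{where}: source-pool {k.split()[1]} is not defined')
        for k in term.get('from', {}):
            if k.startswith('applications ') and k.split()[1] in gre_apps:
                out.append(f'{where}: {k.split()[1]} is plain GRE; match junos-pptp so the PPTP ALG tracks the call')
    return out

# Constructed samples, abridged from the thread; GRE-NATPOOL is left undefined on purpose.
BEFORE = """services { nat { pool NATPOOL { address 192.168.2.3/32; port { automatic; } }
  rule Outbound { match-direction output; term PPTP_VPNs {
    from { source-address { 192.168.1.0/24; } applications GRE-PPTP; }
    then { translated { source-pool GRE-NATPOOL; translation-type { source dynamic; } } } } } } }
applications { application GRE-PPTP { protocol gre; } }"""
AFTER = (BEFORE.replace('GRE-PPTP;', 'junos-pptp;').replace('GRE-NATPOOL', 'NATPOOL')
         .replace('source dynamic', 'napt-44'))
```

Running lint_nat(parse_junos(BEFORE)) reports both problems; the same call on AFTER, which is the 11.2 fix from the top of the thread, reports nothing.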
