[j-nsp] PPTP VPN through NAT on M10i
Jo Rhett
jrhett at netconsonance.com
Mon Jan 23 13:41:51 EST 2012
For anyone who hits this thread looking for an answer, upgrading to 11.2 and then using the following NAT match rule worked perfectly:
match-direction output;
term PPTP_VPNs {
    from {
        source-address {
            192.168.1.0/24;
        }
        applications junos-pptp;
    }
    then {
        translated {
            source-pool NATPOOL;    # same pool as used by other rules
            translation-type {
                napt-44;
            }
        }
    }
}
I was able to remove the application definition at the bottom and the separate GRE-NATPOOL, streamlining the config.
> On Jan 17, 2012, at 8:27 PM, Alex Arseniev wrote:
>> If you have 100s of users and 1s of public IPs, that means you need NAPT44.
>> The way to use PPTP through NAPT44 on JUNOS is to activate the PPTP ALG (more specifically, match on application "junos-pptp" in a NAT rule or SFW rule), and the PPTP ALG is supported from JUNOS 11.2R1.
>> HTH
>> Rgds
>> Alex
> ----- Original Message ----- From: "Jo Rhett" <jrhett at netconsonance.com>
> To: <juniper-nsp at puck.nether.net>
> Sent: Tuesday, January 17, 2012 3:19 AM
> Subject: [j-nsp] PPTP VPN through NAT on M10i
>
>
> I've got a problem with NAT on an M10i with Junos 10.4. Simple PNAP interface, works fine for TCP and UDP. Doesn't work for PPTP or IPSEC. Way back in my mind I remember something about having to create a second NAT rule without port mapping, but it's not working. I'm pretty sure I'm forgetting something here. Can someone spare a 2x4 and clue me over the head?
>
> ---yes, I know that the filters in the configuration below aren't active.
>
> Here's the configuration now:
>
> interfaces {
>     ge-0/0/0 {
>         unit 0 {
>             family inet {
>                 address 192.168.1.1/24;
>             }
>         }
>     }
>     ge-0/1/0 {
>         unit 0 {
>             family inet {
>                 service {
>                     input {
>                         service-set NAT;
>                     }
>                     output {
>                         service-set NAT;
>                     }
>                 }
>                 address 192.168.2.1/24;
>             }
>         }
>     }
>     sp-0/3/0 {
>         unit 0 {
>             family inet;
>         }
>     }
>
> ….
>
> firewall {
>     filter UNTRUST-IN {
>         term ICMP {
>             from {
>                 destination-address {
>                     192.168.2.1/4;
>                 }
>                 protocol icmp;
>             }
>             then accept;
>         }
>         term EVERYTHING-ELSE {
>             then {
>                 discard;
>             }
>         }
>     }
>     filter TRUST-OUT {
>         term IPOUT {
>             from {
>                 source-address {
>                     192.168.1.0/24;
>                 }
>                 destination-address {
>                     0.0.0.0/0;
>                 }
>             }
>             then accept;
>         }
>     }
> }
> services {
>     service-set NAT {
>         nat-rules Outbound;
>         interface-service {
>             service-interface sp-0/3/0.0;
>         }
>     }
>     nat {
>         pool NATPOOL {
>             address 192.168.2.3/32;
>             port {
>                 automatic;
>             }
>         }
>         pool GRE-NATPOOL {
>             address 192.168.2.3/32;
>         }
>         rule Outbound {
>             match-direction output;
>             term PPTP_VPNs {
>                 from {
>                     source-address {
>                         192.168.1.0/24;
>                     }
>                     applications GRE-PPTP;
>                 }
>                 then {
>                     translated {
>                         source-pool GRE-NATPOOL;
>                         translation-type {
>                             source dynamic;
>                         }
>                     }
>                 }
>             }
>             term Else {
>                 from {
>                     source-address {
>                         192.168.1.0/24;
>                     }
>                 }
>                 then {
>                     translated {
>                         source-pool NATPOOL;
>                         translation-type {
>                             source dynamic;
>                         }
>                     }
>                 }
>             }
>         }
>     }
>     adaptive-services-pics {
>         traceoptions {
>             flag all;
>         }
>     }
> }
> applications {
>     application GRE-PPTP {
>         protocol gre;
>     }
> }
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness
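Alex's point above (PPTP only survives NAPT44 once the PPTP ALG is engaged by matching "junos-pptp") and Jo's working rule both come down to one fact: GRE carries no port numbers, so the only thing a NAT can key on is the PPTP Call ID that each client chooses on the TCP/1723 control channel. The Python model below is an added example for this thread; it is not Junos code and does not reproduce the Junos ALG. It shows the bookkeeping an ALG has to do: allocate NAT-unique Call IDs for Outgoing-Call-Requests, restore them in the server's Outgoing-Call-Reply, and route inbound GRE by the key field. The inside hosts, the Call IDs, the 0x8000 allocation range, the PptpAlg class and the constructed messages are all assumptions of the example; the message layouts follow RFC 2637.

```python
"""Model of what a PPTP ALG adds to NAPT44. Added example for this thread; it is
not Junos code and does not reproduce the Junos ALG.

PPTP data rides in GRE (IP protocol 47), which has no ports for NAPT44 to translate.
The only demultiplexing key is the 16-bit Call ID in the enhanced GRE header
(RFC 2637), chosen by each client on the TCP/1723 control channel, so two inside
hosts can collide. The ALG rewrites Call IDs on the control channel and maps GRE by them."""
import struct

PPTP_MAGIC, GRE_PPTP_PROTO = 0x1A2B3C4D, 0x880B
OUT_CALL_REQUEST, OUT_CALL_REPLY = 7, 8
CTRL_HDR = struct.Struct("!HHIHH")  # length, message type, magic, control type, reserved0
GRE_HDR = struct.Struct("!HHHH")    # flags/version, protocol, payload length, call id (key)

def ctrl_type(msg):
    """Return the control message type, rejecting anything that is not PPTP."""
    length, mtype, magic, ctype, _ = CTRL_HDR.unpack_from(msg)
    if magic != PPTP_MAGIC or mtype != 1 or length != len(msg):
        raise ValueError("not a PPTP control message")
    return ctype

def call_id_at(msg, offset):
    return struct.unpack_from("!H", msg, offset)[0]

def gre_call_id(pkt):
    """Call ID from the GRE key; require K=1 and version 1 (enhanced GRE)."""
    flags, proto, _, call_id = GRE_HDR.unpack_from(pkt)
    if proto != GRE_PPTP_PROTO or (flags & 0x2007) != 0x2001:
        raise ValueError("not PPTP enhanced GRE")
    return call_id

class PptpAlg:
    def __init__(self, first_public_id=0x8000):
        self.next_id = first_public_id   # assumed NAT-side Call ID range; wrap-around not handled
        self.by_public = {}              # public call id -> (inside host, inside call id)
        self.server_calls = set()        # (inside host, server call id) once the call is up

    def outbound_control(self, host, msg):
        """Inside host -> server: give the Outgoing-Call-Request a NAT-unique Call ID."""
        if ctrl_type(msg) != OUT_CALL_REQUEST:
            return msg
        inside_id = call_id_at(msg, 12)
        pub_id, self.next_id = self.next_id, self.next_id + 1
        self.by_public[pub_id] = (host, inside_id)
        return msg[:12] + struct.pack("!H", pub_id) + msg[14:]

    def inbound_control(self, host, msg):
        """Server -> inside host: Peer's Call ID echoes our public value; restore the original."""
        if ctrl_type(msg) != OUT_CALL_REPLY:
            return msg
        server_id, peer_id = struct.unpack_from("!HH", msg, 12)
        owner, inside_id = self.by_public.get(peer_id, (None, None))
        if owner != host:          # reply for a call this host never placed: drop it
            return None
        self.server_calls.add((host, server_id))
        return msg[:14] + struct.pack("!H", inside_id) + msg[16:]

    def inbound_gre(self, pkt):
        """Server -> client data: key holds the client's Call ID; map it and rewrite."""
        pub_id = gre_call_id(pkt)
        if pub_id not in self.by_public:
            return None            # no call state and no port to fall back on: drop
        host, inside_id = self.by_public[pub_id]
        return host, pkt[:6] + struct.pack("!H", inside_id) + pkt[8:]

    def outbound_gre(self, host, pkt):
        """Client -> server data: key holds the server's Call ID; pass only known calls."""
        return pkt if (host, gre_call_id(pkt)) in self.server_calls else None

def out_call_request(call_id, serial=1):  # constructed message, field sizes per RFC 2637
    body = struct.pack("!HHIIIIHHHH", call_id, serial, 300, 100_000_000, 1, 1, 64, 0, 0, 0)
    body += bytes(128)                                   # phone number + subaddress
    return CTRL_HDR.pack(12 + len(body), 1, PPTP_MAGIC, OUT_CALL_REQUEST, 0) + body

def out_call_reply(server_id, peer_id):   # constructed message, field sizes per RFC 2637
    body = struct.pack("!HHBBHIHHI", server_id, peer_id, 1, 0, 0, 10_000_000, 64, 0, 0)
    return CTRL_HDR.pack(12 + len(body), 1, PPTP_MAGIC, OUT_CALL_REPLY, 0) + body

def gre_packet(call_id, payload=b"\xff\x03\x00\x21"):
    # flags 0x3001: K and S set, version 1; a 4-byte sequence number follows the key
    return GRE_HDR.pack(0x3001, GRE_PPTP_PROTO, len(payload), call_id) + bytes(4) + payload

def demo():
    """Two inside hosts both pick Call ID 1; show the ALG keeps their GRE apart."""
    alg = PptpAlg()
    req_a = alg.outbound_control("192.168.1.10", out_call_request(1))
    req_b = alg.outbound_control("192.168.1.11", out_call_request(1))
    rep_a = alg.inbound_control("192.168.1.10", out_call_reply(500, call_id_at(req_a, 12)))
    rep_b = alg.inbound_control("192.168.1.11", out_call_reply(501, call_id_at(req_b, 12)))
    return {
        "public_ids": (call_id_at(req_a, 12), call_id_at(req_b, 12)),
        "restored_peer_ids": (call_id_at(rep_a, 14), call_id_at(rep_b, 14)),
        "gre_to_a": alg.inbound_gre(gre_packet(call_id_at(req_a, 12))),
        "gre_to_b": alg.inbound_gre(gre_packet(call_id_at(req_b, 12))),
        "gre_unknown": alg.inbound_gre(gre_packet(1)),
        "gre_from_a": alg.outbound_gre("192.168.1.10", gre_packet(500)) is not None,
        "gre_spoofed": alg.outbound_gre("192.168.1.11", gre_packet(500)),
    }
```

demo() walks two inside hosts that both chose Call ID 1 through a call setup: the ALG hands them 0x8000 and 0x8001 on the wire, restores 1 in each server reply, and delivers the server's GRE to the right host by its key. It also shows what a port-less pool alone (the GRE-NATPOOL approach in the original config) leaves the NAT with: a GRE packet whose Call ID matches no tracked call has nothing to demultiplex on and is dropped, and an inside host cannot send GRE for a call it did not set up. A real ALG also has to handle Incoming-Call messages, Call-Clear-Request teardown and idle timeouts, which this model omits.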