[j-nsp] mx80 napt-44 with ms-mic on 13.2R5

Alexander Arseniev arseniev at btinternet.com
Wed Oct 8 16:51:33 EDT 2014

Thanks for posting this.
A few questions please if I may:
1/ where this snippet is applied to/taken from?

unit 0 {
     description <snip>;
     family inet {
         filter {
             input INTERNET-IN;
             output INTERNET-OUT;

Is it applied on (a) er2 interface connected to er1? (b) on er2 
interface connected to peer2, (c) on er2 interface connected to cs2/cs1?
You don't need all 3 application points on each router with same 
service-set+service-filters combo. The most You need is 1 : 
er[12]-cs[12] interfaces, on er[12] side only, where private clients are 
L3-terminated. In fact, if this snippet is applied on er2-peer2 
interface, it will cause You issues, see below.
2/ What this "term 2" is supposed to do?
     term 2 {
         from {
             destination-address {
         then service;
I believe this is the root cause  of Your issues because if a SYN-ACK 
arrives to er2 via peer2, and hits this "term 2", it will attempt to 
create a new session and will fail because it is a SYN-ACK.
Please remove term 2 from SFILTER-IN, and remove "family inet service" 
altogether from er1-er2 interfaces on both sides, and er[12]-peer[12] 
interfaces on er[12] side. Your SFILTER-IN must catch only private 
src.ips for Your interface-style NAT to work properly. Your SFILTER-OUT 
does not have any functionality apart from skipping uninterested 
traffic, as long as everything is in same routing-instance.  Return 
internet-> NAT pool traffic is attracted by NAT routes which You 
supposedly advertise out.

On 08/10/2014 21:20, ryanL wrote:
> unit 0 {
>     description <snip>;
>     family inet {
>         filter {
>             input INTERNET-IN;
>             output INTERNET-OUT;
>         }

More information about the juniper-nsp mailing list