[j-nsp] mx80 napt-44 with ms-mic on 13.2R5

ryanL ryan.landry at gmail.com
Wed Oct 8 18:49:37 EDT 2014 

the INTERNET-IN filter is applied on the peer links only. i have an
"accept" for anything destined to the nat pool subnets, on both edge
routers.

i have done what you advised, and that appears to have cleared up the
second session. thank you. makes a lot more sense to me now in terms of how
to get traffic in and out of the ms-mic. i also found a typo with my
attempt to attract nat routes which you correctly doubted me on! =)

if you are ever in SF, i'm buying beers.


On Wed, Oct 8, 2014 at 1:51 PM, Alexander Arseniev <arseniev at btinternet.com>
wrote:

>  Hello,
> Thanks for posting this.
> A few questions please if I may:
> 1/ where this snippet is applied to/taken from?
>
> unit 0 {
>     description <snip>;
>     family inet {
>         filter {
>             input INTERNET-IN;
>             output INTERNET-OUT;
>         }
>
> Is it applied on (a) er2 interface connected to er1? (b) on er2 interface
> connected to peer2, (c) on er2 interface connected to cs2/cs1?
> You don't need all 3 application points on each router with same
> service-set+service-filters combo. The most You need is 1 : er[12]-cs[12]
> interfaces, on er[12] side only, where private clients are L3-terminated.
> In fact, if this snippet is applied on er2-peer2 interface, it will cause
> You issues, see below.
> 2/ What this "term 2" is supposed to do?
>     term 2 {
>         from {
>             destination-address {
>                 $natpool-ip/28;
>             }
>         }
>         then service;
>     }
> I believe this is the root cause  of Your issues because if a SYN-ACK
> arrives to er2 via peer2, and hits this "term 2", it will attempt to create
> a new session and will fail because it is a SYN-ACK.
> Please remove term 2 from SFILTER-IN, and remove "family inet service"
> altogether from er1-er2 interfaces on both sides, and er[12]-peer[12]
> interfaces on er[12] side. Your SFILTER-IN must catch only private src.ips
> for Your interface-style NAT to work properly. Your SFILTER-OUT does not
> have any functionality apart from skipping uninterested traffic, as long as
> everything is in same routing-instance.  Return internet-> NAT pool traffic
> is attracted by NAT routes which You supposedly advertise out.
> HTH
> thanks
> Alex
>
>  On 08/10/2014 21:20, ryanL wrote:
>
> unit 0 {
>     description <snip>;
>     family inet {
>         filter {
>             input INTERNET-IN;
>             output INTERNET-OUT;
>         }
>
>
>

More information about the juniper-nsp mailing list