[j-nsp] mx80 napt-44 with ms-mic on 13.2R5
ryanL
ryan.landry at gmail.com
Wed Sep 24 12:37:52 EDT 2014
thanks for the replies, folks. indeed it was the no-translation thing that
is hanging up the commit, and not the reported napt-44 statement. silly
defect.
i'm using this now:
rule NAT-RULE1 {
    match-direction input;
    term term-2 {
        from {
            source-address {
                10.0.0.0/8;
            }
            destination-address {
                0.0.0.0/0;
                10.0.0.0/8 except; #<---- (good suggestion)
            }
        }
        then {
            translated {
                source-pool NP2;
                translation-type {
                    napt-44;
                }
            }
        }
    }
}
and that seems to commit ok.
however, implementing this on customer-facing interfaces broke the
customer, dropped BGP sessions, etc. my goal is to only nat traffic if it
is sourced from 10/8 and destined to anything other than 10/8. the NAT pool
is a static discard route exported in iBGP to ensure that this router
attracts return internet traffic in order to keep proper state.
what am i doing wrong? the documentation is quite poor for this module's
implementation, and sadly i don't have a lab to play with.
On Wed, Sep 24, 2014 at 2:13 AM, Alexander Arseniev <arseniev at btinternet.com> wrote:
> napt44 is most definitely supported on MS-MIC
> http://www.juniper.net/techpubs/en_US/junos13.2/topics/reference/general/nat-implementations-feature-comparison.html
> What is not supported is "no-translation" knob.
> Please change Your config to (rough cut):
> 1/ delete term-1, and
> 2/ change term-2 to:
>
> + term term-2 {
> + from {
> + source-address {
> + 10.0.0.0/8;
> + }
> + destination-address {
> + 0.0.0.0/0;
> + 10.0.0.0/8 except;
> + }
> + }
> + then {
> + translated {
> + source-pool NP2;
> + translation-type {
> + napt-44;
> + }
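Review bot: the fragment stops at the closing brace of `translation-type`, so `translated`, `then` and `term term-2` are left open. Three more closing braces are needed before it can be loaded as written; the `from` block itself is complete.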
>
> - then re-test and report back please.
> Thanks
> Alex
>
>
> On 24/09/2014 06:47, ryanL wrote:
>
>> has anyone been successful here? i'm getting the following error, even
>> though juniper's docs seem to indicate this is supported on the ms-mic
>> with
>> 13.2.
>>
>> my ref guides are:
>> http://www.juniper.net/techpubs/en_US/junos13.2/information-products/topic-collections/config-guide-services/index.html?features-ms-mic.html
>> http://www.juniper.net/techpubs/en_US/junos13.2/topics/example/nat-nat44-config-ms-mpc.html
>>
>> ry at iad1-er2# show | compare
>> [edit]
>> + services {
>> + service-set SSET1 {
>> + nat-rules NAT-RULE1;
>> + interface-service {
>> + service-interface ms-0/2/0;
>> + }
>> + }
>> + nat {
>> + pool NP2 {
>> + address <pub_space>/28;
>> + port {
>> + automatic;
>> + }
>> + }
>> + rule NAT-RULE1 {
>> + match-direction input;
>> + term term-1 {
>> + from {
>> + source-address {
>> + 10.0.0.0/8;
>> + }
>> + destination-address {
>> + 10.0.0.0/8;
>> + }
>> + }
>> + then {
>> + no-translation;
>> + }
>> + }
>> + term term-2 {
>> + from {
>> + source-address {
>> + 10.0.0.0/8;
>> + }
>> + }
>> + then {
>> + translated {
>> + source-pool NP2;
>> + translation-type {
>> + napt-44;
>> + }
>> + }
>> + }
>> + }
>> + }
>> + }
>> + }
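Review bot: in term-1, `then { no-translation; }` is the statement to look at for the commit check failure on this service interface. The reply in this thread states that the "no-translation" knob is not supported on MS-MIC, which points away from `napt-44` in term-2 as the cause. Removing term-1 and giving term-2 a `destination-address` list of `0.0.0.0/0;` plus `10.0.0.0/8 except;` expresses the same exemption without that knob. As posted, term-2 has no destination match at all, so it relies entirely on term-1 to keep 10/8-to-10/8 traffic untranslated.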
>> [edit interfaces]
>> + ms-0/2/0 {
>> + unit 0 {
>> + family inet;
>> + }
>> + }
>>
>> [edit]
>> ry at iad1-er2# commit check
>> [edit services]
>> 'service-set SSET1'
>> translation type not supported on ms-interface
>> error: configuration check-out failed
>>
>> [edit]
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
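The address match discussed in this thread (source in 10/8, destination anything except 10/8) can be checked offline against sample flows before it goes onto a customer-facing interface. The Python sketch below is an added example, not code from either poster or from Juniper; it assumes the longest matching prefix in an address list decides and that an `except` entry negates the match, and all flows are constructed.

```python
import ipaddress

# term-2's from clause as posted in the thread: (prefix, is_except) pairs.
SOURCE = [("10.0.0.0/8", False)]
DESTINATION = [("0.0.0.0/0", False), ("10.0.0.0/8", True)]

def address_list_matches(addr, entries):
    """Assumed semantics: the longest matching prefix decides, and an
    `except` entry turns that into a non-match."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, is_except in entries:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, is_except)
    return best is not None and not best[1]

def selected_for_napt(src, dst):
    """True when a flow matches both address lists of the term."""
    return (address_list_matches(src, SOURCE)
            and address_list_matches(dst, DESTINATION))

# Constructed flows (RFC 1918 and documentation addresses), not from the thread.
FLOWS = [
    ("10.1.2.3", "10.9.9.9", "tcp/443"),
    ("10.1.2.3", "198.51.100.7", "tcp/443"),
    ("192.0.2.10", "198.51.100.7", "tcp/443"),
    ("10.1.2.3", "192.0.2.1", "tcp/179"),  # the term matches on addresses only
]

def evaluate(flows):
    """Return each flow with the term's decision appended."""
    return [(s, d, svc, selected_for_napt(s, d)) for s, d, svc in flows]

if __name__ == "__main__":
    for s, d, svc, hit in evaluate(FLOWS):
        verdict = "translate" if hit else "no match"
        print(f"{s:>12} -> {d:<14} {svc:<8} {verdict}")
```

Because the term has no protocol or port condition, the constructed tcp/179 flow from a 10/8 source to a non-10/8 address is selected just like the web flow.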