[j-nsp] mx80 napt-44 with ms-mic on 13.2R5
Alexander Arseniev
arseniev at btinternet.com
Wed Sep 24 13:00:05 EDT 2014
I see You are using interface-style NAT - please exclude all control
traffic in the service-filters from being diverted to MS-MIC, like below
(rough cut, only BGP and BFD are excluded as an example):
set firewall family inet service-filter sf-in term 1 from protocol tcp
set firewall family inet service-filter sf-in term 1 from port 179
set firewall family inet service-filter sf-in term 1 then skip
set firewall family inet service-filter sf-in term 2 from protocol udp
set firewall family inet service-filter sf-in term 2 from port [ 3784 4784 ]
set firewall family inet service-filter sf-in term 2 then skip
set firewall family inet service-filter sf-in term 3 then service
set firewall family inet service-filter sf-out term 1 from protocol tcp
set firewall family inet service-filter sf-out term 1 from port 179
set firewall family inet service-filter sf-out term 1 then skip
set firewall family inet service-filter sf-out term 2 from protocol udp
set firewall family inet service-filter sf-out term 2 from port [ 3784 4784 ]
set firewall family inet service-filter sf-out term 2 then skip
set firewall family inet service-filter sf-out term 3 then service
set interfaces ge-0/0/0.0 family inet service input service-set SSET1 service-filter sf-in
set interfaces ge-0/0/0.0 family inet service output service-set SSET1 service-filter sf-out
Alternatively, You can construct service-filters in such a way that only
"interested" traffic is diverted to MS-MIC:
set firewall family inet service-filter sf-in term 1 from source-address 10/8
set firewall family inet service-filter sf-in term 1 from destination-address 0/0
set firewall family inet service-filter sf-in term 1 from destination-address 10/8 except
set firewall family inet service-filter sf-in term 1 then service
set firewall family inet service-filter sf-in term 2 then skip
set firewall family inet service-filter sf-out term 1 from destination-address <your nat pool route here>
set firewall family inet service-filter sf-out term 1 then service
set firewall family inet service-filter sf-out term 2 then skip
set interfaces ge-0/0/0.0 family inet service input service-set SSET1 service-filter sf-in
set interfaces ge-0/0/0.0 family inet service output service-set SSET1 service-filter sf-out
HTH
Thanks
Alex
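As an added illustration (not part of this thread, and not Juniper code or documentation), the Python script below parses the two service-filter variants from the reply above exactly as written and replays a few constructed packets through them, so you can see which packets an interface-style service set hands to the MS-MIC and which bypass it. It models the Junos rules as understood here: terms are evaluated in order and the first match wins, `port` matches either the source or the destination port, and address lists use the longest matching prefix with an `except` entry turning that match into a non-match. Assumptions: 198.51.100.0/28 stands in for the `<your nat pool route here>` placeholder, 10.200.0.0/30 is an invented customer-facing link, and every packet is constructed for the example.

```python
"""Replay of the two service-filter variants above (added example, not part of the
thread): parse 'set ... service-filter' statements and run constructed packets."""
import ipaddress

# Variant 1 from the reply: keep BGP and BFD off the MS-MIC, divert the rest.
CONTROL_PLANE_EXCLUDED = """
set firewall family inet service-filter sf-in term 1 from protocol tcp
set firewall family inet service-filter sf-in term 1 from port 179
set firewall family inet service-filter sf-in term 1 then skip
set firewall family inet service-filter sf-in term 2 from protocol udp
set firewall family inet service-filter sf-in term 2 from port [ 3784 4784 ]
set firewall family inet service-filter sf-in term 2 then skip
set firewall family inet service-filter sf-in term 3 then service
set firewall family inet service-filter sf-out term 1 from protocol tcp
set firewall family inet service-filter sf-out term 1 from port 179
set firewall family inet service-filter sf-out term 1 then skip
set firewall family inet service-filter sf-out term 2 from protocol udp
set firewall family inet service-filter sf-out term 2 from port [ 3784 4784 ]
set firewall family inet service-filter sf-out term 2 then skip
set firewall family inet service-filter sf-out term 3 then service
"""
# Variant 2: divert only 10/8 -> non-10/8 and returns to the (assumed) pool 198.51.100.0/28.
INTERESTED_ONLY = """
set firewall family inet service-filter sf-in term 1 from source-address 10/8
set firewall family inet service-filter sf-in term 1 from destination-address 0/0
set firewall family inet service-filter sf-in term 1 from destination-address 10/8 except
set firewall family inet service-filter sf-in term 1 then service
set firewall family inet service-filter sf-in term 2 then skip
set firewall family inet service-filter sf-out term 1 from destination-address 198.51.100.0/28
set firewall family inet service-filter sf-out term 1 then service
set firewall family inet service-filter sf-out term 2 then skip
"""
# No service-filter at all: an interface-style service set diverts every packet.
UNFILTERED = "set firewall family inet service-filter sf-in term 1 then service"
# Constructed packets; 10.200.0.0/30 is an assumed customer-facing link.
INPUT_PACKETS = {   # customer -> router (service input)
    "bgp from customer peer": dict(src="10.200.0.2", dst="10.200.0.1", proto="tcp", sport=50321, dport=179),
    "bfd from customer peer": dict(src="10.200.0.2", dst="10.200.0.1", proto="udp", sport=49152, dport=3784),
    "customer to internet": dict(src="10.7.1.20", dst="192.0.2.10", proto="tcp", sport=40000, dport=443),
    "customer to other 10/8 site": dict(src="10.7.1.20", dst="10.9.3.4", proto="tcp", sport=40001, dport=22),
}
OUTPUT_PACKETS = {  # router -> customer (service output)
    "internet reply to nat pool": dict(src="192.0.2.10", dst="198.51.100.5", proto="tcp", sport=443, dport=1025),
    "bgp to customer peer": dict(src="10.200.0.1", dst="10.200.0.2", proto="tcp", sport=179, dport=50321),
}

def _net(text):
    """Expand Junos shorthand such as '10/8' or '0/0' to a full IPv4 prefix."""
    addr, plen = text.split("/")
    return ipaddress.ip_network(".".join((addr.split(".") + ["0"] * 4)[:4]) + "/" + plen, strict=False)

def parse_service_filters(config_text):
    """Return {filter_name: [term, ...]} with terms in configuration order."""
    filters = {}
    for line in config_text.splitlines():
        tok = line.split()
        if tok[:5] != ["set", "firewall", "family", "inet", "service-filter"] or len(tok) < 10:
            continue
        term = filters.setdefault(tok[5], {}).setdefault(tok[7], {
            "protocol": set(), "port": set(), "source-address": [], "destination-address": []})
        if tok[8] == "then":
            term["action"] = tok[9]  # 'service' (divert to the service set) or 'skip'
            continue
        key, values = tok[9], [v for v in tok[10:] if v not in ("[", "]")]
        if key == "protocol":
            term["protocol"].update(values)
        elif key == "port":  # Junos 'port' matches either source or destination port
            term["port"].update(int(v) for v in values)
        elif key in ("source-address", "destination-address"):
            term[key].append((_net(values[0]), values[-1] == "except"))
    return {name: list(terms.values()) for name, terms in filters.items()}

def _address_matches(addr, entries):
    """Longest containing prefix decides; an 'except' entry there makes it a non-match."""
    hits = [(net.prefixlen, exc) for net, exc in entries if addr in net]
    return bool(hits) and not max(hits, key=lambda h: h[0])[1]

def _term_matches(term, pkt):
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    return ((not term["protocol"] or pkt["proto"] in term["protocol"])
            and (not term["port"] or bool({pkt["sport"], pkt["dport"]} & term["port"]))
            and (not term["source-address"] or _address_matches(src, term["source-address"]))
            and (not term["destination-address"] or _address_matches(dst, term["destination-address"])))

def evaluate(terms, pkt):
    """First matching term's action; the implicit no-match action is deliberately not modelled."""
    for term in terms:
        if _term_matches(term, pkt):
            return term["action"]
    raise ValueError("no term matched: give the service-filter an explicit catch-all term")

def divert_table(config_text, filter_name, packets):
    """Map each packet label to the action the named filter takes on it."""
    terms = parse_service_filters(config_text)[filter_name]
    return {label: evaluate(terms, pkt) for label, pkt in packets.items()}

if __name__ == "__main__":
    print(divert_table(CONTROL_PLANE_EXCLUDED, "sf-in", INPUT_PACKETS))
```

Calling `divert_table(UNFILTERED, "sf-in", INPUT_PACKETS)` returns `service` for every packet, the customer's BGP and BFD included: that is the situation the reply above is correcting. Variant 1 skips only those two protocols and still diverts 10/8-to-10/8 traffic to the MS-MIC (where the NAT rule's `except` then leaves it untranslated); variant 2 never sends it there at all. The model refuses to evaluate a filter with no catch-all term rather than guess the implicit Junos action, so finish each filter, as the reply does, with an explicit `then service` or `then skip`.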
On 24/09/2014 17:37, ryanL wrote:
> thanks for the replies, folks. indeed it was the no-translation thing
> that is hanging up the commit, and not the reported napt-44 statement.
> silly defect.
>
> i'm using this now:
>
> rule NAT-RULE1 {
>     match-direction input;
>     term term-2 {
>         from {
>             source-address {
>                 10.0.0.0/8;
>             }
>             destination-address {
>                 0.0.0.0/0;
>                 10.0.0.0/8 except;    #<---- (good suggestion)
>             }
>         }
>         then {
>             translated {
>                 source-pool NP2;
>                 translation-type {
>                     napt-44;
>
> and that seems to commit ok.
>
> however, implementing this on customer-facing interfaces broke the
> customer, dropped BGP sessions, etc. my goal is to only nat traffic if
> it is sourced from 10/8 and destined to anything other than 10/8. the
> NAT pool is a static discard route exported in iBGP to ensure that
> this router attracts return internet traffic in order to keep proper
> state.
>
> what am i doing wrong? the documentation is quite poor for this
> module's implementation, and sadly i don't have a lab to play with.
>
> On Wed, Sep 24, 2014 at 2:13 AM, Alexander Arseniev
> <arseniev at btinternet.com> wrote:
>
> napt44 is most definitely supported on MS-MIC
> http://www.juniper.net/techpubs/en_US/junos13.2/topics/reference/general/nat-implementations-feature-comparison.html
>
> What is not supported is "no-translation" knob.
> Please change Your config to (rough cut):
> 1/ delete term-1, and
> 2/ change term-2 to:
>
> + term term-2 {
> + from {
> + source-address {
> + 10.0.0.0/8;
> + }
> + destination-address {
> + 0.0.0.0/0;
> + 10.0.0.0/8 except;
> + }
> + }
> + then {
> + translated {
> + source-pool NP2;
> + translation-type {
> + napt-44;
> + }
>
> - then re-test and report back please.
> Thanks
> Alex
>
>
> On 24/09/2014 06:47, ryanL wrote:
>
> has anyone been successful here? i'm getting the following error, even
> though juniper's docs seem to indicate this is supported on the ms-mic with
> 13.2.
>
> my ref guides are:
> http://www.juniper.net/techpubs/en_US/junos13.2/information-products/topic-collections/config-guide-services/index.html?features-ms-mic.html
> http://www.juniper.net/techpubs/en_US/junos13.2/topics/example/nat-nat44-config-ms-mpc.html
>
> ry at iad1-er2# show | compare
> [edit]
> + services {
> + service-set SSET1 {
> + nat-rules NAT-RULE1;
> + interface-service {
> + service-interface ms-0/2/0;
> + }
> + }
> + nat {
> + pool NP2 {
> + address <pub_space>/28;
> + port {
> + automatic;
> + }
> + }
> + rule NAT-RULE1 {
> + match-direction input;
> + term term-1 {
> + from {
> + source-address {
> + 10.0.0.0/8;
> + }
> + destination-address {
> + 10.0.0.0/8;
> + }
> + }
> + then {
> + no-translation;
> + }
> + }
> + term term-2 {
> + from {
> + source-address {
> + 10.0.0.0/8;
> + }
> + }
> + then {
> + translated {
> + source-pool NP2;
> + translation-type {
> + napt-44;
> + }
> + }
> + }
> + }
> + }
> + }
> + }
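Review bot: `term term-1` ends in `then no-translation`, and that statement, not the napt-44 one, is what the commit check rejects on an MS interface (the replies in this thread confirm the `no-translation` knob is unsupported on the MS-MIC while napt-44 is), so the `translation type not supported on ms-interface` error points at term-1. Deleting term-1 on its own leaves term-2 matching only `source-address 10.0.0.0/8`, so 10/8-to-10/8 traffic would be translated as well; fold the exclusion into term-2's match instead, e.g. `destination-address { 0.0.0.0/0; 10.0.0.0/8 except; }`. Also, SSET1 is interface-style (`interface-service`) and nothing in the hunk attaches a service-filter to it, so once it is applied to a customer-facing interface every packet in that direction, BGP and BFD included, is diverted to ms-0/2/0; add input and output service-filters that `skip` control-plane traffic before the catch-all `service` term.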
> [edit interfaces]
> + ms-0/2/0 {
> + unit 0 {
> + family inet;
> + }
> + }
>
> [edit]
> ry at iad1-er2# commit check
> [edit services]
> 'service-set SSET1'
> translation type not supported on ms-interface
> error: configuration check-out failed
>
> [edit]
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> <mailto:juniper-nsp at puck.nether.net>
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>