[j-nsp] Reaching public IP addresses 'behind' an MS-DPC based CGNAT config in a MX480

Octavio Alfageme octavio.alfageme at gmail.com
Tue Jun 30 05:48:31 EDT 2015

Hello everyone,

We have a pretty academic next-hop style CGNAT (deterministic NAT)
configuration based on MS-DPCs in a couple of MX480s. In our case, the
incoming routing instance is a VRF and the outgoing one is the default
routing-instance (inet.0).'Behind' the MS-DPCs there are specific customers
with public IP addressing that, obviously, are not translated by means of
the right nat-rule configuration. Additionally, using rib-groups these
addresses are 'leaked' to the inet.0.

With the described config everything works fine. Every customer 'behing'
the CGNAT has IP connectivity regardless he is NATed (customers with
private IP addressing) or he isn't NATed (customers with public IP
addressing), as far as they begin the IP communication from the CGNAT's
internal routing-instance. Some of these public IP address customers want
to be reachable from the internet and here comes my problem. This is not a
proper port-forwarding config as far as there is neither address nor port
translation. Could you, please, tell me what I must use to allow incoming
sessions from the default routing instance reach public IP addresses
connected to the CGNAT's internal routing instance traversing the MS-DPCs.

Thanks in advance

Kind regards


More information about the juniper-nsp mailing list