[j-nsp] Reaching public IP addresses 'behind' an MS-DPC based CGNAT config in a MX480

Alexander Arseniev arseniev at btinternet.com
Tue Jun 30 09:18:28 EDT 2015 

Hello,
You just need a MSDPC SFW rule to allow that, also explicit SFW rule is 
required for other subs if You don't have any:

set services stateful-f rule  Allow-subs-2-inet match-direction input
set services stateful-f rule  Allow-subs-2-inet term 1 then accept

set services stateful-f rule  Allow-fm-inet-2-subs match-direction output
set services stateful-f rule  Allow-fm-inet-2-subs term 1 from 
destination-address <your public sub IP here>
set services stateful-f rule  Allow-fm-inet-2-subs term 1 then accept

set services service-set <Your SVC-set processing public subs> 
stateful-firewall-rules Allow-subs-2-inet
set services service-set <Your SVC-set processing public subs> 
stateful-firewall-rules Allow-fm-inet-2-subs

HTH
Thanks
Alex

On 30/06/2015 10:48, Octavio Alfageme wrote:
> Hello everyone,
>
> We have a pretty academic next-hop style CGNAT (deterministic NAT)
> configuration based on MS-DPCs in a couple of MX480s. In our case, the
> incoming routing instance is a VRF and the outgoing one is the default
> routing-instance (inet.0).'Behind' the MS-DPCs there are specific customers
> with public IP addressing that, obviously, are not translated by means of
> the right nat-rule configuration. Additionally, using rib-groups these
> addresses are 'leaked' to the inet.0.
>
> With the described config everything works fine. Every customer 'behing'
> the CGNAT has IP connectivity regardless he is NATed (customers with
> private IP addressing) or he isn't NATed (customers with public IP
> addressing), as far as they begin the IP communication from the CGNAT's
> internal routing-instance. Some of these public IP address customers want
> to be reachable from the internet and here comes my problem. This is not a
> proper port-forwarding config as far as there is neither address nor port
> translation. Could you, please, tell me what I must use to allow incoming
> sessions from the default routing instance reach public IP addresses
> connected to the CGNAT's internal routing instance traversing the MS-DPCs.
>
> Thanks in advance
>
> Kind regards
>
> Octavio
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp

More information about the juniper-nsp mailing list