[j-nsp] Basic NAT44 on MS-MPC implementation help

Josh Reynolds josh at kyneticwifi.com
Mon Jul 11 15:21:25 EDT 2016


Hi all.

I've gone through quite a few pages of juniper techpubs, but I'm
having a problem figuring out how to correctly implement your
standard, run of the mill NAT (ipv4) using an MS-MPC-128

Part of this may be design or topology related, and I was wondering if
someone could help me figure out a solution.


WAN-<----ae0----->CORE (MX960)<-----ae1----->EX4500

So I have a couple of ports on the EX4500's with different RFC6598
(CGNAT Range) subnets on them (routed ports), for various different
things (say range1, range2, range3, etc)

All I want to do, is route any traffic coming in to the CORE from
range1/2/3/etc to  a certain /32 (a different /32 for each range).
Pretty simple, your basic NAT setup.

My problem I think is how to apply this in somewhat a transparent
fashion. Currently, what I've pulled up off the web seems to break all
the things, as it seems like everything is getting forwarded through
the ms-mpc interface.

Here's what I have so far, if somebody could help me out real quick or
show me another method it would be greatly appreciated.
-----

customer ip range x.x.x.x
range to snat to y.y.y.y

set interfaces ae1 unit 0 family inet service input service-set CGNAT
set interfaces ae1 unit 0 family inet service output service-set CGNAT
set interfaces ms-3/0/0 unit 0 family inet

set applications application-set accept-algs application junos-http
set applications application-set accept-algs application junos-ftp
set applications application-set accept-algs application junos-tftp
set applications application-set accept-algs application junos-telnet
set applications application-set accept-algs application junos-sip

set services stateful-firewall rule centralolt01-data match-direction
input-output
set services stateful-firewall rule centralolt01-data term 1 from
source-address x.x.x.x/24
set services stateful-firewall rule centralolt01-data term 1 from
application-sets accept-algs
set services stateful-firewall rule centralolt01-data term 1 then accept
set services nat pool napt-pool address y.y.y.y/32
set services nat pool napt-pool port automatic auto

set services nat rule nat-rule1 match-direction input
set services nat rule nat-rule1 term nat-term1 from source-address
x.x.x.x/24 // NAT for the customer side
set services nat rule nat-rule1 term nat-term1 from application-sets accept-algs
set services nat rule nat-rule1 term nat-term1 then translated
source-pool napt-pool
set services nat rule nat-rule1 term nat-term1 then translated
translation-type napt-44


More information about the juniper-nsp mailing list