[j-nsp] Basic NAT44 on MS-MPC implementation help

Josh Reynolds josh at kyneticwifi.com
Tue Jul 12 13:28:57 EDT 2016


Here's what I've got going on now...

set services nat pool centralolt01 address xx.yy.196.3/32
set services nat rule cgnat match-direction input
set services nat rule cgnat term THINGTONAT1 from source-address 100.64.1.0/24
set services nat rule cgnat term THINGTONAT1 from destination-address 0.0.0.0/0
set services nat rule cgnat term THINGTONAT1 then translated source-pool centralolt01
set services nat rule cgnat term THINGTONAT1 then translated translation-type dynamic-nat44

set services service-set cgnat nat-rules cgnat
set services service-set cgnat interface-service service-interface ms-4/0/0

set chassis fpc 4 pic 0 inline-services bandwidth 20g

set interfaces ms-4/0/0 unit 0 family inet

set interfaces ae1 unit 0 family inet service input service-set cgnat service-filter sf-in
set interfaces ae1 unit 0 family inet service output service-set cgnat service-filter sf-out

MAP: WAN <----- border mx -----><----- core mx (ms-mpc-128) -----> transport routers

Between the border mx and core is a LAG group with OSPF running on it,
same goes between the core mx and the transport routers.

Filter: __service-cgnat:sf-in
Counters:
Name                                                Bytes              Packets
sf-in-filter-hit                                    54354                  824

Filter: __service-cgnat:sf-out
Counters:
Name                                                Bytes              Packets
sf-out-filter-excluded-from-nat                  10064529                19915

So my rule is getting hit, but for some reason traffic can't make it
past the core router to the border. Is it because this address pool
I'm using for SNAT is done inline, and doesn't actually exist
anywhere? If that's so, it makes sense, I just don't know how to go
about fixing that.

Any help or insight would be appreciated. Thank you.



On Mon, Jul 11, 2016 at 2:21 PM, Josh Reynolds <josh at kyneticwifi.com> wrote:
> Hi all.
>
> I've gone through quite a few pages of Juniper techpubs, but I'm
> having a problem figuring out how to correctly implement your
> standard, run-of-the-mill NAT (IPv4) using an MS-MPC-128.
>
> Part of this may be design or topology related, and I was wondering if
> someone could help me figure out a solution.
>
>
> WAN-<----ae0----->CORE (MX960)<-----ae1----->EX4500
>
> So I have a couple of ports on the EX4500s with different RFC 6598
> (CGNAT range) subnets on them (routed ports), for various different
> things (say range1, range2, range3, etc.).
>
> All I want to do is route any traffic coming in to the CORE from
> range1/2/3/etc. to a certain /32 (a different /32 for each range).
> Pretty simple, your basic NAT setup.
>
> My problem, I think, is how to apply this in a somewhat transparent
> fashion. Currently, what I've pulled up off the web seems to break all
> the things, as it seems like everything is getting forwarded through
> the ms-mpc interface.
>
> Here's what I have so far, if somebody could help me out real quick or
> show me another method it would be greatly appreciated.
> -----
>
> customer ip range x.x.x.x
> range to snat to y.y.y.y
>
> set interfaces ae1 unit 0 family inet service input service-set CGNAT
> set interfaces ae1 unit 0 family inet service output service-set CGNAT
> set interfaces ms-3/0/0 unit 0 family inet
>
> set applications application-set accept-algs application junos-http
> set applications application-set accept-algs application junos-ftp
> set applications application-set accept-algs application junos-tftp
> set applications application-set accept-algs application junos-telnet
> set applications application-set accept-algs application junos-sip
>
> set services stateful-firewall rule centralolt01-data match-direction input-output
> set services stateful-firewall rule centralolt01-data term 1 from source-address x.x.x.x/24
> set services stateful-firewall rule centralolt01-data term 1 from application-sets accept-algs
> set services stateful-firewall rule centralolt01-data term 1 then accept
> set services nat pool napt-pool address y.y.y.y/32
> set services nat pool napt-pool port automatic auto
>
> set services nat rule nat-rule1 match-direction input
> set services nat rule nat-rule1 term nat-term1 from source-address x.x.x.x/24 // NAT for the customer side
> set services nat rule nat-rule1 term nat-term1 from application-sets accept-algs
> set services nat rule nat-rule1 term nat-term1 then translated source-pool napt-pool
> set services nat rule nat-rule1 term nat-term1 then translated translation-type napt-44

