[j-nsp] Basic NAT44 on MS-MPC implementation help

Josh Reynolds josh at kyneticwifi.com
Tue Jul 12 13:45:53 EDT 2016


Oops, forgot service filter part:

set firewall family inet service-filter sf-in term 1 from source-address 100.64.0.0/10
set firewall family inet service-filter sf-in term 1 from destination-address 0.0.0.0/0
set firewall family inet service-filter sf-in term 1 from destination-address 100.64.0.0/10 except
set firewall family inet service-filter sf-in term 1 then count sf-in-filter-hit
set firewall family inet service-filter sf-in term 1 then service
set firewall family inet service-filter sf-in term 2 then skip
set firewall family inet service-filter sf-out term 1 then count sf-out-filter-excluded-from-nat
set firewall family inet service-filter sf-out term 1 then skip

On Tue, Jul 12, 2016 at 12:28 PM, Josh Reynolds <josh at kyneticwifi.com> wrote:
> Here's what I've got going on now...
>
> set services nat pool centralolt01 address xx.yy.196.3/32
> set services nat rule cgnat match-direction input
> set services nat rule cgnat term THINGTONAT1 from source-address 100.64.1.0/24
> set services nat rule cgnat term THINGTONAT1 from destination-address 0.0.0.0/0
> set services nat rule cgnat term THINGTONAT1 then translated source-pool centralolt01
> set services nat rule cgnat term THINGTONAT1 then translated translation-type dynamic-nat44
>
> set services service-set cgnat nat-rules cgnat
> set services service-set cgnat interface-service service-interface ms-4/0/0
>
> set chassis fpc 4 pic 0 inline-services bandwidth 20g
>
> set interfaces ms-4/0/0 unit 0 family inet
>
> set interfaces ae1 unit 0 family inet service input service-set cgnat service-filter sf-in
> set interfaces ae1 unit 0 family inet service output service-set cgnat service-filter sf-out
>
> MAP: WAN <----- border mx -----><----- core mx (ms-mpc-128) ----->
> transport routers
>
> Between the border mx and core is a LAG group with OSPF running on it,
> same goes between the core mx and the transport routers.
>
> Filter: __service-cgnat:sf-in
> Counters:
> Name                                                Bytes              Packets
> sf-in-filter-hit                                    54354                  824
>
> Filter: __service-cgnat:sf-out
> Counters:
> Name                                                Bytes              Packets
> sf-out-filter-excluded-from-nat                  10064529                19915
>
> So my rule is getting hit, but for some reason traffic can't make it
> past the core router to the border. Is it because this address pool
> I'm using for SNAT is done inline, and doesn't actually exist
> anywhere? If that's so, it makes sense, I just don't know how to go
> about fixing that.
>
> Any help or insight would be appreciated. Thank you.
>
>
>
> On Mon, Jul 11, 2016 at 2:21 PM, Josh Reynolds <josh at kyneticwifi.com> wrote:
>> Hi all.
>>
>> I've gone through quite a few pages of Juniper techpubs, but I'm
>> having a problem figuring out how to correctly implement your
>> standard, run-of-the-mill NAT (IPv4) using an MS-MPC-128.
>>
>> Part of this may be design or topology related, and I was wondering if
>> someone could help me figure out a solution.
>>
>>
>> WAN-<----ae0----->CORE (MX960)<-----ae1----->EX4500
>>
>> So I have a couple of ports on the EX4500 with different RFC 6598
>> (CGNAT range) subnets on them (routed ports), for various different
>> things (say range1, range2, range3, etc.).
>>
>> All I want to do is route any traffic coming into the CORE from
>> range1/2/3/etc. to a certain /32 (a different /32 for each range).
>> Pretty simple, your basic NAT setup.
>>
>> My problem, I think, is how to apply this in a somewhat transparent
>> fashion. Currently, what I've pulled up off the web seems to break all
>> the things, as it seems like everything is getting forwarded through
>> the ms-mpc interface.
>>
>> Here's what I have so far, if somebody could help me out real quick or
>> show me another method it would be greatly appreciated.
>> -----
>>
>> customer ip range x.x.x.x
>> range to snat to y.y.y.y
>>
>> set interfaces ae1 unit 0 family inet service input service-set CGNAT
>> set interfaces ae1 unit 0 family inet service output service-set CGNAT
>> set interfaces ms-3/0/0 unit 0 family inet
>>
>> set applications application-set accept-algs application junos-http
>> set applications application-set accept-algs application junos-ftp
>> set applications application-set accept-algs application junos-tftp
>> set applications application-set accept-algs application junos-telnet
>> set applications application-set accept-algs application junos-sip
>>
>> set services stateful-firewall rule centralolt01-data match-direction input-output
>> set services stateful-firewall rule centralolt01-data term 1 from source-address x.x.x.x/24
>> set services stateful-firewall rule centralolt01-data term 1 from application-sets accept-algs
>> set services stateful-firewall rule centralolt01-data term 1 then accept
>> set services nat pool napt-pool address y.y.y.y/32
>> set services nat pool napt-pool port automatic auto
>>
>> set services nat rule nat-rule1 match-direction input
>> set services nat rule nat-rule1 term nat-term1 from source-address x.x.x.x/24 // NAT for the customer side
>> set services nat rule nat-rule1 term nat-term1 from application-sets accept-algs
>> set services nat rule nat-rule1 term nat-term1 then translated source-pool napt-pool
>> set services nat rule nat-rule1 term nat-term1 then translated translation-type napt-44
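As an added illustration (not part of Josh's configuration and not Junos code), the following Python models how the two service filters sf-in and sf-out in the follow-up above classify packets: terms are evaluated in order, a from clause uses the longest matching prefix, and a prefix flagged `except` removes its range from the match. The treatment of a packet that matches no term is an assumption here (modelled as `no_match`, defaulting to discard), and the sample flows are constructed, not taken from the thread's counters.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Term:
    """One service-filter term: optional from clauses and a then action."""
    name: str
    action: str                                      # "service" or "skip"
    source: list = field(default_factory=list)       # [(network, is_except)]
    destination: list = field(default_factory=list)  # [(network, is_except)]


def _prefix_match(addr, entries):
    """Longest-prefix match over one from clause; an empty clause matches all.
    If the longest matching prefix carries 'except', the clause does not match."""
    if not entries:
        return True
    best = None
    for net, is_except in entries:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, is_except)
    return best is not None and not best[1]


def evaluate(terms, src, dst, no_match="discard"):
    """Action of the first term matching (src, dst); no_match is an assumption."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for term in terms:
        if _prefix_match(s, term.source) and _prefix_match(d, term.destination):
            return term.action
    return no_match


CGNAT = ipaddress.ip_network("100.64.0.0/10")
ANY = ipaddress.ip_network("0.0.0.0/0")

# sf-in from the thread: CGNAT sources to anything except other CGNAT space go
# to the service set; everything else falls through to the explicit skip term.
SF_IN = [
    Term("1", "service", source=[(CGNAT, False)],
         destination=[(ANY, False), (CGNAT, True)]),
    Term("2", "skip"),
]
# sf-out from the thread: no from clause, so every packet is skipped.
SF_OUT = [Term("1", "skip")]

if __name__ == "__main__":
    # Constructed sample flows (not from the thread's counter output).
    for src, dst in [("100.64.1.10", "8.8.8.8"), ("100.64.1.10", "100.64.2.5"),
                     ("10.0.0.1", "8.8.8.8")]:
        print(f"sf-in  {src} -> {dst}: {evaluate(SF_IN, src, dst)}")
        print(f"sf-out {src} -> {dst}: {evaluate(SF_OUT, src, dst)}")
```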

