[j-nsp] Basic NAT44 on MS-MPC implementation help

Alexander Arseniev arseniev at btinternet.com
Thu Jul 14 07:17:48 EDT 2016


Hello,

https://www.juniper.net/uk/en/training/jnbooks/day-one/networking-technologies-series/deploying-cgnat/ 
has all necessary info for MS-DPC CGNAT.

To adapt the CGNAT config for MS-MPC "MS" interfaces, all you need is to 
substitute SP interfaces for MS interfaces.

Your service filters part looks correct to me.

You don't need this part: "set chassis fpc 4 pic 0 inline-services bandwidth 20g"

Below is the other part you need to add. Assuming your MS-MPC-128 is in 
slot 4 and you want to use NPU 0:

set interfaces ae1 unit 0 family inet service input service-set CGNAT service-filter sf-in
set interfaces ae1 unit 0 family inet service output service-set CGNAT service-filter sf-out
set interfaces ms-4/0/0 unit 0 family inet

set services service-set CGNAT nat-rules nat-rule1
set services service-set CGNAT interface-service service-interface ms-4/0/0.0

set applications application-set accept-algs application junos-http
set applications application-set accept-algs application junos-ftp
set applications application-set accept-algs application junos-tftp
set applications application-set accept-algs application junos-telnet
set applications application-set accept-algs application junos-sip

set services nat pool napt-pool address y.y.y.y/32
set services nat pool napt-pool port automatic random-allocation

set services nat rule nat-rule1 match-direction input
set services nat rule nat-rule1 term alg-term1 from source-address 100.64.0.0/10
set services nat rule nat-rule1 term alg-term1 from application-sets accept-algs
set services nat rule nat-rule1 term alg-term1 then translated source-pool napt-pool
set services nat rule nat-rule1 term alg-term1 then translated translation-type napt-44
set services nat rule nat-rule1 term nat-term2 from source-address 100.64.0.0/10
set services nat rule nat-rule1 term nat-term2 then translated source-pool napt-pool
set services nat rule nat-rule1 term nat-term2 then translated translation-type napt-44


Do not forget to announce your NAT pool to the outside world. On MX, it 
is represented as a [Static/1] route. You need to explicitly redistribute 
it into the routing protocol of your choice.

HTH

Thanks

Alex
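As an added illustration (not code from the thread or from Juniper), the script below generates the pieces discussed above for the multi-range case Josh describes: one NAT pool and one rule term per RFC 6598 range, each translated to its own public /32, the sf-in/sf-out service filters as quoted in the thread, and the export policy that redistributes the pool routes into the IGP so the border router can reach them. It also models the sf-in term logic so you can check which flows are steered to the MS-MPC and which bypass it. The range-to-pool mapping, the pool/term/policy names, the 192.0.2.0/24 and 198.51.100.0/24 addresses, and the assumption that the pool routes appear as static routes (as the reply states) are all hypothetical inputs for the example.

```python
"""
Added example, not from the original post: emit the Junos 'set' lines
for CGNAT on an MS-MPC with one public /32 per RFC 6598 range, and model
the sf-in service-filter decision quoted in the thread.

Assumptions (hypothetical): the RANGES mapping, pool/term/policy names,
documentation addresses, and that pool routes are static routes on the MX.
"""
import ipaddress

SHARED_SPACE = ipaddress.ip_network("100.64.0.0/10")   # RFC 6598 range

# Constructed inventory: customer range -> public /32 it is NAPT'd to.
RANGES = {
    "100.64.1.0/24": "192.0.2.1/32",
    "100.64.2.0/24": "192.0.2.2/32",
}


def service_filter_action(src, dst, shared=SHARED_SPACE):
    """Mimic sf-in from the thread: term 1 sends traffic sourced from shared
    space and destined anywhere *except* shared space to the service; the
    final 'skip' term handles the rest, so customer-to-customer traffic
    bypasses the MS-MPC entirely."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return "service" if s in shared and d not in shared else "skip"


def cgnat_config(ranges, ms_iface="ms-4/0/0", lag="ae1", igp="ospf"):
    """Return the 'set' lines for pools, NAT rule, service-set, service
    filters and the IGP export policy, one pool per range."""
    cmds, pool_prefixes = [], []
    for i, (src, pub) in enumerate(sorted(ranges.items()), start=1):
        src_net, pub_net = ipaddress.ip_network(src), ipaddress.ip_network(pub)
        # Sanity checks a practitioner wants before pasting into the CLI.
        if not src_net.subnet_of(SHARED_SPACE):
            raise ValueError(f"{src} is outside {SHARED_SPACE}")
        if pub_net.prefixlen != 32 or pub_net.subnet_of(SHARED_SPACE):
            raise ValueError(f"{pub} must be a single public /32")
        pool, term = f"pool{i}", f"t{i}"
        pool_prefixes.append(str(pub_net))
        cmds += [
            f"set services nat pool {pool} address {pub_net}",
            f"set services nat pool {pool} port automatic random-allocation",
            f"set services nat rule cgnat term {term} from source-address {src_net}",
            f"set services nat rule cgnat term {term} then translated source-pool {pool}",
            f"set services nat rule cgnat term {term} then translated translation-type napt-44",
        ]
    cmds += [
        "set services nat rule cgnat match-direction input",
        "set services service-set cgnat nat-rules cgnat",
        f"set services service-set cgnat interface-service service-interface {ms_iface}.0",
        f"set interfaces {ms_iface} unit 0 family inet",
        # Service filters as quoted in the thread: only shared-space ->
        # non-shared-space traffic is steered to the NPU on input.
        f"set firewall family inet service-filter sf-in term 1 from source-address {SHARED_SPACE}",
        "set firewall family inet service-filter sf-in term 1 from destination-address 0.0.0.0/0",
        f"set firewall family inet service-filter sf-in term 1 from destination-address {SHARED_SPACE} except",
        "set firewall family inet service-filter sf-in term 1 then count sf-in-filter-hit",
        "set firewall family inet service-filter sf-in term 1 then service",
        "set firewall family inet service-filter sf-in term 2 then skip",
        "set firewall family inet service-filter sf-out term 1 then count sf-out-filter-excluded-from-nat",
        "set firewall family inet service-filter sf-out term 1 then skip",
        f"set interfaces {lag} unit 0 family inet service input service-set cgnat service-filter sf-in",
        f"set interfaces {lag} unit 0 family inet service output service-set cgnat service-filter sf-out",
    ]
    # Return traffic only comes back if upstream learns the pool /32s:
    # redistribute the (assumed static) pool routes into the IGP.
    for p in pool_prefixes:
        cmds.append(f"set policy-options policy-statement EXPORT-NAT-POOLS term pools from route-filter {p} exact")
    cmds += [
        "set policy-options policy-statement EXPORT-NAT-POOLS term pools from protocol static",
        "set policy-options policy-statement EXPORT-NAT-POOLS term pools then accept",
        f"set protocols {igp} export EXPORT-NAT-POOLS",
    ]
    return cmds


if __name__ == "__main__":
    print("\n".join(cgnat_config(RANGES)))
    for s, d in [("100.64.1.10", "198.51.100.7"), ("100.64.1.10", "100.64.2.9")]:
        print(f"{s} -> {d}: {service_filter_action(s, d)}")
```

Run it to print the full configuration; `service_filter_action` shows that a customer host reaching an Internet address goes through the service set while traffic between two CGNAT ranges is skipped, which is exactly what the "except" on the destination prefix buys you.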



On 12/07/2016 18:45, Josh Reynolds wrote:
> Oops, forgot service filter part:
>
> set firewall family inet service-filter sf-in term 1 from source-address 100.64.0.0/10
> set firewall family inet service-filter sf-in term 1 from destination-address 0.0.0.0/0
> set firewall family inet service-filter sf-in term 1 from destination-address 100.64.0.0/10 except
> set firewall family inet service-filter sf-in term 1 then count sf-in-filter-hit
> set firewall family inet service-filter sf-in term 1 then service
> set firewall family inet service-filter sf-in term 2 then skip
> set firewall family inet service-filter sf-out term 1 then count sf-out-filter-excluded-from-nat
> set firewall family inet service-filter sf-out term 1 then skip
>
> On Tue, Jul 12, 2016 at 12:28 PM, Josh Reynolds <josh at kyneticwifi.com> wrote:
>> Here's what I've got going on now...
>>
>> set services nat pool centralolt01 address xx.yy.196.3/32
>> set services nat rule cgnat match-direction input
>> set services nat rule cgnat term THINGTONAT1 from source-address 100.64.1.0/24
>> set services nat rule cgnat term THINGTONAT1 from destination-address 0.0.0.0/0
>> set services nat rule cgnat term THINGTONAT1 then translated source-pool centralolt01
>> set services nat rule cgnat term THINGTONAT1 then translated translation-type dynamic-nat44
>>
>> set services service-set cgnat nat-rules cgnat
>> set services service-set cgnat interface-service service-interface ms-4/0/0
>>
>> set chassis fpc 4 pic 0 inline-services bandwidth 20g
>>
>> set interfaces ms-4/0/0 unit 0 family inet
>>
>> set interfaces ae1 unit 0 family inet service input service-set cgnat service-filter sf-in
>> set interfaces ae1 unit 0 family inet service output service-set cgnat service-filter sf-out
>>
>> MAP: WAN <----- border mx -----><----- core mx (ms-mpc-128) ----->
>> transport routers
>>
>> Between the border mx and core is a LAG group with OSPF running on it,
>> same goes between the core mx and the transport routers.
>>
>> Filter: __service-cgnat:sf-in
>> Counters:
>> Name                                                Bytes              Packets
>> sf-in-filter-hit                                    54354                  824
>>
>> Filter: __service-cgnat:sf-out
>> Counters:
>> Name                                                Bytes              Packets
>> sf-out-filter-excluded-from-nat                  10064529                19915
>>
>> So my rule is getting hit, but for some reason traffic can't make it
>> past the core router to the border. Is it because this address pool
>> I'm using for SNAT is done inline, and doesn't actually exist
>> anywhere? If that's so, it makes sense, I just don't know how to go
>> about fixing that.
>>
>> Any help or insight would be appreciated. Thank you.
>>
>>
>>
>> On Mon, Jul 11, 2016 at 2:21 PM, Josh Reynolds <josh at kyneticwifi.com> wrote:
>>> Hi all.
>>>
>>> I've gone through quite a few pages of juniper techpubs, but I'm
>>> having a problem figuring out how to correctly implement your
>>> standard, run of the mill NAT (ipv4) using an MS-MPC-128
>>>
>>> Part of this may be design or topology related, and I was wondering if
>>> someone could help me figure out a solution.
>>>
>>>
>>> WAN-<----ae0----->CORE (MX960)<-----ae1----->EX4500
>>>
>>> So I have a couple of ports on the EX4500's with different RFC6598
>>> (CGNAT Range) subnets on them (routed ports), for various different
>>> things (say range1, range2, range3, etc)
>>>
>>> All I want to do is route any traffic coming in to the CORE from
>>> range1/2/3/etc to a certain /32 (a different /32 for each range).
>>> Pretty simple, your basic NAT setup.
>>>
>>> My problem I think is how to apply this in a somewhat transparent
>>> fashion. Currently, what I've pulled up off the web seems to break all
>>> the things, as it seems like everything is getting forwarded through
>>> the ms-mpc interface.
>>>
>>> Here's what I have so far, if somebody could help me out real quick or
>>> show me another method it would be greatly appreciated.
>>> -----
>>>
>>> customer ip range x.x.x.x
>>> range to snat to y.y.y.y
>>>
>>> set interfaces ae1 unit 0 family inet service input service-set CGNAT
>>> set interfaces ae1 unit 0 family inet service output service-set CGNAT
>>> set interfaces ms-3/0/0 unit 0 family inet
>>>
>>> set applications application-set accept-algs application junos-http
>>> set applications application-set accept-algs application junos-ftp
>>> set applications application-set accept-algs application junos-tftp
>>> set applications application-set accept-algs application junos-telnet
>>> set applications application-set accept-algs application junos-sip
>>>
>>> set services stateful-firewall rule centralolt01-data match-direction input-output
>>> set services stateful-firewall rule centralolt01-data term 1 from source-address x.x.x.x/24
>>> set services stateful-firewall rule centralolt01-data term 1 from application-sets accept-algs
>>> set services stateful-firewall rule centralolt01-data term 1 then accept
>>> set services nat pool napt-pool address y.y.y.y/32
>>> set services nat pool napt-pool port automatic auto
>>>
>>> set services nat rule nat-rule1 match-direction input
>>> set services nat rule nat-rule1 term nat-term1 from source-address x.x.x.x/24 // NAT for the customer side
>>> set services nat rule nat-rule1 term nat-term1 from application-sets accept-algs
>>> set services nat rule nat-rule1 term nat-term1 then translated source-pool napt-pool
>>> set services nat rule nat-rule1 term nat-term1 then translated translation-type napt-44
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp