[j-nsp] Doing SNAT only for destinations learned from a specific BGP peering

Andrey Kostin ankost at podolsk.ru
Mon May 4 13:58:41 EDT 2026


Emmanuel Halbwachs via juniper-nsp wrote on 2026-05-04 08:52:
> Sorry for the delay.
> 
> Thanks Alex, Tom and Martin. If I understand correctly, the summary is:
> 
> - MX204 does not support SNAT on interface (could have been the elegant 
> configuration)
> - MX204 does not support PAT at all
> - SNAT is doable with routing instances
> - PAT is doable by offloading the work to a Linux box

Or any other device capable of doing PAT and BGP, like Juniper SRX or a 
firewall from another vendor. If you already have one, you can implement 
this connection in a separate routing instance, aka VRF-Lite in the Cisco 
world. Then re-advertise the prefixes received from the peer to your 
MX204 or MX80 router, and, depending on restrictions on which hosts are 
allowed to access them, you can land them either in inet.0 or in a VRF 
with FBF etc.

Kind regards,
Andrey Kostin

> - SNAT + PAT is not doable elegantly on a sole MX204 box
> 
> And thanks Martin for the time you put in writing your thorough and
> detailed example.
> 
> Have a nice day,
> 
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp

