[j-nsp] Doing SNAT only for destinations learned from a specific BGP peering

[Krasimir Avramski]

Hello,

Trio6 is going to support IPsec and CGNAT:
Inline IPsec
<https://www.juniper.net/documentation/us/en/software/junos/interfaces-adaptive-services/topics/topic-map/inline-ipsec.html>
 (Junos 24.2R1)
Inline Carrier-Grade Network Address Translation
<https://apps.juniper.net/feature-explorer/feature/8905?fn=Inline%20Carrier-Grade%20Network%20Address%20Translation>
(Junos 25.2)

Best regards,
Krasimir Avramski

On Mon, May 4, 2026 at 8:59 PM Andrey Kostin via juniper-nsp <
juniper-nsp at puck.nether.net> wrote:

> Emmanuel Halbwachs via juniper-nsp писал(а) 2026-05-04 08:52:
> > Sorry for the delay.
> >
> > Thanks Alex, Tom and Martin. If I understand correctly, the summary is:
> >
> > - MX204 does not support SNAT on interface (could have been the elegant
> > configuration)
> > - MX204 does not support PAT at all
> > - SNAT is doable with routing instances
> > - PAT is doable by offloading the work to a Linux box
>
> Or any other device capable of doing PAT and BGP, like Juniper SRX or a
> firewall from another vendor. If you already have one, you can implement
> this connection in a separate routing instance, aka VRF-Lite in Cisco
> world. Then re-advertise the prefixes received from the peer to your
> MX204 or MX80 router, and, depending on restrictions what hosts are
> allowed to access them you can land them either in inet.0 or in a VRF
> with FBF etc.
>
> Kind regards,
> Andrey Kostin
>
> > - SNAT + PAT is not doable elegantly on a sole MX204 box
> >
> > And thanks Martin for the time you put in writing your thorough and
> > detailed example.
> >
> > Have a nice day,
> >
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>