Thanks Jon! I actually got it working another way. There's a new option in 8.4, nat-type. It's not documented anywhere that I can find, other than the release notes for 8.4. And it's only available for the J-Series.

rule NAT {
    match-direction input;
    term static-matt {
        nat-type full-cone;

Now to figure out how I can map an external tcp port to a different internal tcp port so I can reuse an IP multiple times for different services.

--
matt

Jonathan Looney wrote:
> Matt,
>
> Now that you've gotten this far, adding inbound static NAT is pretty simple.
> :-)
>
> Create a NAT pool with your internal address(es).
>
> Add a new rule with a match-direction of "output". In this rule, add
> a term with a "from" clause that matches packets with a destination
> address of your public address. In the then clause, specify the NAT
> pool with your internal addresses (as a destination-pool) and a
> translation type of "destination static".
>
> Here's an example which translates 172.17.39.18/32 (outside address)
> to 192.168.200.1/32 (inside address):
> services {
>     nat {
>         pool dest-pool {
>             address 192.168.200.2/32;
>         }
>         rule dest-nat {
>             match-direction output;
>             term dest-nat {
>                 from {
>                     destination-address {
>                         172.17.39.18/32;
>                     }
>                 }
>                 then {
>                     translated {
>                         destination-pool dest-pool;
>                         translation-type {
>                             destination static;
>                         }
>                     }
>                 }
>             }
>         }
>     }
> }
>
> Don't forget to match on applications in the rule, if necessary, to
> activate ALGs.
>
> Now, you just add the new rule to the existing service-set and
> everything should work!
>
> -Jon
>
>
> On 11/1/07, Matt Stevens <[EMAIL PROTECTED]> wrote:
>> I'm a recent Cisco convert - trying to wrap my head around the Juniper
>> way of dealing with NAT.
>>
>> I'm trying to get a setup working where I can allow inbound traffic
>> through the NAT to specific internal machines.
>>
>> Ideally I'd like to be able to map things at a port level - ie. port 80
>> on external address X goes to port Y on internal address Z.
>>
>> I have things working to the point where I can NAT a specific internal
>> address to a specific external address (see config at the end), with
>> everyone else using PAT on a different address. But I can't seem to
>> figure out how I allow inbound traffic through.
>>
>> This is on a J-4350, if that makes any difference...
>>
>> Any pointers in the right direction would be most appreciated!
>> --
>> matt
>>
>>
>> Here's my service nat config. I have the service-set for this applied on
>> the internal interface:
>> rule NAT {
>>     match-direction input;
>>     term static-matt {
>>         from {
>>             source-address {
>>                 192.168.1.238/32;
>>             }
>>         }
>>         then {
>>             translated {
>>                 source-pool static-matt;
>>                 translation-type {
>>                     source static;
>>                 }
>>             }
>>         }
>>     }
>>     term dynamic {
>>         then {
>>             translated {
>>                 source-pool dynamic;
>>                 translation-type {
>>                     source dynamic;
>>                 }
>>             }
>>         }
>>     }
>> }
>> }
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp