Hi,

Thanks a million for this. I'll try it out later on. How do I combine this with the dynamic translation outbound for my internal LAN to the Internet?

Regards,
Remco

Stefan Fouant wrote:
> Ok here are a few pointers... You can directly specify the destination
> using the 'destination-prefix' command as opposed to the
> 'destination-pool' command because in this configuration you are only
> translating for a single address. Furthermore, you need to specify the
> 'destination-address' and 'application' in the 'from' portion in order
> to properly match on the appropriate flow you want to apply destination
> NAT to.
>
> Give the following a try:
>
> services {
>     nat {
>         rule nat-set {
>             match-direction input;
>             term 1 {
>                 /* Matches on inbound to 50.0.0.10/32 Port 80 */
>                 from {
>                     destination-address {
>                         50.0.0.10/32;
>                     }
>                     applications junos-http;
>                 }
>                 /* Static translation of Port 80 to 10.0.0.100/32 */
>                 then {
>                     translated {
>                         destination-prefix 10.0.0.100/32;
>                         translation-type destination static;
>                     }
>                 }
>             }
>         }
>     }
>     service-set wan-service-set {
>         nat-rules nat-set;
>         interface-service {
>             service-interface sp-0/0/0;
>         }
>     }
> }
>
> You also might want to consider moving to JUNOS Enhanced Services as the
> NAT configuration is greatly simplified and much more logical in nature
> than in normal JUNOS using 'services' configs.
>
> HTHs.
>
> Stefan Fouant
> Principal Network Engineer
> NeuStar, Inc. - http://www.neustar.biz
>
> On Tue, Jun 17, 2008 at 9:31 AM, Remco Bressers <[EMAIL PROTECTED]> wrote:
>
>     Hi Stefan,
>
>     It would be great to receive a full snippet of config. Thanks!
>
>     Remco
>
>     Stefan Fouant wrote:
>     > I'm on my Blackberry so I can't give you the full config right now but
>     > you need to get rid of that 'port automatic' command as that will
>     > enable PAT. Give me a few minutes and I will post the rest of the
>     > configuration.
>     >
>     > Stefan Fouant
>     > Principal Network Engineer
>     > NeuStar, Inc. - http://www.neustar.biz
>     >
>     > On 6/17/08, Remco Bressers <[EMAIL PROTECTED]> wrote:
>     >> I'm working on a NAT setup, which is actually very straightforward but I
>     >> still am puzzled by the services documentation from Juniper. Please help :).
>     >>
>     >> It's a J2300 with 2 interfaces, in and out. One public IP address and a
>     >> local subnet on the inside. I got the network translation from the
>     >> inside to the public IP working, but now I want to configure one single
>     >> port-forward to an internal host (let's say 10.0.0.1) on port 80.
>     >>
>     >> But how? On a cheap $50 router it's a point-and-click, but it's not even
>     >> in J-web?!
>     >>
>     >> The config I have now:
>     >>
>     >> services {
>     >>     service-set wan-service-set {
>     >>         nat-rules nat-set;
>     >>         interface-service {
>     >>             service-interface sp-0/0/0;
>     >>         }
>     >>     }
>     >>     nat {
>     >>         pool nat-pool {
>     >>             address-range low 217.21.x.x high 217.21.x.x;
>     >>             port automatic;
>     >>         }
>     >>         rule nat-set {
>     >>             match-direction input;
>     >>             term 1 {
>     >>                 from
>     >>                 then {
>     >>                     translated {
>     >>                         source-pool nat-pool;
>     >>                         translation-type {
>     >>                             source dynamic;
>     >>                         }
>     >>                     }
>     >>                 }
>     >>             }
>     >>         }
>     >>     }
>     >> }
>     >>
>     >> --
>     >> Kind regards,
>     >> Signet bv
>     >>
>     >> Remco Bressers
>     >>
>     >> T 040 - 707 4 907
>     >> F 040 - 707 4 909
>     >> E [EMAIL PROTECTED]
>     >> _______________________________________________
>     >> juniper-nsp mailing list juniper-nsp@puck.nether.net
>     >> https://puck.nether.net/mailman/listinfo/juniper-nsp
>     >>
>
>     --
>     Kind regards,
>     Signet bv
>
>     Remco Bressers
>
>     T 040 - 707 4 907
>     F 040 - 707 4 909
>     E [EMAIL PROTECTED]
>     always online? www.signet.nl
>

--
Kind regards,
Signet bv

Remco Bressers

T 040 - 707 4 907
F 040 - 707 4 909
E [EMAIL PROTECTED]
always online? www.signet.nl
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp