Hi,

Thanks a lot. I'm almost there, I think, but I'm left with a question. When I commit the following configuration, I cannot ping the outside interface anymore (from the outside).

Are there any gotchas left in this config?

interfaces {
    fe-0/0/0 {
        description "Outside interface";
        unit 0 {
            family inet {
                service {
                    input {
                        service-set wan-service-set;
                    }
                    output {
                        service-set wan-service-set;
                    }
                }
                address 217.21.x.x/29;
            }
        }
    }
    sp-0/0/0 {
        unit 0 {
            family inet;
        }
    }
    fe-0/0/1 {
        description "Inside interface";
        /* unit 0 was missing from the posted snippet; family inet must sit under a logical unit */
        unit 0 {
            family inet {
                address 10.0.0.254/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 217.21.x.y;
    }
}
services {
    service-set wan-service-set {
        nat-rules nat-set;
        nat-rules server-nat;
        interface-service {
            service-interface sp-0/0/0;
        }
    }
    nat {
        pool nat-pool {
            address-range low 217.21.x.x high 217.21.x.x;
            port automatic;
        }
        rule nat-set {
            match-direction output;
            term 1 {
                then {
                    translated {
                        source-pool nat-pool;
                        translation-type {
                            source dynamic;
                        }
                    }
                }
            }
        }
        rule server-nat {
            match-direction input;
            term sip {
                from {
                    destination-address {
                        217.21.x.x/32;
                    }
                    applications junos-sip;
                }
                then {
                    translated {
                        destination-prefix 10.0.0.1/32;
                        translation-type {
                            destination static;
                        }
                    }
                }
            }
            term http {
                from {
                    destination-address {
                        217.21.x.x/32;
                    }
                    applications junos-http;
                }
                then {
                    translated {
                        destination-prefix 10.0.0.1/32;
                        translation-type {
                            destination static;
                        }
                    }
                }
            }
        }
    }
}

Stefan Fouant wrote:
> A NAT rule similar to the following would accomplish your goal of
> outbound dynamic translation, assuming you wanted to use PAT (most
> likely if you only have a few public IPs):
>
> services {
>     nat {
>         pool nat-pool {
>             address 50.0.0.1/32;
>             port automatic;
>         }
>         rule nat-set-outbound {
>             match-direction output;
>             term 1 {
>                 then {
>                     translated {
>                         source-pool nat-pool;
>                         translation-type source dynamic;
>                     }
>                 }
>             }
>         }
>     }
> }
>
> Notice I used a pool here. This is not necessary but allows for future
> scalability if you get additional public IPs and want to add them to the
> pool. Also notice that I have not specified a from clause. This will
> essentially match on *all* outbound flows. If you want different
> behavior you should specify the match conditions appropriately.
>
> Regards,
>
> Stefan Fouant
> Principal Network Engineer
> NeuStar, Inc. - http://www.neustar.biz
>
> On Tue, Jun 17, 2008 at 10:22 AM, Remco Bressers <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> Thanks a million for this. I'll try it out later on.
> How do I combine this with the dynamic translation outbound for my
> internal LAN to the Internet?
>
> Regards,
>
> Remco
>
> Stefan Fouant wrote:
> > Ok here are a few pointers... You can directly specify the destination
> > using the 'destination-prefix' command as opposed to the
> > 'destination-pool' command because in this configuration you are only
> > translating for a single address. Furthermore, you need to specify the
> > 'destination-address' and 'application' in the 'from' portion in order
> > to properly match on the appropriate flow you want to apply destination
> > NAT to.
> >
> > Give the following a try:
> >
> > services {
> >     nat {
> >         rule nat-set {
> >             match-direction input;
> >             term 1 {
> >                 /* Matches on inbound to 50.0.0.10/32 Port 80 */
> >                 from {
> >                     destination-address {
> >                         50.0.0.10/32;
> >                     }
> >                     applications junos-http;
> >                 }
> >                 /* Static translation of Port 80 to 10.0.0.100/32 */
> >                 then {
> >                     translated {
> >                         destination-prefix 10.0.0.100/32;
> >                         translation-type destination static;
> >                     }
> >                 }
> >             }
> >         }
> >     }
> >     service-set wan-service-set {
> >         nat-rules nat-set;
> >         interface-service {
> >             service-interface sp-0/0/0;
> >         }
> >     }
> > }
> >
> > You also might want to consider moving to JUNOS Enhanced Services as the
> > NAT configuration is greatly simplified and much more logical in nature
> > than in normal JUNOS using 'services' configs.
> >
> > HTHs.
> >
> > Stefan Fouant
> > Principal Network Engineer
> > NeuStar, Inc. - http://www.neustar.biz
> >
> > On Tue, Jun 17, 2008 at 9:31 AM, Remco Bressers <[EMAIL PROTECTED]> wrote:
> >
> > Hi Stefan,
> >
> > It would be great to receive a full snippet of config. Thanks!
> >
> > Remco
> >
> > Stefan Fouant wrote:
> > > I'm on my Blackberry so I can't give you the full config right now but
> > > you need to get rid of that 'port automatic' command as that will
> > > enable PAT. Give me a few minutes and I will post the rest of the
> > > configuration.
> > >
> > > Stefan Fouant
> > > Principal Network Engineer
> > > NeuStar, Inc. - http://www.neustar.biz
> > >
> > > On 6/17/08, Remco Bressers <[EMAIL PROTECTED]> wrote:
> > >> I'm working on a NAT setup, which is actually very straightforward, but I
> > >> still am puzzled by the services documentation from Juniper. Please help :).
> > >>
> > >> It's a J2300 with 2 interfaces, in and out. One public IP address and a
> > >> local subnet on the inside. I got the network translation from the
> > >> inside to the public IP working, but now I want to configure one single
> > >> port-forward to an internal host (let's say 10.0.0.1) on port 80.
> > >>
> > >> But how? On a cheap $50 router it's a point-and-click, but it's not even
> > >> in J-web?!
> > >>
> > >> The config I have now:
> > >>
> > >> services {
> > >>     service-set wan-service-set {
> > >>         nat-rules nat-set;
> > >>         interface-service {
> > >>             service-interface sp-0/0/0;
> > >>         }
> > >>     }
> > >>     nat {
> > >>         pool nat-pool {
> > >>             address-range low 217.21.x.x high 217.21.x.x;
> > >>             port automatic;
> > >>         }
> > >>         rule nat-set {
> > >>             match-direction input;
> > >>             term 1 {
> > >>                 from
> > >>                 then {
> > >>                     translated {
> > >>                         source-pool nat-pool;
> > >>                         translation-type {
> > >>                             source dynamic;
> > >>                         }
> > >>                     }
> > >>                 }
> > >>             }
> > >>         }
> > >>     }
> > >> }
> > >>
> > >> --
> > >> Kind regards,
> > >> Signet bv
> > >>
> > >> Remco Bressers

--
Kind regards,
Signet bv

Remco Bressers

T 040 - 707 4 907
F 040 - 707 4 909
E [EMAIL PROTECTED]
always online? www.signet.nl
_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
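As an added illustration (not code from this thread or from Juniper), the following Python model walks constructed flows through the two NAT rules in Remco's final config: rule nat-set (match-direction output, no from clause, source dynamic with PAT) and rule server-nat (match-direction input, destination static for junos-sip and junos-http to 10.0.0.1). 203.0.113.10 is a placeholder for the masked 217.21.x.x address, and the model is deliberately narrow: it evaluates match-direction, destination-address and applications, first match wins, and it says nothing about what the sp- PIC does with inbound traffic addressed to the router itself, so it does not settle the ping question. What it does show is the exposure the config creates: only TCP 80 and 5060/UDP 5060 to the public address are redirected to 10.0.0.1, while SSH or ICMP to the same address match no term and remain addressed to the router.

```python
# Added example (not code from the juniper-nsp thread): a model of how the two
# "services nat" rules in Remco's config classify flows on the outside interface.
# 203.0.113.10 (RFC 5737) is a constructed placeholder for the masked 217.21.x.x.
import ipaddress
from dataclasses import dataclass, field, replace
from typing import Optional

PUBLIC_IP = "203.0.113.10"   # placeholder for the masked 217.21.x.x
SERVER_IP = "10.0.0.1"       # internal host from the thread

# junos-* predefined applications used by the rules, as (protocol, dport) pairs.
APPLICATIONS = {
    "junos-http": {("tcp", 80)},
    "junos-sip": {("udp", 5060), ("tcp", 5060)},
}

@dataclass
class Packet:
    direction: str            # "input": arriving on fe-0/0/0; "output": leaving it
    src: str
    dst: str
    proto: str                # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None

@dataclass
class Term:
    name: str
    dst_prefix: Optional[str] = None                  # from { destination-address }
    applications: tuple = ()                          # from { applications }
    translation: dict = field(default_factory=dict)   # then { translated }

@dataclass
class Rule:
    name: str
    match_direction: str      # "input" or "output"
    terms: tuple

class DynamicPool:
    """'pool nat-pool { address-range ...; port automatic; }': one address, PAT ports."""
    def __init__(self, address: str, first_port: int = 1024):
        self.address, self.next_port = address, first_port

    def allocate(self):
        port, self.next_port = self.next_port, self.next_port + 1
        return self.address, port

def term_matches(term: Term, pkt: Packet) -> bool:
    # A term without a 'from' clause matches every flow in the rule's direction.
    if term.dst_prefix and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(term.dst_prefix):
        return False
    if term.applications:
        allowed = set().union(*(APPLICATIONS[app] for app in term.applications))
        if (pkt.proto, pkt.dport) not in allowed:
            return False
    return True

def apply_nat(rules, pool: DynamicPool, pkt: Packet) -> dict:
    """First matching term in the first rule for this direction wins; a flow that
    hits no term is returned untranslated with rule and term set to None."""
    for rule in rules:
        if rule.match_direction != pkt.direction:
            continue
        for term in rule.terms:
            if not term_matches(term, pkt):
                continue
            kind = term.translation["type"]
            if kind == "source dynamic":
                addr, port = pool.allocate()
                translated = replace(pkt, src=addr, sport=port)
            elif kind == "destination static":
                translated = replace(pkt, dst=term.translation["destination-prefix"].split("/")[0])
            else:
                raise ValueError(f"unsupported translation-type {kind!r}")
            return {"rule": rule.name, "term": term.name, "packet": translated}
    return {"rule": None, "term": None, "packet": pkt}

# The rule set from the thread, in the order the service-set lists it.
TO_SERVER = {"type": "destination static", "destination-prefix": f"{SERVER_IP}/32"}
RULES = (
    Rule("nat-set", "output",
         (Term("1", translation={"type": "source dynamic", "source-pool": "nat-pool"}),)),
    Rule("server-nat", "input",
         (Term("sip", f"{PUBLIC_IP}/32", ("junos-sip",), TO_SERVER),
          Term("http", f"{PUBLIC_IP}/32", ("junos-http",), TO_SERVER))),
)

def classify_samples() -> dict:
    """Push a few constructed flows through the rule set and collect the verdicts."""
    pool = DynamicPool(PUBLIC_IP)
    samples = {
        "inbound_http": Packet("input", "198.51.100.7", PUBLIC_IP, "tcp", 40000, 80),
        "inbound_sip": Packet("input", "198.51.100.7", PUBLIC_IP, "udp", 5060, 5060),
        "inbound_ssh": Packet("input", "198.51.100.7", PUBLIC_IP, "tcp", 40001, 22),
        "inbound_ping": Packet("input", "198.51.100.7", PUBLIC_IP, "icmp"),
        "outbound_web": Packet("output", "10.0.0.25", "192.0.2.80", "tcp", 51000, 443),
    }
    return {name: apply_nat(RULES, pool, pkt) for name, pkt in samples.items()}

if __name__ == "__main__":
    for name, v in classify_samples().items():
        p = v["packet"]
        print(f"{name:13} rule={v['rule']!s:10} term={v['term']!s:4} {p.proto} "
              f"{p.src}:{p.sport} -> {p.dst}:{p.dport}")
```

Running it prints one verdict per sample flow. The two inbound application flows land on 10.0.0.1, the outbound web flow leaves with the pool address and a PAT-assigned source port, and the inbound SSH and ICMP samples hit no term, which is the exposure profile a reviewer would want to confirm before relying on the server-nat rule as the only thing standing between the Internet and the inside host.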