thanks for the replies, folks. indeed it was the no-translation thing that is hanging up the commit, and not the reported napt-44 statement. silly defect.
i'm using this now:

rule NAT-RULE1 {
    match-direction input;
    term term-2 {
        from {
            source-address {
                10.0.0.0/8;
            }
            destination-address {
                0.0.0.0/0;
                10.0.0.0/8 except;    #<---- (good suggestion)
            }
        }
        then {
            translated {
                source-pool NP2;
                translation-type {
                    napt-44;

and that seems to commit ok. however, implementing this on customer-facing interfaces broke the customer, dropped BGP sessions, etc.

my goal is to only nat traffic if it is sourced from 10/8 and destined to anything other than 10/8. the NAT pool is a static discard route exported in iBGP to ensure that this router attracts return internet traffic in order to keep proper state.

what am i doing wrong? the documentation is quite poor for this module's implementation, and sadly i don't have a lab to play with.

On Wed, Sep 24, 2014 at 2:13 AM, Alexander Arseniev <arsen...@btinternet.com> wrote:

> napt44 is most definitely supported on MS-MIC
> http://www.juniper.net/techpubs/en_US/junos13.2/topics/reference/general/nat-implementations-feature-comparison.html
> What is not supported is "no-translation" knob.
> Please change Your config to (rough cut):
> 1/ delete term-1, and
> 2/ change term-2 to:
>
> + term term-2 { > + from { > + source-address { > + 10.0.0.0/8; > + } > + destination-address { > + 0.0.0.0/0; > + 10.0.0.0/8 except; > + } > + } > + then { > + translated { > + source-pool NP2; > + translation-type { > + napt-44; > + }
>
> - then re-test and report back please.
> Thanks
> Alex
>
>
> On 24/09/2014 06:47, ryanL wrote:
>
>> has anyone been successful here? i'm getting the following error, even
>> though juniper's docs seem to indicate this is supported on the ms-mic
>> with 13.2.
>>
>> my ref guides are:
>> http://www.juniper.net/techpubs/en_US/junos13.2/information-products/topic-collections/config-guide-services/index.html?features-ms-mic.html
>> http://www.juniper.net/techpubs/en_US/junos13.2/topics/example/nat-nat44-config-ms-mpc.html
>>
>> ry@iad1-er2# show | compare
>> [edit] >> + services { >> + service-set SSET1 { >> + nat-rules NAT-RULE1; >> + interface-service { >> + service-interface ms-0/2/0; >> + } >> + } >> + nat { >> + pool NP2 { >> + address <pub_space>/28; >> + port { >> + automatic; >> + } >> + } >> + rule NAT-RULE1 { >> + match-direction input; >> + term term-1 { >> + from { >> + source-address { >> + 10.0.0.0/8; >> + } >> + destination-address { >> + 10.0.0.0/8; >> + } >> + } >> + then { >> + no-translation; >> + } >> + } >> + term term-2 { >> + from { >> + source-address { >> + 10.0.0.0/8; >> + } >> + } >> + then { >> + translated { >> + source-pool NP2; >> + translation-type { >> + napt-44; >> + } >> + } >> + } >> + } >> + } >> + } >> + } >> [edit interfaces] >> + ms-0/2/0 { >> + unit 0 { >> + family inet; >> + } >> + }
>>
>> [edit]
>> ry@iad1-er2# commit check
>> [edit services]
>> 'service-set SSET1'
>> translation type not supported on ms-interface
>> error: configuration check-out failed
>>
>> [edit]
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
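
Review bot: In rule NAT-RULE1 of the quoted `show | compare` output, term-1 ends in `then { no-translation; }`, which the reply names as the unsupported knob and which lines up with the `translation type not supported on ms-interface` commit-check error. term-2 there has no `destination-address` at all, so simply deleting term-1 would leave 10.0.0.0/8-to-10.0.0.0/8 traffic matching the napt-44 term. The exclusion has to move into term-2's `from` as `0.0.0.0/0;` plus `10.0.0.0/8 except;` under `destination-address`, as the reply proposes, and the two changes should go in as one commit.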
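
Review bot: The replacement term-2 quoted in the reply stops after the brace that closes `translation-type`, so `translated`, `then` and `term term-2` are still open as shown. The reply labels it a rough cut, so the three closing braces need to be added before it is loaded. It is also worth running `show | compare` again afterwards to confirm term-1 is gone and that only term-2 changed.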