The INTERNET-IN filter is applied on the peer links only. I have an "accept" for anything destined to the NAT pool subnets, on both edge routers.

I have done what you advised, and that appears to have cleared up the second session. Thank you. Makes a lot more sense to me now in terms of how to get traffic in and out of the MS-MIC. I also found a typo with my attempt to attract NAT routes, which you correctly doubted me on! =) If you are ever in SF, I'm buying beers.

On Wed, Oct 8, 2014 at 1:51 PM, Alexander Arseniev <arsen...@btinternet.com> wrote:
> Hello,
> Thanks for posting this.
> A few questions please if I may:
> 1/ where this snippet is applied to/taken from?
>
> unit 0 {
>     description <snip>;
>     family inet {
>         filter {
>             input INTERNET-IN;
>             output INTERNET-OUT;
>         }
>
> Is it applied on (a) er2 interface connected to er1? (b) on er2 interface connected to peer2, (c) on er2 interface connected to cs2/cs1?
> You don't need all 3 application points on each router with same service-set+service-filters combo. The most You need is 1 : er[12]-cs[12] interfaces, on er[12] side only, where private clients are L3-terminated.
> In fact, if this snippet is applied on er2-peer2 interface, it will cause You issues, see below.
> 2/ What this "term 2" is supposed to do?
>
> term 2 {
>     from {
>         destination-address {
>             $natpool-ip/28;
>         }
>     }
>     then service;
> }
>
> I believe this is the root cause of Your issues because if a SYN-ACK arrives to er2 via peer2, and hits this "term 2", it will attempt to create a new session and will fail because it is a SYN-ACK.
> Please remove term 2 from SFILTER-IN, and remove "family inet service" altogether from er1-er2 interfaces on both sides, and er[12]-peer[12] interfaces on er[12] side. Your SFILTER-IN must catch only private src.ips for Your interface-style NAT to work properly. Your SFILTER-OUT does not have any functionality apart from skipping uninterested traffic, as long as everything is in same routing-instance. Return internet-> NAT pool traffic is attracted by NAT routes which You supposedly advertise out.
> HTH
> thanks
> Alex
>
> On 08/10/2014 21:20, ryanL wrote:
> > unit 0 {
> >     description <snip>;
> >     family inet {
> >         filter {
> >             input INTERNET-IN;
> >             output INTERNET-OUT;
> >         }
>

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
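To make the fix Alex describes concrete, here is the corrected SFILTER-IN/SFILTER-OUT pair and its single application point, as an added Junos configuration example that is not from the thread; the service-set name NAT-SS, the interface ge-0/0/1 and the 10.0.0.0/8 and 203.0.113.0/28 prefixes are assumed placeholders.

```junos
firewall {
    family inet {
        /* SFILTER-IN matches only private client sources (10.0.0.0/8 is a placeholder); the old "term 2" on destination $natpool-ip/28 is deliberately gone. */
        service-filter SFILTER-IN {
            term private-clients {
                from {
                    source-address {
                        10.0.0.0/8;
                    }
                }
                then service;
            }
            term bypass {
                then skip;
            }
        }
        /* SFILTER-OUT services only return traffic for the pool; 203.0.113.0/28 stands in for $natpool-ip/28. */
        service-filter SFILTER-OUT {
            term to-nat-pool {
                from {
                    destination-address {
                        203.0.113.0/28;
                    }
                }
                then service;
            }
            term bypass {
                then skip;
            }
        }
    }
}
/* Applied on the client-facing er-cs interface only (ge-0/0/1 assumed); no "family inet service" on er1-er2 or er-peer links. */
interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                service {
                    input {
                        service-set NAT-SS service-filter SFILTER-IN;
                    }
                    output {
                        service-set NAT-SS service-filter SFILTER-OUT;
                    }
                }
            }
        }
    }
}
```

The check after committing is that a SYN-ACK arriving from a peer no longer traverses any service-filter term ending in "then service", so the MS-MIC is never asked to create a session from a mid-handshake packet.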