Oops, forgot service filter part:

set firewall family inet service-filter sf-in term 1 from source-address 100.64.0.0/10
set firewall family inet service-filter sf-in term 1 from destination-address 0.0.0.0/0
set firewall family inet service-filter sf-in term 1 from destination-address 100.64.0.0/10 except
set firewall family inet service-filter sf-in term 1 then count sf-in-filter-hit
set firewall family inet service-filter sf-in term 1 then service
set firewall family inet service-filter sf-in term 2 then skip
set firewall family inet service-filter sf-out term 1 then count sf-out-filter-excluded-from-nat
set firewall family inet service-filter sf-out term 1 then skip
On Tue, Jul 12, 2016 at 12:28 PM, Josh Reynolds <j...@kyneticwifi.com> wrote:
> Here's what I've got going on now...
>
> set services nat pool centralolt01 address xx.yy.196.3/32
> set services nat rule cgnat match-direction input
> set services nat rule cgnat term THINGTONAT1 from source-address 100.64.1.0/24
> set services nat rule cgnat term THINGTONAT1 from destination-address 0.0.0.0/0
> set services nat rule cgnat term THINGTONAT1 then translated source-pool centralolt01
> set services nat rule cgnat term THINGTONAT1 then translated translation-type dynamic-nat44
>
> set services service-set cgnat nat-rules cgnat
> set services service-set cgnat interface-service service-interface ms-4/0/0
>
> set chassis fpc 4 pic 0 inline-services bandwidth 20g
>
> set interfaces ms-4/0/0 unit 0 family inet
>
> set interfaces ae1 unit 0 family inet service input service-set cgnat service-filter sf-in
> set interfaces ae1 unit 0 family inet service output service-set cgnat service-filter sf-out
>
> MAP: WAN <----- border mx -----><----- core mx (ms-mpc-128) -----> transport routers
>
> Between the border mx and core is a LAG group with OSPF running on it,
> same goes between the core mx and the transport routers.
>
> Filter: __service-cgnat:sf-in
> Counters:
> Name                                Bytes       Packets
> sf-in-filter-hit                    54354       824
>
> Filter: __service-cgnat:sf-out
> Counters:
> Name                                Bytes       Packets
> sf-out-filter-excluded-from-nat     10064529    19915
>
> So my rule is getting hit, but for some reason traffic can't make it
> past the core router to the border. Is it because this address pool
> I'm using for SNAT is done inline, and doesn't actually exist
> anywhere? If that's so, it makes sense, I just don't know how to go
> about fixing that.
>
> Any help or insight would be appreciated. Thank you.
>
>
>
> On Mon, Jul 11, 2016 at 2:21 PM, Josh Reynolds <j...@kyneticwifi.com> wrote:
>> Hi all.
>>
>> I've gone through quite a few pages of juniper techpubs, but I'm
>> having a problem figuring out how to correctly implement your
>> standard, run of the mill NAT (ipv4) using an MS-MPC-128
>>
>> Part of this may be design or topology related, and I was wondering if
>> someone could help me figure out a solution.
>>
>>
>> WAN-<----ae0----->CORE (MX960)<-----ae1----->EX4500
>>
>> So I have a couple of ports on the EX4500's with different RFC6598
>> (CGNAT Range) subnets on them (routed ports), for various different
>> things (say range1, range2, range3, etc)
>>
>> All I want to do, is route any traffic coming in to the CORE from
>> range1/2/3/etc to a certain /32 (a different /32 for each range).
>> Pretty simple, your basic NAT setup.
>>
>> My problem I think is how to apply this in somewhat a transparent
>> fashion. Currently, what I've pulled up off the web seems to break all
>> the things, as it seems like everything is getting forwarded through
>> the ms-mpc interface.
>>
>> Here's what I have so far, if somebody could help me out real quick or
>> show me another method it would be greatly appreciated.
>> -----
>>
>> customer ip range x.x.x.x
>> range to snat to y.y.y.y
>>
>> set interfaces ae1 unit 0 family inet service input service-set CGNAT
>> set interfaces ae1 unit 0 family inet service output service-set CGNAT
>> set interfaces ms-3/0/0 unit 0 family inet
>>
>> set applications application-set accept-algs application junos-http
>> set applications application-set accept-algs application junos-ftp
>> set applications application-set accept-algs application junos-tftp
>> set applications application-set accept-algs application junos-telnet
>> set applications application-set accept-algs application junos-sip
>>
>> set services stateful-firewall rule centralolt01-data match-direction input-output
>> set services stateful-firewall rule centralolt01-data term 1 from source-address x.x.x.x/24
>> set services stateful-firewall rule centralolt01-data term 1 from application-sets accept-algs
>> set services stateful-firewall rule centralolt01-data term 1 then accept
>> set services nat pool napt-pool address y.y.y.y/32
>> set services nat pool napt-pool port automatic auto
>>
>> set services nat rule nat-rule1 match-direction input
>> set services nat rule nat-rule1 term nat-term1 from source-address x.x.x.x/24 // NAT for the customer side
>> set services nat rule nat-rule1 term nat-term1 from application-sets accept-algs
>> set services nat rule nat-rule1 term nat-term1 then translated source-pool napt-pool
>> set services nat rule nat-rule1 term nat-term1 then translated translation-type napt-44

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
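A small Python model of the sf-in / sf-out service filters and the cgnat NAT term posted above, added here as an illustration (it is not code from the thread or from Junos). It reproduces the longest-prefix "except" semantics of the destination-address list so you can see which flows are handed to the service set, which are NAT-translated, and which skip the service set, and it assumes nothing about a filter's behaviour when no term matches (both posted filters end in a catch-all term).

```python
# Model of the posted sf-in / sf-out service filters and the cgnat NAT term.
# Assumptions: Junos address lists use longest-prefix match, and an 'except'
# entry that wins that match makes the field not match; behaviour when no term
# matches is not modelled (both posted filters end in a catch-all term).
from ipaddress import ip_address, ip_network

def addr_matches(addr, entries):
    """entries: [(prefix, is_except)]; True if the longest match is not an except."""
    best = None
    for prefix, excluded in entries:
        net = ip_network(prefix)
        if ip_address(addr) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, excluded)
    return best is not None and not best[1]

def term_matches(src, dst, froms):
    """A term with no 'from' clause matches every packet."""
    return (("source" not in froms or addr_matches(src, froms["source"]))
            and ("destination" not in froms or addr_matches(dst, froms["destination"])))

# (term name, from-clauses, action) copied from the thread's configuration.
SF_IN_TERMS = [
    ("1", {"source": [("100.64.0.0/10", False)],
           "destination": [("0.0.0.0/0", False), ("100.64.0.0/10", True)]}, "service"),
    ("2", {}, "skip"),
]
SF_OUT_TERMS = [("1", {}, "skip")]
NAT_TERM = {"source": [("100.64.1.0/24", False)], "destination": [("0.0.0.0/0", False)]}

def service_filter(src, dst, terms):
    """Return (term, action) of the first matching term, or (None, None)."""
    for name, froms, action in terms:
        if term_matches(src, dst, froms):
            return name, action
    return None, None

def classify_input(src, dst):
    """What happens to a packet entering ae1: 'nat', 'passthrough' or 'skip'."""
    _, action = service_filter(src, dst, SF_IN_TERMS)
    if action != "service":
        return action or "unmatched"
    return "nat" if term_matches(src, dst, NAT_TERM) else "passthrough"

if __name__ == "__main__":
    # Constructed sample flows; the addresses are not from the thread.
    for src, dst in [("100.64.1.10", "198.51.100.7"), ("100.64.1.10", "100.64.2.5"),
                     ("100.64.9.1", "198.51.100.7"), ("10.0.0.1", "198.51.100.7")]:
        print(src, "->", dst, classify_input(src, dst))
    # Output direction: the posted sf-out filter skips every packet it sees.
    print("output:", service_filter("198.51.100.7", "203.0.113.3", SF_OUT_TERMS))
```

The CGN-to-CGN flow lands on term 2 (skip) because the except entry wins the longest match, while a source outside 100.64.1.0/24 reaches the service set but matches no NAT term.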