Hello,
https://www.juniper.net/uk/en/training/jnbooks/day-one/networking-technologies-series/deploying-cgnat/
has all necessary info for MS-DPC CGNAT.
To adapt CGNAT config for MS-MPC "MS" interfaces, all You need is to
substitute SP interfaces for MS interfaces.
Your service filters part looks correct to me.
You don't need this part: "set chassis fpc 4 pic 0 inline-services bandwidth 20g"
Below is the other part You need to add. Assuming Your MS-MPC-128 is in
slot 4 and You want to use NPU 0:
set interfaces ae1 unit 0 family inet service input service-set CGNAT service-filter sf-in
set interfaces ae1 unit 0 family inet service output service-set CGNAT service-filter sf-out
set interfaces ms-4/0/0 unit 0 family inet
set services service-set CGNAT nat-rules nat-rule1
set services service-set CGNAT interface-service service-interface ms-4/0/0.0
set applications application-set accept-algs application junos-http
set applications application-set accept-algs application junos-ftp
set applications application-set accept-algs application junos-tftp
set applications application-set accept-algs application junos-telnet
set applications application-set accept-algs application junos-sip
set services nat pool napt-pool address y.y.y.y/32
set services nat pool napt-pool port automatic random-allocation
set services nat rule nat-rule1 match-direction input
set services nat rule nat-rule1 term alg-term1 from source-address 100.64.0.0/10
set services nat rule nat-rule1 term alg-term1 from application-sets accept-algs
set services nat rule nat-rule1 term alg-term1 then translated source-pool napt-pool
set services nat rule nat-rule1 term alg-term1 then translated translation-type napt-44
set services nat rule nat-rule1 term nat-term2 from source-address 100.64.0.0/10
set services nat rule nat-rule1 term nat-term2 then translated source-pool napt-pool
set services nat rule nat-rule1 term nat-term2 then translated translation-type napt-44
Do not forget to announce Your NAT pool to the outside world. On MX, it
is represented as a [Static/1] route. You need to explicitly redistribute
it into the routing protocol of Your choice.
HTH
Thanks
Alex
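One way to do the route announcement Alex describes, as an added example that is not from the thread: it assumes the NAT pool prefix y.y.y.y/32 from the configuration above, OSPF as the IGP (the thread mentions OSPF on the LAGs), and a policy name EXPORT-NAT-POOL chosen here; lines starting with # are annotations, not CLI input.

```junos
# Match only the NAT pool prefix. Junos installs it as a [Static/1] route
# pointing at the ms- service interface once the service-set is committed.
set policy-options policy-statement EXPORT-NAT-POOL term nat-pool from protocol static
set policy-options policy-statement EXPORT-NAT-POOL term nat-pool from route-filter y.y.y.y/32 exact
set policy-options policy-statement EXPORT-NAT-POOL term nat-pool then accept
# Explicit final reject so no other static routes leak into the IGP.
set policy-options policy-statement EXPORT-NAT-POOL then reject
# Attach the export policy to OSPF so the border MX learns a path to the pool.
set protocols ospf export EXPORT-NAT-POOL
# Verification after commit: the pool should show as Static/1 on the core MX
# and as an external LSA on the border MX.
# run show route y.y.y.y/32
# run show ospf database external
```

Without this route the border MX has no path to the pool address, so return traffic for translated flows never reaches the core MX.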
On 12/07/2016 18:45, Josh Reynolds wrote:
Oops, forgot service filter part:
set firewall family inet service-filter sf-in term 1 from source-address 100.64.0.0/10
set firewall family inet service-filter sf-in term 1 from destination-address 0.0.0.0/0
set firewall family inet service-filter sf-in term 1 from destination-address 100.64.0.0/10 except
set firewall family inet service-filter sf-in term 1 then count sf-in-filter-hit
set firewall family inet service-filter sf-in term 1 then service
set firewall family inet service-filter sf-in term 2 then skip
set firewall family inet service-filter sf-out term 1 then count sf-out-filter-excluded-from-nat
set firewall family inet service-filter sf-out term 1 then skip
On Tue, Jul 12, 2016 at 12:28 PM, Josh Reynolds <j...@kyneticwifi.com> wrote:
Here's what I've got going on now...
set services nat pool centralolt01 address xx.yy.196.3/32
set services nat rule cgnat match-direction input
set services nat rule cgnat term THINGTONAT1 from source-address 100.64.1.0/24
set services nat rule cgnat term THINGTONAT1 from destination-address 0.0.0.0/0
set services nat rule cgnat term THINGTONAT1 then translated source-pool centralolt01
set services nat rule cgnat term THINGTONAT1 then translated translation-type dynamic-nat44
set services service-set cgnat nat-rules cgnat
set services service-set cgnat interface-service service-interface ms-4/0/0
set chassis fpc 4 pic 0 inline-services bandwidth 20g
set interfaces ms-4/0/0 unit 0 family inet
set interfaces ae1 unit 0 family inet service input service-set cgnat service-filter sf-in
set interfaces ae1 unit 0 family inet service output service-set cgnat service-filter sf-out
MAP: WAN <----- border mx -----><----- core mx (ms-mpc-128) -----> transport routers
Between the border mx and core is a LAG group with OSPF running on it,
same goes between the core mx and the transport routers.
Filter: __service-cgnat:sf-in
Counters:
Name                                   Bytes      Packets
sf-in-filter-hit                       54354      824
Filter: __service-cgnat:sf-out
Counters:
Name                                   Bytes      Packets
sf-out-filter-excluded-from-nat        10064529   19915
So my rule is getting hit, but for some reason traffic can't make it
past the core router to the border. Is it because this address pool
I'm using for SNAT is done inline, and doesn't actually exist
anywhere? If that's so, it makes sense, I just don't know how to go
about fixing that.
Any help or insight would be appreciated. Thank you.
On Mon, Jul 11, 2016 at 2:21 PM, Josh Reynolds <j...@kyneticwifi.com> wrote:
Hi all.
I've gone through quite a few pages of juniper techpubs, but I'm
having a problem figuring out how to correctly implement your
standard, run of the mill NAT (ipv4) using an MS-MPC-128.
Part of this may be design or topology related, and I was wondering if
someone could help me figure out a solution.
WAN-<----ae0----->CORE (MX960)<-----ae1----->EX4500
So I have a couple of ports on the EX4500's with different RFC6598
(CGNAT Range) subnets on them (routed ports), for various different
things (say range1, range2, range3, etc).
All I want to do, is route any traffic coming in to the CORE from
range1/2/3/etc to a certain /32 (a different /32 for each range).
Pretty simple, your basic NAT setup.
My problem I think is how to apply this in somewhat a transparent
fashion. Currently, what I've pulled up off the web seems to break all
the things, as it seems like everything is getting forwarded through
the ms-mpc interface.
Here's what I have so far, if somebody could help me out real quick or
show me another method it would be greatly appreciated.
-----
customer ip range x.x.x.x
range to snat to y.y.y.y
set interfaces ae1 unit 0 family inet service input service-set CGNAT
set interfaces ae1 unit 0 family inet service output service-set CGNAT
set interfaces ms-3/0/0 unit 0 family inet
set applications application-set accept-algs application junos-http
set applications application-set accept-algs application junos-ftp
set applications application-set accept-algs application junos-tftp
set applications application-set accept-algs application junos-telnet
set applications application-set accept-algs application junos-sip
set services stateful-firewall rule centralolt01-data match-direction input-output
set services stateful-firewall rule centralolt01-data term 1 from source-address x.x.x.x/24
set services stateful-firewall rule centralolt01-data term 1 from application-sets accept-algs
set services stateful-firewall rule centralolt01-data term 1 then accept
set services nat pool napt-pool address y.y.y.y/32
set services nat pool napt-pool port automatic auto
set services nat rule nat-rule1 match-direction input
set services nat rule nat-rule1 term nat-term1 from source-address x.x.x.x/24 // NAT for the customer side
set services nat rule nat-rule1 term nat-term1 from application-sets accept-algs
set services nat rule nat-rule1 term nat-term1 then translated source-pool napt-pool
set services nat rule nat-rule1 term nat-term1 then translated translation-type napt-44
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp