Re: [j-nsp] Static NAT

2007-11-02 Thread Matt Stevens
Thanks Jon!

I actually got it working another way. There's a new option in 8.4, 
nat-type. It's not documented anywhere that I can find, other than the 
release notes for 8.4. And it's only available for the J-Series.

rule NAT {
    match-direction input;
    term static-matt {
        nat-type full-cone;

Now to figure out how I can map an external tcp port to a different 
internal tcp port so I can reuse an IP multiple times for different 
services.
-- 
matt


Jonathan Looney wrote:
> Matt,
> 
> Now that you've gotten this far, adding inbound static NAT is pretty simple. 
> :-)
> 
> Create a NAT pool with your internal address(es).
> 
> Add a new rule with a match-direction of "output".  In this rule, add
> a term with a "from" clause that matches packets with a destination
> address of your public address.  In the then clause, specify the NAT
> pool with your internal addresses (as a destination-pool) and a
> translation type of "destination static".
> 
> Here's an example which translates 172.17.39.18/32 (outside address)
> to 192.168.200.1/32 (inside address):
> services {
>     nat {
>         pool dest-pool {
>             address 192.168.200.2/32;
>         }
>         rule dest-nat {
>             match-direction output;
>             term dest-nat {
>                 from {
>                     destination-address {
>                         172.17.39.18/32;
>                     }
>                 }
>                 then {
>                     translated {
>                         destination-pool dest-pool;
>                         translation-type {
>                             destination static;
>                         }
>                     }
>                 }
>             }
>         }
>     }
> }
> 
> Don't forget to match on applications in the rule, if necessary, to
> activate ALGs.
> 
> Now, you just add the new rule to the existing service-set and
> everything should work!
> 
> -Jon
> 
> 
> On 11/1/07, Matt Stevens <[EMAIL PROTECTED]> wrote:
>> I'm a recent Cisco convert - trying to wrap my head around the Juniper
>> way of dealing with NAT.
>>
>> I'm trying to get a setup working where I can allow inbound traffic
>> through the NAT to specific internal machines.
>>
>> Ideally I'd like to be able to map things at a port level - ie. port 80
>> on external address X goes to port Y on internal address Z.
>>
>> I have things working to the point where I can NAT a specific internal
>> address to a specific external address (see config at the end), with
>> everyone else using PAT on a different address. But I can't seem to
>> figure out how I allow inbound traffic through.
>>
>> This is on a J-4350, if that makes any difference...
>>
>> Any pointers in the right direction would be most appreciated!
>> --
>> matt
>>
>>
>> Here's my service nat config. I have the service-set for this applied on
>> the internal interface:
>>     rule NAT {
>>         match-direction input;
>>         term static-matt {
>>             from {
>>                 source-address {
>>                     192.168.1.238/32;
>>                 }
>>             }
>>             then {
>>                 translated {
>>                     source-pool static-matt;
>>                     translation-type {
>>                         source static;
>>                     }
>>                 }
>>             }
>>         }
>>         term dynamic {
>>             then {
>>                 translated {
>>                     source-pool dynamic;
>>                     translation-type {
>>                         source dynamic;
>>                     }
>>                 }
>>             }
>>         }
>>     }
>> }
>> ___
>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>


Re: [j-nsp] SNMP OID for "ip description"

2007-11-02 Thread Scott Weeks


--- [EMAIL PROTECTED] wrote:
I have been unable to find what is the OID for Junose (E-Series) for the
interfaces ip description. All I've been able to get is the name of the
interfaces which is not exactly what I want. Can anyone help me here?
---


Just to add one more thing...


Maybe this'll work:

http://www.oidview.com/mibs/0/IF-MIB.html

1.3.6.1.2.1.31.1.1.1.18



There're two different interface identifiers.  One is the IP interface, so I 
believe it's:

1.3.6.1.2.1.31.1.1.1.18.


 
For example, in my network I see this:

ifAlias.268435463
ifAlias.53366

Then, I look for the interface identifier:

ifDescr.268435463 = STRING: FR13/9.183
ifName.53366 = STRING: IP13/9.183

So, in this case, I believe you'd want 1.3.6.1.2.1.31.1.1.1.18.53366

scott
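The correlation Scott describes (ifAlias is indexed by ifIndex, and the IP interface carries a different ifIndex than the physical one), as an added example that is not part of the original post: it parses snmpwalk-style IF-MIB output and joins ifAlias with ifName/ifDescr on the index. The walk text, the alias string and the function names are constructed for illustration.

```python
import re

# Constructed sample modelled on the values in the post: the Frame Relay
# sub-interface and the IP interface have different ifIndex values, and
# only the IP one carries the description (alias) we are after.
SAMPLE_WALK = """\
IF-MIB::ifDescr.268435463 = STRING: FR13/9.183
IF-MIB::ifName.53366 = STRING: IP13/9.183
IF-MIB::ifAlias.268435463 = STRING:
IF-MIB::ifAlias.53366 = STRING: customer-link-example
"""

IFALIAS_OID = "1.3.6.1.2.1.31.1.1.1.18"   # IF-MIB ifAlias column
LINE_RE = re.compile(r"^(?:IF-MIB::)?(\w+)\.(\d+) = STRING:\s*(.*)$")

def parse_walk(text):
    """Return {column: {ifIndex: value}} from snmpwalk-style lines."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        column, index, value = m.group(1), int(m.group(2)), m.group(3)
        table.setdefault(column, {})[index] = value
    return table

def interface_aliases(text):
    """Join ifAlias with ifName/ifDescr on ifIndex.

    Returns {ifIndex: (name, alias, full_oid)} so it is visible which
    identifier (IP interface or physical interface) the alias hangs off.
    """
    table = parse_walk(text)
    names = dict(table.get("ifDescr", {}))
    names.update(table.get("ifName", {}))   # ifName wins when both exist
    result = {}
    for index, alias in table.get("ifAlias", {}).items():
        result[index] = (names.get(index, "?"), alias, f"{IFALIAS_OID}.{index}")
    return result

def alias_for_interface(text, ifname):
    """Return (full OID, alias) for a named interface, e.g. IP13/9.183."""
    for _index, (name, alias, oid) in interface_aliases(text).items():
        if name == ifname:
            return oid, alias
    return None
```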


Re: [j-nsp] Static NAT

2007-11-02 Thread Jonathan Looney
Matt,

Now that you've gotten this far, adding inbound static NAT is pretty simple. :-)

Create a NAT pool with your internal address(es).

Add a new rule with a match-direction of "output".  In this rule, add
a term with a "from" clause that matches packets with a destination
address of your public address.  In the then clause, specify the NAT
pool with your internal addresses (as a destination-pool) and a
translation type of "destination static".

Here's an example which translates 172.17.39.18/32 (outside address)
to 192.168.200.1/32 (inside address):
services {
    nat {
        pool dest-pool {
            address 192.168.200.2/32;
        }
        rule dest-nat {
            match-direction output;
            term dest-nat {
                from {
                    destination-address {
                        172.17.39.18/32;
                    }
                }
                then {
                    translated {
                        destination-pool dest-pool;
                        translation-type {
                            destination static;
                        }
                    }
                }
            }
        }
    }
}

Don't forget to match on applications in the rule, if necessary, to
activate ALGs.

Now, you just add the new rule to the existing service-set and
everything should work!

-Jon


On 11/1/07, Matt Stevens <[EMAIL PROTECTED]> wrote:
> I'm a recent Cisco convert - trying to wrap my head around the Juniper
> way of dealing with NAT.
>
> I'm trying to get a setup working where I can allow inbound traffic
> through the NAT to specific internal machines.
>
> Ideally I'd like to be able to map things at a port level - ie. port 80
> on external address X goes to port Y on internal address Z.
>
> I have things working to the point where I can NAT a specific internal
> address to a specific external address (see config at the end), with
> everyone else using PAT on a different address. But I can't seem to
> figure out how I allow inbound traffic through.
>
> This is on a J-4350, if that makes any difference...
>
> Any pointers in the right direction would be most appreciated!
> --
> matt
>
>
> Here's my service nat config. I have the service-set for this applied on
> the internal interface:
>     rule NAT {
>         match-direction input;
>         term static-matt {
>             from {
>                 source-address {
>                     192.168.1.238/32;
>                 }
>             }
>             then {
>                 translated {
>                     source-pool static-matt;
>                     translation-type {
>                         source static;
>                     }
>                 }
>             }
>         }
>         term dynamic {
>             then {
>                 translated {
>                     source-pool dynamic;
>                     translation-type {
>                         source dynamic;
>                     }
>                 }
>             }
>         }
>     }
> }


Re: [j-nsp] J-Series vs SSG

2007-11-02 Thread Giuliano (UOL)
Alex,

It's important to see the technical specifications for the SSG-320 box:

BGP instances   3
BGP peers   4
BGP routes  10,000
OSPF instances  3
OSPF routes 10,000
RIP v1/v2 instances 128
RIP v2 routes   10,000

> We are a small web hosting company looking to implement a pair of
> Juniper firewalls behind our border routers (both J4350s running BGP to
> a couple of ISPs).  What we are looking for is pretty simple - stateful
> firewalling, simple ACLs, DDoS protection, active/passive failover.

J-Series certainly will support all these features.

> We are looking at getting either 2 x SSG 320 or 2 x J2320s.  I'm aware
> that these are exactly the same hardware - the question is whether we
> want to be running ScreenOS or JunOS.
>  
> My preference right now is J2320s with JunOS as I'm very comfortable
> working with JunOS.  But there seems to be a consensus amongst people I
> have spoken to that ScreenOS will be easier to configure and will be a
> better solution in the long term.  Also as far as I can gather, JunOS
> isn't able to sync firewall state which ScreenOS does easily.

ScreenOS is easier to configure, with better support for NAT and filters
(with UTM), but you will not have the same routing features and
flexibility to configure, manipulate, mark or classify traffic ... like
you have with JUNOS.

Juniper is talking about supporting some UTM features in JUNOS and some
acceleration features too.

Att,

Giuliano



Re: [j-nsp] System board memory expansion on M7i

2007-11-02 Thread Dan Farrell
You're not incorrect that they can be ordered with that much RAM,
however... any sales rep that didn't put you onto the new RE-850-1536-BB
(the 850 MHz CPU with 1536 MB RAM) for the same price as the old 400 MHz
RE isn't doing his/her job.


I say this because we just got our new M7i with those very specs 5 days
ago. Our sales rep originally had us on the 400 MHz RE, and then
zero-cost upgraded the quote to the 850 MHz RE and we took it.


Also, if you are looking into the M7i, you can get the Firewall ASM
included/integrated on the FE, but if you order it later, you have to
order it as a separate PIC, and it will cost more.



danno

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rubens Kuhl
Jr.
Sent: Thursday, November 01, 2007 11:27 AM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] System board memory expansion on M7i

Hi.

M7i routers can be ordered with 256 or 512 MB RAM system board memory;
any guidelines on what usage scenarios would make 512MB desirable or
even mandatory ?

Our need is an Internet router with 3 full-routing transit feeds and a
bunch of peering connections that made us specify more memory for the
routing engine, but that may or may not impact forwarding engine
requirements. AS and J-Flow are already included in the RFP.


Rubens


Re: [j-nsp] chassisd syslog message

2007-11-02 Thread Daniel Roesen
On Fri, Nov 02, 2007 at 09:05:43AM -0400, Eric Van Tol wrote:
> Thanks, Daniel.  Are you noticing any other side effects of which I
> should be aware?

I'm seeing the CLI hangs too but wasn't correlating those to the
syscall warnings. But now that you mention it, I'm observing the same.

One of the two J2320 crashed for a period of time:

Oct 31 19:52:22  j2320-2 /kernel: panic: page fault
Oct 31 22:12:22  j2320-2 /kernel: panic: page fault
Oct 31 23:08:42  j2320-2 /kernel: panic: page fault
Oct 31 23:12:46  j2320-2 /kernel: panic: page fault
Nov  1 00:25:47  j2320-2 /kernel: panic: page fault
Nov  1 00:56:28  j2320-2 /kernel: panic: page fault
Nov  1 08:18:29  j2320-2 /kernel: panic: page fault
Nov  1 14:13:24  j2320-2 /kernel: panic: page fault
Nov  1 14:19:33  j2320-2 /kernel: panic: page fault
Nov  1 16:00:55  j2320-2 /kernel: panic: page fault
Nov  1 16:11:02  j2320-2 /kernel: panic: page fault
Nov  1 17:28:06  j2320-2 /kernel: panic: page fault
Nov  1 17:40:18  j2320-2 /kernel: panic: page fault
Nov  1 18:04:40  j2320-2 /kernel: panic: page fault

Not sure whether that's related to the syscall problem, and it
stopped crashing again.

Best regards,
Daniel

-- 
CLUE-RIPE -- Jabber: [EMAIL PROTECTED] -- [EMAIL PROTECTED] -- PGP: 0xA85C8AA0
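Detection logic over the two kernel log shapes quoted in this thread (the "syscall ... ran for ... ms" warning and the "panic: page fault" line), as an added example that is not Juniper tooling: it counts slow daemon syscalls per process and panics per host per day, and lists hosts worth escalating. The sample lines, hostnames and thresholds are constructed.

```python
import re
from collections import Counter

# Constructed sample: line shapes copied from the thread, values invented.
SAMPLE_LOG = """\
Nov  2 08:01:10  j2350-1 /kernel: chassisd pid 2922 syscall 54 ran for 1251.115 ms
Nov  2 08:02:12  j2350-1 /kernel: chassisd pid 2922 syscall 54 ran for 1302.007 ms
Nov  2 08:02:40  j2350-1 /kernel: rpd pid 3104 syscall 54 ran for 12.500 ms
Nov  1 00:25:47  j2320-2 /kernel: panic: page fault
Nov  1 00:56:28  j2320-2 /kernel: panic: page fault
Nov  2 09:00:00  j2320-2 /kernel: panic: page fault
"""

SYSCALL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\s+(?P<host>\S+) /kernel: "
    r"(?P<proc>\S+) pid (?P<pid>\d+) syscall (?P<num>\d+) ran for (?P<ms>[\d.]+) ms$")
PANIC_RE = re.compile(
    r"^(?P<day>\w{3}\s+\d+) \d\d:\d\d:\d\d\s+(?P<host>\S+) /kernel: panic: (?P<what>.+)$")

def slow_syscalls(log, threshold_ms=1000.0):
    """Return {(host, process, pid): count} of syscalls at or above the threshold."""
    hits = Counter()
    for line in log.splitlines():
        m = SYSCALL_RE.match(line)
        if m and float(m["ms"]) >= threshold_ms:
            hits[(m["host"], m["proc"], int(m["pid"]))] += 1
    return dict(hits)

def panics_per_day(log):
    """Return {(host, 'Mon D'): count} of kernel panics, day padding normalised."""
    days = Counter()
    for line in log.splitlines():
        m = PANIC_RE.match(line)
        if m:
            days[(m["host"], re.sub(r"\s+", " ", m["day"]))] += 1
    return dict(days)

def hosts_to_escalate(log, threshold_ms=1000.0, min_panics=2):
    """Hosts with repeated slow daemon syscalls or >= min_panics panics in one day."""
    flagged = {h for (h, _proc, _pid), n in slow_syscalls(log, threshold_ms).items() if n >= 2}
    flagged |= {h for (h, _day), n in panics_per_day(log).items() if n >= min_panics}
    return sorted(flagged)
```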


Re: [j-nsp] chassisd syslog message

2007-11-02 Thread Eric Van Tol
Thanks, Daniel.  Are you noticing any other side effects of which I
should be aware?

-evt

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Daniel Roesen
> Sent: Friday, November 02, 2007 8:25 AM
> To: juniper-nsp@puck.nether.net
> Subject: Re: [j-nsp] chassisd syslog message
> 
> On Fri, Nov 02, 2007 at 10:22:56AM +, Phill Jolliffe wrote:
> > what is the name of the process with pid 2922?
> 
> chassisd, as the log line already says...
> 
> We're seeing exactly the same problem on our J2320s. We have a
> JTAC case open on that.
> 
> Best regards,
> Daniel
> 
> -- 
> CLUE-RIPE -- Jabber: [EMAIL PROTECTED] -- [EMAIL PROTECTED] -- PGP: 0xA85C8AA0


Re: [j-nsp] chassisd syslog message

2007-11-02 Thread Daniel Roesen
On Fri, Nov 02, 2007 at 10:22:56AM +, Phill Jolliffe wrote:
> what is the name of the process with pid 2922?

chassisd, as the log line already says...

We're seeing exactly the same problem on our J2320s. We have a
JTAC case open on that.

Best regards,
Daniel

-- 
CLUE-RIPE -- Jabber: [EMAIL PROTECTED] -- [EMAIL PROTECTED] -- PGP: 0xA85C8AA0


[j-nsp] Fw: BRAS- No queues

2007-11-02 Thread M.Mihailidis
Hello all
I get this output from an E320. Can anyone tell me what the * in the voice traffic 
class means in the output?

Thanks in advance


dc-bras01(config)#run show egress-queue rates full interf gig 3/0/3.17110001
                                     traffic       forwarded  aggregate  minimum
interface                            class         rate       drop rate  rate
-----------------------------------  ------------  ---------  ---------  -------
vlan GigabitEthernet3/0/3.17110001   best-effort   0          0          0
                                     tc-vod        0          0          0
                                     tc-voice      *          *          2000
                                     tc-multicast  0          0          0

                                     maximum
interface                            rate
-----------------------------------  -------
vlan GigabitEthernet3/0/3.17110001   1600
                                     10
                                     10
                                     10

  Queues reported:                    3
  Queues filtered (under threshold):  0
* Queues disabled (no rate period):   1
**Queues disabled (no resources):     0
  Total queues:                       4
dc-bras01(config)#exit


Re: [j-nsp] chassisd syslog message

2007-11-02 Thread Phill Jolliffe
what is the name of the process with pid 2922?

show system process exten | match 2922

or

start shell
su
ps aux | grep 2922



On 11/2/07, Eric Van Tol <[EMAIL PROTECTED]> wrote:
> Hi,
> I seem to be receiving the following message in a J2350 router about every
> minute or so:
>
> /kernel: chassisd pid 2922 syscall 54 ran for 1251.115 ms
>
> Is this normal?  It seems that whenever this message is logged, the cli
> pauses for a few seconds, giving the impression that the router is
> unresponsive.  The same behavior occurs whether the router is fully
> configured or just has a factory-default config on it.
>
> Saw this in a J2320, too, so maybe it's normal?
>
> thanks,
> evt


-- 
*-= Foobar and WTF makes the world go round =-*