Re: [j-nsp] NAT on M120 with MS-PIC
no, that's normal... actually if sessions are always being initiated from outside in this case then he doesn't need the "input" direction rule...
Re: [j-nsp] NAT on M120 with MS-PIC
10.4r5 seems to need some additional tricks... At least on my mx.
We also added a service filter to keep it from grabbing other traffic.

Will O'Brien

On Aug 14, 2011, at 6:12 PM, "Derick Winkworth" wrote:

> You need two rules actually, you have a rule for the "input" direction, you
> need a rule for the "output" direction as well...
>
> nat {
>     pool 87 {
>         address 41.72.x.86/32;
>     }
>     rule test-out {
>         match-direction output;
>         term t1 {
>             from {
>                 destination-address {
>                     41.72.y.254/32;
>                 }
>             }
>             then {
>                 translated {
>                     source-pool 87;
>                     translation-type {
>                         destination static;
>                     }
>                 }
>             }
>         }
>     }
> }
>
> it'll look something like that... then add that rule to the service-set...
>
> Derick Winkworth
> CCIE #15672 (RS, SP), JNCIE-M #721
> http://blinking-network.blogspot.com
>
> From: Mauritz Lewies
> To: juniper-nsp@puck.nether.net
> Sent: Sun, August 14, 2011 4:05:22 PM
> Subject: [j-nsp] NAT on M120 with MS-PIC
>
> Hi
>
> I have a M120 with Junos 10.4 R5.5 and a MS-PIC.
>
> I'm trying to get one-one static NAT working, but alas no success.
>
> This is the relevant config:
>
> root@ZMT-ZM-LMY-MSE-001-RE1> show configuration chassis
> redundancy {
>     routing-engine 0 master;
>     routing-engine 1 backup;
>     failover {
>         on-loss-of-keepalives;
>         on-disk-failure;
>     }
>     graceful-switchover;
> }
> fpc 5 {
>     pic 3 {
>         adaptive-services {
>             service-package layer-3;
>         }
>     }
> }
>
> {master}[edit services]
> root@ZMT-ZM-LMY-MSE-001-RE1# show
> service-set test {
>     nat-rules test;
>     interface-service
>     service-interface sp-5/3/0
> }
> nat {
>     pool 86 {
>         address 41.72.y.254/32;
>     }
>     rule test {
>         match-direction input;
>         term t1 {
>             from {
>                 source-address {
>                     41.72.x.86/32;
>                 }
>             }
>             then {
>                 translated {
>                     source-pool 86;
>                     translation-type {
>                         source static;
>                     }
>                 }
>             }
>         }
>     }
> }
>
> root@ZMT-ZM-LMY-MSE-001-RE1> show configuration interfaces ge-2/0/1.111
> vlan-id 111;
> family inet {
>     sampling {
>         input;
>         output;
>     }
>     service {
>         input {
>             service-set test;
>         }
>         output {
>             service-set test;
>         }
>     }
>     address 41.72.x.26/30;
> }
>
> {master}
>
> But then this output:
>
> root@ZMT-ZM-LMY-MSE-001-RE1> show services nat mappings summary
>
> Total number of address mappings: 0
> Total number of endpoint independent port mappings: 0
> Total number of endpoint independent filters: 0
>
> {master}
> root@ZMT-ZM-LMY-MSE-001-RE1> show services nat mappings summary
>
> Total number of address mappings: 0
> Total number of endpoint independent port mappings: 0
> Total number of endpoint independent filters: 0
>
> {master}
> root@ZMT-ZM-LMY-MSE-001-RE1> show services nat statistics interface ge-2/0/1.111
>
> {master}
> root@ZMT-ZM-LMY-MSE-001-RE1> show services nat statistics
> Interface: sp-5/3/0
> error: This command is not supported on sp-5/3/0 interface
>
> {master}
>
> Any help?
>
> Regards,
Re: [j-nsp] management daemon of M20(9.4R4.5) is not running
Cold reboot of the router helped :)

regards,
martin

2011/8/10 Martin T:
> I have a Juniper M20 with Junos 9.4R4.5, which all of a sudden
> doesn't support SSH login:
>
> martint@martin:~> ssh 192.168.1.254
>
> Enter passphrase for key '/home/martin/.ssh/id_dsa':
> --- JUNOS 9.4R4.5 built 2009-11-16 16:23:14 UTC
> could not open user interface connection: management daemon not running
> Retry connection attempts ? [yes,no] (yes)
> could not open user interface connection: management daemon not running
> Retry connection attempts ? [yes,no] (yes)
> could not open user interface connection: management daemon not running
> Retry connection attempts ? [yes,no] (yes)
> could not open user interface connection: management daemon not running
> Retry connection attempts ? [yes,no] (yes)
> could not open user interface connection: management daemon not running
> Retry connection attempts ? [yes,no] (yes) no
> Connection to 192.168.1.254 closed.
> martint@martin:~>
>
> Over the console line I can see that mgd is actually running:
>
> root 1169 0.0 1.0 28948 21668 ?? I 25Feb11 0:54.90 /usr/sbin/mgd -N
>
> I tried to execute another instance of mgd with "/usr/sbin/mgd -N",
> but this resulted in:
>
> "mgd: error: daemon MGD detects existing daemon using lock file"
>
> As it turned out, mgd uses a lock file in order to ensure that only one
> instance of mgd is running at any specific time. Then I tried to force
> mgd to reload gently using "kill -HUP 1169", but it looks like mgd
> ignores the hang up signal. Then I sent SIGTERM with "kill 1169",
> which caused mgd to restart:
>
> root 79861 3.1 1.0 24824 21124 ?? S 10:26PM 0:00.39 /usr/sbin/mgd -N
>
> ..but there is still no access to the router over SSH. However, now I
> don't get the "could not open user interface connection" error.
> Instead the SSH session just hangs there forever.
>
> Any ideas how to regain access to this machine over SSH? Or is a
> reboot the only option out there in such a case?
>
> regards,
> martin
Re: [j-nsp] NAT on M120 with MS-PIC
You need two rules actually, you have a rule for the "input" direction, you need a rule for the "output" direction as well...

nat {
    pool 87 {
        address 41.72.x.86/32;
    }
    rule test-out {
        match-direction output;
        term t1 {
            from {
                destination-address {
                    41.72.y.254/32;
                }
            }
            then {
                translated {
                    source-pool 87;
                    translation-type {
                        destination static;
                    }
                }
            }
        }
    }
}

it'll look something like that... then add that rule to the service-set...

Derick Winkworth
CCIE #15672 (RS, SP), JNCIE-M #721
http://blinking-network.blogspot.com

From: Mauritz Lewies
To: juniper-nsp@puck.nether.net
Sent: Sun, August 14, 2011 4:05:22 PM
Subject: [j-nsp] NAT on M120 with MS-PIC

> Hi
>
> I have a M120 with Junos 10.4 R5.5 and a MS-PIC.
>
> I'm trying to get one-one static NAT working, but alas no success.
>
> This is the relevant config:
>
> root@ZMT-ZM-LMY-MSE-001-RE1> show configuration chassis
> redundancy {
>     routing-engine 0 master;
>     routing-engine 1 backup;
>     failover {
>         on-loss-of-keepalives;
>         on-disk-failure;
>     }
>     graceful-switchover;
> }
> fpc 5 {
>     pic 3 {
>         adaptive-services {
>             service-package layer-3;
>         }
>     }
> }
>
> {master}[edit services]
> root@ZMT-ZM-LMY-MSE-001-RE1# show
> service-set test {
>     nat-rules test;
>     interface-service
>     service-interface sp-5/3/0
> }
> nat {
>     pool 86 {
>         address 41.72.y.254/32;
>     }
>     rule test {
>         match-direction input;
>         term t1 {
>             from {
>                 source-address {
>                     41.72.x.86/32;
>                 }
>             }
>             then {
>                 translated {
>                     source-pool 86;
>                     translation-type {
>                         source static;
>                     }
>                 }
>             }
>         }
>     }
> }
>
> root@ZMT-ZM-LMY-MSE-001-RE1> show configuration interfaces ge-2/0/1.111
> vlan-id 111;
> family inet {
>     sampling {
>         input;
>         output;
>     }
>     service {
>         input {
>             service-set test;
>         }
>         output {
>             service-set test;
>         }
>     }
>     address 41.72.x.26/30;
> }
>
> {master}
>
> But then this output:
>
> root@ZMT-ZM-LMY-MSE-001-RE1> show services nat mappings summary
>
> Total number of address mappings: 0
> Total number of endpoint independent port mappings: 0
> Total number of endpoint independent filters: 0
>
> {master}
> root@ZMT-ZM-LMY-MSE-001-RE1> show services nat mappings summary
>
> Total number of address mappings: 0
> Total number of endpoint independent port mappings: 0
> Total number of endpoint independent filters: 0
>
> {master}
> root@ZMT-ZM-LMY-MSE-001-RE1> show services nat statistics interface ge-2/0/1.111
>
> {master}
> root@ZMT-ZM-LMY-MSE-001-RE1> show services nat statistics
> Interface: sp-5/3/0
> error: This command is not supported on sp-5/3/0 interface
>
> {master}
>
> Any help?
>
> Regards,
[j-nsp] NAT on M120 with MS-PIC
Hi

I have a M120 with Junos 10.4 R5.5 and a MS-PIC.

I'm trying to get one-one static NAT working, but alas no success.

This is the relevant config:

root@ZMT-ZM-LMY-MSE-001-RE1> show configuration chassis
redundancy {
    routing-engine 0 master;
    routing-engine 1 backup;
    failover {
        on-loss-of-keepalives;
        on-disk-failure;
    }
    graceful-switchover;
}
fpc 5 {
    pic 3 {
        adaptive-services {
            service-package layer-3;
        }
    }
}

{master}[edit services]
root@ZMT-ZM-LMY-MSE-001-RE1# show
service-set test {
    nat-rules test;
    interface-service
    service-interface sp-5/3/0
}
nat {
    pool 86 {
        address 41.72.y.254/32;
    }
    rule test {
        match-direction input;
        term t1 {
            from {
                source-address {
                    41.72.x.86/32;
                }
            }
            then {
                translated {
                    source-pool 86;
                    translation-type {
                        source static;
                    }
                }
            }
        }
    }
}

root@ZMT-ZM-LMY-MSE-001-RE1> show configuration interfaces ge-2/0/1.111
vlan-id 111;
family inet {
    sampling {
        input;
        output;
    }
    service {
        input {
            service-set test;
        }
        output {
            service-set test;
        }
    }
    address 41.72.x.26/30;
}

{master}

But then this output:

root@ZMT-ZM-LMY-MSE-001-RE1> show services nat mappings summary

Total number of address mappings: 0
Total number of endpoint independent port mappings: 0
Total number of endpoint independent filters: 0

{master}
root@ZMT-ZM-LMY-MSE-001-RE1> show services nat mappings summary

Total number of address mappings: 0
Total number of endpoint independent port mappings: 0
Total number of endpoint independent filters: 0

{master}
root@ZMT-ZM-LMY-MSE-001-RE1> show services nat statistics interface ge-2/0/1.111

{master}
root@ZMT-ZM-LMY-MSE-001-RE1> show services nat statistics
Interface: sp-5/3/0
error: This command is not supported on sp-5/3/0 interface

{master}

Any help?

Regards,
Re: [j-nsp] SRX best practices in SP and EP networks
Do you have any figures for throughput required? What functionality do the SRXs need to support?

Nick

On 14/08/2011 02:41, "uk2usa" wrote:

>Experts,
>Please share the best practices for SRX deployment in service provider and
>enterprise networks?
>
>Also, recommend SRX options I have for above cases
>
>Highly appreciated,
>
>-Dan