Re: [j-nsp] Basic NAT44 on MS-MPC implementation help
Hello,

https://www.juniper.net/uk/en/training/jnbooks/day-one/networking-technologies-series/deploying-cgnat/ has all the necessary info for MS-DPC CGNAT. To adapt the CGNAT config for MS-MPC "MS" interfaces, all You need is to substitute SP interfaces for MS interfaces.

Your service filters part looks correct to me.

You don't need this part:

set chassis fpc 4 pic 0 inline-services bandwidth 20g

Below is the other part You need to add. Assuming Your MS-MPC-128 is in slot 4 and You want to use NPU 0:

set interfaces ae1 unit 0 family inet service input service-set CGNAT service-filter sf-in
set interfaces ae1 unit 0 family inet service output service-set CGNAT service-filter sf-out
set interfaces ms-4/0/0 unit 0 family inet

set services service-set CGNAT nat-rules nat-rule1
set services service-set CGNAT interface-service service-interface ms-4/0/0.0

set applications application-set accept-algs application junos-http
set applications application-set accept-algs application junos-ftp
set applications application-set accept-algs application junos-tftp
set applications application-set accept-algs application junos-telnet
set applications application-set accept-algs application junos-sip

set services nat pool napt-pool address y.y.y.y/32
set services nat pool napt-pool port automatic random-allocation

set services nat rule nat-rule1 match-direction input
set services nat rule nat-rule1 term alg-term1 from source-address 100.64.0.0/10
set services nat rule nat-rule1 term alg-term1 from application-sets accept-algs
set services nat rule nat-rule1 term alg-term1 then translated source-pool napt-pool
set services nat rule nat-rule1 term alg-term1 then translated translation-type napt-44
set services nat rule nat-rule1 term nat-term2 from source-address 100.64.0.0/10
set services nat rule nat-rule1 term nat-term2 then translated source-pool napt-pool
set services nat rule nat-rule1 term nat-term2 then translated translation-type napt-44

Do not forget to announce Your NAT pool to the outside world. On MX, it is represented as a [Static/1] route. You need to explicitly redistribute it into the routing protocol of Your choice.

HTH
Thanks
Alex

On 12/07/2016 18:45, Josh Reynolds wrote:
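The last step Alex mentions, as an added example that is not from his post or from the Day One book: a Junos export policy on the core MX that redistributes the NAPT pool route into the OSPF instance facing the border MX. The pool address y.y.y.y/32 and OSPF come from the thread; the policy and term names are chosen here.

```junos
/* Added example, not from the thread. Assumes the NAPT pool y.y.y.y/32 from
   Alex's config above and a policy name (EXPORT-NAT-POOL) chosen for this example. */
policy-options {
    policy-statement EXPORT-NAT-POOL {
        /* The pool is installed in inet.0 as a static route toward the ms- interface.
           Match protocol AND an exact prefix so no other static routes on the core
           leak into OSPF alongside it. */
        term nat-pool {
            from {
                protocol static;
                route-filter y.y.y.y/32 exact;
            }
            then accept;
        }
        /* Everything else stays out of OSPF. */
        term reject-rest {
            then reject;
        }
    }
}
protocols {
    ospf {
        export EXPORT-NAT-POOL;
    }
}
```

After committing, `show route y.y.y.y/32` on the core should show the static route toward ms-4/0/0.0, and the same command on the border MX should show the prefix learned via OSPF as an external route; if the border does not learn it, return traffic to the pool address has nowhere to go.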
Re: [j-nsp] Basic NAT44 on MS-MPC implementation help
Oops, forgot the service filter part:

set firewall family inet service-filter sf-in term 1 from source-address 100.64.0.0/10
set firewall family inet service-filter sf-in term 1 from destination-address 0.0.0.0/0
set firewall family inet service-filter sf-in term 1 from destination-address 100.64.0.0/10 except
set firewall family inet service-filter sf-in term 1 then count sf-in-filter-hit
set firewall family inet service-filter sf-in term 1 then service
set firewall family inet service-filter sf-in term 2 then skip

set firewall family inet service-filter sf-out term 1 then count sf-out-filter-excluded-from-nat
set firewall family inet service-filter sf-out term 1 then skip

On Tue, Jul 12, 2016 at 12:28 PM, Josh Reynolds wrote:
Re: [j-nsp] Basic NAT44 on MS-MPC implementation help
Here's what I've got going on now...

set services nat pool centralolt01 address xx.yy.196.3/32
set services nat rule cgnat match-direction input
set services nat rule cgnat term THINGTONAT1 from source-address 100.64.1.0/24
set services nat rule cgnat term THINGTONAT1 from destination-address 0.0.0.0/0
set services nat rule cgnat term THINGTONAT1 then translated source-pool centralolt01
set services nat rule cgnat term THINGTONAT1 then translated translation-type dynamic-nat44

set services service-set cgnat nat-rules cgnat
set services service-set cgnat interface-service service-interface ms-4/0/0

set chassis fpc 4 pic 0 inline-services bandwidth 20g

set interfaces ms-4/0/0 unit 0 family inet

set interfaces ae1 unit 0 family inet service input service-set cgnat service-filter sf-in
set interfaces ae1 unit 0 family inet service output service-set cgnat service-filter sf-out

MAP: WAN <- border mx -><- core mx (ms-mpc-128) -> transport routers

Between the border mx and core is a LAG group with OSPF running on it; same goes between the core mx and the transport routers.

Filter: __service-cgnat:sf-in
Counters:
Name                              Bytes      Packets
sf-in-filter-hit                  54354      824

Filter: __service-cgnat:sf-out
Counters:
Name                              Bytes      Packets
sf-out-filter-excluded-from-nat   1006452919915

So my rule is getting hit, but for some reason traffic can't make it past the core router to the border. Is it because this address pool I'm using for SNAT is done inline, and doesn't actually exist anywhere? If that's so, it makes sense, I just don't know how to go about fixing that.

Any help or insight would be appreciated. Thank you.

On Mon, Jul 11, 2016 at 2:21 PM, Josh Reynolds wrote:

___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] Basic NAT44 on MS-MPC implementation help
Hi all.

I've gone through quite a few pages of juniper techpubs, but I'm having a problem figuring out how to correctly implement your standard, run-of-the-mill NAT (ipv4) using an MS-MPC-128.

Part of this may be design or topology related, and I was wondering if someone could help me figure out a solution.

WAN-CORE (MX960)<-ae1->EX4500

So I have a couple of ports on the EX4500's with different RFC6598 (CGNAT Range) subnets on them (routed ports), for various different things (say range1, range2, range3, etc).

All I want to do is route any traffic coming in to the CORE from range1/2/3/etc to a certain /32 (a different /32 for each range). Pretty simple, your basic NAT setup.

My problem I think is how to apply this in a somewhat transparent fashion. Currently, what I've pulled up off the web seems to break all the things, as it seems like everything is getting forwarded through the ms-mpc interface.

Here's what I have so far, if somebody could help me out real quick or show me another method it would be greatly appreciated.

-

customer ip range x.x.x.x
range to snat to y.y.y.y

set interfaces ae1 unit 0 family inet service input service-set CGNAT
set interfaces ae1 unit 0 family inet service output service-set CGNAT
set interfaces ms-3/0/0 unit 0 family inet

set applications application-set accept-algs application junos-http
set applications application-set accept-algs application junos-ftp
set applications application-set accept-algs application junos-tftp
set applications application-set accept-algs application junos-telnet
set applications application-set accept-algs application junos-sip

set services stateful-firewall rule centralolt01-data match-direction input-output
set services stateful-firewall rule centralolt01-data term 1 from source-address x.x.x.x/24
set services stateful-firewall rule centralolt01-data term 1 from application-sets accept-algs
set services stateful-firewall rule centralolt01-data term 1 then accept

set services nat pool napt-pool address y.y.y.y/32
set services nat pool napt-pool port automatic auto

set services nat rule nat-rule1 match-direction input
set services nat rule nat-rule1 term nat-term1 from source-address x.x.x.x/24 // NAT for the customer side
set services nat rule nat-rule1 term nat-term1 from application-sets accept-algs
set services nat rule nat-rule1 term nat-term1 then translated source-pool napt-pool
set services nat rule nat-rule1 term nat-term1 then translated translation-type napt-44