Re: [j-nsp] PPTP VPN through NAT on M10i

2012-01-23 Thread Jo Rhett
For anyone who hits this thread looking for an answer, upgrading to 11.2 and 
then using the following NAT match rule worked perfectly:
match-direction output;
term PPTP_VPNs {
    from {
        source-address {
            192.168.1.0/24;
        }
        applications junos-pptp;
    }
    then {
        translated {
            source-pool NATPOOL;   # same pool as used by other rules
            translation-type {
                napt-44;
            }
        }
    }
}

I was able to remove the application definition at the bottom and the separate 
GRE-NATPOOL, streamlining the config.

 On Jan 17, 2012, at 8:27 PM, Alex Arseniev wrote:
 If you have 100s of users and 1s of public IPs, that means you need NAPT44.
 The way to use PPTP through NAPT44 on JUNOS is to activate the PPTP ALG (more 
 specifically, match on application junos-pptp in the NAT rule or SFW rule); the 
 PPTP ALG is supported from JUNOS 11.2R1.
 HTH
 Rgds
 Alex
 - Original Message - From: Jo Rhett jrh...@netconsonance.com
 To: juniper-nsp@puck.nether.net
 Sent: Tuesday, January 17, 2012 3:19 AM
 Subject: [j-nsp] PPTP VPN through NAT on M10i
 
 
 I've got a problem with NAT on an M10i with Junos 10.4. Simple PNAP 
 interface, works fine for TCP and UDP.  Doesn't work for PPTP or IPSEC. Way 
 back in my mind I remember something about having to create a second nat rule 
 without port mapping, but it's not working. I'm pretty sure I'm forgetting 
 something here.  Can someone spare a 2x4 and clue me over the head?
 
 ---yes, I know that the filters in the configuration below aren't active.
 
 Here's the configuration now:
 
 interfaces {
     ge-0/0/0 {
         unit 0 {
             family inet {
                 address 192.168.1.1/24;
             }
         }
     }
     ge-0/1/0 {
         unit 0 {
             family inet {
                 service {
                     input {
                         service-set NAT;
                     }
                     output {
                         service-set NAT;
                     }
                 }
                 address 192.168.2.1/24;
             }
         }
     }
     sp-0/3/0 {
         unit 0 {
             family inet;
         }
     }
 
 ….
 
 firewall {
     filter UNTRUST-IN {
         term ICMP {
             from {
                 destination-address {
                     192.168.2.1/4;
                 }
                 protocol icmp;
             }
             then accept;
         }
         term EVERYTHING-ELSE {
             then {
                 discard;
             }
         }
     }
     filter TRUST-OUT {
         term IPOUT {
             from {
                 source-address {
                     192.168.1.0/24;
                 }
                 destination-address {
                     0.0.0.0/0;
                 }
             }
             then accept;
         }
     }
 }
 services {
     service-set NAT {
         nat-rules Outbound;
         interface-service {
             service-interface sp-0/3/0.0;
         }
     }
     nat {
         pool NATPOOL {
             address 192.168.2.3/32;
             port {
                 automatic;
             }
         }
         pool GRE-NATPOOL {
             address 192.168.2.3/32;
         }
         rule Outbound {
             match-direction output;
             term PPTP_VPNs {
                 from {
                     source-address {
                         192.168.1.0/24;
                     }
                     applications GRE-PPTP;
                 }
                 then {
                     translated {
                         source-pool GRE-NATPOOL;
                         translation-type {
                             source dynamic;
                         }
                     }
                 }
             }
             term Else {
                 from {
                     source-address {
                         192.168.1.0/24;
                     }
                 }
                 then {
                     translated {
                         source-pool NATPOOL;
                         translation-type {
                             source dynamic;
                         }
                     }
                 }
             }
         }
     }
     adaptive-services-pics {
         traceoptions {
             flag all;
         }
     }
 }
 applications {
     application GRE-PPTP {
         protocol gre;
     }
 }


-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other 
randomness

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
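Why the junos-pptp match fixes this, as an added illustration that is not part of the thread and is not Junos code: PPTP (RFC 2637) carries user data in enhanced GRE, which has no port numbers, so a port-translating NAT (NAPT44) has nothing to multiplex on. The only per-session handle in a GRE packet is the 16-bit Call ID negotiated over the TCP/1723 control channel, and two inside clients are free to pick the same one. A PPTP ALG watches the control channel, rewrites each client's Call ID to a value that is unique behind the public address, and uses that value to steer inbound GRE back to the right inside host. The Python below models exactly that: it parses the enhanced GRE header and the two Outgoing-Call control messages, allocates translated Call IDs, and demultiplexes inbound GRE. The public address 192.168.2.3 and the inside hosts in 192.168.1.0/24 come from the thread; the server address 203.0.113.5, the Call ID allocator starting at 0x4000, and every packet are constructed for the example.

```python
"""PPTP ALG model under NAPT44 (added example, not Junos code). Assumed values:
public IP 192.168.2.3 (NATPOOL), PPTP server 203.0.113.5, Call IDs from 0x4000."""
import struct

GRE_PPTP_PROTO = 0x880B        # RFC 2637 enhanced GRE protocol type
PPTP_MAGIC = 0x1A2B3C4D        # control-message magic cookie
OUTGOING_CALL_REQUEST = 7
OUTGOING_CALL_REPLY = 8


def parse_enhanced_gre(pkt):
    """Parse an RFC 2637 enhanced GRE header (K set, version 1, proto 0x880B)."""
    flags, proto, payload_len, call_id = struct.unpack('!HHHH', pkt[:8])
    if proto != GRE_PPTP_PROTO or not (flags & 0x2000) or (flags & 0x0007) != 1:
        raise ValueError('not a PPTP enhanced GRE packet')
    off, seq, ack = 8, None, None
    if flags & 0x1000:                      # S bit: sequence number present
        seq, off = struct.unpack('!I', pkt[off:off + 4])[0], off + 4
    if flags & 0x0080:                      # A bit: acknowledgment number present
        ack, off = struct.unpack('!I', pkt[off:off + 4])[0], off + 4
    return {'call_id': call_id, 'payload_len': payload_len,
            'seq': seq, 'ack': ack, 'payload': pkt[off:]}


def build_enhanced_gre(call_id, payload, seq=None, ack=None):
    """Construct an enhanced GRE packet (sample traffic for the demo)."""
    flags = 0x2001 | (0x1000 if seq is not None else 0) | (0x0080 if ack is not None else 0)
    hdr = struct.pack('!HHHH', flags, GRE_PPTP_PROTO, len(payload), call_id)
    hdr += struct.pack('!I', seq) if seq is not None else b''
    hdr += struct.pack('!I', ack) if ack is not None else b''
    return hdr + payload


def parse_control(msg):
    """Return (control type, Call ID, Peer's Call ID) of a PPTP control message."""
    length, msg_type, magic, ctrl_type = struct.unpack('!HHIH', msg[:10])
    if msg_type != 1 or magic != PPTP_MAGIC or length != len(msg):
        raise ValueError('not a PPTP control message')
    if ctrl_type == OUTGOING_CALL_REQUEST:      # Call ID at offset 12
        return ctrl_type, struct.unpack('!H', msg[12:14])[0], None
    if ctrl_type == OUTGOING_CALL_REPLY:        # Call ID, then Peer's Call ID
        return (ctrl_type,) + struct.unpack('!HH', msg[12:16])
    return ctrl_type, None, None


def build_control(ctrl_type, body, total_len):
    """Construct a control message; fields the model does not read are zero."""
    header = struct.pack('!HHIHH', total_len, 1, PPTP_MAGIC, ctrl_type, 0)
    return header + body.ljust(total_len - len(header), b'\0')


class PptpAlg:
    """Call-ID rewriting and inbound GRE demultiplexing for one public address."""
    def __init__(self, public_ip, first_call_id=0x4000):
        self.public_ip = public_ip
        self.next_call_id = first_call_id
        self.by_outside = {}   # (server_ip, translated_call_id) -> (inside_ip, inside_call_id)

    def control_outbound(self, inside_ip, server_ip, msg):
        """Client -> server: give the call a Call ID unique behind public_ip."""
        ctrl_type, call_id, _ = parse_control(msg)
        if ctrl_type != OUTGOING_CALL_REQUEST:
            return self.public_ip, msg
        translated, self.next_call_id = self.next_call_id, self.next_call_id + 1
        self.by_outside[(server_ip, translated)] = (inside_ip, call_id)
        return self.public_ip, msg[:12] + struct.pack('!H', translated) + msg[14:]

    def control_inbound(self, inside_ip, server_ip, msg):
        """Server -> client (host known from the TCP/1723 NAPT binding): restore
        the client's original Call ID in the Peer's Call ID field."""
        ctrl_type, _, peer_call_id = parse_control(msg)
        if ctrl_type != OUTGOING_CALL_REPLY:
            return msg
        owner, original = self.by_outside[(server_ip, peer_call_id)]
        if owner != inside_ip:
            raise ValueError("Peer's Call ID belongs to another control connection")
        return msg[:14] + struct.pack('!H', original) + msg[16:]

    def gre_inbound(self, server_ip, pkt):
        """Server -> public_ip data: the translated Call ID selects the inside host."""
        hdr = parse_enhanced_gre(pkt)
        key = (server_ip, hdr['call_id'])
        if key not in self.by_outside:
            raise KeyError('no PPTP call for this GRE packet: drop, do not guess')
        inside_ip, original = self.by_outside[key]
        return inside_ip, pkt[:6] + struct.pack('!H', original) + pkt[8:]


def demo():
    """Two inside clients both choose Call ID 1 towards the same server."""
    alg, server = PptpAlg('192.168.2.3'), '203.0.113.5'
    seen_by_server = {}
    for inside in ('192.168.1.10', '192.168.1.11'):
        req = build_control(OUTGOING_CALL_REQUEST, struct.pack('!HH', 1, 7), 168)
        _, out = alg.control_outbound(inside, server, req)
        seen_by_server[inside] = parse_control(out)[1]
    # Server answers the second client: its own Call ID 9, Peer's Call ID 0x4001.
    reply = build_control(OUTGOING_CALL_REPLY, struct.pack('!HH', 9, 0x4001), 32)
    fixed = alg.control_inbound('192.168.1.11', server, reply)
    dst, pkt = alg.gre_inbound(server, build_enhanced_gre(0x4001, b'\xff\x03\x00\x21', seq=1))
    return {'server_sees': seen_by_server, 'reply_peer_call_id': parse_control(fixed)[2],
            'gre_dst': dst, 'gre_call_id': parse_enhanced_gre(pkt)['call_id']}
```

Without the Call ID rewrite both clients would present Call ID 1 to the same server and inbound GRE for either of them would be indistinguishable at the public address; the model drops inbound GRE that matches no learned call rather than guessing, which is the safe behaviour for an ALG. Outbound GRE is not shown because it needs only a source-address rewrite: the Call ID it carries belongs to the server and was never translated.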


Re: [j-nsp] PPTP VPN through NAT on M10i

2012-01-17 Thread Jo Rhett
Does that mean that it is supported from 11.2R1 up, or does that mean it's 
never supported this way?  Did I misread this page, which says that outside 
source dynamic nat is supported?
https://www.juniper.net/techpubs/en_US/junose10.1/information-products/topic-collections/swconfig-ip-services/id-67401.html

Is there any way to do this without 1:1 static mapping? This site has very few 
external addresses, and hundreds of internal users. Mapping each possible VPN 
user to a static external IP is not possible here.  It's possible I'm just 
implementing this the wrong way...

On Jan 16, 2012, at 11:33 PM, Alex Arseniev wrote:
 PPTP ALG is supported from JUNOS 11.2R1
 GRE is not supported with nat source dynamic
 HTH
 Rgds
 Alex
 
 - Original Message - From: Jo Rhett jrh...@netconsonance.com
 To: juniper-nsp@puck.nether.net
 Sent: Tuesday, January 17, 2012 3:19 AM
 Subject: [j-nsp] PPTP VPN through NAT on M10i
 
 

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other 
randomness



Re: [j-nsp] PPTP VPN through NAT on M10i

2012-01-16 Thread Alex Arseniev

PPTP ALG is supported from JUNOS 11.2R1
GRE is not supported with nat source dynamic
HTH
Rgds
Alex

- Original Message - 
From: Jo Rhett jrh...@netconsonance.com

To: juniper-nsp@puck.nether.net
Sent: Tuesday, January 17, 2012 3:19 AM
Subject: [j-nsp] PPTP VPN through NAT on M10i

