Re: [j-nsp] PPTP VPN through NAT on M10i
For anyone who hits this thread looking for an answer, upgrading to 11.2 and then using the following NAT match rule worked perfectly:

    match-direction output;
    term PPTP_VPNs {
        from {
            source-address {
                192.168.1.0/24;
            }
            applications junos-pptp;
        }
        then {
            translated {
                source-pool NATPOOL;    # same pool as used by other rules
                translation-type {
                    napt-44;
                }
            }
        }
    }

I was able to remove the application definition at the bottom and the separate GRE-NATPOOL, streamlining the config.

On Jan 17, 2012, at 8:27 PM, Alex Arseniev wrote:

> If you have 100s of users and 1s of public IPs, that means you need NAPT44.
> The way to use PPTP through NAPT44 on JUNOS is to activate PPTP ALG (more specifically, match on application junos-pptp in NAT rule or SFW rule), and PPTP ALG is supported from JUNOS 11.2R1.
> HTH
> Rgds
> Alex
>
> ----- Original Message -----
> From: Jo Rhett jrh...@netconsonance.com
> To: juniper-nsp@puck.nether.net
> Sent: Tuesday, January 17, 2012 3:19 AM
> Subject: [j-nsp] PPTP VPN through NAT on M10i
>
> I've got a problem with NAT on an M10i with Junos 10.4. Simple PNAP interface, works fine for TCP and UDP. Doesn't work for PPTP or IPSEC.
>
> Way back in my mind I remember something about having to create a second nat rule without port mapping, but it's not working. I'm pretty sure I'm forgetting something here. Can someone spare a 2x4 and clue me over the head?
>
> ---yes, I know that the filters in the configuration below aren't active.
>
> Here's the configuration now:
>
> interfaces {
>     ge-0/0/0 {
>         unit 0 {
>             family inet {
>                 address 192.168.1.1/24;
>             }
>         }
>     }
>     ge-0/1/0 {
>         unit 0 {
>             family inet {
>                 service {
>                     input {
>                         service-set NAT;
>                     }
>                     output {
>                         service-set NAT;
>                     }
>                 }
>                 address 192.168.2.1/24;
>             }
>         }
>     }
>     sp-0/3/0 {
>         unit 0 {
>             family inet;
>         }
>     }
> ….
> firewall {
>     filter UNTRUST-IN {
>         term ICMP {
>             from {
>                 destination-address {
>                     192.168.2.1/4;
>                 }
>                 protocol icmp;
>             }
>             then accept;
>         }
>         term EVERYTHING-ELSE {
>             then {
>                 discard;
>             }
>         }
>     }
>     filter TRUST-OUT {
>         term IPOUT {
>             from {
>                 source-address {
>                     192.168.1.0/24;
>                 }
>                 destination-address {
>                     0.0.0.0/0;
>                 }
>             }
>             then accept;
>         }
>     }
> }
> services {
>     service-set NAT {
>         nat-rules Outbound;
>         interface-service {
>             service-interface sp-0/3/0.0;
>         }
>     }
>     nat {
>         pool NATPOOL {
>             address 192.168.2.3/32;
>             port {
>                 automatic;
>             }
>         }
>         pool GRE-NATPOOL {
>             address 192.168.2.3/32;
>         }
>         rule Outbound {
>             match-direction output;
>             term PPTP_VPNs {
>                 from {
>                     source-address {
>                         192.168.1.0/24;
>                     }
>                     applications GRE-PPTP;
>                 }
>                 then {
>                     translated {
>                         source-pool GRE-NATPOOL;
>                         translation-type {
>                             source dynamic;
>                         }
>                     }
>                 }
>             }
>             term Else {
>                 from {
>                     source-address {
>                         192.168.1.0/24;
>                     }
>                 }
>                 then {
>                     translated {
>                         source-pool NATPOOL;
>                         translation-type {
>                             source dynamic;
>                         }
>                     }
>                 }
>             }
>         }
>     }
>     adaptive-services-pics {
>         traceoptions {
>             flag all;
>         }
>     }
> }
> applications {
>     application GRE-PPTP {
>         protocol gre;
>     }
> }
>
> --
> Jo Rhett
> Net Consonance : consonant endings by net philanthropy, open source and other randomness

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
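To make the ALG point from the thread concrete, here is an added Python model (not code from the thread, from Junos, or from either poster) of why TCP and UDP survive NAPT44 on the single 192.168.2.3 pool address while PPTP's GRE data channel needs the PPTP ALG: TCP/UDP flows are told apart by a translated source port, and the ALG rewrites the client's PPTP Call ID (learned from the TCP/1723 control channel) so that it can play the same role for inbound GRE, which has no ports. The class and function names and the sample Call IDs are assumptions for illustration; the header layout follows RFC 2637.

```python
import struct

PUBLIC_IP = "192.168.2.3"   # the thread's single NATPOOL address (192.168.2.3/32)
PPTP_GRE_PROTO = 0x880B     # PPP carried in enhanced GRE (RFC 2637)


def parse_pptp_gre(hdr: bytes) -> int:
    """Return the Call ID of an RFC 2637 enhanced-GRE header (K=1, version 1, 0x880B)."""
    flags, proto, _length, call_id = struct.unpack("!HHHH", hdr[:8])
    if proto != PPTP_GRE_PROTO or (flags & 0x2007) != 0x2001:
        raise ValueError("not a PPTP GRE header")
    return call_id


def build_pptp_gre(call_id: int, payload: bytes = b"") -> bytes:
    """Constructed sample data: minimal RFC 2637 header, no sequence/ack fields."""
    return struct.pack("!HHHH", 0x2001, PPTP_GRE_PROTO, len(payload), call_id) + payload


class Napt44:
    def __init__(self, pptp_alg: bool):
        self.pptp_alg = pptp_alg
        self.next_port, self.next_call = 1024, 1
        self.ports = {}   # (proto, inside ip, inside port) -> public port (TCP/UDP)
        self.calls = {}   # public Call ID -> (inside ip, client's original Call ID)

    def outbound_tcp_udp(self, proto: str, src: str, sport: int):
        """Plain NAPT44: inside hosts share PUBLIC_IP and are told apart by public port."""
        key = (proto, src, sport)
        if key not in self.ports:
            self.ports[key] = self.next_port
            self.next_port += 1
        return PUBLIC_IP, self.ports[key]

    def alg_outgoing_call_request(self, src: str, client_call_id: int) -> int:
        """PPTP ALG hook on the TCP/1723 control channel: the client's Call ID is
        rewritten to one unique behind PUBLIC_IP, as a source port is for TCP/UDP."""
        if not self.pptp_alg:
            return client_call_id        # no ALG: control channel passes unchanged
        pub, self.next_call = self.next_call, self.next_call + 1
        self.calls[pub] = (src, client_call_id)
        return pub

    def inbound_gre(self, hdr: bytes):
        """Server-to-client GRE carries the client's Call ID. The ALG maps it back to
        the inside host; GRE has no ports, so without the ALG it cannot be
        demultiplexed on a shared address and is dropped (None)."""
        call_id = parse_pptp_gre(hdr)
        if not self.pptp_alg or call_id not in self.calls:
            return None
        inside_ip, orig = self.calls[call_id]
        return inside_ip, hdr[:6] + struct.pack("!H", orig) + hdr[8:]
```

Two inside hosts that both picked client Call ID 7 collide on a single shared address unless the ALG renumbers them, which is exactly what the thread's `translation-type napt-44` plus `applications junos-pptp` rule turns on.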
Re: [j-nsp] PPTP VPN through NAT on M10i
Does that mean that it is supported from 11.2R1 up, or does that mean it's never supported this way?

Did I misread this page, which says that outside source dynamic NAT is supported?
https://www.juniper.net/techpubs/en_US/junose10.1/information-products/topic-collections/swconfig-ip-services/id-67401.html

Is there any way to do this without 1:1 static mapping? This site has very few external addresses, and hundreds of internal users. Mapping each possible VPN user to a static external IP is not possible here.

It's possible I'm just implementing this the wrong way...

On Jan 16, 2012, at 11:33 PM, Alex Arseniev wrote:

> PPTP ALG is supported from JUNOS 11.2R1
> GRE is not supported with nat source dynamic
> HTH
> Rgds
> Alex
>
> ----- Original Message -----
> From: Jo Rhett jrh...@netconsonance.com
> To: juniper-nsp@puck.nether.net
> Sent: Tuesday, January 17, 2012 3:19 AM
> Subject: [j-nsp] PPTP VPN through NAT on M10i
>
> I've got a problem with NAT on an M10i with Junos 10.4. Simple PNAP interface, works fine for TCP and UDP. Doesn't work for PPTP or IPSEC.
>
> Way back in my mind I remember something about having to create a second nat rule without port mapping, but it's not working. I'm pretty sure I'm forgetting something here. Can someone spare a 2x4 and clue me over the head?
>
> ---yes, I know that the filters in the configuration below aren't active.
>
> Here's the configuration now:
>
> [...]

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: [j-nsp] PPTP VPN through NAT on M10i
PPTP ALG is supported from JUNOS 11.2R1
GRE is not supported with nat source dynamic
HTH
Rgds
Alex

----- Original Message -----
From: Jo Rhett jrh...@netconsonance.com
To: juniper-nsp@puck.nether.net
Sent: Tuesday, January 17, 2012 3:19 AM
Subject: [j-nsp] PPTP VPN through NAT on M10i

> I've got a problem with NAT on an M10i with Junos 10.4. Simple PNAP interface, works fine for TCP and UDP. Doesn't work for PPTP or IPSEC.
>
> Way back in my mind I remember something about having to create a second nat rule without port mapping, but it's not working. I'm pretty sure I'm forgetting something here. Can someone spare a 2x4 and clue me over the head?
>
> ---yes, I know that the filters in the configuration below aren't active.
>
> Here's the configuration now:
>
> [...]