Routing

View Only

last person joined: 3 days ago

Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.

Back to discussions

Expand all | Collapse all

MX104 + cg-nat

Jump to Best Answer

1. MX104 + cg-nat

0 Recommend
smelnik
Posted 11-01-2017 09:16

Reply Reply Privately
Good day everyone!

i`m trying to set up nat on my mx104+ms-mic-16g with bng (dhcp subscribers).

Configuration looks like this:

show chassis fpc 1

pic 0 {
inline-services {
bandwidth 10g;
}
adaptive-services {
service-package layer-3;
}
}

show interfaces ms-1/0/0

unit 10 {
family inet;
service-domain inside;
}
unit 20 {
family inet;
service-domain outside;
}

show services nat

pool NAT {
address 1.1.1.0/24;
port {
automatic {
random-allocation;
}
secured-port-block-allocation block-size 1024 max-blocks-per-address 4 active-block-timeout 300;
}
address-allocation round-robin;
}
rule NAT-1 {
match-direction input;
term t1 {
from {
source-address {
  10.228.8.0/22;
}
}
then {
translated {
source-pool NAT;
translation-type {
napt-44;
}
address-pooling paired;
}
}
}
}

show firewall family inet filter NAT

interface-specific;

term 10 {
from {
source-address {
  10.228.8.0/22;
}
destination-address {
  10.228.0.0/16;
}
}
then accept;
}
term 100 {
from {
source-address {
  10.228.8.0/22;
}
}
then {
routing-instance NAT;
}
}
term 200 {
then accept;
}

show dynamic-profiles NAT

interfaces {
"$junos-interface-ifd-name" {
unit "$junos-underlying-interface-unit" {
family inet {
filter {
input NAT precedence 100;
}
}
}
}
}

show routing-instances NAT

instance-type virtual-router;
interface ms-1/0/0.10;
routing-options {
static {
route 0.0.0.0/0 next-hop ms-1/0/0.10;
route 10.228.8.0/24 next-table inet.0;
}
}

Then i got subscriber with dynamic-profile NAT attached

run show subscribers

Interface IP Address/VLAN ID User Name LS:RI
demux0.3221225496 1000 default:default
demux0.3221225496 10.228.10.254 ge-0/0/1:1000&000403E80018&010B7465737473776974636832 default:default

Service Session ID: 12
Service Session Name: NAT
Service Session Version: 1
State: Active
Family: inet
IPv4 Input Filter Name: NAT-demux0.3221225478-in
Service Activation time: 2017-11-01 17:53:05 EET

Problem is that nat not happenning.
2. RE: MX104 + cg-nat

0 Recommend
rnayar
Posted 11-01-2017 09:38

Reply Reply Privately
Hi,

Please apply the filter under forwarding-option and check once.

NAT# show forwarding-options
family inet {
    filter {
        input NAT;
    }
}
3. RE: MX104 + cg-nat

0 Recommend
rnayar
Posted 11-01-2017 09:48

Reply Reply Privately
You can also use below dynamic-profile and check as well.

NAT{
    predefined-variable-defaults {
        input-filter NAT;
    }
    interfaces {
        demux0 {
            unit "$junos-interface-unit" {
                family inet {
                    filter {
                        input "$junos-input-filter";
                    }
                }
            }
        }
    }
}
4. RE: MX104 + cg-nat

0 Recommend
smelnik
Posted 11-01-2017 09:57

Reply Reply Privately
Thanks.

It looks like nat is hapenning. I have mirrored traffic from border router and when i ping 8.8.8.8 from client i see packets with source address of my nat pool, and i see reply coming back to nat pool IP address, but subscriber did not receiving this reply.
5. RE: MX104 + cg-nat
Best Answer

1 Recommend
rnayar
Posted 11-01-2017 10:02

Reply Reply Privately
Hi,

Please paste the output of "show service session"

Do you have return route for natted ip?

Regards,

Rahul
6. RE: MX104 + cg-nat

0 Recommend
smelnik
Posted 11-01-2017 10:07

Reply Reply Privately
Yes, i got this route distributed to iBGP.

Service Set: NAT-SRV-SET, Session: 603980079, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
TCP 5.188.203.30:42130 -> 1.1.1.2:1945 Drop O 1
7. RE: MX104 + cg-nat

0 Recommend
rnayar
Posted 11-01-2017 10:10

Reply Reply Privately
Nat is not working i believe from the output. There is no mapping.

Please ping the DNS and collect "show service session"

Regards,

Rahul
8. RE: MX104 + cg-nat

0 Recommend
smelnik
Posted 11-01-2017 10:15

Reply Reply Privately
Done

Service Set: NAT-SRV-SET, Session: 1946157221, ALG: icmp, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no ICMP 10.228.10.254 -> 8.8.8.8 Forward I 47 ICMP 8.8.8.8 -> 1.1.1.2 Forward O 47 Service Set: NAT-SRV-SET, Session: 1006632972, ALG: none, Flags: 0x300000, IP Action: no, Offload: no, Asymmetric: no TCP 10.228.10.254:42040 -> 98.139.180.149:80 Forward I 3 TCP 98.139.180.149:80 -> 1.1.1.2:54315 Forward O 3 Service Set: NAT-SRV-SET, Session: 301990310, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no TCP 10.228.10.254:34908 -> 185.60.216.35:80 Forward I 3 TCP 185.60.216.35:80 -> 1.1.1.2:54782 Forward O 8 Service Set: NAT-SRV-SET, Session: 1577058409, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no TCP 10.228.10.254:34907 -> 185.60.216.35:80 Forward I 3 TCP 185.60.216.35:80 -> 1.1.1.2:54735 Forward O 8 Service Set: NAT-SRV-SET, Session: 268435600, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no TCP 10.228.10.254:34906 -> 185.60.216.35:80 Forward I 3 TCP 185.60.216.35:80 -> 1.1.1.2:54538 Forward O 8 Service Set: NAT-SRV-SET, Session: 167772477, ALG: none, Flags: 0x300000, IP Action: no, Offload: no, Asymmetric: no TCP 10.228.10.254:42433 -> 91.218.112.167:443 Forward I 5 TCP 91.218.112.167:443 -> 1.1.1.2:54459 Forward O 14
9. RE: MX104 + cg-nat

0 Recommend
rnayar
Posted 11-01-2017 10:19

Reply Reply Privately
Output look fine. Ping from subscriber to DNS as well as browsing failing?

Do you have any other filter under lo0 or subscriber interface?

Regards,

Rahul N
10. RE: MX104 + cg-nat

0 Recommend
smelnik
Posted 11-01-2017 10:25

Reply Reply Privately
ONly one is under LO, permitting only specific exceptional traffic.
11. RE: MX104 + cg-nat

0 Recommend
rnayar
Posted 11-01-2017 10:27

Reply Reply Privately
Is browsing working for the subscribers? Just ping issue?

What version you're using?

Regards,

Rahul N
12. RE: MX104 + cg-nat

0 Recommend
smelnik
Posted 11-01-2017 10:37

Reply Reply Privately
show version

show version Model: mx104 Junos: 15.1R5-S4.2 JUNOS Base OS boot [15.1R5-S4.2] JUNOS Base OS Software Suite [15.1R5-S4.2] JUNOS Crypto Software Suite [15.1R5-S4.2] JUNOS Packet Forwarding Engine Support (MX104) [15.1R5-S4.2] JUNOS Web Management [15.1R5-S4.2] JUNOS Online Documentation [15.1R5-S4.2] JUNOS Services Application Level Gateways [15.1R5-S4.2] JUNOS Services Jflow Container package [15.1R5-S4.2] JUNOS Services Stateful Firewall [15.1R5-S4.2] JUNOS Services NAT [15.1R5-S4.2] JUNOS Services RPM [15.1R5-S4.2] JUNOS Services Captive Portal and Content Delivery Container package [15.1R5-S4.2] JUNOS Macsec Software Suite [15.1R5-S4.2] JUNOS Services Crypto [15.1R5-S4.2] JUNOS Services IPSec [15.1R5-S4.2] JUNOS Kernel Software Suite [15.1R5-S4.2] JUNOS Routing Software Suite [15.1R5-S4.2]

Again i`ve checked for route on border router - it is present.

On MX router:

show route 1.1.1.0/24 inet.0: 59 destinations, 63 routes (59 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 1.1.1.0/24 *[Static/1] 00:05:59 > via ms-1/0/0.20

Looks good.

Both ping and http not working.

Maybe there is a mistake in routing-instance:

NAT { instance-type virtual-router; interface ms-1/0/0.10; routing-options { static { route 0.0.0.0/0 next-hop ms-1/0/0.10; route 10.228.8.0/24 next-table inet.0; } } }

But it looks good to me.
13. RE: MX104 + cg-nat

0 Recommend
rnayar
Posted 11-01-2017 10:46

Reply Reply Privately
I need few output.

Show subscribers xyz extensive

show interface <subscriber interface> extenive

show dynamic-profile session cliend-id < client-id> <<< Client id can be derived from show subscribers xyz extensive output, session id >

show service session < Please browse one site> << need to check if there is DNS hit as previous output doesn't have any DNS hit

Configuration

Regards,

Rahul N

14. RE: MX104 + cg-nat

Recommend

smelnik

Posted 11-01-2017 10:54

run show subscribers extensive

Type: VLAN
Logical System: default
Routing Instance: default
Interface: demux0.3221225472
Interface type: Dynamic
Underlying Interface: ge-0/0/1
Dynamic Profile Name: VLAN-PROFILE-SVLAN
Dynamic Profile Version: 1
State: Active
Session ID: 1
PFE Flow ID: 41
VLAN Id: 1000
Login Time: 2017-11-01 19:29:43 EET

Type: DHCP
User Name: ge-0/0/1:1000&000403E80018&010B7465737473776974636832
IP Address: 10.228.10.254
IP Netmask: 255.255.252.0
Logical System: default
Routing Instance: default
Interface: demux0.3221225472
Interface type: Static
Underlying Interface: demux0.3221225472
Dynamic Profile Name: IP-DHCP-PROFILE-1
Dynamic Profile Version: 1
MAC Address: e4:18:6b:25:82:dd
State: Active
Radius Accounting ID: 2
Session ID: 2
PFE Flow ID: 41
VLAN Id: 1000
Agent Circuit ID: len 6
00 04 03 e8 00 18
Agent Remote ID: len 13
01 0b 74 65 73 74 73 77 69 74 63 68 32
Login Time: 2017-11-01 19:29:43 EET
Service Sessions: 2
DHCP Options: len 76
35 01 01 39 02 05 dc 3d 07 01 e4 18 6b 25 82 dd 3c 06 6e 64
68 63 70 63 0c 0c 4b 65 65 6e 65 74 69 63 5f 41 69 72 37 0b
01 03 06 0f 1c 21 2a 2b 2c 79 f9 52 17 01 06 00 04 03 e8 00
18 02 0d 01 0b 74 65 73 74 73 77 69 74 63 68 32
IP Address Pool: 10-228-8-0
Accounting interval: 7200

   Service Session ID: 3
   Service Session Name: RATE-LIMIT
   Service Session Version: 1
   State: Active
   Family: inet
   IPv4 Input Filter Name: var-ff-in_UID1001-demux0.3221225472-in
   IPv4 Output Filter Name: var-ff-out_UID1002-demux0.3221225472-out
   Service Activation time: 2017-11-01 19:29:46 EET
   Dynamic configuration:
     var-burst: 1000000
     var-bw: 8000000
     var-ff-in: var-ff-in_UID1001
     var-ff-out: var-ff-out_UID1002
     var-plr: var-plr_UID1000

   Service Session ID: 4
   Service Session Name: NAT
   Service Session Version: 1
   State: Active
   Family: inet
   IPv4 Input Filter Name: NAT-demux0.3221225472-in
   Service Activation time: 2017-11-01 19:29:54 EET

run show interfaces demux0.3221225472 extensive

  Logical interface demux0.3221225472 (Index 536870953) (SNMP ifIndex 200000041) (Generation 2)
    Flags: Up VLAN-Tag [ 0x8100.1000 ]  Encapsulation: ENET2
    Demux:
      Underlying interface: ge-0/0/1 (Index 151)
    Bandwidth: 0
    Traffic statistics:
     Input  bytes  :              1076976
     Output bytes  :               939275
     Input  packets:                 5036
     Output packets:                 2573
    Local statistics:
     Input  bytes  :                19724
     Output bytes  :                17754
     Input  packets:                  273
     Output packets:                  267
    Transit statistics:
     Input  bytes  :              1057252                 5592 bps
     Output bytes  :               921521                 8056 bps
     Input  packets:                 4763                    2 pps
     Output packets:                 2306                    2 pps
    Protocol inet, MTU: 9178, Generation: 0, Route table: 0
      Flags: Unnumbered
      Donor interface: lo0.0 (Index 321)
      Preferred source address: 10.228.8.1
      Input Filters: var-ff-in_UID1001-demux0.3221225472-in (50), NAT-demux0.3221225472-in (100)
      Output Filters: var-ff-out_UID1002-demux0.3221225472-out (50)
      Addresses, Flags: Is-Primary
        Destination: Unspecified, Local: 10.228.8.1, Broadcast: Unspecified, Generation: 0

IP-DHCP-PROFILE-1 {
    interfaces {
        demux0 {
            unit 3221225472 {
                family {
                    inet {
                        unnumbered-address lo0.0 preferred-source-address 10.228.8.1;
                    }
                }
            }
        }
    }
}
RATE-LIMIT {
    interfaces {
        demux0 {
            unit 3221225472 {
                family {
                    inet {
                        filter {
                            input var-ff-in_UID1001 precedence 50;
                            output var-ff-out_UID1002 precedence 50;
                        }
                    }
                }
            }
        }
    }
    firewall {
        family {
            inet {
                filter var-ff-in_UID1001 {
                    interface-specific;
                    term 1 {
                        then {
                            policer var-plr_UID1000;
                            sample;
                            port-mirror;
                            accept;
                        }
                    }
                }
                filter var-ff-out_UID1002 {
                    interface-specific;
                    term 1 {
                        then {
                            policer var-plr_UID1000;
                            sample;
                            port-mirror;
                            accept;
                        }
                    }
                }
            }
        }
        policer var-plr_UID1000 {
            logical-interface-policer;
            if-exceeding {
                bandwidth-limit 8000000;
                burst-size-limit 1000000;
            }
            then discard;
        }
    }
}
NAT {
    interfaces {
        demux0 {
            unit 3221225472 {
                family {
                    inet {
                        filter {
                            input NAT precedence 100;
                        }
                    }
                }
            }
        }
    }
}

show service session

There are no dns queries because of firewall rule dns servers are located in 10.228.0.0/16

filter NAT {
    interface-specific;
    term 15 {
        from {
            source-address {
                10.228.8.0/22;
            }
            destination-address {
                10.228.0.0/16;
            }
        }
        then accept;
    }
    term 100 {
        from {
            source-address {
                10.228.8.0/22;
            }
        }
        then {
            count NAT-FW;
            routing-instance NAT;
        }
    }
    term 20 {
        then accept;
    }
}

Service Set: NAT-SRV-SET, Session: 704643211, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
TCP      88.198.177.100:443    ->   10.228.10.254:57144  Drop     I               1

Service Set: NAT-SRV-SET, Session: 402653325, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
TCP     128.199.196.176:47385  -> 1.1.1.147:13403  Drop     O               1

Service Set: NAT-SRV-SET, Session: 100663318, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
TCP       139.59.80.251:52813  -> 1.1.1.171:15069  Drop     O               1

Service Set: NAT-SRV-SET, Session: 671088956, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
TCP       138.197.162.5:54075  -> 1.1.1.177:10266  Drop     O               1

Service Set: NAT-SRV-SET, Session: 67109177, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
TCP       185.60.216.35:80     ->   10.228.10.254:38710  Drop     I               1

Service Set: NAT-SRV-SET, Session: 335544394, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
TCP      173.194.73.138:80     ->   10.228.10.254:48409  Drop     I               1

Service Set: NAT-SRV-SET, Session: 671089077, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
TCP       10.228.10.254:38710  ->   185.60.216.35:80     Forward  I               1
TCP       185.60.216.35:80     -> 1.1.1.129:58663  Forward  O               1

Service Set: NAT-SRV-SET, Session: 939524314, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
TCP     128.199.196.176:47385  -> 1.1.1.222:12420  Drop     O               1

Service Set: NAT-SRV-SET, Session: 536871243, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
TCP      173.194.73.138:80     ->   10.228.10.254:48411  Drop     I               1

Service Set: NAT-SRV-SET, Session: 1040187767, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
TCP        60.254.8.122:45514  -> 1.1.1.168:23     Drop     O               1

Service Set: NAT-SRV-SET, Session: 704643158, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
TCP     128.199.196.176:47385  -> 1.1.1.136:12336  Drop     O               1

Service Set: NAT-SRV-SET, Session: 905969680, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
TCP        5.188.203.30:42130  -> 1.1.1.166:1231   Drop     O               1

Service Set: NAT-SRV-SET, Session: 905970171, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
TCP      125.99.100.111:3992   -> 1.1.1.245:23     Drop     O               1

Service Set: NAT-SRV-SET, Session: 1107296263, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
TCP     128.199.196.176:47385  -> 1.1.1.232:13234  Drop     O               1

Service Set: NAT-SRV-SET, Session: 335544818, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
TCP       46.105.148.85:443    ->   10.228.10.254:60234  Drop     I               1

Service Set: NAT-SRV-SET, Session: 402653648, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
TCP         79.79.33.35:53714  -> 1.1.1.236:23     Drop     O               1

Service Set: NAT-SRV-SET, Session: 469762344, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
TCP       170.238.51.52:44710  -> 1.1.1.234:23     Drop     O               1

Service Set: NAT-SRV-SET, Session: 838861236, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
TCP      88.198.177.100:443    ->   10.228.10.254:57160  Drop     I               1

Service Set: NAT-SRV-SET, Session: 1442840729, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
TCP        5.188.203.30:42130  -> 1.1.1.184:1231   Drop     O               1

Service Set: NAT-SRV-SET, Session: 671089122, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
TCP       89.249.246.86:45503  -> 1.1.1.149:2201   Drop     O               1

Service Set: NAT-SRV-SET, Session: 335544417, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
TCP     128.199.196.176:47385  -> 1.1.1.128:13742  Drop     O               1

Service Set: NAT-SRV-SET, Session: 268435560, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
TCP        42.243.69.53:31855  -> 1.1.1.217:23     Drop     O               1

Service Set: NAT-SRV-SET, Session: 100663773, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
TCP       46.105.148.85:443    ->   10.228.10.254:60218  Drop     I               1

Service Set: NAT-SRV-SET, Session: 469762559, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
TCP       185.60.216.35:80     ->   10.228.10.254:38697  Drop     I               1

Service Set: NAT-SRV-SET, Session: 167772660, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
TCP      190.96.118.111:63295  -> 1.1.1.199:445    Drop     O               1

Service Set: NAT-SRV-SET, Session: 469762542, ALG: icmp, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
ICMP      10.228.10.254        ->         8.8.4.4        Forward  I               5
ICMP            8.8.4.4        -> 1.1.1.129        Forward  O               5

Service Set: NAT-SRV-SET, Session: 939524293, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
TCP       10.228.10.254:48412  ->  173.194.73.138:80     Forward  I               3
TCP      173.194.73.138:80     -> 1.1.1.129:59279  Forward  O               5

Service Set: NAT-SRV-SET, Session: 1275068542, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
TCP       10.228.10.254:48411  ->  173.194.73.138:80     Forward  I               3
TCP      173.194.73.138:80     -> 1.1.1.129:59175  Forward  O               6

Service Set: NAT-SRV-SET, Session: 1409286209, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
TCP       10.228.10.254:54663  ->  173.194.73.139:80     Forward  I               3
TCP      173.194.73.139:80     -> 1.1.1.129:58875  Forward  O               6

Service Set: NAT-SRV-SET, Session: 436207923, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
TCP       10.228.10.254:48409  ->  173.194.73.138:80     Forward  I               3
TCP      173.194.73.138:80     -> 1.1.1.129:58933  Forward  O               7

Service Set: NAT-SRV-SET, Session: 1442841054, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
TCP       10.228.10.254:60234  ->   46.105.148.85:443    Forward  I               5
TCP       46.105.148.85:443    -> 1.1.1.129:58726  Forward  O               8

Service Set: NAT-SRV-SET, Session: 872415238, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
TCP       10.228.10.254:57160  ->  88.198.177.100:443    Forward  I               5
TCP      88.198.177.100:443    -> 1.1.1.129:59048  Forward  O               8

Service Set: NAT-SRV-SET, Session: 671089039, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
TCP       10.228.10.254:42273  ->  98.138.253.109:80     Forward  I               3
TCP      98.138.253.109:80     -> 1.1.1.129:59077  Forward  O               3

Service Set: NAT-SRV-SET, Session: 369099240, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
TCP       10.228.10.254:42272  ->  98.138.253.109:80     Forward  I               3
TCP      98.138.253.109:80     -> 1.1.1.129:59330  Forward  O               3

Service Set: NAT-SRV-SET, Session: 436208067, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
TCP       10.228.10.254:42398  ->  98.139.180.149:80     Forward  I               3
TCP      98.139.180.149:80     -> 1.1.1.129:59382  Forward  O               3

Service Set: NAT-SRV-SET, Session: 234881038, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
TCP       10.228.10.254:60229  ->   46.105.148.85:443    Forward  I               5
TCP       46.105.148.85:443    -> 1.1.1.129:58840  Forward  O              11

Service Set: NAT-SRV-SET, Session: 1073741949, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
TCP       10.228.10.254:57155  ->  88.198.177.100:443    Forward  I               5
TCP      88.198.177.100:443    -> 1.1.1.129:58474  Forward  O              11

Service Set: NAT-SRV-SET, Session: 1543504253, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
TCP       10.228.10.254:54576  ->   206.190.36.45:80     Forward  I               3
TCP       206.190.36.45:80     -> 1.1.1.129:58396  Forward  O               3

Service Set: NAT-SRV-SET, Session: 503316813, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
TCP       10.228.10.254:38697  ->   185.60.216.35:80     Forward  I               3
TCP       185.60.216.35:80     -> 1.1.1.129:59384  Forward  O               8

Service Set: NAT-SRV-SET, Session: 2013266201, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
TCP       10.228.10.254:38696  ->   185.60.216.35:80     Forward  I               3
TCP       185.60.216.35:80     -> 1.1.1.129:59202  Forward  O               8

Service Set: NAT-SRV-SET, Session: 1543504162, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
TCP       10.228.10.254:38695  ->   185.60.216.35:80     Forward  I               3
TCP       185.60.216.35:80     -> 1.1.1.129:59331  Forward  O               8

Service Set: NAT-SRV-SET, Session: 1476395062, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
TCP       10.228.10.254:38694  ->   185.60.216.35:80     Forward  I               3
TCP       185.60.216.35:80     -> 1.1.1.129:58948  Forward  O               8

Service Set: NAT-SRV-SET, Session: 1543504108, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
TCP       10.228.10.254:55610  ->  173.194.73.100:80     Forward  I               3
TCP      173.194.73.100:80     -> 1.1.1.129:58454  Forward  O               8

Service Set: NAT-SRV-SET, Session: 1275068746, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
TCP       10.228.10.254:48395  ->  173.194.73.138:80     Forward  I               3
TCP      173.194.73.138:80     -> 1.1.1.129:58482  Forward  O               8

Service Set: NAT-SRV-SET, Session: 469762241, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
TCP       10.228.10.254:54647  ->  173.194.73.139:80     Forward  I               3
TCP      173.194.73.139:80     -> 1.1.1.129:58823  Forward  O               8

Service Set: NAT-SRV-SET, Session: 2080375092, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
TCP       10.228.10.254:39278  ->  173.194.73.102:80     Forward  I               3
TCP      173.194.73.102:80     -> 1.1.1.129:58913  Forward  O               8

Service Set: NAT-SRV-SET, Session: 503316503, ALG: none, Flags: 0x300000, IP Action: no, Offload: no, Asymmetric: no
TCP       10.228.10.254:60218  ->   46.105.148.85:443    Forward  I               5
TCP       46.105.148.85:443    -> 1.1.1.129:58845  Forward  O              13

Service Set: NAT-SRV-SET, Session: 33554661, ALG: none, Flags: 0x300000, IP Action: no, Offload: no, Asymmetric: no
TCP       10.228.10.254:57144  ->  88.198.177.100:443    Forward  I               5
TCP      88.198.177.100:443    -> 1.1.1.129:58656  Forward  O              14

15. RE: MX104 + cg-nat

0 Recommend
rnayar
Posted 11-01-2017 11:14

Reply Reply Privately
Please remove service-profile rate-limit and check once. Just activate service-profile NAT for testing purpose.

Regards,

Rahul N
16. RE: MX104 + cg-nat

0 Recommend
smelnik
Posted 11-01-2017 11:54

Reply Reply Privately
Removed RATE-LIMIT. No change.

Type: VLAN Logical System: default Routing Instance: default Interface: demux0.3221225472 Interface type: Dynamic Underlying Interface: ge-0/0/1 Dynamic Profile Name: VLAN-PROFILE-SVLAN Dynamic Profile Version: 1 State: Active Session ID: 1 PFE Flow ID: 41 VLAN Id: 1000 Login Time: 2017-11-01 19:29:43 EET Type: DHCP User Name: ge-0/0/1:1000&000403E80018&010B7465737473776974636832 IP Address: 10.228.10.254 IP Netmask: 255.255.252.0 Logical System: default Routing Instance: default Interface: demux0.3221225472 Interface type: Static Underlying Interface: demux0.3221225472 Dynamic Profile Name: IP-DHCP-PROFILE-1 Dynamic Profile Version: 1 MAC Address: e4:18:6b:25:82:dd State: Active Radius Accounting ID: 2 Session ID: 2 PFE Flow ID: 41 VLAN Id: 1000 Agent Circuit ID: len 6 00 04 03 e8 00 18 Agent Remote ID: len 13 01 0b 74 65 73 74 73 77 69 74 63 68 32 Login Time: 2017-11-01 19:29:43 EET Service Sessions: 1 DHCP Options: len 76 35 01 01 39 02 05 dc 3d 07 01 e4 18 6b 25 82 dd 3c 06 6e 64 68 63 70 63 0c 0c 4b 65 65 6e 65 74 69 63 5f 41 69 72 37 0b 01 03 06 0f 1c 21 2a 2b 2c 79 f9 52 17 01 06 00 04 03 e8 00 18 02 0d 01 0b 74 65 73 74 73 77 69 74 63 68 32 IP Address Pool: 10-228-8-0 Accounting interval: 7200 Service Session ID: 4 Service Session Name: NAT Service Session Version: 1 State: Active Family: inet IPv4 Input Filter Name: NAT-demux0.3221225472-in Service Activation time: 2017-11-01 19:29:54 EET
17. RE: MX104 + cg-nat

1 Recommend
smelnik
Posted 11-01-2017 15:11

Reply Reply Privately
Lools like problem solved.

My mistake was in routing-instance:

was route 10.228.8.0/24 next-table inet.0

correct mask is /22

Thanks for help!

Routing

MX104 + cg-nat

smelnik11-01-2017 09:16

rnayar11-01-2017 09:38

rnayar11-01-2017 09:48

smelnik11-01-2017 09:57

rnayar11-01-2017 10:02Best Answer

smelnik11-01-2017 10:07

rnayar11-01-2017 10:10

smelnik11-01-2017 10:15

rnayar11-01-2017 10:19

smelnik11-01-2017 10:25

rnayar11-01-2017 10:27

smelnik11-01-2017 10:37

rnayar11-01-2017 10:46

smelnik11-01-2017 10:54

rnayar11-01-2017 11:14

smelnik11-01-2017 11:54

smelnik11-01-2017 15:11

1. MX104 + cg-nat

2. RE: MX104 + cg-nat

3. RE: MX104 + cg-nat

4. RE: MX104 + cg-nat

5. RE: MX104 + cg-nat Best Answer

6. RE: MX104 + cg-nat

7. RE: MX104 + cg-nat

8. RE: MX104 + cg-nat

9. RE: MX104 + cg-nat

10. RE: MX104 + cg-nat

11. RE: MX104 + cg-nat

12. RE: MX104 + cg-nat

13. RE: MX104 + cg-nat

14. RE: MX104 + cg-nat

15. RE: MX104 + cg-nat

16. RE: MX104 + cg-nat

17. RE: MX104 + cg-nat

5. RE: MX104 + cg-nat
Best Answer