Routing


MX104 + cg-nat

  • 1.  MX104 + cg-nat

    Posted 11-01-2017 09:16

    Good day everyone!

    I'm trying to set up NAT on my MX104 + MS-MIC-16G with BNG (DHCP subscribers).

    Configuration looks like this:

     

    show chassis fpc 1
    pic 0 {
        inline-services {
            bandwidth 10g;
        }
        adaptive-services {
            service-package layer-3;
        }
    }
     
    show interfaces ms-1/0/0
     
    unit 10 {
        family inet;
        service-domain inside;
    }
    unit 20 {
        family inet;
        service-domain outside;
    }
    show services nat
    pool NAT {
        address 1.1.1.0/24;
        port {
            automatic {
                random-allocation;
            }
            secured-port-block-allocation block-size 1024 max-blocks-per-address 4 active-block-timeout 300;
        }
        address-allocation round-robin;
    }
    rule NAT-1 {
        match-direction input;
        term t1 {
            from {
                source-address {
                    10.228.8.0/22;
                }
            }
            then {
                translated {
                    source-pool NAT;
                    translation-type {
                        napt-44;
                    }
                    address-pooling paired;
                }
            }
        }
    }
    show firewall family inet filter NAT
     
    interface-specific;
    term 10 {
        from {
            source-address {
                10.228.8.0/22;
            }
            destination-address {
                10.228.0.0/16;
            }
        }
        then accept;
    }
    term 100 {
        from {
            source-address {
                10.228.8.0/22;
            }
        }
        then {
            routing-instance NAT;
        }
    }
    term 200 {
        then accept;
    }
    show dynamic-profiles NAT
    interfaces {
        "$junos-interface-ifd-name" {
            unit "$junos-underlying-interface-unit" {
                family inet {
                    filter {
                        input NAT precedence 100;
                    }
                }
            }
        }
    }
    show routing-instances NAT
    instance-type virtual-router;
    interface ms-1/0/0.10;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop ms-1/0/0.10;
            route 10.228.8.0/24 next-table inet.0;
        }
    }
    Then I got a subscriber with dynamic-profile NAT attached:
     
    run show subscribers
    Interface           IP Address/VLAN ID                      User Name                      LS:RI
    demux0.3221225496    1000                                                             default:default
    demux0.3221225496   10.228.10.254                           ge-0/0/1:1000&000403E80018&010B7465737473776974636832       default:default
    Service Session ID: 12
    Service Session Name: NAT
    Service Session Version: 1
    State: Active
    Family: inet
    IPv4 Input Filter Name: NAT-demux0.3221225478-in
    Service Activation time: 2017-11-01 17:53:05 EET
     
     

     

    The problem is that NAT is not happening.
     
     
     
     
     
     
     


  • 2.  RE: MX104 + cg-nat

     
    Posted 11-01-2017 09:38

    Hi,

     

    Please apply the filter under forwarding-option and check once.

     

    NAT# show forwarding-options
    family inet {
        filter {
            input NAT; 
        }
    }



  • 3.  RE: MX104 + cg-nat

     
    Posted 11-01-2017 09:48

    You can also use below dynamic-profile and check as well.

     

    NAT{
        predefined-variable-defaults {
            input-filter NAT;
        }
        interfaces {
            demux0 {
                unit "$junos-interface-unit" {
                    family inet {
                        filter {
                            input "$junos-input-filter";
                        }
                    }                      
                }
            }
        }
    }



  • 4.  RE: MX104 + cg-nat

    Posted 11-01-2017 09:57

    Thanks.

    It looks like NAT is happening. I have mirrored traffic from the border router, and when I ping 8.8.8.8 from the client I see packets with a source address from my NAT pool, and I see the reply coming back to the NAT pool IP address, but the subscriber is not receiving this reply.



  • 5.  RE: MX104 + cg-nat
    Best Answer

     
    Posted 11-01-2017 10:02

    Hi,

     

    Please paste the output of "show service session"

     

    Do you have return route for natted ip?

     

    Regards,

    Rahul



  • 6.  RE: MX104 + cg-nat

    Posted 11-01-2017 10:07

    Yes, I have this route distributed to iBGP.

    Service Set: NAT-SRV-SET, Session: 603980079, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
    TCP 5.188.203.30:42130 -> 1.1.1.2:1945 Drop O 1



  • 7.  RE: MX104 + cg-nat

     
    Posted 11-01-2017 10:10

    NAT is not working, I believe, from the output. There is no mapping.

     

    Please ping the DNS and collect "show service session"

     

    Regards,

    Rahul



  • 8.  RE: MX104 + cg-nat

    Posted 11-01-2017 10:15

    Done

     

     

    Service Set: NAT-SRV-SET, Session: 1946157221, ALG: icmp, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
    ICMP      10.228.10.254        ->         8.8.8.8        Forward  I              47
    ICMP            8.8.8.8        -> 1.1.1.2        Forward  O              47
    
    Service Set: NAT-SRV-SET, Session: 1006632972, ALG: none, Flags: 0x300000, IP Action: no, Offload: no, Asymmetric: no
    TCP       10.228.10.254:42040  ->  98.139.180.149:80     Forward  I               3
    TCP      98.139.180.149:80     -> 1.1.1.2:54315  Forward  O               3
    
    Service Set: NAT-SRV-SET, Session: 301990310, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
    TCP       10.228.10.254:34908  ->   185.60.216.35:80     Forward  I               3
    TCP       185.60.216.35:80     -> 1.1.1.2:54782  Forward  O               8
    
    Service Set: NAT-SRV-SET, Session: 1577058409, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
    TCP       10.228.10.254:34907  ->   185.60.216.35:80     Forward  I               3
    TCP       185.60.216.35:80     -> 1.1.1.2:54735  Forward  O               8
    
    Service Set: NAT-SRV-SET, Session: 268435600, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
    TCP       10.228.10.254:34906  ->   185.60.216.35:80     Forward  I               3
    TCP       185.60.216.35:80     -> 1.1.1.2:54538  Forward  O               8
    
    Service Set: NAT-SRV-SET, Session: 167772477, ALG: none, Flags: 0x300000, IP Action: no, Offload: no, Asymmetric: no
    TCP       10.228.10.254:42433  ->  91.218.112.167:443    Forward  I               5
    TCP      91.218.112.167:443    -> 1.1.1.2:54459  Forward  O              14

     



  • 9.  RE: MX104 + cg-nat

     
    Posted 11-01-2017 10:19

    Output looks fine. Are ping from the subscriber to DNS as well as browsing failing?

     

    Do you have any other filter under lo0 or subscriber interface?

     

    Regards,

    Rahul N



  • 10.  RE: MX104 + cg-nat

    Posted 11-01-2017 10:25

    Only one is under LO, permitting only specific exceptional traffic.



  • 11.  RE: MX104 + cg-nat

     
    Posted 11-01-2017 10:27

    Is browsing working for the subscribers? Just ping issue?

     

    What version are you using?

     

    Regards,

    Rahul N



  • 12.  RE: MX104 + cg-nat

    Posted 11-01-2017 10:37

    show version
    Model: mx104
    Junos: 15.1R5-S4.2
    JUNOS Base OS boot [15.1R5-S4.2]
    JUNOS Base OS Software Suite [15.1R5-S4.2]
    JUNOS Crypto Software Suite [15.1R5-S4.2]
    JUNOS Packet Forwarding Engine Support (MX104) [15.1R5-S4.2]
    JUNOS Web Management [15.1R5-S4.2]
    JUNOS Online Documentation [15.1R5-S4.2]
    JUNOS Services Application Level Gateways [15.1R5-S4.2]
    JUNOS Services Jflow Container package [15.1R5-S4.2]
    JUNOS Services Stateful Firewall [15.1R5-S4.2]
    JUNOS Services NAT [15.1R5-S4.2]
    JUNOS Services RPM [15.1R5-S4.2]
    JUNOS Services Captive Portal and Content Delivery Container package [15.1R5-S4.2]
    JUNOS Macsec Software Suite [15.1R5-S4.2]
    JUNOS Services Crypto [15.1R5-S4.2]
    JUNOS Services IPSec [15.1R5-S4.2]
    JUNOS Kernel Software Suite [15.1R5-S4.2]
    JUNOS Routing Software Suite [15.1R5-S4.2]
    

    Again, I've checked for the route on the border router - it is present.

    On MX router:

    show route 1.1.1.0/24
    
    inet.0: 59 destinations, 63 routes (59 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    1.1.1.0/24 *[Static/1] 00:05:59
                        > via ms-1/0/0.20
    

    Looks good.

    Both ping and HTTP are not working.

     

    Maybe there is a mistake in routing-instance:

    NAT {
        instance-type virtual-router;
        interface ms-1/0/0.10;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop ms-1/0/0.10;
                route 10.228.8.0/24 next-table inet.0;
            }
        }
    }
    

    But it looks good to me.



  • 13.  RE: MX104 + cg-nat

     
    Posted 11-01-2017 10:46

    I need a few outputs.

     

    Show subscribers xyz extensive

    show interface <subscriber interface> extensive

    show dynamic-profile session client-id <client-id>   <<< Client id can be derived from show subscribers xyz extensive output, session id >

    show service session < Please browse one site>  << need to check if there is DNS hit as previous output doesn't have any DNS hit

    Configuration

     

    Regards,

    Rahul N



  • 14.  RE: MX104 + cg-nat

    Posted 11-01-2017 10:54

    run show subscribers extensive

    Type: VLAN
    Logical System: default
    Routing Instance: default
    Interface: demux0.3221225472
    Interface type: Dynamic
    Underlying Interface: ge-0/0/1
    Dynamic Profile Name: VLAN-PROFILE-SVLAN
    Dynamic Profile Version: 1
    State: Active
    Session ID: 1
    PFE Flow ID: 41
    VLAN Id: 1000
    Login Time: 2017-11-01 19:29:43 EET
    
    Type: DHCP
    User Name: ge-0/0/1:1000&000403E80018&010B7465737473776974636832
    IP Address: 10.228.10.254
    IP Netmask: 255.255.252.0
    Logical System: default
    Routing Instance: default
    Interface: demux0.3221225472
    Interface type: Static
    Underlying Interface: demux0.3221225472
    Dynamic Profile Name: IP-DHCP-PROFILE-1
    Dynamic Profile Version: 1
    MAC Address: e4:18:6b:25:82:dd
    State: Active
    Radius Accounting ID: 2
    Session ID: 2
    PFE Flow ID: 41
    VLAN Id: 1000
    Agent Circuit ID: len 6
    00 04 03 e8 00 18
    Agent Remote ID: len 13
    01 0b 74 65 73 74 73 77 69 74 63 68 32
    Login Time: 2017-11-01 19:29:43 EET
    Service Sessions: 2
    DHCP Options: len 76
    35 01 01 39 02 05 dc 3d 07 01 e4 18 6b 25 82 dd 3c 06 6e 64
    68 63 70 63 0c 0c 4b 65 65 6e 65 74 69 63 5f 41 69 72 37 0b
    01 03 06 0f 1c 21 2a 2b 2c 79 f9 52 17 01 06 00 04 03 e8 00
    18 02 0d 01 0b 74 65 73 74 73 77 69 74 63 68 32
    IP Address Pool: 10-228-8-0
    Accounting interval: 7200
    
       Service Session ID: 3
       Service Session Name: RATE-LIMIT
       Service Session Version: 1
       State: Active
       Family: inet
       IPv4 Input Filter Name: var-ff-in_UID1001-demux0.3221225472-in
       IPv4 Output Filter Name: var-ff-out_UID1002-demux0.3221225472-out
       Service Activation time: 2017-11-01 19:29:46 EET
       Dynamic configuration:
         var-burst: 1000000
         var-bw: 8000000
         var-ff-in: var-ff-in_UID1001
         var-ff-out: var-ff-out_UID1002
         var-plr: var-plr_UID1000
    
       Service Session ID: 4
       Service Session Name: NAT
       Service Session Version: 1
       State: Active
       Family: inet
       IPv4 Input Filter Name: NAT-demux0.3221225472-in
       Service Activation time: 2017-11-01 19:29:54 EET
    
    

    run show interfaces demux0.3221225472 extensive

      Logical interface demux0.3221225472 (Index 536870953) (SNMP ifIndex 200000041) (Generation 2)
        Flags: Up VLAN-Tag [ 0x8100.1000 ]  Encapsulation: ENET2
        Demux:
          Underlying interface: ge-0/0/1 (Index 151)
        Bandwidth: 0
        Traffic statistics:
         Input  bytes  :              1076976
         Output bytes  :               939275
         Input  packets:                 5036
         Output packets:                 2573
        Local statistics:
         Input  bytes  :                19724
         Output bytes  :                17754
         Input  packets:                  273
         Output packets:                  267
        Transit statistics:
         Input  bytes  :              1057252                 5592 bps
         Output bytes  :               921521                 8056 bps
         Input  packets:                 4763                    2 pps
         Output packets:                 2306                    2 pps
        Protocol inet, MTU: 9178, Generation: 0, Route table: 0
          Flags: Unnumbered
          Donor interface: lo0.0 (Index 321)
          Preferred source address: 10.228.8.1
          Input Filters: var-ff-in_UID1001-demux0.3221225472-in (50), NAT-demux0.3221225472-in (100)
          Output Filters: var-ff-out_UID1002-demux0.3221225472-out (50)
          Addresses, Flags: Is-Primary
            Destination: Unspecified, Local: 10.228.8.1, Broadcast: Unspecified, Generation: 0
    
    IP-DHCP-PROFILE-1 {
        interfaces {
            demux0 {
                unit 3221225472 {
                    family {
                        inet {
                            unnumbered-address lo0.0 preferred-source-address 10.228.8.1;
                        }
                    }
                }
            }
        }
    }
    RATE-LIMIT {
        interfaces {
            demux0 {
                unit 3221225472 {
                    family {
                        inet {
                            filter {
                                input var-ff-in_UID1001 precedence 50;
                                output var-ff-out_UID1002 precedence 50;
                            }
                        }
                    }
                }
            }
        }
        firewall {
            family {
                inet {
                    filter var-ff-in_UID1001 {
                        interface-specific;
                        term 1 {
                            then {
                                policer var-plr_UID1000;
                                sample;
                                port-mirror;
                                accept;
                            }
                        }
                    }
                    filter var-ff-out_UID1002 {
                        interface-specific;
                        term 1 {
                            then {
                                policer var-plr_UID1000;
                                sample;
                                port-mirror;
                                accept;
                            }
                        }
                    }
                }
            }
            policer var-plr_UID1000 {
                logical-interface-policer;
                if-exceeding {
                    bandwidth-limit 8000000;
                    burst-size-limit 1000000;
                }
                then discard;
            }
        }
    }
    NAT {
        interfaces {
            demux0 {
                unit 3221225472 {
                    family {
                        inet {
                            filter {
                                input NAT precedence 100;
                            }
                        }
                    }
                }
            }
        }
    }
    

    show service session

    There are no DNS queries because of the firewall rule; the DNS servers are located in 10.228.0.0/16.

    filter NAT {
        interface-specific;
        term 15 {
            from {
                source-address {
                    10.228.8.0/22;
                }
                destination-address {
                    10.228.0.0/16;
                }
            }
            then accept;
        }
        term 100 {
            from {
                source-address {
                    10.228.8.0/22;
                }
            }
            then {
                count NAT-FW;
                routing-instance NAT;
            }
        }
        term 20 {
            then accept;
        }
    }
    

     

    Service Set: NAT-SRV-SET, Session: 704643211, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
    TCP      88.198.177.100:443    ->   10.228.10.254:57144  Drop     I               1
    
    Service Set: NAT-SRV-SET, Session: 402653325, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
    TCP     128.199.196.176:47385  -> 1.1.1.147:13403  Drop     O               1
    
    Service Set: NAT-SRV-SET, Session: 100663318, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
    TCP       139.59.80.251:52813  -> 1.1.1.171:15069  Drop     O               1
    
    Service Set: NAT-SRV-SET, Session: 671088956, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
    TCP       138.197.162.5:54075  -> 1.1.1.177:10266  Drop     O               1
    
    Service Set: NAT-SRV-SET, Session: 67109177, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
    TCP       185.60.216.35:80     ->   10.228.10.254:38710  Drop     I               1
    
    Service Set: NAT-SRV-SET, Session: 335544394, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
    TCP      173.194.73.138:80     ->   10.228.10.254:48409  Drop     I               1
    
    Service Set: NAT-SRV-SET, Session: 671089077, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
    TCP       10.228.10.254:38710  ->   185.60.216.35:80     Forward  I               1
    TCP       185.60.216.35:80     -> 1.1.1.129:58663  Forward  O               1
    
    Service Set: NAT-SRV-SET, Session: 939524314, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
    TCP     128.199.196.176:47385  -> 1.1.1.222:12420  Drop     O               1
    
    Service Set: NAT-SRV-SET, Session: 536871243, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
    TCP      173.194.73.138:80     ->   10.228.10.254:48411  Drop     I               1
    
    Service Set: NAT-SRV-SET, Session: 1040187767, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
    TCP        60.254.8.122:45514  -> 1.1.1.168:23     Drop     O               1
    
    Service Set: NAT-SRV-SET, Session: 704643158, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
    TCP     128.199.196.176:47385  -> 1.1.1.136:12336  Drop     O               1
    
    Service Set: NAT-SRV-SET, Session: 905969680, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
    TCP        5.188.203.30:42130  -> 1.1.1.166:1231   Drop     O               1
    
    Service Set: NAT-SRV-SET, Session: 905970171, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
    TCP      125.99.100.111:3992   -> 1.1.1.245:23     Drop     O               1
    
    Service Set: NAT-SRV-SET, Session: 1107296263, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
    TCP     128.199.196.176:47385  -> 1.1.1.232:13234  Drop     O               1
    
    Service Set: NAT-SRV-SET, Session: 335544818, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
    TCP       46.105.148.85:443    ->   10.228.10.254:60234  Drop     I               1
    
    Service Set: NAT-SRV-SET, Session: 402653648, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
    TCP         79.79.33.35:53714  -> 1.1.1.236:23     Drop     O               1
    
    Service Set: NAT-SRV-SET, Session: 469762344, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
    TCP       170.238.51.52:44710  -> 1.1.1.234:23     Drop     O               1
    
    Service Set: NAT-SRV-SET, Session: 838861236, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
    TCP      88.198.177.100:443    ->   10.228.10.254:57160  Drop     I               1
    
    Service Set: NAT-SRV-SET, Session: 1442840729, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
    TCP        5.188.203.30:42130  -> 1.1.1.184:1231   Drop     O               1
    
    Service Set: NAT-SRV-SET, Session: 671089122, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
    TCP       89.249.246.86:45503  -> 1.1.1.149:2201   Drop     O               1
    
    Service Set: NAT-SRV-SET, Session: 335544417, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
    TCP     128.199.196.176:47385  -> 1.1.1.128:13742  Drop     O               1
    
    Service Set: NAT-SRV-SET, Session: 268435560, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
    TCP        42.243.69.53:31855  -> 1.1.1.217:23     Drop     O               1
    
    Service Set: NAT-SRV-SET, Session: 100663773, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
    TCP       46.105.148.85:443    ->   10.228.10.254:60218  Drop     I               1
    
    Service Set: NAT-SRV-SET, Session: 469762559, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
    TCP       185.60.216.35:80     ->   10.228.10.254:38697  Drop     I               1
    
    Service Set: NAT-SRV-SET, Session: 167772660, ALG: none, Flags: 0x0040, IP Action: no, Offload: no, Asymmetric: no
    TCP      190.96.118.111:63295  -> 1.1.1.199:445    Drop     O               1
    
    Service Set: NAT-SRV-SET, Session: 469762542, ALG: icmp, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
    ICMP      10.228.10.254        ->         8.8.4.4        Forward  I               5
    ICMP            8.8.4.4        -> 1.1.1.129        Forward  O               5
    
    Service Set: NAT-SRV-SET, Session: 939524293, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
    TCP       10.228.10.254:48412  ->  173.194.73.138:80     Forward  I               3
    TCP      173.194.73.138:80     -> 1.1.1.129:59279  Forward  O               5
    
    Service Set: NAT-SRV-SET, Session: 1275068542, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
    TCP       10.228.10.254:48411  ->  173.194.73.138:80     Forward  I               3
    TCP      173.194.73.138:80     -> 1.1.1.129:59175  Forward  O               6
    
    Service Set: NAT-SRV-SET, Session: 1409286209, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
    TCP       10.228.10.254:54663  ->  173.194.73.139:80     Forward  I               3
    TCP      173.194.73.139:80     -> 1.1.1.129:58875  Forward  O               6
    
    Service Set: NAT-SRV-SET, Session: 436207923, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
    TCP       10.228.10.254:48409  ->  173.194.73.138:80     Forward  I               3
    TCP      173.194.73.138:80     -> 1.1.1.129:58933  Forward  O               7
    
    Service Set: NAT-SRV-SET, Session: 1442841054, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
    TCP       10.228.10.254:60234  ->   46.105.148.85:443    Forward  I               5
    TCP       46.105.148.85:443    -> 1.1.1.129:58726  Forward  O               8
    
    Service Set: NAT-SRV-SET, Session: 872415238, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
    TCP       10.228.10.254:57160  ->  88.198.177.100:443    Forward  I               5
    TCP      88.198.177.100:443    -> 1.1.1.129:59048  Forward  O               8
    
    Service Set: NAT-SRV-SET, Session: 671089039, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
    TCP       10.228.10.254:42273  ->  98.138.253.109:80     Forward  I               3
    TCP      98.138.253.109:80     -> 1.1.1.129:59077  Forward  O               3
    
    Service Set: NAT-SRV-SET, Session: 369099240, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
    TCP       10.228.10.254:42272  ->  98.138.253.109:80     Forward  I               3
    TCP      98.138.253.109:80     -> 1.1.1.129:59330  Forward  O               3
    
    Service Set: NAT-SRV-SET, Session: 436208067, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
    TCP       10.228.10.254:42398  ->  98.139.180.149:80     Forward  I               3
    TCP      98.139.180.149:80     -> 1.1.1.129:59382  Forward  O               3
    
    Service Set: NAT-SRV-SET, Session: 234881038, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
    TCP       10.228.10.254:60229  ->   46.105.148.85:443    Forward  I               5
    TCP       46.105.148.85:443    -> 1.1.1.129:58840  Forward  O              11
    
    Service Set: NAT-SRV-SET, Session: 1073741949, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
    TCP       10.228.10.254:57155  ->  88.198.177.100:443    Forward  I               5
    TCP      88.198.177.100:443    -> 1.1.1.129:58474  Forward  O              11
    
    Service Set: NAT-SRV-SET, Session: 1543504253, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
    TCP       10.228.10.254:54576  ->   206.190.36.45:80     Forward  I               3
    TCP       206.190.36.45:80     -> 1.1.1.129:58396  Forward  O               3
    
    Service Set: NAT-SRV-SET, Session: 503316813, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
    TCP       10.228.10.254:38697  ->   185.60.216.35:80     Forward  I               3
    TCP       185.60.216.35:80     -> 1.1.1.129:59384  Forward  O               8
    
    Service Set: NAT-SRV-SET, Session: 2013266201, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
    TCP       10.228.10.254:38696  ->   185.60.216.35:80     Forward  I               3
    TCP       185.60.216.35:80     -> 1.1.1.129:59202  Forward  O               8
    
    Service Set: NAT-SRV-SET, Session: 1543504162, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
    TCP       10.228.10.254:38695  ->   185.60.216.35:80     Forward  I               3
    TCP       185.60.216.35:80     -> 1.1.1.129:59331  Forward  O               8
    
    Service Set: NAT-SRV-SET, Session: 1476395062, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
    TCP       10.228.10.254:38694  ->   185.60.216.35:80     Forward  I               3
    TCP       185.60.216.35:80     -> 1.1.1.129:58948  Forward  O               8
    
    Service Set: NAT-SRV-SET, Session: 1543504108, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
    TCP       10.228.10.254:55610  ->  173.194.73.100:80     Forward  I               3
    TCP      173.194.73.100:80     -> 1.1.1.129:58454  Forward  O               8
    
    Service Set: NAT-SRV-SET, Session: 1275068746, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
    TCP       10.228.10.254:48395  ->  173.194.73.138:80     Forward  I               3
    TCP      173.194.73.138:80     -> 1.1.1.129:58482  Forward  O               8
    
    Service Set: NAT-SRV-SET, Session: 469762241, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
    TCP       10.228.10.254:54647  ->  173.194.73.139:80     Forward  I               3
    TCP      173.194.73.139:80     -> 1.1.1.129:58823  Forward  O               8
    
    Service Set: NAT-SRV-SET, Session: 2080375092, ALG: none, Flags: 0x200000, IP Action: no, Offload: no, Asymmetric: no
    TCP       10.228.10.254:39278  ->  173.194.73.102:80     Forward  I               3
    TCP      173.194.73.102:80     -> 1.1.1.129:58913  Forward  O               8
    
    Service Set: NAT-SRV-SET, Session: 503316503, ALG: none, Flags: 0x300000, IP Action: no, Offload: no, Asymmetric: no
    TCP       10.228.10.254:60218  ->   46.105.148.85:443    Forward  I               5
    TCP       46.105.148.85:443    -> 1.1.1.129:58845  Forward  O              13
    
    Service Set: NAT-SRV-SET, Session: 33554661, ALG: none, Flags: 0x300000, IP Action: no, Offload: no, Asymmetric: no
    TCP       10.228.10.254:57144  ->  88.198.177.100:443    Forward  I               5
    TCP      88.198.177.100:443    -> 1.1.1.129:58656  Forward  O              14
    
    


  • 15.  RE: MX104 + cg-nat

     
    Posted 11-01-2017 11:14

    Please remove service-profile rate-limit and check once.  Just activate service-profile NAT for testing purpose.

     

    Regards,

    Rahul N



  • 16.  RE: MX104 + cg-nat

    Posted 11-01-2017 11:54

    Removed RATE-LIMIT. No change.

    Type: VLAN
    Logical System: default
    Routing Instance: default
    Interface: demux0.3221225472
    Interface type: Dynamic
    Underlying Interface: ge-0/0/1
    Dynamic Profile Name: VLAN-PROFILE-SVLAN
    Dynamic Profile Version: 1
    State: Active
    Session ID: 1
    PFE Flow ID: 41
    VLAN Id: 1000
    Login Time: 2017-11-01 19:29:43 EET
    
    Type: DHCP
    User Name: ge-0/0/1:1000&000403E80018&010B7465737473776974636832
    IP Address: 10.228.10.254
    IP Netmask: 255.255.252.0
    Logical System: default
    Routing Instance: default
    Interface: demux0.3221225472
    Interface type: Static
    Underlying Interface: demux0.3221225472
    Dynamic Profile Name: IP-DHCP-PROFILE-1
    Dynamic Profile Version: 1
    MAC Address: e4:18:6b:25:82:dd
    State: Active
    Radius Accounting ID: 2
    Session ID: 2
    PFE Flow ID: 41
    VLAN Id: 1000
    Agent Circuit ID: len 6
    00 04 03 e8 00 18
    Agent Remote ID: len 13
    01 0b 74 65 73 74 73 77 69 74 63 68 32
    Login Time: 2017-11-01 19:29:43 EET
    Service Sessions: 1
    DHCP Options: len 76
    35 01 01 39 02 05 dc 3d 07 01 e4 18 6b 25 82 dd 3c 06 6e 64
    68 63 70 63 0c 0c 4b 65 65 6e 65 74 69 63 5f 41 69 72 37 0b
    01 03 06 0f 1c 21 2a 2b 2c 79 f9 52 17 01 06 00 04 03 e8 00
    18 02 0d 01 0b 74 65 73 74 73 77 69 74 63 68 32
    IP Address Pool: 10-228-8-0
    Accounting interval: 7200
    
       Service Session ID: 4
       Service Session Name: NAT
       Service Session Version: 1
       State: Active
       Family: inet
       IPv4 Input Filter Name: NAT-demux0.3221225472-in
       Service Activation time: 2017-11-01 19:29:54 EET
    


  • 17.  RE: MX104 + cg-nat

    Posted 11-01-2017 15:11

    Looks like the problem is solved.

    My mistake was in routing-instance:

    was  route 10.228.8.0/24 next-table inet.0

    correct mask is /22

    Thanks for help!
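
The mask error identified in the last post, as an added example (not code from the thread): it runs a longest-prefix match over the NAT routing instance's static routes and lists which NATed source addresses fall through to the default route toward ms-1/0/0.10 instead of being handed back to inet.0. The prefixes and next hops are copied from the configuration quoted in the thread; the function names, and the assumption that de-NATed return traffic is looked up in the NAT instance's table, are this example's own.

```python
import ipaddress

# Values copied from the configuration quoted in the thread.
FILTER_SOURCE = "10.228.8.0/22"      # firewall filter NAT, term 100 source-address
SERVICE_IFL = "ms-1/0/0.10"          # inside service interface in routing-instance NAT

# routing-instance NAT static routes as originally configured (wrong mask).
VR_ROUTES = {
    "0.0.0.0/0": "ms-1/0/0.10",
    "10.228.8.0/24": "next-table inet.0",
}

# Same routes after the fix reported in the last post (/22 instead of /24).
FIXED_ROUTES = {
    "0.0.0.0/0": "ms-1/0/0.10",
    "10.228.8.0/22": "next-table inet.0",
}


def lookup(routes, addr):
    """Longest-prefix match: return (network, next_hop) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, next_hop in routes.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def looped_ranges(source_prefix, routes, service_ifl):
    """Return the parts of source_prefix whose best route in the
    routing instance points at the service interface.

    Subscribers in these ranges are steered into NAT by the filter,
    but their return traffic has no route back to inet.0.
    """
    route_nets = [ipaddress.ip_network(p) for p in routes]

    def walk(net):
        # If a more specific route exists inside this block, the lookup
        # result is not uniform, so split the block and check each half.
        if any(r != net and r.subnet_of(net) for r in route_nets):
            for half in net.subnets(prefixlen_diff=1):
                yield from walk(half)
            return
        hit = lookup(routes, net.network_address)
        if hit is not None and hit[1] == service_ifl:
            yield net

    start = ipaddress.ip_network(source_prefix)
    return list(ipaddress.collapse_addresses(walk(start)))


def report(label, routes, subscriber="10.228.10.254"):
    """Summarise one route table for the subscriber seen in the thread."""
    net, next_hop = lookup(routes, subscriber)
    bad = [str(n) for n in looped_ranges(FILTER_SOURCE, routes, SERVICE_IFL)]
    return (f"{label}: {subscriber} matches {net} -> {next_hop}; "
            f"ranges without a return route: {bad or 'none'}")


if __name__ == "__main__":
    print(report("as configured", VR_ROUTES))
    print(report("after fix", FIXED_ROUTES))
```

Running the same check whenever the filter's source-address list or the instance's static routes change catches a mismatch between the two before subscribers in the uncovered range are affected.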