Routing




  • 1.  Can't route traffic using Inline NAT

    Posted 04-25-2022 13:40
    Hi

    I'm trying to set up a lab with inline NAT on my MX router so a directly connected server can access the internet via the outside link.
    So far the NAT config looks good, as I could monitor the traffic going via si-0/1/0 and NAT being done, and the server can ping the local IP (xx.xx.180.182) but not the next hop (xx.xx.180.182) or the internet. Can anyone shed some light here, please?


    set system default-address-selection
    set chassis fpc 0 pic 1 inline-services bandwidth 1g
    set services service-set SVCSET-NAT nat-rules SNAT-RULE
    set services service-set SVCSET-NAT interface-service service-interface si-0/1/0.0
    set services nat pool p1 address xx.xx.180.200/32
    set services nat rule SNAT-RULE match-direction input
    set services nat rule SNAT-RULE term r1 from source-address 172.30.164.100/32
    set services nat rule SNAT-RULE term r1 then translated source-pool p1
    set services nat rule SNAT-RULE term r1 then translated translation-type basic-nat44
    set interfaces si-0/1/0 unit 0 family inet
    set interfaces ge-0/1/1 description "** INSIDE  test server **"
    set interfaces ge-0/1/1 unit 0 family inet no-redirects
    set interfaces ge-0/1/1 unit 0 family inet service input service-set SVCSET-NAT
    set interfaces ge-0/1/1 unit 0 family inet service output service-set SVCSET-NAT
    set interfaces ge-0/1/1 unit 0 family inet address 172.30.164.1/24
    set interfaces xe-2/0/0 description "** OUTSIDE to internet **"
    set interfaces xe-2/0/0 unit 0 bandwidth 10g
    set interfaces xe-2/0/0 unit 0 family inet no-redirects
    set interfaces xe-2/0/0 unit 0 family inet address xx.xx.180.181/30
    set interfaces lo0 unit 0 family inet address 172.30.164.250/32
    set routing-options static route 0.0.0.0/0 next-hop xx.xx.180.182


    netops@test-mx-re0> show services inline nat pool
    Interface: si-0/1/0, Service set: SVCSET-NAT
    NAT pool: p1, Translation type: BASIC NAT44
    Address range: xx.xx.180.200-xx.xx.180.200
    NATed packets: 3648, deNATed packets: 50, Errors: 0, Skipped packets: 0
    netops@test-mx-re0> show route terse
    inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    A V Destination P Prf Metric 1 Metric 2 Next hop AS path
    * ? 0.0.0.0/0 S 5 >xx.xx.180.182
    * ? xx.xx.180.180/30 D 0 >xe-2/0/0.0
    * ? xx.xx.180.181/32 L 0 Local
    * ? xx.xx.180.200/32 S 1 Service
    * ? 10.20.20.0/24 D 0 >fxp0.0
    * ? 10.20.20.200/32 L 0 Local
    * ? 10.20.16.0/24 S 5 >10.20.20.1
    * ? 172.30.164.0/24 D 0 >ge-0/1/1.0
    * ? 172.30.164.1/32 L 0 Local
    * ? 172.30.164.250/32 D 0 >lo0.0
    inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    A V Destination P Prf Metric 1 Metric 2 Next hop AS path
    * ? ff02::2/128 I 0 MultiRecv
    netops@test-mx-re0> show route table inet.0
    inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    0.0.0.0/0 *[Static/5] 05:19:35
    > to xx.xx.180.182 via xe-2/0/0.0
    xx.xx.180.180/30 *[Direct/0] 05:19:35 > via xe-2/0/0.0
    xx.xx.180.181/32 *[Local/0] 05:19:35 Local via xe-2/0/0.0
    xx.xx.180.200/32 *[Static/1] 03:09:50 Service to SVCSET-NAT
    10.20.20.0/24 *[Direct/0] 05:22:10 > via fxp0.0
    10.20.20.200/32 *[Local/0] 05:22:10 Local via fxp0.0
    10.20.16.0/24 *[Static/5] 05:22:07 > to 10.20.20.1 via fxp0.0
    172.30.164.0/24 *[Direct/0] 03:38:29 > via ge-0/1/1.0
    172.30.164.1/32 *[Local/0] 03:38:29 Local via ge-0/1/1.0
    172.30.164.250/32 *[Direct/0] 00:47:13 > via lo0.0
    netops@test-mx-re0> ping xx.xx.180.181
    PING xx.xx.180.181 (xx.xx.180.181): 56 data bytes
    64 bytes from xx.xx.180.181: icmp_seq=0 ttl=64 time=0.170 ms
    64 bytes from xx.xx.180.181: icmp_seq=1 ttl=64 time=0.081 ms
    ^C
    --- xx.xx.180.181 ping statistics ---
    2 packets transmitted, 2 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 0.081/0.126/0.170/0.045 ms
    netops@test-mx-re0> ping xx.xx.180.182
    PING xx.xx.180.182 (xx.xx.180.182): 56 data bytes
    ^C
    --- xx.xx.180.182 ping statistics ---
    3 packets transmitted, 0 packets received, 100% packet loss
    netops@test-mx-re0> ping xx.xx.180.182 bypass-routing
    PING xx.xx.180.182 (xx.xx.180.182): 56 data bytes
    64 bytes from xx.xx.180.182: icmp_seq=0 ttl=255 time=1.263 ms
    64 bytes from xx.xx.180.182: icmp_seq=1 ttl=255 time=1.851 ms
    ^C
    --- xx.xx.180.182 ping statistics ---
    2 packets transmitted, 2 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 1.263/1.557/1.851/0.294 ms

    netops@test-mx-re0> monitor traffic no-resolve interface si-0/1/0
    verbose output suppressed, use <detail> or <extensive> for full protocol decode
    Address resolution is OFF.
    Listening on si-0/1/0, capture size 96 bytes

    15:00:22.131738 In IP xx.xx180.200 > xx.xx180.181: ICMP echo request, id 1, seq 357, length 40
    15:00:22.131859 Out IP xx.xx180.181 > xx.xx180.200: ICMP echo reply, id 1, seq 357, length 40
    15:00:23.139625 In IP xx.xx180.200 > xx.xx180.181: ICMP echo request, id 1, seq 358, length 40
    15:00:23.139747 Out IP xx.xx180.181 > xx.xx180.200: ICMP echo reply, id 1, seq 358, length 40
    15:00:24.155887 In IP xx.xx180.200 > xx.xx180.181: ICMP echo request, id 1, seq 359, length 40
    15:00:24.156011 Out IP xx.xx180.181 > xx.xx180.200: ICMP echo reply, id 1, seq 359, length 40

    netops@test-mx-re0> ping 8.8.8.8 source xx.xx.180.181
    PING 8.8.8.8 (8.8.8.8): 56 data bytes
    64 bytes from 8.8.8.8: icmp_seq=0 ttl=116 time=64.006 ms
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=116 time=63.600 ms
    ^C
    --- 8.8.8.8 ping statistics ---
    2 packets transmitted, 2 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 63.600/63.803/64.006/0.203 ms




    ------------------------------
    Nati Danan
    ------------------------------


  • 2.  RE: Can't route traffic using Inline NAT

    Posted 04-26-2022 05:27
    Does the upstream device have a route for NAT pool p1 address xx.xx.180.200/32 that points to xx.xx.180.181?


  • 3.  RE: Can't route traffic using Inline NAT

    Posted 04-26-2022 05:27
    Hi

    This was resolved with a route back on the next-hop router for the NAT address. Now access to the internet works.
    All this time I monitored the xe-2/0/0 outside interface to see packets coming in and not getting back, but for some reason it gives no output.
    Same thing with the ge-0/1/1 inside interface and si-0/1/0.

    Does anyone know how I can monitor the traffic after NAT is performed?

    Thanks

    ------------------------------
    Nati Danan
    ------------------------------
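
The return-route problem that resolved this thread, as an added example that is not part of the original posts: a Python check that finds NAT pools lying outside every directly connected subnet and tests whether an upstream route table sends them back to the router. The config is constructed in the thread's "set" style, with 203.0.113.x standing in for the redacted xx.xx.180.x; the function names and the upstream route dictionaries are assumptions.

```python
import ipaddress
import re

# Constructed config; 203.0.113.x replaces the thread's redacted xx.xx.180.x.
CONFIG = """\
set services nat pool p1 address 203.0.113.200/32
set interfaces ge-0/1/1 unit 0 family inet address 172.30.164.1/24
set interfaces xe-2/0/0 unit 0 family inet address 203.0.113.181/30
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.182
"""

POOL_RE = re.compile(r"^set services nat pool (\S+) address (\S+)$", re.M)
IFACE_RE = re.compile(
    r"^set interfaces (\S+) unit (\d+) family inet address (\S+)$", re.M)


def parse(config):
    """Return (pools, interfaces) parsed from set-style lines."""
    pools = {n: ipaddress.ip_network(a) for n, a in POOL_RE.findall(config)}
    ifaces = {f"{n}.{u}": ipaddress.ip_interface(a)
              for n, u, a in IFACE_RE.findall(config)}
    return pools, ifaces


def pools_needing_return_route(config):
    """Pools not inside any connected subnet: the upstream device has no
    connected route for them and needs an explicit route back to this router."""
    pools, ifaces = parse(config)
    return sorted(name for name, net in pools.items()
                  if not any(net.subnet_of(i.network) for i in ifaces.values()))


def upstream_returns_to(upstream_routes, pool, router_addr):
    """Longest-prefix match of the pool in the upstream's routes
    (prefix -> next hop); True only if the best match is router_addr."""
    pool = ipaddress.ip_network(pool)
    matches = [(ipaddress.ip_network(p), nh)
               for p, nh in upstream_routes.items()
               if pool.subnet_of(ipaddress.ip_network(p))]
    if not matches:
        return False
    _, next_hop = max(matches, key=lambda m: m[0].prefixlen)
    return next_hop == router_addr
```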