Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  M20 /JunOS 6.4/NAT problem! Please Help!

    Posted 05-22-2008 06:51

    I have read about NAT services in the Junos 6.4 documentation, but I have tried for three days and still can't work out a workable config for the M20 router.

    I think I can get help from you guys here. Please help me! Thank you very much!!

    Here is the config in brief. PS: I am still a little uncertain about the services interface sp-fpc/pic/*, what it really means. I think I was a little "ciscoer".

    ~~~~~~~~~~~~~~~~~~~~~~~~~~

    interfaces {
        fe-0/0/1 {
            description inside;
            unit 0 {
                family inet {
                    service {
                        input {
                            service-set NAT;
                        }
                        output {
                            service-set NAT;
                        }
                    }
                    address 192.168.0.2/24;
                }
            }          
        }
        ge-1/0/0 {
            description outside;
            unit 0 {
                family inet {
                    filter {
                        input Sample;
                    }
                    address **.&&&.107.222/30;
                }
            }
        }
        sp-1/0/0 {
            unit 0 {
                family inet {
                    address 192.168.0.1/32 {
                        destination 192.168.0.50;
                    }
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 127.0.0.1/32;
                    address **.&&&.107.29/32;
                }
            }
        }
    }
    forwarding-options {
        sampling {
            input {
                family inet {
                    rate 20000;
                    run-length 2;
                }
            }
            output {
                cflowd 192.168.0.3 {
                    port 2055;
                    version 5;
                }
                interface sp-1/0/0 {
                    engine-id 1;
                    engine-type 136;
                    source-address 192.168.0.1;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop **.&&&.107.221;
        }
        autonomous-system 64857;
        forwarding-table {
            export load-balance;
        }
    }
    firewall {
        filter Sample {
            term Sample {
                then {
                    count Sample;
                    sample;
                    accept;
                }
            }
        }
    }
    services {
        stateful-firewall {
            rule 1 {
                match-direction input;
                term 1 {
                    from {
                        application-sets App;
                    }
                    then {
                        accept;
                    }
                }
                term accept {
                    then {
                        accept;
                    }
                }
            }
            rule 2 {
                match-direction output;
                term local {
                    from {
                        source-address {
                            192.168.0.1/32;
                        }
                    }
                    then {
                        accept;
                    }
                }
            }
        }
        nat {
            pool abc { 
                address **.&&&.107.30/32;
                port automatic;
            }
            rule 1 {
                match-direction input;
                term 1 {
                    then {
                        translated {
                            source-pool abc;
                            translation-type source dynamic;
                        }
                    }
                }
            }
        }
        service-set NAT {
            ##
            ## invalid path element 'ipsec-vpn-rule-sets'
            ##
            stateful-firewall-rules 1;
            stateful-firewall-rules 2;
            ##
            ## invalid path element 'ipsec-vpn-rule-sets'
            ##
            nat-rules 1;
            interface-service {
                service-interface sp-1/0/0;
            }
        }
    }
    applications {
        application ICMP {
            application-protocol icmp;
        }
        application FTP {
            application-protocol ftp;
            destination-port ftp;
        }
        application-set App {
            application FTP;
            application ICMP;
        }
    }




  • 2.  RE: M20 /JunOS 6.4/NAT problem! Please Help!
    Best Answer

    Posted 05-24-2008 23:48

    First off, 6.4 is quite an old version of JUNOS and has been end-of-support for a while now. But from what I can see from your configs, it looks like you are trying to perform interface-style NAT on the ingress interface before being sent to the egress interface. Normally I see interface-style NAT applied to the egress interface. Try applying your service filter to ge-1/0/0 and reverse your match-directions. So NAT rule 1 should be match-direction output, and stateful firewall rules 1 and 2 should be output and input respectively. Also remove the address configuration on the sp interface, as this is not needed for interface-style NAT (keep family inet).

     

    One more thing. Do you have an AS-PIC installed in your M20? You will need some sort of services PIC installed in order to perform NAT. Based on your configs you have a GE PIC in PIC slot 1/0/0. But your SP interface is also showing 1/0/0. Assuming you have some sort of services PIC, confirm the correct PIC slot as well and configure your SP interface accordingly.

     

    -Richard
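
The changes suggested in the reply above, written out against the posted configuration. This is an added example, not part of either post: it shows the three affected interface stanzas in full and, under services, only the match-direction statements that change (terms, pool and service-set stay as posted). Addresses are redacted exactly as in the original post.

```junos
interfaces {
    fe-0/0/1 {
        unit 0 {
            family inet {
                /* inside interface: the service stanza is no longer applied here */
                address 192.168.0.2/24;
            }
        }
    }
    ge-1/0/0 {
        unit 0 {
            family inet {
                filter {
                    input Sample;
                }
                /* outside (egress) interface: service-set NAT is applied here instead */
                service {
                    input {
                        service-set NAT;
                    }
                    output {
                        service-set NAT;
                    }
                }
                address **.&&&.107.222/30;
            }
        }
    }
    /* slot as posted; it has to match the FPC/PIC where the services PIC actually sits */
    sp-1/0/0 {
        unit 0 {
            family inet;
        }
    }
}
services {
    stateful-firewall {
        rule 1 {
            match-direction output;
        }
        rule 2 {
            match-direction input;
        }
    }
    nat {
        rule 1 {
            match-direction output;
        }
    }
}
```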

     

     



  • 3.  RE: M20 /JunOS 6.4/NAT problem! Please Help!

    Posted 05-25-2008 08:32

    Thank you Richard, it's so kind of you to reply.

    I did know that the M20 on Junos 6.4 is very old indeed.

    And what I have tried to do is only a simple PAT service, just as simple as you did with a router worth 10 bucks.

    But I failed, and I researched the internet, and I got the result you had told me:

           It's not workable without an AS-PIC.

    I did get a good education from this experiment; it made me get to know the config of Junos (so "C style" and so "difico").

    But thanks dude, you are my teacher too.