Junos OS




  • 1.  M20 /JunOS 6.4/NAT problem! Please Help!

    Posted 05-22-2008 06:51

    I have read about NAT services in the Junos 6.4 documentation, but I have tried for three days and still can't work out a workable conf for the M20 router.

    I think I can get help from you guys here. Please help me! Thank you very much!!

    Here is the config in brief. PS: I am still a little uncertain about the services interface sp-fpc/pic/*, what it really means. I think I am a little "ciscoer".

    ~~~~~~~~~~~~~~~~~~~~~~~~~~

    interfaces {
        fe-0/0/1 {
            description inside;
            unit 0 {
                family inet {
                    service {
                        input {
                            service-set NAT;
                        }
                        output {
                            service-set NAT;
                        }
                    }
                    address 192.168.0.2/24;
                }
            }          
        }
        ge-1/0/0 {
            description outside;
            unit 0 {
                family inet {
                    filter {
                        input Sample;
                    }
                    address **.&&&.107.222/30;
                }
            }
        }
        sp-1/0/0 {
            unit 0 {
                family inet {
                    address 192.168.0.1/32 {
                        destination 192.168.0.50;
                    }
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 127.0.0.1/32;
                    address **.&&&.107.29/32;
                }
            }
        }
    }
    forwarding-options {
        sampling {
            input {
                family inet {
                    rate 20000;
                    run-length 2;
                }
            }
            output {
                cflowd 192.168.0.3 {
                    port 2055;
                    version 5;
                }
                interface sp-1/0/0 {
                    engine-id 1;
                    engine-type 136;
                    source-address 192.168.0.1;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop **.&&&.107.221;
        }
        autonomous-system 64857;
        forwarding-table {
            export load-balance;
        }
    }
    firewall {
        filter Sample {
            term Sample {
                then {
                    count Sample;
                    sample;
                    accept;
                }
            }
        }
    }
    services {
        stateful-firewall {
            rule 1 {
                match-direction input;
                term 1 {
                    from {
                        application-sets App;
                    }
                    then {
                        accept;
                    }
                }
                term accept {
                    then {
                        accept;
                    }
                }
            }
            rule 2 {
                match-direction output;
                term local {
                    from {
                        source-address {
                            192.168.0.1/32;
                        }
                    }
                    then {
                        accept;
                    }
                }
            }
        }
        nat {
            pool abc { 
                address **.&&&.107.30/32;
                port automatic;
            }
            rule 1 {
                match-direction input;
                term 1 {
                    then {
                        translated {
                            source-pool abc;
                            translation-type source dynamic;
                        }
                    }
                }
            }
        }
        service-set NAT {
            ##
            ## invalid path element 'ipsec-vpn-rule-sets'
            ##
            stateful-firewall-rules 1;
            stateful-firewall-rules 2;
            ##
            ## invalid path element 'ipsec-vpn-rule-sets'
            ##
            nat-rules 1;
            interface-service {
                service-interface sp-1/0/0;
            }
        }
    }
    applications {
        application ICMP {
            application-protocol icmp;
        }
        application FTP {
            application-protocol ftp;
            destination-port ftp;
        }
        application-set App {
            application FTP;
            application ICMP;
        }
    }




  • 2.  RE: M20 /JunOS 6.4/NAT problem! Please Help!
    Best Answer

    Posted 05-24-2008 23:48

    First off, 6.4 is quite an old version of JUNOS and has been end-of-support for a while now. But from what I can see from your configs it looks like you are trying to perform interface-style NAT on the ingress interface before being sent to the egress interface. Normally I see interface-style NAT applied to the egress interface. Try applying your service filter to ge-1/0/0 and reverse your match-directions. So NAT rule 1 should be match-direction output, and stateful firewall rules 1 and 2 should be output and input respectively. Also remove the address configuration on the sp interface as this is not needed for interface-style NAT (keep family inet).

     

    One more thing. Do you have an AS-PIC installed in your M20? You will need some sort of services PIC installed in order to perform NAT. Based on your configs you have a GE PIC in PIC slot 1/0/0. But your SP interface is also showing 1/0/0. Assuming you have some sort of services PIC, confirm the correct PIC slot as well and configure your SP interface accordingly.

     

    -Richard
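
The changes suggested in the reply above, written as configuration-mode commands against the configuration in the first post. This is an added example, not part of the original thread; it assumes a services PIC is actually installed and keeps the sp-1/0/0 name from the post, which has to be replaced with the real FPC/PIC slot.

```junos
# Operational mode first: confirm a services PIC (e.g. AS-PIC) is installed
# and note its slot. sp-1/0/0 below is the name used in the original post.
#   show chassis hardware

# Move the service set from the inside interface to the outside (egress) one.
delete interfaces fe-0/0/1 unit 0 family inet service
set interfaces ge-1/0/0 unit 0 family inet service input service-set NAT
set interfaces ge-1/0/0 unit 0 family inet service output service-set NAT

# Reverse the match directions: traffic leaving ge-1/0/0 is now "output".
set services nat rule 1 match-direction output
set services stateful-firewall rule 1 match-direction output
set services stateful-firewall rule 2 match-direction input

# Interface-style NAT needs only "family inet" on the sp unit, no address.
delete interfaces sp-1/0/0 unit 0 family inet address 192.168.0.1/32

# Validate before activating.
commit check
```

The existing `service-set NAT` stanza (its rule references and `interface-service service-interface`) stays as posted; only the interface it is attached to and the rule directions change.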

     

     



  • 3.  RE: M20 /JunOS 6.4/NAT problem! Please Help!

    Posted 05-25-2008 08:32

    Thank you Richard, it's so kind of you to reply.

    I knew that the M20 with Junos 6.4 is very old indeed.

    And what I have tried to do is only a simple PAT service, just as simple as what you would do with a router worth 10 bucks.

    But I failed, and I researched the internet, and I got the same result as you had told me:

           It's not workable without an AS-PIC.

    I did get a good education from this experiment; it made me get to know the config of Junos (so "C style" and so "difico").

    But thanks dude, you are my teacher too.