Routing

  • 1.  Source NAT on J-Series with JUNOS 9.5

    Posted 07-16-2009 14:27

    So after tearing my hair out all day over reading examples about NAT I've finally come up with a configuration I think should work but doesn't fully... Being pretty new to JUNOS, the mess with NAT, JUNOS, JUNOS-ES, pre-9.5 or 9.5 really makes you gasp for breath.

     

    I want to NAT all traffic from 192.168.4.0/24 (in zone trust on interface ge-0/0/3.0) to all other hosts (in zone untrust on interface ge-0/0/2.0) BUT traffic to the same zone/interface but with destination 192.168.0.0/16.

     

    My configuration looks like this:

    gustav@dev-j2320# show security
    nat {
        source {
            rule-set service-net-nat {
                from interface ge-0/0/3.0;
                to interface ge-0/0/2.0;
                rule nat-defeat {
                    match {
                        source-address 192.168.4.0/24;
                        destination-address 192.168.0.0/16;
                    }
                    then {
                        source-nat off;
                    }
                }
                rule service-net-nat {
                    match {
                        source-address 192.168.4.0/24;
                    }
                    then {
                        source-nat interface;
                    }
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/3.0;
            }
        }
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/2.0;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }

     

    I can see that ALL traffic gets translated, even to the 192.168.0.0/16 subnet, the rule nat-defeat gets zero hits and so on. How is this possible? What am I missing?

     

    All help kindly appreciated! 


    #J-Series
    #2320
    #9.5
    #NAT
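The configuration above depends on source NAT rule-sets being evaluated first-match, top to bottom: the specific `source-nat off` rule has to sit above the catch-all interface-NAT rule, or the exemption is never reached. The script below is an added example, not code from the original thread or from Juniper; it parses the poster's NAT stanza (embedded verbatim as a constant) with a minimal brace parser, then simulates the first-match lookup for a few constructed flows, including what happens if the two rules are swapped. The first-match semantics, the treatment of a missing `destination-address` as "any", and the interface-pair check are assumptions that mirror how the platform's documentation describes rule-set evaluation.

```python
"""Added example (not the thread's own code): simulate Junos source NAT
rule-set evaluation against the rule-set posted in the thread."""
from collections import namedtuple
import ipaddress
import re

Rule = namedtuple("Rule", "name src dst action")
RuleSet = namedtuple("RuleSet", "name from_if to_if rules")

# The NAT stanza from the post, embedded so the script runs offline.
NAT_CONFIG = """
nat {
    source {
        rule-set service-net-nat {
            from interface ge-0/0/3.0;
            to interface ge-0/0/2.0;
            rule nat-defeat {
                match {
                    source-address 192.168.4.0/24;
                    destination-address 192.168.0.0/16;
                }
                then {
                    source-nat off;
                }
            }
            rule service-net-nat {
                match {
                    source-address 192.168.4.0/24;
                }
                then {
                    source-nat interface;
                }
            }
        }
    }
}
"""


def parse_block(tokens, i=0):
    """Turn Junos brace syntax into nested (words, children) entries.
    A leaf statement 'a b;' becomes ((a, b), None); a block becomes
    ((words...), [entries])."""
    entries, words = [], []
    while i < len(tokens):
        tok = tokens[i]
        if tok == "{":
            children, i = parse_block(tokens, i + 1)
            entries.append((tuple(words), children))
            words = []
        elif tok == "}":
            return entries, i + 1
        elif tok == ";":
            entries.append((tuple(words), None))
            words, i = [], i + 1
        else:
            words.append(tok)
            i += 1
    return entries, i


def child(entries, *prefix):
    """Return the first (words, children) entry whose words start with prefix."""
    for words, kids in entries:
        if words[:len(prefix)] == prefix:
            return words, kids
    raise KeyError(" ".join(prefix))


def load_rule_set(text):
    """Extract the single source NAT rule-set from a 'nat { source { ... } }' stanza."""
    entries, _ = parse_block(re.findall(r"[{};]|[^\s{};]+", text))
    rs_words, rs = child(child(child(entries, "nat")[1], "source")[1], "rule-set")
    rules = []
    for words, kids in rs:          # rules keep their configured order
        if words[0] != "rule":
            continue
        match, then = child(kids, "match")[1], child(kids, "then")[1]
        src = [ipaddress.ip_network(w[1]) for w, _ in match if w[0] == "source-address"]
        dst = [ipaddress.ip_network(w[1]) for w, _ in match if w[0] == "destination-address"]
        rules.append(Rule(words[1], src, dst, child(then, "source-nat")[0][1]))
    return RuleSet(rs_words[1], child(rs, "from", "interface")[0][2],
                   child(rs, "to", "interface")[0][2], rules)


def lookup(rule_set, in_if, out_if, src_ip, dst_ip):
    """First-match lookup. Returns (rule name, action), or None when the flow
    does not traverse this rule-set's interface pair or matches no rule.
    An omitted source/destination list is treated as 'any' (assumption)."""
    if (in_if, out_if) != (rule_set.from_if, rule_set.to_if):
        return None
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rule_set.rules:
        if (not r.src or any(s in n for n in r.src)) and \
           (not r.dst or any(d in n for n in r.dst)):
            return r.name, r.action
    return None


def with_rules_reversed(rule_set):
    """Same rule-set with the rule order swapped, to show why order matters."""
    return rule_set._replace(rules=list(reversed(rule_set.rules)))


if __name__ == "__main__":
    rs = load_rule_set(NAT_CONFIG)
    flows = [("192.168.4.10", "192.168.1.5"),      # constructed: internal, should stay untranslated
             ("192.168.4.10", "203.0.113.7")]      # constructed: external, should be interface-NATed
    for order, cfg in (("configured", rs), ("swapped", with_rules_reversed(rs))):
        for src, dst in flows:
            print(order, src, "->", dst, lookup(cfg, "ge-0/0/3.0", "ge-0/0/2.0", src, dst))
```

With the rules in the posted order the 192.168.1.5 flow hits `nat-defeat` (`off`) and the 203.0.113.7 flow hits `service-net-nat` (`interface`); with the order swapped, every 192.168.4.0/24 flow hits the catch-all and `nat-defeat` shows zero hits, which is the symptom the post describes and the first thing to rule out when an exemption rule never matches.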


  • 2.  RE: Source NAT on J-Series with JUNOS 9.5
    Best Answer

    Posted 07-17-2009 01:10
    A good night's sleep made me come up with the idea of maybe rebooting the router to see what happens, so I did that first thing in the morning. And much to my dismay, I don't know whether to laugh or cry, it now works with the exact same configuration as below. Lesson learnt, I suppose...