Routing


Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.
  • 1.  Can't route traffic using Inline NAT

    Posted 04-25-2022 13:40
    Hi

    I'm trying to set up a lab with inline NAT on my MX router so a directly connected server can access the internet via the outside link.
    So far the NAT config looks good, as I could monitor the traffic going via si-0/1/0 and NAT being done, and the server can ping the local IP (xx.xx.180.182) but not the next hop (xx.xx.180.182) or the internet. Can anyone shed some light here, please?


    set system default-address-selection
    set chassis fpc 0 pic 1 inline-services bandwidth 1g
    set services service-set SVCSET-NAT nat-rules SNAT-RULE
    set services service-set SVCSET-NAT interface-service service-interface si-0/1/0.0
    set services nat pool p1 address xx.xx.180.200/32
    set services nat rule SNAT-RULE match-direction input
    set services nat rule SNAT-RULE term r1 from source-address 172.30.164.100/32
    set services nat rule SNAT-RULE term r1 then translated source-pool p1
    set services nat rule SNAT-RULE term r1 then translated translation-type basic-nat44
    set interfaces si-0/1/0 unit 0 family inet
    set interfaces ge-0/1/1 description "** INSIDE  test server **"
    set interfaces ge-0/1/1 unit 0 family inet no-redirects
    set interfaces ge-0/1/1 unit 0 family inet service input service-set SVCSET-NAT
    set interfaces ge-0/1/1 unit 0 family inet service output service-set SVCSET-NAT
    set interfaces ge-0/1/1 unit 0 family inet address 172.30.164.1/24
    set interfaces xe-2/0/0 description "** OUTSIDE to internet **"
    set interfaces xe-2/0/0 unit 0 bandwidth 10g
    set interfaces xe-2/0/0 unit 0 family inet no-redirects
    set interfaces xe-2/0/0 unit 0 family inet address xx.xx.180.181/30
    set interfaces lo0 unit 0 family inet address 172.30.164.250/32
    set routing-options static route 0.0.0.0/0 next-hop xx.xx.180.182


    netops@test-mx-re0> show services inline nat pool
    Interface: si-0/1/0, Service set: SVCSET-NAT
    NAT pool: p1, Translation type: BASIC NAT44
    Address range: xx.xx.180.200-xx.xx.180.200
    NATed packets: 3648, deNATed packets: 50, Errors: 0, Skipped packets: 0
    netops@test-mx-re0> show route terse
    inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    A V Destination P Prf Metric 1 Metric 2 Next hop AS path
    * ? 0.0.0.0/0 S 5 >xx.xx.180.182
    * ? xx.xx.180.180/30 D 0 >xe-2/0/0.0
    * ? xx.xx.180.181/32 L 0 Local
    * ? xx.xx.180.200/32 S 1 Service
    * ? 10.20.20.0/24 D 0 >fxp0.0
    * ? 10.20.20.200/32 L 0 Local
    * ? 10.20.16.0/24 S 5 >10.20.20.1
    * ? 172.30.164.0/24 D 0 >ge-0/1/1.0
    * ? 172.30.164.1/32 L 0 Local
    * ? 172.30.164.250/32 D 0 >lo0.0
    inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    A V Destination P Prf Metric 1 Metric 2 Next hop AS path
    * ? ff02::2/128 I 0 MultiRecv
    netops@test-mx-re0> show route table inet.0
    inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    0.0.0.0/0 *[Static/5] 05:19:35
    > to xx.xx.180.182 via xe-2/0/0.0
    xx.xx.180.180/30 *[Direct/0] 05:19:35 > via xe-2/0/0.0
    xx.xx.180.181/32 *[Local/0] 05:19:35 Local via xe-2/0/0.0
    xx.xx.180.200/32 *[Static/1] 03:09:50 Service to SVCSET-NAT
    10.20.20.0/24 *[Direct/0] 05:22:10 > via fxp0.0
    10.20.20.200/32 *[Local/0] 05:22:10 Local via fxp0.0
    10.20.16.0/24 *[Static/5] 05:22:07 > to 10.20.20.1 via fxp0.0
    172.30.164.0/24 *[Direct/0] 03:38:29 > via ge-0/1/1.0
    172.30.164.1/32 *[Local/0] 03:38:29 Local via ge-0/1/1.0
    172.30.164.250/32 *[Direct/0] 00:47:13 > via lo0.0
    netops@test-mx-re0> ping xx.xx.180.181
    PING xx.xx.180.181 (xx.xx.180.181): 56 data bytes
    64 bytes from xx.xx.180.181: icmp_seq=0 ttl=64 time=0.170 ms
    64 bytes from xx.xx.180.181: icmp_seq=1 ttl=64 time=0.081 ms
    ^C
    --- xx.xx.180.181 ping statistics ---
    2 packets transmitted, 2 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 0.081/0.126/0.170/0.045 ms
    netops@test-mx-re0> ping xx.xx.180.182
    PING xx.xx.180.182 (xx.xx.180.182): 56 data bytes
    ^C
    --- xx.xx.180.182 ping statistics ---
    3 packets transmitted, 0 packets received, 100% packet loss
    netops@test-mx-re0> ping xx.xx.180.182 bypass-routing
    PING xx.xx.180.182 (xx.xx.180.182): 56 data bytes
    64 bytes from xx.xx.180.182: icmp_seq=0 ttl=255 time=1.263 ms
    64 bytes from xx.xx.180.182: icmp_seq=1 ttl=255 time=1.851 ms
    ^C
    --- xx.xx.180.182 ping statistics ---
    2 packets transmitted, 2 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 1.263/1.557/1.851/0.294 ms

    netops@test-mx-re0> monitor traffic no-resolve interface si-0/1/0
    verbose output suppressed, use <detail> or <extensive> for full protocol decode
    Address resolution is OFF.
    Listening on si-0/1/0, capture size 96 bytes

    15:00:22.131738 In IP xx.xx180.200 > xx.xx180.181: ICMP echo request, id 1, seq 357, length 40
    15:00:22.131859 Out IP xx.xx180.181 > xx.xx180.200: ICMP echo reply, id 1, seq 357, length 40
    15:00:23.139625 In IP xx.xx180.200 > xx.xx180.181: ICMP echo request, id 1, seq 358, length 40
    15:00:23.139747 Out IP xx.xx180.181 > xx.xx180.200: ICMP echo reply, id 1, seq 358, length 40
    15:00:24.155887 In IP xx.xx180.200 > xx.xx180.181: ICMP echo request, id 1, seq 359, length 40
    15:00:24.156011 Out IP xx.xx180.181 > xx.xx180.200: ICMP echo reply, id 1, seq 359, length 40

    netops@test-mx-re0> ping 8.8.8.8 source xx.xx.180.181
    PING 8.8.8.8 (8.8.8.8): 56 data bytes
    64 bytes from 8.8.8.8: icmp_seq=0 ttl=116 time=64.006 ms
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=116 time=63.600 ms
    ^C
    --- 8.8.8.8 ping statistics ---
    2 packets transmitted, 2 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 63.600/63.803/64.006/0.203 ms




    ------------------------------
    Nati Danan
    ------------------------------


  • 2.  RE: Can't route traffic using Inline NAT

    Posted 04-26-2022 05:27
    Does the upstream device have a route for NAT pool p1 address xx.xx.180.200/32 that points to xx.xx.180.181?


  • 3.  RE: Can't route traffic using Inline NAT

    Posted 04-26-2022 05:27
    Hi

    This was resolved with a route back on the next-hop router for the NAT address. Now access to the internet works.
    All this time I monitored the xe-2/0/0 outside interface to see packets coming in and not getting back, but for some reason it gives no output.
    Same thing with the ge-0/1/1 inside interface and si-0/1/0.

    Does anyone know how I can monitor the traffic after NAT is performed?

    Thanks

    ------------------------------
    Nati Danan
    ------------------------------
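
The return-path check that resolved this thread, as an added example that is not part of the original posts: it reads Junos `set` lines, finds the outside interface from the default route's next hop, and reports whether each NAT pool address falls outside that connected subnet and so needs a route on the upstream router. The sample config is constructed, with 203.0.113.x documentation addresses standing in for the redacted xx.xx.180.x values; the function name is hypothetical.

```python
import ipaddress
import re

# Constructed sample: same shape as the posted config, with documentation
# addresses (203.0.113.0/24) standing in for the redacted xx.xx.180.x values.
SAMPLE_CONFIG = """\
set services nat pool p1 address 203.0.113.200/32
set interfaces ge-0/1/1 unit 0 family inet address 172.30.164.1/24
set interfaces xe-2/0/0 unit 0 family inet address 203.0.113.181/30
set interfaces lo0 unit 0 family inet address 172.30.164.250/32
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.182
"""

POOL_RE = re.compile(r"^set services nat pool (\S+) address (\S+)$")
IFACE_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+)$")
DEFAULT_RE = re.compile(r"^set routing-options static route 0\.0\.0\.0/0 next-hop (\S+)$")


def return_route_report(config):
    """For each NAT pool, say whether the upstream hop needs a static route back."""
    pools, connected, next_hop = {}, {}, None
    for line in config.splitlines():
        line = line.strip()
        if m := POOL_RE.match(line):
            pools[m.group(1)] = ipaddress.ip_network(m.group(2), strict=False)
        elif m := IFACE_RE.match(line):
            connected[f"{m.group(1)}.{m.group(2)}"] = ipaddress.ip_interface(m.group(3))
        elif m := DEFAULT_RE.match(line):
            next_hop = ipaddress.ip_address(m.group(1))
    # The egress interface is the one whose subnet contains the default next hop.
    egress = next((i for i in connected.values()
                   if next_hop and next_hop in i.network), None)
    report = {}
    for name, pool in pools.items():
        if egress is None:
            report[name] = "no egress interface found for the default route"
        elif pool.subnet_of(egress.network):
            # Upstream will ARP for the address instead of routing to it.
            report[name] = "on-link: no upstream route, router must answer ARP for it"
        else:
            # Pool sits outside the connected subnet: replies need a route back.
            report[name] = f"upstream needs: route {pool} next-hop {egress.ip}"
    return report


if __name__ == "__main__":
    for pool, verdict in return_route_report(SAMPLE_CONFIG).items():
        print(pool, "->", verdict)
```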