Hi
I'm trying to set up a lab with inline NAT on my MX router so that a directly connected server can access the internet via the outside link.
So far the NAT config looks good, as I could monitor the traffic going via si-0/1/0 and NAT being done, and the server can ping the local IP (xx.xx.180.182) but not the next hop (xx.xx.180.182) or the internet. Can anyone shed some light here, please?

set system default-address-selection
set chassis fpc 0 pic 1 inline-services bandwidth 1g
set services service-set SVCSET-NAT nat-rules SNAT-RULE
set services service-set SVCSET-NAT interface-service service-interface si-0/1/0.0
set services nat pool p1 address xx.xx.180.200/32
set services nat rule SNAT-RULE match-direction input
set services nat rule SNAT-RULE term r1 from source-address 172.30.164.100/32
set services nat rule SNAT-RULE term r1 then translated source-pool p1
set services nat rule SNAT-RULE term r1 then translated translation-type basic-nat44
set interfaces si-0/1/0 unit 0 family inet
set interfaces ge-0/1/1 description "** INSIDE test server **"
set interfaces ge-0/1/1 unit 0 family inet no-redirects
set interfaces ge-0/1/1 unit 0 family inet service input service-set SVCSET-NAT
set interfaces ge-0/1/1 unit 0 family inet service output service-set SVCSET-NAT
set interfaces ge-0/1/1 unit 0 family inet address 172.30.164.1/24
set interfaces xe-2/0/0 description "** OUTSIDE to internet **"
set interfaces xe-2/0/0 unit 0 bandwidth 10g
set interfaces xe-2/0/0 unit 0 family inet no-redirects
set interfaces xe-2/0/0 unit 0 family inet address xx.xx.180.181/30
set interfaces lo0 unit 0 family inet address 172.30.164.250/32
set routing-options static route 0.0.0.0/0 next-hop xx.xx.180.182

netops@test-mx-re0> show services inline nat pool
Interface: si-0/1/0, Service set: SVCSET-NAT
NAT pool: p1, Translation type: BASIC NAT44
Address range: xx.xx.180.200-xx.xx.180.200
NATed packets: 3648, deNATed packets: 50, Errors: 0, Skipped packets: 0

netops@test-mx-re0> show route terse

inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

A V Destination        P Prf   Metric 1   Metric 2  Next hop        AS path
* ? 0.0.0.0/0          S   5                        >xx.xx.180.182
* ? xx.xx.180.180/30   D   0                        >xe-2/0/0.0
* ? xx.xx.180.181/32   L   0                        Local
* ? xx.xx.180.200/32   S   1                        Service
* ? 10.20.20.0/24      D   0                        >fxp0.0
* ? 10.20.20.200/32    L   0                        Local
* ? 10.20.16.0/24      S   5                        >10.20.20.1
* ? 172.30.164.0/24    D   0                        >ge-0/1/1.0
* ? 172.30.164.1/32    L   0                        Local
* ? 172.30.164.250/32  D   0                        >lo0.0

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

A V Destination        P Prf   Metric 1   Metric 2  Next hop        AS path
* ? ff02::2/128        I   0                        MultiRecv

netops@test-mx-re0> show route table inet.0

inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 05:19:35
                    > to xx.xx.180.182 via xe-2/0/0.0
xx.xx.180.180/30   *[Direct/0] 05:19:35
                    > via xe-2/0/0.0
xx.xx.180.181/32   *[Local/0] 05:19:35
                      Local via xe-2/0/0.0
xx.xx.180.200/32   *[Static/1] 03:09:50
                      Service to SVCSET-NAT
10.20.20.0/24      *[Direct/0] 05:22:10
                    > via fxp0.0
10.20.20.200/32    *[Local/0] 05:22:10
                      Local via fxp0.0
10.20.16.0/24      *[Static/5] 05:22:07
                    > to 10.20.20.1 via fxp0.0
172.30.164.0/24    *[Direct/0] 03:38:29
                    > via ge-0/1/1.0
172.30.164.1/32    *[Local/0] 03:38:29
                      Local via ge-0/1/1.0
172.30.164.250/32  *[Direct/0] 00:47:13
                    > via lo0.0

netops@test-mx-re0> ping xx.xx.180.181
PING xx.xx.180.181 (xx.xx.180.181): 56 data bytes
64 bytes from xx.xx.180.181: icmp_seq=0 ttl=64 time=0.170 ms
64 bytes from xx.xx.180.181: icmp_seq=1 ttl=64 time=0.081 ms
^C
--- xx.xx.180.181 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.081/0.126/0.170/0.045 ms

netops@test-mx-re0> ping xx.xx.180.182
PING xx.xx.180.182 (xx.xx.180.182): 56 data bytes
^C
--- xx.xx.180.182 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

netops@test-mx-re0> ping xx.xx.180.182 bypass-routing
PING xx.xx.180.182 (xx.xx.180.182): 56 data bytes
64 bytes from xx.xx.180.182: icmp_seq=0 ttl=255 time=1.263 ms
64 bytes from xx.xx.180.182: icmp_seq=1 ttl=255 time=1.851 ms
^C
--- xx.xx.180.182 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.263/1.557/1.851/0.294 ms

netops@test-mx-re0> monitor traffic no-resolve interface si-0/1/0
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is OFF.
Listening on si-0/1/0, capture size 96 bytes

15:00:22.131738  In IP xx.xx.180.200 > xx.xx.180.181: ICMP echo request, id 1, seq 357, length 40
15:00:22.131859 Out IP xx.xx.180.181 > xx.xx.180.200: ICMP echo reply, id 1, seq 357, length 40
15:00:23.139625  In IP xx.xx.180.200 > xx.xx.180.181: ICMP echo request, id 1, seq 358, length 40
15:00:23.139747 Out IP xx.xx.180.181 > xx.xx.180.200: ICMP echo reply, id 1, seq 358, length 40
15:00:24.155887  In IP xx.xx.180.200 > xx.xx.180.181: ICMP echo request, id 1, seq 359, length 40
15:00:24.156011 Out IP xx.xx.180.181 > xx.xx.180.200: ICMP echo reply, id 1, seq 359, length 40

netops@test-mx-re0> ping 8.8.8.8 source xx.xx.180.181
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=116 time=64.006 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=116 time=63.600 ms
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 63.600/63.803/64.006/0.203 ms
------------------------------
Nati Danan
------------------------------