05-22-2008 06:50 AM
I have read about NAT services in the JUNOS 6.4 documentation, but I have tried for three days and still can't work out a workable config for the M20 router.
I think I can get help from you guys here. Please help me! Thank you very much!!
Here is the config in brief. I am still a little uncertain about the services interface sp-fpc/pic/* and what it really means; I think I am a bit of a "Ciscoer".
~~~~~~~~~~~~~~~~~~~~~~~~~~
interfaces {
    fe-0/0/1 {
        description inside;
        unit 0 {
            family inet {
                service {
                    input {
                        service-set NAT;
                    }
                    output {
                        service-set NAT;
                    }
                }
                address 192.168.0.2/24;
            }
        }
    }
    ge-1/0/0 {
        description outside;
        unit 0 {
            family inet {
                filter {
                    input Sample;
                }
                address **.&&&.107.222/30;
            }
        }
    }
    sp-1/0/0 {
        unit 0 {
            family inet {
                address 192.168.0.1/32 {
                    destination 192.168.0.50;
                }
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 127.0.0.1/32;
                address **.&&&.107.29/32;
            }
        }
    }
}
forwarding-options {
    sampling {
        input {
            family inet {
                rate 20000;
                run-length 2;
            }
        }
        output {
            cflowd 192.168.0.3 {
                port 2055;
                version 5;
            }
            interface sp-1/0/0 {
                engine-id 1;
                engine-type 136;
                source-address 192.168.0.1;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop **.&&&.107.221;
    }
    autonomous-system 64857;
    forwarding-table {
        export load-balance;
    }
}
firewall {
    filter Sample {
        term Sample {
            then {
                count Sample;
                sample;
                accept;
            }
        }
    }
}
services {
    stateful-firewall {
        rule 1 {
            match-direction input;
            term 1 {
                from {
                    application-sets App;
                }
                then {
                    accept;
                }
            }
            term accept {
                then {
                    accept;
                }
            }
        }
        rule 2 {
            match-direction output;
            term local {
                from {
                    source-address {
                        192.168.0.1/32;
                    }
                }
                then {
                    accept;
                }
            }
        }
    }
    nat {
        pool abc {
            address **.&&&.107.30/32;
            port automatic;
        }
        rule 1 {
            match-direction input;
            term 1 {
                then {
                    translated {
                        source-pool abc;
                        translation-type source dynamic;
                    }
                }
            }
        }
    }
    service-set NAT {
        ##
        ## invalid path element 'ipsec-vpn-rule-sets'
        ##
        stateful-firewall-rules 1;
        stateful-firewall-rules 2;
        ##
        ## invalid path element 'ipsec-vpn-rule-sets'
        ##
        nat-rules 1;
        interface-service {
            service-interface sp-1/0/0;
        }
    }
}
applications {
    application ICMP {
        application-protocol icmp;
    }
    application FTP {
        application-protocol ftp;
        destination-port ftp;
    }
    application-set App {
        application FTP;
        application ICMP;
    }
}
05-24-2008 11:48 PM
First off, 6.4 is quite an old version of JUNOS and has been end-of-support for a while now. But from what I can see from your configs, it looks like you are trying to perform interface-style NAT on the ingress interface before traffic is sent to the egress interface. Normally I see interface-style NAT applied to the egress interface. Try applying your service filter to ge-1/0/0 and reverse your match-directions. So NAT rule 1 should be match-direction output, and stateful firewall rules 1 and 2 should be output and input respectively. Also remove the address configuration on the sp interface, as this is not needed for interface-style NAT (keep family inet).
One more thing: do you have an AS-PIC installed in your M20? You will need some sort of services PIC installed in order to perform NAT. Based on your configs you have a GE PIC in PIC slot 1/0/0, but your SP interface is also showing 1/0/0. Assuming you have some sort of services PIC, confirm the correct PIC slot as well and configure your SP interface accordingly.
-Richard
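The following is an added example of what the original poster's services configuration would look like with Richard's three changes applied (service-set moved to the egress interface ge-1/0/0, match-directions reversed, address removed from the sp interface). It is not Richard's config or Juniper's own documentation. Assumptions: the services PIC is assumed to sit in slot 1/1/0 (the post only establishes it cannot share 1/0/0 with the GE PIC), the inside network is taken to be 192.168.0.0/24 from the fe-0/0/1 address, and the redacted public addresses are kept as in the post. The explicit discard terms are this example's addition: the original "term accept" accepted everything, and once the service set sits on the outside interface an inbound rule that accepts unmatched traffic would expose the inside network, so inbound traffic that does not belong to an existing flow is dropped.

```junos
interfaces {
    fe-0/0/1 {
        description inside;
        unit 0 {
            family inet {
                /* the service statement is no longer applied here */
                address 192.168.0.2/24;
            }
        }
    }
    ge-1/0/0 {
        description outside;
        unit 0 {
            family inet {
                service {
                    input {
                        service-set NAT;
                    }
                    output {
                        service-set NAT;
                    }
                }
                address **.&&&.107.222/30;
            }
        }
    }
    /* Assumed slot 1/1/0: the services PIC cannot be in 1/0/0 with the GE PIC. */
    sp-1/1/0 {
        unit 0 {
            family inet;
        }
    }
}
services {
    stateful-firewall {
        /* output = inside to outside on ge-1/0/0 */
        rule fw-out {
            match-direction output;
            term allow-inside {
                from {
                    source-address {
                        192.168.0.0/24;
                    }
                }
                then {
                    accept;
                }
            }
            term deny-rest {
                then {
                    discard;
                }
            }
        }
        /* input = outside to inside on ge-1/0/0; return packets of
           flows opened outbound are matched by the flow table before
           this rule is evaluated, so only unsolicited traffic hits it */
        rule fw-in {
            match-direction input;
            term deny-unsolicited {
                then {
                    discard;
                }
            }
        }
    }
    nat {
        pool abc {
            address **.&&&.107.30/32;
            port automatic;
        }
        rule nat-out {
            match-direction output;
            term inside-hosts {
                from {
                    source-address {
                        192.168.0.0/24;
                    }
                }
                then {
                    translated {
                        source-pool abc;
                        translation-type source dynamic;
                    }
                }
            }
        }
    }
    service-set NAT {
        stateful-firewall-rules [ fw-out fw-in ];
        nat-rules nat-out;
        interface-service {
            service-interface sp-1/1/0;
        }
    }
}
```

If the sp interface does move to another slot, the cflowd output interface under forwarding-options sampling must reference the same sp interface, otherwise the sampling configuration will point at a PIC that is not there. The ##-annotated "invalid path element" lines in the original post are commit-check output, not statements to keep, and are left out of this example.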
05-25-2008 08:32 AM
Thank you Richard, it's so kind of you to reply.
I knew that the M20 on JUNOS 6.4 is very old indeed.
What I have tried to do is only a simple PAT service, as simple as you could do with a router worth 10 bucks.
But I failed, and I researched the internet and got the same result as you told me:
it's not workable without an AS-PIC.
I did get a good education from this experiment; it made me learn the config of JUNOS (so "C style" and so "difficult").
But thanks dude, you are my teacher too.