Visitor
jamesf
Posts: 2
Registered: 03-20-2009

Basic NAT question

Hello,  I have been trying for some days to configure a J4350 running JUNOS-ES 9.4R1.8 to perform basic NAT.

I have a range of external addresses.  Each external address needs to be mapped to an internal address.  I am using ge-0/0/0.0 as the external interface, and ge-0/0/3.0 as the internal interface.

For setup purposes, the external network is 192.168.1.0/24 and the internal network is 192.168.2.0/24.

The example NAT I am trying to set up should map 192.168.1.202 to 192.168.2.10.

I have tried many, many different approaches, using the documentation and examples from the internet with no success.  While I'm not a routing expert, I'm frankly quite surprised that a basic feature is so hard to set up, and that the documentation doesn't address what is surely a common request more directly.

Anyway, what I currently have is:

interfaces {
    ge-0/0/0 {
        description WAN0;
        mtu 1500;
        gigether-options {
            auto-negotiation remote-fault local-interface-online;
        }
        unit 0 {
            family inet {
                address 192.168.1.201/24;
            }
        }
    }
    ge-0/0/2 {
        description LAN1;
        unit 0 {
            family inet;
        }
    }
    ge-0/0/3 {
        description LAN0;
        unit 0 {
            family inet {
                address 192.168.2.1/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 127.0.0.1/32;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 192.168.1.1;
    }
}
security {
    nat {
        destination-nat dst-nat-test address 192.168.2.10;
        interface ge-0/0/0.0 {
            proxy-arp {
                address {
                    192.168.1.202;
                }
            }
        }
        interface ge-0/0/3.0 {
            source-nat {
                pool src-nat-test {
                    address {
                        192.168.2.10;
                    }
                }
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                fragment;
                large;
                flood;
                ping-death;
            }
            ip {
                tear-drop;
            }
            tcp {
                port-scan;
                syn-flood;
                land;
                winnuke;
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address test-int 192.168.2.10/32;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/3.0;
            }
        }
        security-zone untrust {
            address-book {
                address test-ext 192.168.1.202/32;
            }
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy nat-test {
                match {
                    source-address test-int;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        source-nat {
                            pool src-nat-test;
                        }
                    }
                }
            }
        }
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone untrust {
            policy nat-test {
                match {
                    source-address any;
                    destination-address test-ext;
                    application any;
                }
                then {
                    permit {
                        destination-nat {
                            dst-nat-test;
                        }
                    }
                }
            }
        }
        default-policy {
            deny-all;
        }
    }
    flow {
        traceoptions {
            file test.log size 1m;
            flag basic-datapath;
        }
    }
}

What am I doing wrong?

Visitor
jamesf
Posts: 2
Registered: 03-20-2009

Re: Basic NAT question

I should also mention that I've tried static-nat, with the following configuration:

interfaces {
    ge-0/0/0 {
        description WAN0;
        mtu 1500;
        gigether-options {
            auto-negotiation remote-fault local-interface-online;
        }
        unit 0 {
            family inet {
                address 192.168.1.201/24;
            }
        }
    }
    ge-0/0/2 {
        description LAN1;
        unit 0 {
            family inet;
        }
    }
    ge-0/0/3 {
        description LAN0;
        unit 0 {
            family inet {
                address 192.168.2.1/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 127.0.0.1/32;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 192.168.1.1;
    }
}
security {
    nat {
        interface ge-0/0/0.0 {
            allow-incoming;
            static-nat 192.168.1.202/32 host 192.168.2.10/32;
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                fragment;
                large;
                flood;
                ping-death;
            }
            ip {
                tear-drop;
            }
            tcp {
                port-scan;
                syn-flood;
                land;
                winnuke;
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address test-int 192.168.2.10/32;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/3.0;
            }
        }
        security-zone untrust {
            address-book {
                address test-ext 192.168.1.202/32;
            }
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy test-out {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        from-zone untrust to-zone junos-global {
            policy test-in {
                match {
                    source-address any;
                    destination-address static_nat_192.168.1.202_32;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        default-policy {
            permit-all;
        }
    }
    flow {
        traceoptions {
            file test.log size 1m;
            flag basic-datapath;
            packet-filter fl1 {
                source-prefix 192.168.2.10/32;
            }
        }
    }
}

The amount of time invested in attempting to get a very basic configuration to work correctly is getting rather silly.  As it looks now we shall probably have to hire a consultant, due to the appallingly poor quality of the Juniper documentation (the above configuration was pretty much lifted verbatim from the documentation, however does not actually work).

If it comes to this, for such a basic problem, I can assure you that my company will never again consider any product or service produced by your company.

Message Edited by jamesf on 03-20-2009 12:02 PM

Distinguished Expert
rkim
Posts: 755
Registered: 11-06-2007

Re: Basic NAT question

Your static NAT configs look fine to me. I saw that you enabled flow traceoptions. What did the flow trace output show? Also you may want to add another filter for traffic destined for your static NAT address.

Also you may find this application note useful.

http://kb.juniper.net/kb/documents/public/junos_es/JUNOS_ES_VPN_with_Overlapping_Subnets.pdf

The app note is regarding a scenario with VPNs and overlapping subnets at both ends. But the static NAT configuration should be usable for you.

-Richard
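As an added illustration (my own code, not Juniper's and not from either post), the script below parses the brace-style configuration jamesf posted into a tree, re-indents it the way "show configuration" would, and runs three sanity checks on each static-nat rule: the external address sits inside the NAT interface's subnet, the internal host sits on another directly connected subnet, and, following Richard's suggestion, the flow traceoptions packet-filters include a destination-prefix for the NAT address so the inbound leg is traced as well as the outbound one. The sample configuration is the second post's static-NAT config trimmed to the stanzas the checks read; the parser, the check logic and the finding texts are my assumptions about what a reviewer would want flagged, not anything the posts or Junos provide.

```python
import ipaddress
import re

# Constructed sample: the static-NAT configuration from the post above, trimmed to the
# stanzas the checks below read (interfaces, security nat, security flow traceoptions).
SAMPLE_CONFIG = """
interfaces {
    ge-0/0/0 { description WAN0; unit 0 { family inet { address 192.168.1.201/24; } } }
    ge-0/0/2 { description LAN1; unit 0 { family inet; } }
    ge-0/0/3 { description LAN0; unit 0 { family inet { address 192.168.2.1/24; } } }
    lo0 { unit 0 { family inet { address 127.0.0.1/32; } } }
}
security {
    nat { interface ge-0/0/0.0 { allow-incoming; static-nat 192.168.1.202/32 host 192.168.2.10/32; } }
    flow { traceoptions { file test.log size 1m; flag basic-datapath;
                          packet-filter fl1 { source-prefix 192.168.2.10/32; } } }
}
"""


def parse_junos(text):
    """Parse brace-style Junos config into nested dicts: leaf -> None, block -> dict."""
    tokens = re.findall(r"\{|\}|;|[^\s{};]+", text)
    pos = 0

    def block():
        nonlocal pos
        node, words = {}, []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == "{":          # start of a child block
                node[" ".join(words)] = block()
                words = []
            elif tok == ";":        # end of a leaf statement
                node[" ".join(words)] = None
                words = []
            elif tok == "}":        # end of this block
                return node
            else:
                words.append(tok)
        return node

    return block()


def render(node, depth=0):
    """Re-indent a parsed tree the way 'show configuration' displays it."""
    pad, lines = "    " * depth, []
    for key, child in node.items():
        if child is None:
            lines.append(f"{pad}{key};")
        else:
            lines += [f"{pad}{key} {{", render(child, depth + 1), f"{pad}}}"]
    return "\n".join(lines)


def interface_subnets(cfg):
    """Map each logical interface ('ge-0/0/0.0') to its configured IPv4 subnet."""
    subnets = {}
    for ifd, ifd_cfg in (cfg.get("interfaces") or {}).items():
        for unit, unit_cfg in (ifd_cfg or {}).items():
            if unit.startswith("unit "):
                for stmt in (unit_cfg or {}).get("family inet") or {}:
                    if stmt.startswith("address "):
                        ifl = f"{ifd}.{unit.split()[1]}"
                        subnets[ifl] = ipaddress.ip_interface(stmt.split()[1]).network
    return subnets


def static_nat_mappings(cfg):
    """Return (interface, external address, internal host) for each static-nat rule."""
    mappings = []
    for key, body in ((cfg.get("security") or {}).get("nat") or {}).items():
        if key.startswith("interface "):
            for stmt in body or {}:
                parts = stmt.split()
                if parts[0] == "static-nat" and "host" in parts:
                    ext = ipaddress.ip_interface(parts[1]).ip
                    host = ipaddress.ip_interface(parts[parts.index("host") + 1]).ip
                    mappings.append((key.split()[1], ext, host))
    return mappings


def trace_filter_prefixes(cfg):
    """Collect (direction, network) pairs from security flow traceoptions packet-filters."""
    trace = ((cfg.get("security") or {}).get("flow") or {}).get("traceoptions") or {}
    found = []
    for key, body in trace.items():
        if key.startswith("packet-filter "):
            for stmt in body or {}:
                parts = stmt.split()
                if parts[0] in ("source-prefix", "destination-prefix"):
                    found.append((parts[0], ipaddress.ip_network(parts[1])))
    return found


def check_static_nat(cfg):
    """Return a list of findings; an empty list means the basic sanity checks pass."""
    findings, subnets, prefixes = [], interface_subnets(cfg), trace_filter_prefixes(cfg)
    for ifl, ext, host in static_nat_mappings(cfg):
        ext_net = subnets.get(ifl)
        if ext_net is None or ext not in ext_net:
            findings.append(f"{ifl}: static-nat address {ext} is not within the interface subnet {ext_net}")
        if not any(host in net for i, net in subnets.items() if i != ifl):
            findings.append(f"{ifl}: host {host} is not on any other directly connected subnet")
        # Richard's point: a source-prefix filter alone only traces the outbound leg.
        if prefixes and not any(d == "destination-prefix" and ext in net for d, net in prefixes):
            findings.append(f"flow trace filters never match packets sent to {ext}; add a "
                            f"packet-filter with destination-prefix {ext}/32 to see the inbound leg")
    return findings


if __name__ == "__main__":
    cfg = parse_junos(SAMPLE_CONFIG)
    print(render(cfg))
    for finding in check_static_nat(cfg):
        print("finding:", finding)
```

Run against the sample, the address checks pass and the only finding is the missing destination-prefix trace filter. Because the parser ignores whitespace, the one-line configs pasted into the thread can be fed to it as-is, and render() gives back the indented form for reading.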

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.