Contributor
GustavO
Posts: 73
Registered: 04-29-2009
Accepted Solution

Source NAT on J-Series with JUNOS 9.5

So after tearing my hair out all day reading examples about NAT, I've finally come up with a configuration I think should work, but it doesn't fully work... Being pretty new to JUNOS, the mess with NAT, JUNOS, JUNOS-ES, pre-9.5 or 9.5 really makes you gasp for breath.

I want to NAT all traffic from 192.168.4.0/24 (in zone trust on interface ge-0/0/3.0) to all other hosts (in zone untrust on interface ge-0/0/2.0), except for traffic to the same zone/interface with destination 192.168.0.0/16.

My configuration looks like this:

gustav@dev-j2320# show security
nat {
    source {
        rule-set service-net-nat {
            from interface ge-0/0/3.0;
            to interface ge-0/0/2.0;
            rule nat-defeat {
                match {
                    source-address 192.168.4.0/24;
                    destination-address 192.168.0.0/16;
                }
                then {
                    source-nat off;
                }
            }
            rule service-net-nat {
                match {
                    source-address 192.168.4.0/24;
                }
                then {
                    source-nat interface;
                }
            }
        }
    }
}
zones {
    security-zone trust {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            ge-0/0/3.0;
        }
    }
    security-zone untrust {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            ge-0/0/2.0;
        }
    }
}
policies {
    from-zone trust to-zone untrust {
        policy default-permit {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone untrust to-zone trust {
        policy default-permit {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
}


I can see that ALL traffic gets translated, even to the 192.168.0.0/16 subnet; the rule nat-defeat gets zero hits, and so on. How is this possible? What am I missing?

All help kindly appreciated!
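As an added illustration (not from the thread and not Junos code), the following Python models first-match evaluation of the posted rule-set: the two rules and the sample flows are constructed from the configuration above. It also shows that with the two rules in the opposite order, nat-defeat would get zero hits, which is the first thing to check when that symptom appears.

```python
"""Model of Junos source-NAT rule-set evaluation (constructed example).

Rules in a rule-set are evaluated top-down and the first match wins, so an
exemption rule ("source-nat off") must come before the catch-all
interface-NAT rule. This is not Junos code; it re-creates the poster's two
rules in Python so the ordering effect can be checked offline.
"""
from ipaddress import ip_address, ip_network

# The poster's rule-set, in the order shown in the thread.
RULES = [
    # (rule name, source match, destination match or None, action)
    ("nat-defeat", "192.168.4.0/24", "192.168.0.0/16", "off"),
    ("service-net-nat", "192.168.4.0/24", None, "interface"),
]


def first_match(rules, src, dst):
    """Return (rule name, action) of the first rule matching src->dst, or None."""
    s, d = ip_address(src), ip_address(dst)
    for name, src_net, dst_net, action in rules:
        if s not in ip_network(src_net):
            continue
        if dst_net is not None and d not in ip_network(dst_net):
            continue
        return name, action
    return None


def evaluate(rules, flows):
    """Walk sample flows; return per-rule hit counts and per-flow decisions."""
    hits = {name: 0 for name, *_ in rules}
    decisions = {}
    for src, dst in flows:
        match = first_match(rules, src, dst)
        if match is None:
            decisions[(src, dst)] = "no-rule"
            continue
        name, action = match
        hits[name] += 1
        decisions[(src, dst)] = "translated" if action == "interface" else "untranslated"
    return hits, decisions


# Constructed sample flows: one to the exempt /16, one to a documentation address.
FLOWS = [("192.168.4.10", "192.168.1.5"), ("192.168.4.10", "203.0.113.5")]

if __name__ == "__main__":
    for order, rules in (("as posted", RULES), ("reversed", RULES[::-1])):
        print(order, *evaluate(rules, FLOWS))
```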

Contributor
GustavO
Posts: 73
Registered: 04-29-2009

Re: Source NAT on J-Series with JUNOS 9.5

A good night's sleep made me come up with the idea of maybe rebooting the router to see what happens, so I did that first thing in the morning. And much to my dismay, I don't know whether to laugh or cry, it now works with the exact same configuration as below. Lesson learnt, I suppose...