SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  BGP Nat Problem

    Posted 12-01-2016 05:44

    Hi.

    I have a problem: NAT does not work properly. I'm trying to set up EBGP in a virtual router and use it for internet connections via my PI address, but when I try to reach the internet using NAT I can't reach anything. From the routing instance, however, I can ping everything, and BGP is working fine....

    Juniper Model : srx240h2
    Software Version:12.3X48-D35.7

    Can someone please tell me what I am doing wrong?  


    Thanks!

    Here is my configuration:

    set security nat source pool PI-Inet-Address routing-instance vrflite
    set security nat source pool PI-Inet-Address address 1.1.1.2/32
    set security nat source pool PI-Inet-Address port no-translation
    set security nat source pool PI-Inet-Address address-shared
    set security nat source rule-set lan-to-ISP-BGP from zone lan
    set security nat source rule-set lan-to-ISP-BGP to zone ISP-BGP
    set security nat source rule-set lan-to-ISP-BGP rule bgp-source-nat-rule match source-address 10.27.64.14/32
    set security nat source rule-set lan-to-ISP-BGP rule bgp-source-nat-rule match destination-address 0.0.0.0/0
    set security nat source rule-set lan-to-ISP-BGP rule bgp-source-nat-rule then source-nat pool PI-Inet-Address
    set security policies from-zone ISP-BGP to-zone ISP-BGP policy isp-to-isp match source-address any
    set security policies from-zone ISP-BGP to-zone ISP-BGP policy isp-to-isp match destination-address any
    set security policies from-zone ISP-BGP to-zone ISP-BGP policy isp-to-isp match application any
    set security policies from-zone ISP-BGP to-zone ISP-BGP policy isp-to-isp then permit
    set security policies from-zone ISP-BGP to-zone lan policy ISP-to-lan match source-address any
    set security policies from-zone ISP-BGP to-zone lan policy ISP-to-lan match destination-address any
    set security policies from-zone ISP-BGP to-zone lan policy ISP-to-lan match application any
    set security policies from-zone ISP-BGP to-zone lan policy ISP-to-lan then permit
    set security policies from-zone lan to-zone ISP-BGP policy lan-to-ISP match source-address any
    set security policies from-zone lan to-zone ISP-BGP policy lan-to-ISP match destination-address any
    set security policies from-zone lan to-zone ISP-BGP policy lan-to-ISP match application any
    set security policies from-zone lan to-zone ISP-BGP policy lan-to-ISP then permit
    set security policies from-zone lan to-zone lan policy lan-to-lan match source-address any
    set security policies from-zone lan to-zone lan policy lan-to-lan match destination-address any
    set security policies from-zone lan to-zone lan policy lan-to-lan match application any
    set security policies from-zone lan to-zone lan policy lan-to-lan then permit
    set security zones security-zone lan host-inbound-traffic system-services all
    set security zones security-zone lan host-inbound-traffic protocols all
    set security zones security-zone lan interfaces reth1.0
    set security zones security-zone ISP-BGP host-inbound-traffic system-services ping
    set security zones security-zone ISP-BGP host-inbound-traffic system-services ssh
    set security zones security-zone ISP-BGP host-inbound-traffic system-services ike
    set security zones security-zone ISP-BGP interfaces reth3.0 host-inbound-traffic system-services ping
    set security zones security-zone ISP-BGP interfaces reth3.0 host-inbound-traffic system-services rpm
    set security zones security-zone ISP-BGP interfaces lo0.0 host-inbound-traffic system-services ping
    set security zones security-zone ISP-BGP interfaces lo0.0 host-inbound-traffic system-services rpm

    set interfaces reth1 redundant-ether-options redundancy-group 1
    set interfaces reth1 unit 0 family inet filter input-list GoToISP
    set interfaces reth1 unit 0 family inet address 10.0.1.2/30
    set interfaces reth3 redundant-ether-options redundancy-group 3
    set interfaces reth3 unit 0 family inet address 1.1.1.2/30
    set interfaces lo0 unit 0 family inet address 2.2.2.1/26

    set routing-options interface-routes rib-group inet Global
    set routing-options static rib-group Secondary
    set routing-options rib-groups Global import-rib inet.0
    set routing-options rib-groups Global import-rib vrflite.inet.0
    set routing-options rib-groups Secondary import-rib inet.0
    set routing-options rib-groups Secondary import-rib vrflite.inet.0
    set routing-options rib-groups Secondary import-policy static-input

    set policy-options policy-statement static-input term filter-default-routes from route-filter 0.0.0.0/0 exact
    set policy-options policy-statement static-input term filter-default-routes then reject
    set policy-options policy-statement static-input term filter-static-bgp-routes from route-filter 1.1.1.0/26 exact
    set policy-options policy-statement static-input term filter-static-bgp-routes then reject
    set policy-options policy-statement static-input then accept
    set policy-options policy-statement EBGP-input term allowall then accept
    set policy-options policy-statement EBGP-output term out-networks from route-filter 1.1.1.0/24 exact
    set policy-options policy-statement EBGP-output term out-networks then accept
    set policy-options policy-statement EBGP-output then reject

    set firewall family inet filter GoToISP term 3 from source-address 10.27.64.14/32
    set firewall family inet filter GoToISP term 3 from destination-address 0.0.0.0/0
    set firewall family inet filter GoToISP term 3 from destination-address 172.16.0.0/12 except
    set firewall family inet filter GoToISP term 3 from destination-address 192.168.0.0/16 except
    set firewall family inet filter GoToISP term 3 from destination-address 10.0.0.0/8 except
    set firewall family inet filter GoToISP term 3 then log
    set firewall family inet filter GoToISP term 3 then routing-instance vrflite

    set routing-instances vrflite instance-type virtual-router
    set routing-instances vrflite interface lo0.0
    set routing-instances vrflite interface reth3.0
    set routing-instances vrflite routing-options interface-routes rib-group inet Global
    set routing-instances vrflite routing-options static route 10.27.64.0/24 next-table inet.0
    set routing-instances vrflite routing-options router-id 1.1.1.2
    set routing-instances vrflite protocols bgp local-as 22222
    set routing-instances vrflite protocols bgp group EBGP type external
    set routing-instances vrflite protocols bgp group EBGP multipath
    set routing-instances vrflite protocols bgp group EBGP neighbor 1.1.1.1 import EBGP-input
    set routing-instances vrflite protocols bgp group EBGP neighbor 1.1.1.1 export EBGP-output
    set routing-instances vrflite protocols bgp group EBGP neighbor 1.1.1.1 peer-as 11111
    set routing-instances vrflite protocols bgp group EBGP neighbor 1.1.1.1 local-as 22222

    Also, here is an example of a flow session:
      Session ID: 3253, Policy name: lan-to-ISP/26, State: Active, Timeout: 10, Valid
      In: 10.27.64.14/2927 --> 8.8.8.8/4806;icmp, If: reth1.0, Pkts: 1, Bytes: 84
      Out: 8.8.8.8/4806 --> 1.1.1.2/2927;icmp, If: reth3.0, Pkts: 0, Bytes: 0



  • 2.  RE: BGP Nat Problem
    Best Answer

    Posted 12-01-2016 07:58

    Hello,

    Looks like your return packets are not making it back to your SRX. I see you are trying to advertise 1.1.1.0/24 out:


    set policy-options policy-statement EBGP-output term out-networks from route-filter 1.1.1.0/24 exact

    Question: do you have this exact route in the table vrflite.inet.0?


    Please post the printouts:


    show route table vrflite extensive | no-more
    show route advertising-protocol bgp 1.1.1.1 extensive | no-more

    HTH

    Thx
    Alex
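    As an added illustration (not part of this thread or Juniper's code), the following Python models how a Junos export policy's route-filter terms select routes from a RIB, then checks whether the source-NAT pool address is covered by anything actually advertised. The vrflite.inet.0 contents are reconstructed from the posted config and are an assumption.

```python
# Added example: model Junos route-filter matching for an export policy and
# check that the source-NAT pool address is covered by an advertised prefix.
import ipaddress

def route_filter_matches(route, prefix, match_type):
    """Junos route-filter semantics for the three common match types."""
    r, p = ipaddress.ip_network(route), ipaddress.ip_network(prefix)
    if match_type == "exact":
        return r == p
    if match_type == "orlonger":
        return r.subnet_of(p)
    if match_type == "longer":
        return r.subnet_of(p) and r.prefixlen > p.prefixlen
    raise ValueError(f"unsupported match type: {match_type}")

def advertised_routes(rib, export_policy):
    """Return RIB entries an export policy accepts (terms, then a final reject)."""
    out = []
    for route in rib:
        for prefix, match_type, action in export_policy:
            if route_filter_matches(route, prefix, match_type):
                if action == "accept":
                    out.append(route)
                break  # first matching term decides, as in Junos
    return out

def pool_is_reachable(pool_addr, advertised):
    """True if the NAT pool address falls inside some advertised prefix."""
    addr = ipaddress.ip_address(pool_addr)
    return any(addr in ipaddress.ip_network(p) for p in advertised)

# Constructed (assumed) vrflite.inet.0 from the posted config: reth3.0 and lo0.0
# interface routes, the static next-table route, and the leaked reth1.0 route.
VRFLITE_RIB_BEFORE = ["1.1.1.0/30", "2.2.2.0/26", "10.27.64.0/24", "10.0.1.0/30"]
EBGP_OUTPUT = [("1.1.1.0/24", "exact", "accept")]   # from policy EBGP-output
NAT_POOL = "1.1.1.2"                                # pool PI-Inet-Address

def diagnose(rib):
    """Return (advertised prefixes, whether the NAT pool is reachable)."""
    adv = advertised_routes(rib, EBGP_OUTPUT)
    return adv, pool_is_reachable(NAT_POOL, adv)

if __name__ == "__main__":
    print(diagnose(VRFLITE_RIB_BEFORE))                  # ([], False)
    print(diagnose(VRFLITE_RIB_BEFORE + ["1.1.1.0/24"]))  # (['1.1.1.0/24'], True)
```

    With the 1.1.1.0/30 interface route alone, the `exact` term matches nothing, so the ISP never learns a route back to 1.1.1.2; once a 1.1.1.0/24 route exists in vrflite.inet.0 the policy advertises it and return traffic has a path.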



  • 3.  RE: BGP Nat Problem

    Posted 12-01-2016 13:40

    Yep, you are right. When I added the route it seems to be working fine! I'm glad that you helped me, thanks!


    I'll mark my problem as solved.