another thread gives the config to setup mpls in packet-based mode. http://forums.juniper.net/t5/SRX-Services-Gateway/SRX-Branch-Series-MPLS-Query/m-p/40680 security { forwarding-options { family { mpls { mode packet-based; } } } }

Yes, you're right. We've alreadey done so and we have mpls working .

Meanwhile we configured static nat as follows: 

 

nat {                                                                           
    static {                                                                    
        rule-set rs1 {                                                          
            from interface fe-0/0/0.0;                                          
            rule r1 {                                                           
                match {                                                         
                    destination-address 10.0.1.250/32;                          
                }                                                               
                then {                                                          
                    static-nat prefix 192.168.1.2/32;                           
                }                                                               
            }                                                                   
        }                                                                       
    }                                                                           
    proxy-arp {                                                                 
        interface fe-0/0/0.0 {                                                  
            address {                                                           
                10.0.1.250/32;                                                  
            }                                                                   
        }                                                                       
    }   

That doesn't work. We assume that it requires configuration of some inter-zonal security policies. But since we have mpls packet-based option enabled, junos is unable to commit configuration with both packet mode and security policies in it.  So the question is of ability to use NAT in statelss (packet-based) mode/ 

 

I am thinking you are right, and NAT requires flow mode. To be sure, I'd raise a case w/ JTAC to ask the question.

Thanks for note. The solution noted is quite interesting, but is not applicable to our case. It seems that with selective packet based forwarding applied only interface-based source NAT works. Other type of NATs  - not (I tested this on lab with different configs). 

 

Take a look at  http://www.juniper.net/us/en/local/pdf/app-notes/3500151-en.pdf . It has an accurate flow diagram on page 2. NAT is part of flowd. It's interesting that interface-based source NAT would still work. I wonder where in the flow selective packet-based processing fits, or what it is about interface-based source NAT that makes it work.

 

 

I haven't tried this, but see whether the old packet-based "services nat" still works on SRX. http://www.juniper.net/techpubs/en_US/junos10.2/topics/usage-guidelines/services-configuring-nat-rul... has a writeup on it. This is what you'd use on M-Series and T-Series to do NAT (provided you have an AS-PIC), and it's how "packet-based" J-Series did NAT.

 

 

Well, I guess i might have some misconfiguration. I realised  that upon answers of juniper employees on tech-cafe event and reading app-notes. I'm going to have some more tests on lab equipment to see if your advices about selective packet-based mode are appliable.  

Hi,

 

Do you have update for this case?

 

Thanks,

Well, yes, kind of.  The task is little bit challenging. We are using selective packet services (see the link by Visitor above). And both NAT and mpls are working. Since we've just reached to that we're going to have some more tests to see if there are any drawbacks of this. =)