Junos

NAT configuration in M7i

‎05-08-2010 09:22 PM

Hi all,

How can I find the error in the NAT configuration if the result is something like this?

admin# run show services stateful-firewall flows
Interface: sp-1/2/0, Service set: NAT
Flow                                                State    Dir       Frm count
ICMP        172.16.0.2       -> 119.110.105.33       Watch    O              12
    NAT source      172.16.0.2         ->  119.110.105.33
ICMP    119.110.105.33       -> 119.110.105.33       Watch    I               0
    NAT dest    119.110.105.33         ->      172.16.0.2
admin# run show services stateful-firewall statistics
Interface   Service set          Accept      Discard       Reject       Errors
sp-1/2/0    NAT                     147          0            0            0
[edit]
admin# run show services stateful-firewall statistics
Interface   Service set          Accept      Discard       Reject       Errors
sp-1/2/0    NAT                     148          0            0            0
[edit]
admin#

Re: NAT configuration in M7i

‎05-08-2010 11:45 PM

Hello there,

Is 119.110.105.33 a part of Your public NAT prefix?

If yes then You get such flows if You have source NAT configured and someone from inside sends a packet towards Your NAT prefix. If there are no valid reasons why someone from inside would have to communicate with Your public NAT range, then You could exclude Your public NAT prefix from allowable destinations in Your SFW policy. Example below:

set services stateful-firewall rule default match-direction outbound
set services stateful-firewall rule default term 1 from destination-address 0/0
set services stateful-firewall rule default term 1 from destination-address <your public NAT prefix> except
set services stateful-firewall rule default term 1 then accept

Regards

Alex

_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements

+++++++++++++++++++++++++++++++++++++++++++++

Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !
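As an added example (not from this thread, and not Juniper's own tooling), a small Python script that scans a flows listing shaped like the one in the question, flags every flow whose destination falls inside the public NAT prefix (the inside-to-NAT-prefix case Alex describes), and builds the exclusion term from the reply. The prefix 119.110.105.32/27, the rule and term names, and the extra TCP flow in the sample are assumptions; the sample text is constructed, not captured from a router.

```python
import ipaddress
import re

# Constructed sample modelled on "show services stateful-firewall flows" output
# from the question, plus one ordinary outbound TCP flow (assumed, for contrast).
SAMPLE_FLOWS = """\
Interface: sp-1/2/0, Service set: NAT
Flow                                                State    Dir       Frm count
ICMP        172.16.0.2       -> 119.110.105.33       Watch    O              12
    NAT source      172.16.0.2         ->  119.110.105.33
ICMP    119.110.105.33       -> 119.110.105.33       Watch    I               0
    NAT dest    119.110.105.33         ->      172.16.0.2
TCP         172.16.0.7:40112 -> 198.51.100.9:443     Watch    O              31
    NAT source      172.16.0.7:40112   ->  119.110.105.33:1024
"""

# Matches only the flow summary lines; "NAT source"/"NAT dest" lines are indented
# and the column header has no "->", so both are skipped.
FLOW_RE = re.compile(
    r"^(?P<proto>[A-Z]+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+"
    r"(?P<state>\S+)\s+(?P<dir>[IO])\s+(?P<count>\d+)\s*$"
)


def strip_port(addr):
    """Drop a ':port' suffix so the address can be parsed."""
    return addr.split(":")[0]


def find_hairpin_flows(text, nat_prefix):
    """Return (direction, src, dst) for flows addressed to the public NAT prefix."""
    prefix = ipaddress.ip_network(nat_prefix)
    hits = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        dst = ipaddress.ip_address(strip_port(m["dst"]))
        if dst in prefix:
            hits.append((m["dir"], strip_port(m["src"]), str(dst)))
    return hits


def exclusion_config(rule, term, nat_prefix):
    """Emit the set commands from the reply with the NAT prefix filled in."""
    base = f"set services stateful-firewall rule {rule}"
    return [
        f"{base} match-direction outbound",
        f"{base} term {term} from destination-address 0/0",
        f"{base} term {term} from destination-address {nat_prefix} except",
        f"{base} term {term} then accept",
    ]
```

Running `find_hairpin_flows(SAMPLE_FLOWS, "119.110.105.32/27")` reports the two ICMP flows and ignores the TCP flow to 198.51.100.9, which is the pattern that confirms the reply's diagnosis rather than a NAT error.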