
Inline NAT problem on Juniper MX204

‎07-10-2019 12:39 AM

Hello,

By following the Juniper document, I got 1:1 NAT working on the Juniper MX204. Unfortunately, I am facing 2 issues.
1. The traceroute result from the user shows asterisks (*), as in the output below.

Tracing route to google.com [172.217.194.102]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.10.1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9    42 ms    42 ms    42 ms  172.217.194.102

Trace complete.

2. When I tried to change the IP of the NAT pool, the internet did not work at all. The MX does not translate to the newly configured IP pool; reverting back to the old IP pool works. Please advise.

 

Regards,

Seyma
JNCIP-ENT, SEC, SP

Re: Inline NAT problem on Juniper MX204

‎07-10-2019 01:09 AM

Hi Seyma,

 

Traceroute requires a response from the target server and each of the intermediate hops to create its output. If a router doesn't generate a Time-to-live exceeded response, traceroute will not know anything about that hop. A hop that outputs * * * means that the router at that hop doesn't respond to the type of packet you were using for the traceroute (by default it's UDP on Unix-like and ICMP on Windows). However, you get the response from the end point confirming that the connection is successful.

 

Regarding the new IP for the NAT pool, can you share both the configurations and NAT translations so we can understand further?

 

Thanks,
Pradeep
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

 

 


Re: Inline NAT problem on Juniper MX204

‎07-10-2019 02:07 AM

Hi Seyma,

 

Can you share the configuration? Are you doing interface-style NAT or Next-hop style NAT?

What do you see under "show services inline nat pool"?

 

Regards,
Rahul


Re: Inline NAT problem on Juniper MX204

‎07-10-2019 02:10 AM

Hello Pradeep,

 

Thanks for your input. Regarding the problem with the new IP pool, I have fixed it. It's not related to NAT but was a routing issue where one of the IPs inside the pool was blocked on another router.

 

Any advice on a solution for the traceroute output?

 

Regards

Seyma
JNCIP-ENT, SEC, SP

Re: Inline NAT problem on Juniper MX204

‎07-10-2019 02:11 AM

Hello,


@Seyma wrote:


1. The traceroute result from the user shows asterisks (*), as in the output below.

Tracing route to google.com [172.217.194.102]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.10.1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9    42 ms    42 ms    42 ms  172.217.194.102

Trace complete.

 


Translating the public IP address embedded in the ICMP payload back into the private one requires an ICMP ALG.

Otherwise, if a host receives an ICMP DU with a public IP inside the payload, it discards it because this embedded IP does not match any of its interface IPs.

Inline NAT does not support any ALGs at all, so asterisks are expected with JUNOS inline NAT.

HTH

Thx

Alex

_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements

+++++++++++++++++++++++++++++++++++++++++++++

Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !
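
A small model of the behaviour described in the reply above, added here as an illustration and not taken from the thread or from Juniper: an ICMP error quotes the header of the packet that triggered it, so after source NAT the quoted source is the pool address unless an ALG rewrites it. The addresses 192.168.10.50 and 203.0.113.10 are constructed, and `host_accepts` is a simplified stand-in for the host-side check.

```python
import socket
import struct

# Constructed sample addresses (not from the thread, except TARGET).
PRIVATE = "192.168.10.50"   # assumed inside host behind the MX
PUBLIC = "203.0.113.10"     # assumed NAT pool address (documentation range)
TARGET = "172.217.194.102"  # traceroute destination shown in the thread

def ipv4_header(src, dst, ttl, proto=1, ident=0x1234):
    """Minimal 20-byte IPv4 header; checksum left at 0 for this illustration."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, ident, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def icmp_error(icmp_type, code, original_datagram):
    """RFC 792 error: 8-byte ICMP header, then the offending datagram's
    IP header plus its first 8 payload bytes."""
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + original_datagram[:28]

def embedded_src(icmp_msg):
    """Source address of the datagram quoted inside an ICMP error."""
    return socket.inet_ntoa(icmp_msg[20:24])

def alg_rewrite(icmp_msg, private_src):
    """What an ICMP ALG adds on the return path: restore the quoted source."""
    return icmp_msg[:20] + socket.inet_aton(private_src) + icmp_msg[24:]

def host_accepts(icmp_msg, local_addrs):
    """Simplified host check: the quoted datagram must come from a local address."""
    return embedded_src(icmp_msg) in local_addrs

def simulate(alg_enabled):
    """Return True if the host can match hop 2's Time Exceeded to its probe."""
    probe = ipv4_header(PRIVATE, TARGET, ttl=2) + b"\x08\x00" + b"\x00" * 6
    # Outbound source NAT rewrites the probe's source before it reaches hop 2.
    translated = probe[:12] + socket.inet_aton(PUBLIC) + probe[16:]
    # Hop 2 replies with Time Exceeded (type 11, code 0), quoting what it saw.
    reply = icmp_error(11, 0, translated)
    # The outer destination is translated back in both cases (not modelled);
    # only an ALG also rewrites the quoted header inside the ICMP payload.
    if alg_enabled:
        reply = alg_rewrite(reply, PRIVATE)
    return host_accepts(reply, {PRIVATE})

if __name__ == "__main__":
    print("without ALG:", simulate(False))
    print("with ALG:   ", simulate(True))
```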