Routing

NAT ALG Problem on MX960

[ Edited ]
3 weeks ago

Dear all,

MX960 version 18.4R3.3

I have a problem with NATing traffic from the local network.
When a client has a fake IP address, PPTP and SIP do not work.

 

I have created applications and applied them in the service NAT, but without success.

show configuration applications 
application VPN_GRE {
    protocol gre;
}
application VPN_IPIP {
    protocol ipip;
}
application-set ALG {
    application junos-pptp;
    application junos-ipsec-esp;
    application VPN_GRE;
    application VPN_IPIP;
}
rule NAT {
    match-direction input;
    term ALG {
        from {
            source-prefix-list {
                FAKE_IPS;
            }
            applications [ junos-pptp junos-ipsec-esp ];
            application-sets ALG;
        }
        then {
            translated {
                source-pool MainPools;
                translation-type {
                    napt-44;
                }
            }
        }
    }
    term EIM {
        from {
            source-prefix-list {
                FAKE_IPS;
            }
        }
        then {
            translated {
                source-pool MainPools;
                translation-type {
                    napt-44;
                }
                mapping-type endpoint-independent;
                filtering-type {
                    endpoint-independent;
                }
                address-pooling paired;
            }
        }
    }
}

Please help me with the problem.

 

Thanks,

 


Re: NAT ALG Problem on MX960

3 weeks ago

Hello There!

 

Hoping you are doing great. I'd like to know if you see a pinhole opened by PPTP in the output of the following command:

 

>show services stateful-firewall conversations source-prefix X.X.X.X

 

In the realm of PPTP, TCP/1723 is a simple control channel whose sole purpose is to bring up a Microsoft-specific secondary GRE (IP/47) tunnel. This GRE tunnel contains encapsulated PPP frames and is used for negotiating authentication and encryption, and for passing the actual data.

 

The negotiation is as follows: a three-way handshake, followed by the PPTP Start-Control-Connection-Request and Reply, then the Outgoing Call Request and Reply. Following the last reply from the PPTP public server, it should send a GRE-encapsulated PPP LCP request to the private client. It is here that the gate/pinhole needs to be opened by the NAT engine, so we open a pinhole for the GRE session to be initiated from the public side towards the private side.

 

If no pinhole is opened, we should debug the MS-MPC / MS-MIC in order to detect why the ALG flow is not opening the respective session/flow.

 

Troubleshooting ALGs can start by simply looking at the flow/session table and grabbing the output of “show services alg statistics application-protocol …”

 

Look at the output of the command “show services alg statistics application-protocol sip” to help troubleshoot ALG issues.

After issuing this command, you should see whether your ALG is reporting decoding errors.

 

Please check and let me know your findings.


Regards,

Allan Quiros 
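The negotiation Allan describes, as an added example that is not part of the thread or of Juniper's ALG implementation: a small Python model of the control-channel tracking a PPTP ALG has to perform on TCP/1723 before it can open the GRE (IP/47) pinhole from the public server back to the private client. Message layouts follow RFC 2637; the addresses, call IDs and the four messages built in demo() are constructed for the example, and a real ALG additionally handles call-clear messages, timeouts and the NAT translation of the client address.

```python
"""Model of the PPTP control-channel tracking an ALG does before opening the GRE pinhole."""
import struct

PPTP_MAGIC = 0x1A2B3C4D
SCCRQ, SCCRP, OCRQ, OCRP = 1, 2, 7, 8   # RFC 2637 control message types
GRE_PROTO = 47


def parse_control_message(data):
    """Return (ctrl_type, body) for one PPTP control message, validating the header."""
    if len(data) < 12:
        raise ValueError("short PPTP header")
    length, msg_type, magic, ctrl_type, _ = struct.unpack("!HHIHH", data[:12])
    if magic != PPTP_MAGIC or msg_type != 1 or length != len(data):
        raise ValueError("not a valid PPTP control message")
    return ctrl_type, data[12:]


class PptpAlg:
    """Tracks one control connection (client <-> server on TCP/1723) and opens a
    GRE pinhole only after the Outgoing-Call-Reply reports the call as connected."""

    def __init__(self, client_ip, server_ip):
        self.client_ip, self.server_ip = client_ip, server_ip
        self.state = "IDLE"
        self.client_call_id = None
        self.pinholes = []

    def feed(self, direction, data):
        """direction is 'c2s' or 's2c'; returns the new tracker state."""
        ctrl_type, body = parse_control_message(data)
        if ctrl_type == SCCRQ and direction == "c2s" and self.state == "IDLE":
            self.state = "SCCRQ_SENT"
        elif ctrl_type == SCCRP and direction == "s2c" and self.state == "SCCRQ_SENT":
            self.state = "CONTROL_UP"
        elif ctrl_type == OCRQ and direction == "c2s" and self.state == "CONTROL_UP":
            self.client_call_id = struct.unpack("!H", body[:2])[0]
            self.state = "CALL_REQUESTED"
        elif ctrl_type == OCRP and direction == "s2c" and self.state == "CALL_REQUESTED":
            server_call_id, peer_call_id, result = struct.unpack("!HHB", body[:5])
            if result == 1 and peer_call_id == self.client_call_id:   # 1 = Connected
                # GRE packets towards the client carry the client's call ID in the GRE key,
                # so that is the flow the NAT engine must admit from the public side.
                self.pinholes.append({"proto": GRE_PROTO, "src": self.server_ip,
                                      "dst": self.client_ip, "key": self.client_call_id})
                self.state = "CALL_UP"
            else:
                self.state = "CONTROL_UP"
        # Anything else is out of sequence for this simple model and opens nothing.
        return self.state


def build(ctrl_type, body=b""):
    """Construct a PPTP control message with a correct header (constructed test data)."""
    return struct.pack("!HHIHH", 12 + len(body), 1, PPTP_MAGIC, ctrl_type, 0) + body


def demo():
    """Run the four-message exchange from Allan's description through the tracker."""
    alg = PptpAlg("10.0.3.36", "198.51.100.10")          # constructed addresses
    alg.feed("c2s", build(SCCRQ, b"\x00" * 144))          # 156-byte SCCRQ, fields zeroed
    alg.feed("s2c", build(SCCRP, b"\x00" * 144))
    alg.feed("c2s", build(OCRQ, struct.pack("!HH", 0x1234, 1) + b"\x00" * 152))
    alg.feed("s2c", build(OCRP, struct.pack("!HHBBHI", 0x0042, 0x1234, 1, 0, 0, 0) + b"\x00" * 8))
    return alg


if __name__ == "__main__":
    tracker = demo()
    print(tracker.state, tracker.pinholes)
```

The point of the model is the ordering: no GRE flow is admitted until the control channel has actually reached Outgoing-Call-Reply with a matching call ID, which is exactly the session the "show services stateful-firewall conversations" output should show as a pinhole; if the control messages never reach the ALG, or arrive out of sequence, nothing is opened and the GRE tunnel from the server is dropped.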


Re: NAT ALG Problem on MX960

3 weeks ago

Hello,

 


ppetro@mail.lviv.ua wrote:

 

I have a problem with NATing traffic from the local network
When a client has a fake IP address PPTP and SIP does not work.

 

You forgot "address-pooling paired"/APP in rule NAT term ALG.

The default is symmetric NAT, so without APP, the applications that use >1 flow are bound to fail.

HTH

Thx

Alex

_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements

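Alex's point, that every NAT term matching a multi-flow (ALG) application needs address-pooling paired, can be checked mechanically. The following Python lint is an added example, not code from the thread or from Juniper: it parses "show configuration"-style brace output into a tree, expands applications and application-sets per term, and reports terms that match a multi-flow application without address-pooling paired under then/translated. The sample rule is reconstructed from the original post (term EIM omitted), and the list of multi-flow applications is an assumption to extend for your platform.

```python
"""Lint Junos service NAT rules: terms matching multi-flow (ALG) applications
must carry 'address-pooling paired', or the secondary flow comes from a
different public address than the control flow and the application fails."""
import re

# Constructed list: the two applications from the thread plus junos-ftp,
# another predefined Junos application whose data channel is a second flow.
MULTI_FLOW_APPS = {"junos-pptp", "junos-sip", "junos-ftp"}

# Reconstructed from the original post (term EIM omitted).
ORIGINAL_CONFIG = """
application-set ALG {
    application junos-pptp;
    application junos-ipsec-esp;
}
rule NAT {
    term ALG {
        from {
            applications [ junos-pptp junos-ipsec-esp ];
            application-sets ALG;
        }
        then {
            translated {
                source-pool MainPools;
                translation-type {
                    napt-44;
                }
            }
        }
    }
}
"""
# The same rule with the statement Alex suggests adding.
FIXED_CONFIG = ORIGINAL_CONFIG.replace(
    "source-pool MainPools;", "source-pool MainPools;\n                address-pooling paired;")


class Node:
    """One brace-delimited stanza: its header, nested stanzas and 'x y;' statements."""
    def __init__(self, name):
        self.name, self.children, self.leaves = name, [], []

    def child(self, name):
        return next((c for c in self.children if c.name == name), None)

    def walk(self):
        yield self
        for c in self.children:
            yield from c.walk()


def parse_junos(text):
    """Parse brace-style Junos configuration output into a Node tree."""
    root = Node("root")
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("/*", "##")):   # annotations and warnings
            continue
        if line.endswith("{"):
            node = Node(line[:-1].strip())
            stack[-1].children.append(node)
            stack.append(node)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif line.endswith(";"):
            stack[-1].leaves.append(line[:-1].strip())
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unclosed stanza")
    return root


def application_sets(root):
    """Map application-set name -> member application names."""
    return {n.name.split()[1]: [l.split()[1] for l in n.leaves if l.startswith("application ")]
            for n in root.walk() if n.name.startswith("application-set ")}


def term_applications(term, sets):
    """Applications a NAT term matches, expanding 'applications [ ... ]' and application-sets."""
    apps, frm = set(), term.child("from")
    for leaf in (frm.leaves if frm else []):
        key, _, rest = leaf.partition(" ")
        names = re.findall(r"[\w.-]+", rest)
        if key == "applications":
            apps.update(names)
        elif key == "application-sets":
            for s in names:
                apps.update(sets.get(s, []))
    return apps


def lint_nat_rules(text):
    """Return (rule, term, multi-flow apps) for every term lacking address-pooling paired."""
    root, findings = parse_junos(text), []
    sets = application_sets(root)
    for node in (n for n in root.walk() if n.name.startswith("rule ")):
        for term in (c for c in node.children if c.name.startswith("term ")):
            multi = term_applications(term, sets) & MULTI_FLOW_APPS
            then = term.child("then")
            translated = then.child("translated") if then else None
            if multi and "address-pooling paired" not in (translated.leaves if translated else []):
                findings.append((node.name.split()[1], term.name.split()[1], sorted(multi)))
    return findings


if __name__ == "__main__":
    print("original:", lint_nat_rules(ORIGINAL_CONFIG))   # term ALG flagged for junos-pptp
    print("fixed:   ", lint_nat_rules(FIXED_CONFIG))      # nothing flagged
```

The check only covers the NAT rule stanza; as the later replies show, a rule that is syntactically right can still fail because of how traffic reaches the MS-MPC, so treat a clean lint result as necessary rather than sufficient.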

Re: NAT ALG Problem on MX960

2 weeks ago

Thank you for your response.

But without success. I added address-pooling paired;

 

rule NAT {
    match-direction input;
    term ALG {
        from {
            source-prefix-list {
                FAKE_IPS;
            }
            application-sets ALG;
        }
        then {
            translated {
                source-pool MainPools;
                translation-type {
                    napt-44;
                }
                address-pooling paired;
            }
        }
    }
    term EIM {
        from {
            source-prefix-list {
                FAKE_IPS;
            }
        }
        then {
            translated {
                source-pool MainPools;
                translation-type {
                    napt-44;
                }
                mapping-type endpoint-independent;
                filtering-type {
                    endpoint-independent;
                }
                address-pooling paired;
            }
        }
    }
}
application VPN_GRE {
    protocol gre;
}
application VPN_IPIP {
    protocol ipip;
}
application-set ALG {
    application junos-sip;
    application VPN_GRE;
    application junos-pptp;
    application VPN_IPIP;
    application junos-ipsec-esp;
}

Re: NAT ALG Problem on MX960

2 weeks ago

Hello,

 


ppetro@mail.lviv.ua wrote:

Thank you for your response.

But without success. I added address-pooling paired;

 

Right, do You have MS-DPC or MS-MPC or MS-MIC? How do You load-balance between NPUs if MS-MPC? Do You have AMS or do You do FBF load-balancing between ms- interfaces? Or simply a 0/0 route with multiple ms- nexthops?

Please post the complete sanitized configuration.

HTH

Thx

Alex

 


Re: NAT ALG Problem on MX960

[ Edited ]
2 weeks ago

I am using MS-MPC

 

I did the balancing with a simple configuration:

show configuration interfaces ams0 
load-balancing-options {
    member-interface mams-11/1/0;
    member-interface mams-11/2/0;
    member-interface mams-11/3/0;
    member-failure-options {
        redistribute-all-traffic {
            enable-rejoin;
        }
    }
}
unit 1 {
    family inet;
}
unit 10 {
    family inet;
    service-domain inside;
}
unit 20 {
    family inet;
    service-domain outside;
}

But now I use a simple interface without any aggregation:

 show configuration interfaces ms-11/0/0 
unit 0 {
    family inet;
}
unit 10 {
    family inet;
    service-domain inside;
}
unit 20 {
    family inet;
    service-domain outside;
}

 

Service configuration

 

captive-portal-content-delivery {
    rule r1 {
        match-direction input;
        term 3 {
            then {
                redirect https://auth.;
            }
        }
    }
    profile redir-prof {
        cpcd-rules r1;
    }
    traceoptions {
        file cpcd.log size 1m;
        flag all;
    }
}
service-set sset2 {
    service-set-options {
        routing-engine-services;
    }
    captive-portal-content-delivery-profile redir-prof;
    interface-service {
        service-interface si-0/0/0;
    }
}
service-set NAT {
    nat-options {
        max-sessions-per-subscriber 2048;
    }
    nat-rules NAT;
    next-hop-service {
        inside-service-interface ms-11/0/0.10;
        outside-service-interface ms-11/0/0.20;
    }
}
nat {
    pool MainPools {
        address X.X.X.X/24;
        address X.X.X.X/24;
        port {
            automatic {
                random-allocation;
            }
        }                               
        address-allocation round-robin;
        mapping-timeout 900;
    }
    rule NAT {
        match-direction input;
        term ALG {
            from {
                source-prefix-list {
                    FAKE_IPS;
                }
                application-sets ALG;
            }
            then {
                translated {
                    source-pool MainPools;
                    translation-type {
                        napt-44;
                    }
                    address-pooling paired;
                }
            }
        }
        term EIM {
            from {
                source-prefix-list {
                    FAKE_IPS;
                }
            }
            then {
                translated {
                    source-pool MainPools;
                    translation-type {
                        napt-44;
                    }
                    mapping-type endpoint-independent;
                    filtering-type {
                        endpoint-independent;
                    }
                    address-pooling paired;
                }
            }
        }
    }
}

Dynamic profile (the active profile being used by the client)

 

IPDemux {
    interfaces {
        demux0 {
            unit 3221230608 {
                demux-options {
                    underlying-interface demux0.3221230493;
                }
                family {
                    inet {
                        demux-source {
                            10.0.3.36/32;
                        }
                        filter {
                            input NAT precedence 100;
                        }
                        unnumbered-address lo0.0;
                    }
                }
            }
        }
    }
}
svc-global-ipoe {
    interfaces {
        demux0 {
            unit 3221230493 {
                vlan-tags outer NONE inner NONE;
                family {
                    inet {
                        filter {
                            input INET_IN_UID1022 precedence 50;
                            output INET_IN_UID1022 precedence 50;
                        }
                    }
                }
            }
        }
    }
    firewall {
        family {
            inet {
                filter INET_IN_UID1022 {
                    interface-specific;
                    term 1 {
                        then {
                            policer POLICER_IN_UID1021;
                            service-accounting;
                            accept;
                        }
                    }
                }                       
                filter INET_OUT_UID1024 {
                    interface-specific;
                    term 1 {
                        then {
                            policer POLICER_OUT_UID1023;
                            service-accounting;
                            accept;
                        }
                    }
                }
            }
        }
        policer POLICER_IN_UID1021 {
            if-exceeding {
                bandwidth-limit 102400k;
                burst-size-limit 512k;
            }
            then discard;
        }
        policer POLICER_OUT_UID1023 {
            if-exceeding {
                bandwidth-limit 102400k;
                burst-size-limit 512k;
            }
            then discard;
        }
    }
}

Filter NAT

show configuration firewall family inet filter NAT 
interface-specific;
term 100 {
    from {
        source-prefix-list {
            FAKE_IPS;
        }
    }
    then {
        routing-instance NAT;
    }
}
term 199 {
    then accept;
}

Routing-instance

 show configuration routing-instances                          
NAT {
    instance-type virtual-router;
    interface ms-11/0/0.10;
    routing-options {
        static {
            route 10.0.0.0/15 next-table inet.0;
            route 0.0.0.0/0 next-hop ms-11/0/0.10;
        }
    }
}

 

Thank you for your help.