
dynamic-nat44 or twice-dynamic-nat-44??

03-19-2020 11:58 PM

I'm trying to set up a dynamic nat 44 where once a client maps to a public IP, they can then receive unsolicited data back through the router. Currently it seems that they can only get data from established flows, but not from anything unsolicited (reverse flow). Since dynamic-nat44 assigns an entire IP to the client, can't it just allow data to flow back to the client? Is this a place I should use twice-dynamic-nat-44?


Re: dynamic-nat44 or twice-dynamic-nat-44??

03-20-2020 01:57 AM

Hello,

@EchoB wrote:

I'm trying to set up a dynamic nat 44 where once a client maps to a public IP, they can then receive unsolicited data back through the router.



Is it with port translation a.k.a. PAT or without port translation? And what is the platform please?

Please note that the terminology You use is defined in RFC 2663 https://tools.ietf.org/html/rfc2663 and JUNOS for M/T/MX follows this terminology since 10.4 or so. JUNOS for SRX does not.


HTH

Thx

Alex

_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements

+++++++++++++++++++++++++++++++++++++++++++++

Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !

Re: dynamic-nat44 or twice-dynamic-nat-44??

03-20-2020 09:19 AM

I'm using "dynamic-nat44" where I have a dynamic range of private IPs that will be NAT'd to a fixed range of public IPs (no PAT). The idea being once they are given an entire public IP, they can have full inbound and outbound communication on that public. Right now they get the public IP, but only established flows can receive inbound data. If I had to call it something else, what I'd want would be more like "dynamic 1:1 NAT".


I don't want to use basic-nat44 because that requires the source and translated pools to be the same size. I have a dynamic number of source/private IPs.


Re: dynamic-nat44 or twice-dynamic-nat-44??

03-20-2020 10:18 AM

Hello,

Ok so RFC 2663 terminology and Your terminology are aligned.

To accept incoming unsolicited connections, You don't need twice dynamic NAT, You need EIF (endpoint-independent filtering), RFC 4787 section 5 https://tools.ietf.org/html/rfc4787#section-5

Assuming You want to do this on MX with Services card, the CLI is this one

https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/filtering...

HTH

Thx

Alex

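As an added illustration of the RFC 4787 filtering behaviours Alex refers to (not code from this thread or from Junos), here is a small Python model of a 1:1 dynamic NAT44 binding under the three filtering modes; the class, addresses and ports are constructed for the example, and the session-based default is an assumption about the model, not a statement of Junos defaults.

```python
from dataclasses import dataclass, field


@dataclass
class Nat44:
    """Model of 1:1 dynamic NAT44: each private IP takes a whole public IP (constructed example)."""
    public_pool: list                                 # free public addresses, handed out 1:1
    filtering: str = "address-and-port-dependent"     # or "address-dependent" / "endpoint-independent"
    bindings: dict = field(default_factory=dict)      # private_ip -> public_ip
    sessions: set = field(default_factory=set)        # (public_ip, remote_ip, remote_port) seen outbound

    def outbound(self, src_ip, dst_ip, dst_port):
        """Client sends a packet: allocate a public IP on first use and record the flow."""
        if src_ip not in self.bindings:
            if not self.public_pool:
                raise RuntimeError("public pool exhausted")
            self.bindings[src_ip] = self.public_pool.pop(0)
        pub = self.bindings[src_ip]
        self.sessions.add((pub, dst_ip, dst_port))
        return pub

    def inbound(self, dst_ip, src_ip, src_port):
        """Return the private IP an inbound packet is forwarded to, or None if the NAT drops it."""
        reverse = {pub: priv for priv, pub in self.bindings.items()}
        if dst_ip not in reverse:
            return None                                # no binding owns this public address
        if self.filtering == "endpoint-independent":
            return reverse[dst_ip]                     # EIF: any external endpoint may reach the binding
        if self.filtering == "address-dependent":
            # the remote address must have been contacted before, on any port
            ok = any(s[0] == dst_ip and s[1] == src_ip for s in self.sessions)
        else:
            # address-and-port-dependent: only the exact established flow passes
            ok = (dst_ip, src_ip, src_port) in self.sessions
        return reverse[dst_ip] if ok else None


def demo(filtering):
    """Open one outbound flow, then test three inbound packets under the given filtering mode."""
    nat = Nat44(public_pool=["203.0.113.10", "203.0.113.11"], filtering=filtering)
    pub = nat.outbound("10.0.0.5", "198.51.100.7", 443)
    return (
        nat.inbound(pub, "198.51.100.7", 443),   # reply on the established flow
        nat.inbound(pub, "198.51.100.7", 80),    # same peer, new port
        nat.inbound(pub, "198.51.100.9", 22),    # unsolicited, new peer
    )
```

Only the endpoint-independent mode admits the unsolicited packet, which is the behaviour the original question is after; the 1:1 address binding by itself does not decide what gets in.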

Re: dynamic-nat44 or twice-dynamic-nat-44??

03-20-2020 06:40 PM

Unfortunately endpoint-independent mapping and filtering only apply to NAPT; Junos complains about it as I try to set up that config. 😞


Would port-forward-mappings work if I set it up for ports 1-65535? 😛 I'm going to try and see if that works. 


https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/nat-port-forwarding-stat...


EDIT: A port-forwarding map only accepts 1 specific port mapped to 1 other specific port. No ranges allowed. 😕 
