
Juniper MX960 CGNAT DHCP PPTP

Здравствуйте

 

Model: mx960
Junos: 18.4R3.3

 

Нужна помощь в устранении проблемы с NAT. Все настройки сделаны, НАТ работает, но клиенты не могут поднять PPTP через НАТ.

Я сделал настройки в НАТе для PPTP:

show configuration applications 
/* Static GRE application. IP protocol 47 carries no port numbers, so this
   entry matches every GRE flow from the sources of the NAT term that uses it,
   not only PPTP's data channel. */
application VPN_GRE {
    protocol gre;
}
/* Static IP-in-IP application (IP protocol 4), likewise port-less. */
application VPN_IPIP {
    protocol ipip;
}
/* Referenced by term ALG of nat rule NAT. junos-sip and junos-pptp are the
   predefined ALG applications; junos-ipsec-esp covers ESP. The pptp ALG
   itself tracks the GRE data channel negotiated on TCP/1723, so
   NOTE(review): whether the static VPN_GRE entry in the same set is needed,
   or competes with the ALG, is not visible here -- confirm on the box.
   PPTP (MS-CHAPv2/MPPE) is widely regarded as cryptographically weak; this
   set only passes it through, it does not make it safer. */
application-set ALG {
    application junos-sip;
    application VPN_GRE;
    application junos-pptp;
    application VPN_IPIP;
    application junos-ipsec-esp;
}


show configuration services nat    
/* Public NAPT pool. Two /24 ranges (masked in the post); ports are chosen at
   random rather than sequentially, addresses are handed out round-robin, and
   an idle mapping lives 900 s. No port-block allocation is configured here,
   so (unlike CG-NAT-POOL in the reply below) every mapping has to be logged
   on its own for subscriber attribution. */
pool MainPools {
    address X.X.X.X/24;
    address X.X.X.X/24;
    port {
        automatic {
            random-allocation;
        }
    }
    address-allocation round-robin;
    mapping-timeout 900;
}
/* Evaluated on traffic entering the service set (input direction). Both terms
   match the same FAKE_IPS prefix list (defined elsewhere, not shown); the
   first matching term wins, so ALG traffic takes term ALG and everything else
   falls through to term EIM. The PPTP problem discussed in this thread was
   resolved by a chassis service-package setting (last reply), not by a change
   to this rule. */
rule NAT {
    match-direction input;
    /* Flows matched by application-set ALG: NAPT-44 with the same public
       address for a given subscriber (address-pooling paired). No
       mapping-type or filtering-type is given, so these flows do not get the
       endpoint-independent behaviour of term EIM. */
    term ALG {
        from {
            source-prefix-list {
                FAKE_IPS;
            }
            application-sets ALG;
        }
        then {
            translated {
                source-pool MainPools;
                translation-type {
                    napt-44;
                }
                address-pooling paired;
            }
        }
    }
    /* Catch-all for FAKE_IPS. Endpoint-independent mapping reuses one external
       port per internal address:port regardless of destination; endpoint-
       independent filtering then lets any external host send to that port
       while the mapping exists. That is what makes P2P and games work behind
       CGNAT, but it also exposes the mapped port to unsolicited inbound
       traffic, so a stateful-firewall rule in the service set (none is shown
       in this excerpt) is the usual companion. */
    term EIM {
        from {
            source-prefix-list {
                FAKE_IPS;
            }
        }
        then {
            translated {
                source-pool MainPools;
                translation-type {
                    napt-44;
                }
                mapping-type endpoint-independent;
                filtering-type {
                    endpoint-independent;
                }
                address-pooling paired;
            }
        }
    }
} 

 

Клиенты натятся, но PPTP не поднимается.

В логах вижу, что не устанавливается GRE-туннель (DROP).

 

Пробовал и вручную создать правило:

show configuration applications application PPTP 
/* NOTE(review): this does not describe PPTP's control channel. PPTP
   signalling is TCP port 1723 (RFC 2637); GRE has no port numbers, so
   `destination-port 1723` under `protocol gre` cannot match the control
   session the pptp ALG needs to see in order to open the GRE data channel. */
application-protocol pptp;
protocol gre;
destination-port 1723;

Но не работает.

 

Может кто сталкивался с такой проблемой, помогите пожалуйста.

 

Спасибо


У нас так, жалоб нет, но софт 17.3R3-S3.3:

applications {
    /* Per-application inactivity timers override the defaults: short for
       DNS, ICMP and traceroute so idle mappings are reclaimed quickly, long
       (1800 s) for HTTPS and XMPP so long-lived sessions are not torn down. */
    application dns-udp-10s {
        protocol udp;
        source-port 1-65535;
        destination-port 53;
        inactivity-timeout 10;
    }
    application https-1800s {
        protocol tcp;
        destination-port 443;
        inactivity-timeout 1800;
    }
    application icmp-30s {
        protocol icmp;
        inactivity-timeout 30;
    }
    /* traceroute ALG on the usual UDP probe ports, with ttl-threshold 30. */
    application traceroute-30s {
        application-protocol traceroute;
        protocol udp;
        destination-port 33435-33450;
        ttl-threshold 30;
        inactivity-timeout 30;
    }
    application xmpp-1800s {
        protocol tcp;
        destination-port 5222-5223;
        inactivity-timeout 1800;
    }
    /* TLS-wrapped mail ports, no timer override. */
    application smtp-ssl {
        protocol tcp;
        destination-port 465;
    }
    application pop3-ssl {
        protocol tcp;
        destination-port 995;
    }
    /* Defined but not referenced by the services hierarchy shown below. */
    application-set apset-gprs-alg {
        application junos-ftp;
        application junos-pptp;
        application junos-sip;
    }
    /* Set matched by term t1 of nat rule RULE-PBA below. Membership only
       selects which NAT term (and so which mapping/filtering behaviour) a
       flow gets; it does not permit or deny anything -- the stateful-firewall
       rule does that. Several of the predefined junos-* entries (ftp, rtsp,
       pptp, sip, tftp, rpc-portmap) are ALG applications. */
    application-set apset-alg-noeim-noeif {
        application junos-http;
        application junos-ftp;
        application junos-rtsp;
        application dns-udp-10s;
        application https-1800s;
        application icmp-30s;
        application xmpp-1800s;
        application traceroute-30s;
        application junos-ntp;
        application junos-telnet;
        application junos-rsh;
        application junos-ssh;
        application junos-pop3;
        application junos-smtp;
        application junos-imap;
        application junos-imaps;
        application pop3-ssl;
        application smtp-ssl;
        application junos-pptp;
        application junos-rpc-portmap-tcp;
        application junos-rpc-portmap-udp;
        application junos-tftp;
        application junos-sip;
    }
}

nat:

services {
    /* HTTP redirect used by service-set sset-redirect. The target is an https
       URL, so the redirected session is not downgraded to cleartext. */
    captive-portal-content-delivery {
        rule redirect-rule {
            match-direction input;
            term 1 {
                then {
                    redirect https://xxx.xxx.xxx.xxx;
                }
            }
        }
        profile my-redirect {
            cpcd-rules redirect-rule;
        }
        /* Deactivated, but note world-readable: if re-enabled, `flag all`
           writes a trace that any local account on the router can read. */
        inactive: traceoptions {
            file cp.log size 1m files 2 world-readable;
            flag all;
        }
    }
    /* Main CGNAT service set: stateful firewall then NAT, on the ams0 pair. */
    service-set SSET {
        /* NAT mapping records (class nat-logs) to a collector on port 514, the
           conventional plain-syslog port. NOTE(review): these records tie a
           subscriber to a public address:port; confirm the transport is
           protected or the collector sits on a management network. */
        syslog {
            host xxx.xxx.xxx.xxx {
                services any;
                log-prefix MX960-BRAS;
                port 514;
                class {
                    nat-logs;
                }
                source-address xxx.xxx.xxx.xxx;
            }
        }
        max-flows 20m;
        /* Per-subscriber session cap bounds how much of the flow table and
           pool one subscriber can consume. It lines up with 32 blocks x 64
           ports = 2048 ports per address in CG-NAT-POOL. */
        nat-options {
            max-sessions-per-subscriber 2000;
        }
        service-set-options;
        stateful-firewall-rules FW-RULE;
        /* Rule attached directly; rule-set RS-NAT-PBA at the end of this
           listing is not referenced by any service set shown. */
        nat-rules RULE-PBA;
        next-hop-service {
            inside-service-interface ams0.1;
            outside-service-interface ams0.2;
        }
    }
    /* Redirect service set on a separate si- interface, subscriber-aware. */
    service-set sset-redirect {
        service-set-options {
            subscriber-awareness;
            routing-engine-services;
        }
        captive-portal-content-delivery-profile my-redirect;
        interface-service {
            service-interface si-10/0/0;
        }
    }
    /* Only traffic sourced from the shared-address range 100.64.0.0/15
       (RFC 6598) is accepted (t1); everything else is discarded (t2). */
    stateful-firewall {
        rule FW-RULE {
            match-direction input;
            term t1 {
                from {
                    source-address {
                        100.64.0.0/15;
                    }
                }
                then {
                    accept;
                }
            }
            term t2 {
                then {
                    discard;
                }
            }
        }
    }
    nat {
        /* Single /24 of public space. Ports 1024-65535 with random allocation,
           handed out as secured port blocks of 64, at most 32 blocks per
           address (so one subscriber can hold up to 2048 ports);
           active-block-timeout 120 governs how long a block stays held
           (exact semantics: verify in the platform docs). The usual point of
           PBA is one log record per block rather than per session, which
           keeps subscriber attribution tractable at CGNAT scale.
           Idle mappings live 300 s, endpoint-independent ones 120 s. */
        pool CG-NAT-POOL {
            address xxx.xxx.xxx.0/24;
            port {
                range low 1024 high 65535 random-allocation;
                secured-port-block-allocation block-size 64 max-blocks-per-address 32 active-block-timeout 120;
            }
            address-allocation round-robin;
            mapping-timeout 300;
            ei-mapping-timeout 120;
        }
        rule RULE-PBA {
            match-direction input;
            /* ALG-handled applications: NAPT-44 with a fixed public address
               per subscriber, no EIM/EIF -- consistent with the set's name. */
            term t1 {
                from {
                    source-address {
                        100.64.0.0/15;
                    }
                    application-sets apset-alg-noeim-noeif;
                }
                then {
                    translated {
                        source-pool CG-NAT-POOL;
                        translation-type {
                            napt-44;
                        }
                        address-pooling paired;
                    }
                }
            }
            /* Everything else from the CGN range: endpoint-independent mapping
               plus filtering, so a mapping created by one outbound flow is
               reachable from any external host while it lives. */
            term t2 {
                from {
                    source-address {
                        100.64.0.0/15;
                    }
                }
                then {
                    translated {
                        source-pool CG-NAT-POOL;
                        translation-type {
                            napt-44;
                        }
                        mapping-type endpoint-independent;
                        filtering-type {
                            endpoint-independent;
                        }
                        address-pooling paired;
                    }
                }
            }
        }

        /* Not referenced by service-set SSET, which attaches RULE-PBA directly. */
        rule-set RS-NAT-PBA {
            rule RULE-PBA;
        }
    }
}

 

On 6/26/2020 at 2:56 AM, JohnnyL said:

У нас так, жалоб нет, но софт 17.3R3-S3.3:


/* Verbatim quote of the applications hierarchy from JohnnyL's reply above. */
applications {
    /* Custom applications shorten the inactivity timers for DNS, ICMP and
       traceroute and lengthen them for HTTPS and XMPP. */
    application dns-udp-10s {
        protocol udp;
        source-port 1-65535;
        destination-port 53;
        inactivity-timeout 10;
    }
    application https-1800s {
        protocol tcp;
        destination-port 443;
        inactivity-timeout 1800;
    }
    application icmp-30s {
        protocol icmp;
        inactivity-timeout 30;
    }
    application traceroute-30s {
        application-protocol traceroute;
        protocol udp;
        destination-port 33435-33450;
        ttl-threshold 30;
        inactivity-timeout 30;
    }
    application xmpp-1800s {
        protocol tcp;
        destination-port 5222-5223;
        inactivity-timeout 1800;
    }
    application smtp-ssl {
        protocol tcp;
        destination-port 465;
    }
    application pop3-ssl {
        protocol tcp;
        destination-port 995;
    }
    /* Defined but not referenced by the services hierarchy quoted below. */
    application-set apset-gprs-alg {
        application junos-ftp;
        application junos-pptp;
        application junos-sip;
    }
    /* Matched by term t1 of rule RULE-PBA; membership only selects the NAT
       term a flow takes, it does not permit or deny the flow. */
    application-set apset-alg-noeim-noeif {
        application junos-http;
        application junos-ftp;
        application junos-rtsp;
        application dns-udp-10s;
        application https-1800s;
        application icmp-30s;
        application xmpp-1800s;
        application traceroute-30s;
        application junos-ntp;
        application junos-telnet;
        application junos-rsh;
        application junos-ssh;
        application junos-pop3;
        application junos-smtp;
        application junos-imap;
        application junos-imaps;
        application pop3-ssl;
        application smtp-ssl;
        application junos-pptp;
        application junos-rpc-portmap-tcp;
        application junos-rpc-portmap-udp;
        application junos-tftp;
        application junos-sip;
    }
}

nat:


/* Verbatim quote of the services hierarchy from JohnnyL's reply above. */
services {
    captive-portal-content-delivery {
        rule redirect-rule {
            match-direction input;
            term 1 {
                then {
                    redirect https://xxx.xxx.xxx.xxx;
                }
            }
        }
        profile my-redirect {
            cpcd-rules redirect-rule;
        }
        /* Inactive; the file would be world-readable if re-enabled. */
        inactive: traceoptions {
            file cp.log size 1m files 2 world-readable;
            flag all;
        }
    }
    service-set SSET {
        /* NAT mapping logs to an external collector on port 514. */
        syslog {
            host xxx.xxx.xxx.xxx {
                services any;
                log-prefix MX960-BRAS;
                port 514;
                class {
                    nat-logs;
                }
                source-address xxx.xxx.xxx.xxx;
            }
        }
        max-flows 20m;
        nat-options {
            max-sessions-per-subscriber 2000;
        }
        service-set-options;
        stateful-firewall-rules FW-RULE;
        nat-rules RULE-PBA;
        next-hop-service {
            inside-service-interface ams0.1;
            outside-service-interface ams0.2;
        }
    }
    service-set sset-redirect {
        service-set-options {
            subscriber-awareness;
            routing-engine-services;
        }
        captive-portal-content-delivery-profile my-redirect;
        interface-service {
            service-interface si-10/0/0;
        }
    }
    /* Only 100.64.0.0/15 sources pass; everything else is discarded. */
    stateful-firewall {
        rule FW-RULE {
            match-direction input;
            term t1 {
                from {
                    source-address {
                        100.64.0.0/15;
                    }
                }
                then {
                    accept;
                }
            }
            term t2 {
                then {
                    discard;
                }
            }
        }
    }
    nat {
        /* Secured port-block allocation: 64-port blocks, at most 32 per
           address, on a randomly allocated 1024-65535 range. */
        pool CG-NAT-POOL {
            address xxx.xxx.xxx.0/24;
            port {
                range low 1024 high 65535 random-allocation;
                secured-port-block-allocation block-size 64 max-blocks-per-address 32 active-block-timeout 120;
            }
            address-allocation round-robin;
            mapping-timeout 300;
            ei-mapping-timeout 120;
        }
        rule RULE-PBA {
            match-direction input;
            /* ALG set: paired address pooling, no EIM/EIF. */
            term t1 {
                from {
                    source-address {
                        100.64.0.0/15;
                    }
                    application-sets apset-alg-noeim-noeif;
                }
                then {
                    translated {
                        source-pool CG-NAT-POOL;
                        translation-type {
                            napt-44;
                        }
                        address-pooling paired;
                    }
                }
            }
            /* Catch-all: endpoint-independent mapping and filtering. */
            term t2 {
                from {
                    source-address {
                        100.64.0.0/15;
                    }
                }
                then {
                    translated {
                        source-pool CG-NAT-POOL;
                        translation-type {
                            napt-44;
                        }
                        mapping-type endpoint-independent;
                        filtering-type {
                            endpoint-independent;
                        }
                        address-pooling paired;
                    }
                }
            }
        }

        /* Not referenced by service-set SSET above. */
        rule-set RS-NAT-PBA {
            rule RULE-PBA;
        }
    }
}

 

Большое спасибо за ответ!
Пробую — то же самое, всё равно не устанавливается. Есть подозрение, что это связано с тем, что что-то не включил: без настроек application-set оно доходит до установки GRE-туннеля (так Windows говорит), но потом вываливается с ошибкой.

Может, что-то в system chassis надо добавить?

Вот что у меня:
 

/* Chassis side of the services PICs on FPC 11. Every PIC is loaded with the
   extension-provider packages jservices-cpcd (captive portal) and
   jservices-mss, with daemon and external syslog at level any. The poster's
   own follow-up in this thread says the PPTP ALG only worked once this was
   replaced by `service-package layer-3` on the PIC. */
fpc 11 {
    pic 0 {
        adaptive-services {
            service-package {
                extension-provider {
                    package jservices-cpcd;
                    package jservices-mss;
                    /* Level any on both daemon and external syslog is very
                       verbose -- useful while debugging, costly in steady
                       state. */
                    syslog {
                        daemon any;
                        external any;   
                    }
                }
            }
        }
    }
    /* pic 1-3: identical to pic 0. */
    pic 1 {
        adaptive-services {
            service-package {
                extension-provider {
                    package jservices-cpcd;
                    package jservices-mss;
                    syslog {
                        daemon any;
                        external any;
                    }
                }
            }
        }
    }
    pic 2 {
        adaptive-services {
            service-package {
                extension-provider {
                    package jservices-cpcd;
                    package jservices-mss;
                    syslog {
                        daemon any;
                        external any;
                    }
                }
            }
        }
    }
    pic 3 {
        adaptive-services {
            service-package {
                extension-provider {
                    package jservices-cpcd;
                    package jservices-mss;
                    syslog {
                        daemon any;
                        external any;
                    }
                }
            }
        }
    }
}
/* Chassis network-services mode. */
network-services enhanced-ip;

 

 


 

Спасибо за помощь!

 



Нашёл!
Надо обязательно выставить в chassis:

/* The change that resolved the thread: the PIC runs the layer-3 service
   package instead of the extension-provider packages shown in the earlier
   post. Only pic 0 is shown and the closing brace of `fpc 11` is missing
   from the paste; if the other PICs on this FPC also carry the NAT service
   set they presumably need the same setting -- confirm. */
fpc 11 {
    pic 0 {
        adaptive-services {
            service-package layer-3;
        }
    }

@JohnnyL большое спасибо за помощь!

