NAT na zwykłym interfejsie działa OK, na subinterfejsie z tagiem nie działa. Niestety w przeciwieństwie do CISCO nie można wykreować zwykłych subinterfejsów, tylko subinterfejsy z tagowaniem VLAN.
Problem polega na tym, że potrzebuję przypisać te adresy do subinterfejsów, aby móc wykreować kilka instancji NAT.
Może to jakiś mój błąd w ogólnym podejściu do problemu?
To nie jest moja pierwsza styczność z Juniperem i nigdy konfiguracja tych urządzeń nie była tak przyjemna i intuicyjna jak CISCO. Niestety nie miałem wpływu na to, co wybrał klient, i teraz muszę się męczyć z tym cudem.
Pozdrawiam i liczę na wsparcie
Oto mój konfig:
## Last changed: 2014-03-31 16:05:29 CEST
# Junos release this configuration was exported from.
# NOTE(review): confirm the release is still vendor-supported and check it against
# current Juniper security advisories.
version 11.4R5.5;
# Device-wide settings: identity, root credential, DNS resolvers, management
# services, local logging, configuration history and license updates.
system {
host-name root;
# Value redacted by the poster.
domain-name .................;
time-zone Europe/Warsaw;
root-authentication {
# The "$1$" prefix marks an MD5-crypt hash. The hash was published together with
# this configuration, so the root password should be treated as exposed: change it
# on the device, and redact such lines before sharing a configuration.
encrypted-password "$1$r4Lp45Hs$gcbhU4Qt4HluffNfrcwAj1";
}
# Public OpenDNS resolvers.
name-server {
208.67.222.222;
208.67.220.220;
}
services {
ssh;
# Telnet carries logins and session content unencrypted; ssh above already
# provides remote CLI access.
telnet;
# Junos XML management protocol over an unencrypted TCP session.
xnm-clear-text;
web-management {
http {
# Plain-HTTP web management is limited to these two interfaces. ge-0/0/0.0 is
# bound to the untrust zone further down, where http is also allowed as
# host-inbound traffic, so management logins can cross the outside segment
# in cleartext.
interface [ vlan.0 ge-0/0/0.0 ];
}
https {
# Certificate generated on the device itself (self-signed); no interface
# restriction is set for HTTPS in this stanza.
system-generated-certificate;
}
}
}
# Local logging only: no remote syslog host is configured in this stanza.
syslog {
# Three archived files of 100k each, so the retained history is short.
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
# Only error-severity records reach this file.
# NOTE(review): a complete audit trail of CLI commands would presumably need a
# broader severity here - confirm against the Junos documentation.
interactive-commands error;
}
}
# Keep five earlier configurations for rollback.
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
interfaces {
# Routed port whose two units are both placed in the untrust zone further down.
# With vlan-tagging enabled, each unit is bound to one 802.1Q VLAN ID.
ge-0/0/0 {
vlan-tagging;
# Unit 0 (VLAN 1): family inet is enabled but no address is configured.
unit 0 {
vlan-id 1;
family inet;
}
# Unit 1111 (VLAN 1111): carries the address (redacted by the poster) and is the
# egress interface named by the source-NAT rule-set.
# NOTE(review): this unit only exchanges frames tagged 1111, so the upstream port
# has to deliver that tag. An untagged upstream would be consistent with NAT
# working on a plain interface but not here - confirm on the neighbouring device.
unit 1111 {
vlan-id 1111;
family inet {
address .................;
}
}
}
# ge-0/0/1 through ge-0/0/15: Layer 2 switching ports with identical settings;
# every one of them is a member of vlan-trust.
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/5 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/6 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/7 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/8 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/9 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/10 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/11 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/12 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/13 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/14 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/15 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
# Routed VLAN interface: the vlans stanza names vlan.0 as the l3-interface of
# vlan-trust, and the trust zone contains it. Its address lies inside the
# 172.16.0.0/16 range that the source-NAT rule matches.
vlan {
unit 0 {
family inet {
address 172.16.1.4/16;
}
}
}
}
# Single static default route; the next-hop address was redacted by the poster.
# NOTE(review): the source-NAT rule-set only applies to traffic leaving through
# ge-0/0/0.1111, so this next hop presumably has to sit in that unit's subnet -
# confirm against the redacted values.
routing-options {
static {
route 0.0.0.0/0 next-hop ................;
}
}
# Spanning Tree Protocol enabled with no further options set.
protocols {
stp;
}
security {
# Screen profile with packet-anomaly and flood checks. It is attached to the
# untrust zone by the "screen untrust-screen" statement in the zones stanza.
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
# SYN-flood protection thresholds as configured.
# NOTE(review): units are presumably SYN packets per second for the thresholds
# and seconds for the timeout - confirm against the Junos documentation.
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
# Source NAT: traffic from zone trust that leaves through ge-0/0/0.1111 with a
# source in 172.16.0.0/16 is translated to the address of the egress interface.
# NOTE(review): the rule-set matches only when the route lookup actually selects
# ge-0/0/0.1111 as the egress interface. Where several translated addresses are
# needed, source NAT pools are the usual Junos construct rather than one
# subinterface per address - verify for this release.
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to interface ge-0/0/0.1111;
rule source-nat-rule {
match {
source-address 172.16.0.0/16;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
# The only policy in this configuration: trust -> untrust permits any source,
# any destination and any application. No log action is set, so sessions
# permitted here are not logged by this policy. No untrust -> trust policy is
# defined.
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
# Zone membership and the traffic each zone accepts for the device itself.
zones {
security-zone trust {
# Address-book contents redacted by the poster.
address-book {
...............................
}
# Every system service and protocol is accepted from the trust side, so anything
# enabled under "system services" (including telnet, http and xnm-clear-text) is
# reachable on vlan.0.
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.0;
}
}
security-zone untrust {
# Address-book contents redacted by the poster.
address-book {
...............................
}
screen untrust-screen;
interfaces {
# The outside-facing unit accepts dhcp, tftp, ping, http and https addressed to
# the device. http and tftp are unencrypted, and "system services web-management
# http" lists this same unit, so the management login is offered over cleartext
# on the untrust side.
# NOTE(review): consider limiting this to https from known sources.
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
ping;
http;
https;
}
}
}
# No host-inbound-traffic is configured for this unit.
# NOTE(review): traffic addressed to the device itself (ping included) is then
# presumably dropped here, which can make the link look dead while testing even
# if transit traffic works - confirm.
ge-0/0/0.1111;
}
}
}
}
# VLAN 3 is the VLAN that the switching ports ge-0/0/1 through ge-0/0/15 belong to;
# vlan.0 is its routed interface.
vlans {
vlan-trust {
vlan-id 3;
l3-interface vlan.0;
}
}