Appendix B PPTP and GRE Tunneling Through NAT


This appendix describes Point-to-Point Tunneling Protocol (PPTP) and Generic Routing Encapsulation (GRE) tunneling through Network Address Translation (NAT). It supplements information in the following JUNOSe Release 6.1.x guides:

- JUNOSe IP Services Configuration Guide, Chapter 11, Configuring Layer 2 Services over GRE
- JUNOSe IP Services Configuration Guide, Chapter 3, Configuring NAT
- JUNOSe Command Reference

Overview

You can configure NAT traversal support for GRE flows using simple translations (Basic NAT). Because PPTP uses an enhanced GRE encapsulation for the PPP payload, configuring for GRE flows also supports NAT traversal for PPTP tunnels.

NOTE: Neither port translation (NAPT) nor Firewall traversal is supported for GRE flows.

When configured, the following types of translations are supported for GRE and PPTP tunnels:

- Inside source static simple translations (inbound and outbound)
- Outside source static simple translations (inbound and outbound)
- Inside source dynamic simple translations (inbound and outbound)
- Outside source dynamic simple translations (inbound and outbound)
- Combinations of the preceding translations (for example, twice NAT)

JUNOSe 6.1.4 Release Notes

Packet Discard Rules

For all supported types of traffic (TCP, UDP, ICMP, and GRE), NAT discards packets in the following cases:

- When the translation table is full (that is, no more entries can be added).
- When the address pool is exhausted for outbound packets with inside source dynamic translation.
- When no match can be found for the destination addresses of inbound packets.
- When the address pool is exhausted for inbound packets with outside source dynamic translation.

In addition, NAT discards GRE packets under the following conditions:

- When the GRE packets match an NAPT rule.
- When Firewall is functioning.

Tunnel Configurations Through NAT

PPTP uses enhanced GRE encapsulation for PPP payloads. After the PPTP tunnel setup process, PPP packets are exchanged using GRE encapsulation. It is critical that a NAT device that resides between the PPTP client and the PPTP server allow GRE flows. This section contains NAT configuration examples for PPTP tunnel setup through NAT from clients on both the inside and the outside network.

Clients on an Inside Network

In this example, a subscriber on the inside network initiates PPTP tunnels to a PPTP server located in the outside network. The PPTP connection to the server traverses an E-series router that has NAT enabled.

[Figure 1: PPTP Tunnels on an Inside Network] The PPTP client 13.1.2.3 sits behind the router's inside interface 13.1.2.1; the router's outside interface 11.11.11.2 faces the PPTP server 11.11.11.1. The PPTP request leaves the client with SA = 13.1.2.3, DA = 11.11.11.1. With the inside source static simple translation 13.1.2.3 -> 20.0.0.1 installed, the request leaves the router with SA = 20.0.0.1, DA = 11.11.11.1.

The router has installed an inside source static simple translation in its translation table as follows:

    Inside Local Address   Inside Global Address
    13.1.2.3               20.0.0.1

The PPTP client initiates its tunnels to the server at 11.11.11.1. The E-series router translates the SA from inside local 13.1.2.3 to inside global SA 20.0.0.1. Because GRE traffic can pass through NAT, all matching PPTP control packets are translated and forwarded to the destination.

Clients on an Outside Network

In this example, an outside subscriber initiates PPTP tunnels to a PPTP server located in the service provider network. The PPTP connection to the server traverses an E-series router that has NAT enabled.

[Figure 2: PPTP Tunnels on an Outside Network] The PPTP client 13.1.2.3 in the access network reaches the router's outside interface 13.1.2.1; the router's inside interface 11.11.11.2 faces the PPTP server 11.11.11.1. The PPTP request arrives with SA = 13.1.2.3, DA = 20.0.0.1, and the inside source static simple translation 11.11.11.1 -> 20.0.0.1 is installed.

The router has installed an inside source static simple translation in its translation table as follows:

    Inside Local Address   Inside Global Address
    11.11.11.1             20.0.0.1

The PPTP client initiates its tunnels to the inside global address 20.0.0.1. The E-series router translates packets destined for address 20.0.0.1 and forwards them to the inside local address 11.11.11.1. Because GRE traffic can pass through NAT, all matching PPTP control packets are translated and forwarded to the destination.
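To make the translation and discard behaviour of the two scenarios above concrete, the following Python model is added here; it is not JUNOSe code and not part of the release notes. It replays the Figure 1 addresses through an inside source static simple translation, draws dynamic simple translations from a pool, and applies the rules listed under "Packet Discard Rules" (table full, pool exhausted, no inbound match, GRE hitting an NAPT rule or an active Firewall). The class and function names (NatRouter, Packet, figure1_walkthrough), the table capacity, the pool and the NAPT rule contents are assumptions chosen for the walkthrough.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                   # "GRE", "TCP", "UDP" or "ICMP"
    src: str
    dst: str
    sport: Optional[int] = None  # GRE carries no port numbers
    dport: Optional[int] = None


class NatRouter:
    """Model (assumed design, not the JUNOSe implementation) of inside source
    translations on a NAT router between a PPTP client and server: static
    simple entries, dynamic simple entries drawn from an address pool, and
    the discard rules listed in this appendix."""

    def __init__(self, static=None, pool=(), napt_rule=(), firewall=False, max_entries=4):
        # Static simple translations are installed in the table up front.
        self.table = dict(static or {})       # inside local -> inside global
        self.pool = list(pool)                # unused inside global addresses
        self.napt_rule = set(napt_rule)       # inside locals covered by an NAPT rule
        self.firewall = firewall              # True when Firewall is functioning
        self.max_entries = max_entries        # translation table capacity
        self.discards = []                    # (reason, packet) for every drop

    def _discard(self, reason, pkt):
        self.discards.append((reason, pkt))
        return None

    def outbound(self, pkt):
        """Inside -> outside. Returns the translated packet, or None if discarded."""
        if pkt.proto == "GRE":
            # GRE-specific discards: NAPT and Firewall are not supported for GRE.
            if pkt.src in self.napt_rule:
                return self._discard("GRE packet matches an NAPT rule", pkt)
            if self.firewall:
                return self._discard("GRE packet while Firewall is functioning", pkt)
        if pkt.src not in self.table:
            # Inside source dynamic translation: needs a free slot and a free address.
            if len(self.table) >= self.max_entries:
                return self._discard("translation table full", pkt)
            if not self.pool:
                return self._discard("address pool exhausted (inside source dynamic)", pkt)
            self.table[pkt.src] = self.pool.pop(0)
        # A simple translation rewrites the address only; ports are untouched.
        return Packet(pkt.proto, self.table[pkt.src], pkt.dst, pkt.sport, pkt.dport)

    def inbound(self, pkt):
        """Outside -> inside. Maps the inside global destination back to the
        inside local address, or discards the packet when nothing matches."""
        if pkt.proto == "GRE" and self.firewall:
            return self._discard("GRE packet while Firewall is functioning", pkt)
        for local, glob in self.table.items():
            if glob == pkt.dst:
                return Packet(pkt.proto, pkt.src, local, pkt.sport, pkt.dport)
        return self._discard("no match for inbound destination address", pkt)


def figure1_walkthrough():
    """Replays the Figure 1 exchange plus the discard cases (constructed values).
    Returns (translated request, translated reply, list of discard reasons)."""
    nat = NatRouter(static={"13.1.2.3": "20.0.0.1"}, pool=["20.0.0.2"],
                    napt_rule={"13.1.2.9"}, max_entries=2)
    # PPTP data flow (GRE) from the inside client, translated via the static entry.
    request = nat.outbound(Packet("GRE", "13.1.2.3", "11.11.11.1"))
    # The server's GRE reply to the inside global address is mapped back.
    reply = nat.inbound(Packet("GRE", "11.11.11.1", "20.0.0.1"))
    # A second client takes the last pool address; the table is now full.
    nat.outbound(Packet("TCP", "13.1.2.4", "11.11.11.1", 1025, 1723))
    # Discard cases from "Packet Discard Rules".
    nat.outbound(Packet("TCP", "13.1.2.5", "11.11.11.1", 1026, 1723))   # table full
    nat.outbound(Packet("GRE", "13.1.2.9", "11.11.11.1"))               # NAPT rule
    nat.inbound(Packet("GRE", "11.11.11.1", "20.0.0.7"))                # no match
    return request, reply, [reason for reason, _ in nat.discards]


if __name__ == "__main__":
    req, rep, reasons = figure1_walkthrough()
    print(req, rep, reasons, sep="\n")
```

The order of the checks matches the order the appendix lists them: the GRE-only conditions are tested first, then table capacity, then pool availability. Because a simple translation never touches ports, the GRE packets pass through with their addresses rewritten and nothing else, which is exactly why PPTP data flows survive this kind of NAT but not NAPT.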

GRE Flows Through NAT

Because PPTP requires the use of GRE flows, the examples in the previous section also work for any GRE traffic flows that traverse NAT.

GRE flows can terminate at an E-series router whether or not NAT is enabled. When the router receives locally terminating inbound GRE packets, it transmits the packets to the tunnel server module for GRE processing. If the packets require translating, they are again sent through the tunnel server module.

NOTE: Only inner IP headers are translated for terminating GRE flows; outer IP headers are never translated.

For outbound GRE packets, the process works in reverse. If the packets require translation, the router transmits the packets to the tunnel server module for translation. If the packets are destined for a GRE tunnel, they are again sent through the tunnel server module, where an outer header is prepended to the packet and the packet is then sent to the appropriate GRE tunnel.

Displaying Translation Entries

The show ip nat translations command displays current translations that reside in the translation table. Simple translation entries appear with inside/outside and local/global address information. Extended entries appear with added protocol and port numbers (or query ID). Using verbose mode additionally provides the time since creation and time since last use for each translation entry.

show ip nat translations

Use to display current translations that reside in the NAT translation table.

Field descriptions

- Prot: Protocol (TCP, UDP, ICMP, or GRE) for this translation entry; this field appears only for extended table entries
- Inside local: Inside local IP address for this translation entry; for extended entries this field also provides the port number, separated by a colon (:)
- Inside global: Inside global IP address for this translation entry; for extended entries this field also provides the port number, separated by a colon (:)
- Outside global: Outside global IP address for this translation entry; for extended entries this field also provides the port number, separated by a colon (:)
- Outside local: Outside local IP address for this translation entry; for extended entries this field also provides the port number, separated by a colon (:)

- Time since creation: Amount of time elapsed since the translation entry appeared in the translation table (hh:mm:ss format)
- Time since last use: Amount of time elapsed since the translation entry was last used (hh:mm:ss format)

Example 1

    host1#show ip nat translations
    Prot Inside local     Inside global    Outside global   Outside local
    ---- ---------------  ---------------  ---------------  ---------------
    GRE  13.1.2.1:*       20.0.0.1:*       ---              ---
    ICMP 13.1.2.2:4       20.0.0.2:4       ---              ---
    TCP  13.1.2.3:20      20.0.0.3:50      ---              ---

NOTE: Because they are not NAPT translations, port numbers for GRE translations appear as asterisks (*).

Example 2

    host1#show ip nat translations verbose
                                                                             Time      Time
                                                                             since     since
    Prot Inside local     Inside global    Outside global   Outside local    creation  last use
    ---- ---------------  ---------------  ---------------  ---------------  --------- ---------
    ---  20.0.0.3         30.0.0.3         ---              ---              00:04:50  00:00:01
    ---  21.0.0.3         30.208.0.3       ---              ---              00:02:12  00:00:01
    ---  21.0.0.4         30.208.0.4       ---              ---              00:02:12  00:00:01
    ---  ---              ---              50.0.0.3         70.0.0.3         00:03:24  Never
    ---  ---              ---              51.0.0.3         70.208.0.3       00:01:44  00:00:01
    ---  ---              ---              51.0.0.4         70.208.0.4       00:01:44  00:00:01
    UDP  ---              ---              50.50.0.3:87     70.50.0.3:8108   00:03:10  Never
    UDP  22.0.0.4:63      30.224.0.3:4097  ---              ---              00:02:12  00:00:01
    UDP  22.0.0.3:63      30.224.0.3:4096  ---              ---              00:02:12  00:00:01
    TCP  ---              ---              50.50.0.3:80     70.50.0.3:8008   00:03:10  Never
    UDP  20.50.0.3:87     30.50.0.3:8108   ---              ---              00:03:35  Never

Commands in the JUNOSe Command Reference

This section presents commands that have been modified for this release and are relevant to features that are presented in this release.

ip nat translation

Description

Changes or disables translation timeouts, per virtual router, for existing and newly created translations in the translation table. All timeouts for this command support a range of 1 to 2147483 seconds (about 25 days). The no version enables the timer using its default value.

NOTE: GRE translations are used as optimizations to discard GRE traffic. You can use the gre-timeout keyword to control the GRE aging timeout, even though we do not support NAPT for GRE. The GRE aging timer has no effect on any simple translations GRE might use.

Syntax

    ip nat translation { timeout | udp-timeout | dns-timeout | tcp-timeout | finrst-timeout | icmp-timeout | gre-timeout } seconds
    no ip nat translation { timeout | udp-timeout | dns-timeout | tcp-timeout | finrst-timeout | icmp-timeout | gre-timeout }

- timeout: Sets aging time for dynamic translations (except for overloaded translations); default value is 86400 seconds (24 hours)
- udp-timeout: Sets aging time for UDP protocol translations; default value is 300 seconds (5 minutes)
- dns-timeout: Sets aging time for DNS protocol translations (port 53 on TCP or UDP); default value is 60 seconds
- tcp-timeout: Sets aging time for TCP protocol translations; default value is 86400 seconds (24 hours)
- finrst-timeout: Sets aging time for TCP connections terminated with RST or FIN flags; default value is 60 seconds
- icmp-timeout: Sets aging time for ICMP protocol translations; default value is 300 seconds (5 minutes)
- gre-timeout: Sets aging time for GRE protocol translations; default value is 300 seconds (5 minutes)
- seconds: Number of seconds before the router removes an unused NAT table entry

Mode

Global Configuration
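The following Python is an added example, not code from the release notes or from Juniper. It parses rows in the documented layout of show ip nat translations verbose (the sample output below is constructed in that layout; its row values are made up) and reports the entries whose idle time already exceeds the default aging values listed above for ip nat translation, which is a quick way to audit whether the configured timeouts match what the table is actually holding. It assumes that aging is measured on the time since last use, that an entry shown as Never used ages from its creation time, and that the output came from show ip nat translations dynamic verbose so that no static entries (which do not age) are included; Entry, parse_verbose, applicable_timeout and stale_entries are assumed names.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Default aging timeouts (seconds) as documented for "ip nat translation".
DEFAULT_TIMEOUTS = {
    "timeout": 86400,       # dynamic simple translations (Prot shown as ---)
    "udp-timeout": 300,
    "dns-timeout": 60,      # port 53 on TCP or UDP
    "tcp-timeout": 86400,
    "finrst-timeout": 60,   # FIN/RST state is not visible in show output; unused here
    "icmp-timeout": 300,
    "gre-timeout": 300,
}


@dataclass
class Entry:
    proto: Optional[str]         # None for a simple (address-only) translation
    inside_local: Optional[str]
    inside_global: Optional[str]
    outside_global: Optional[str]
    outside_local: Optional[str]
    ports: frozenset             # every port number seen in the row ('*' yields none)
    created: int                 # seconds since creation
    last_use: Optional[int]      # seconds since last use; None for "Never"


# One data row: Prot, four address fields, time since creation, time since last use.
ROW = re.compile(r"^(---|TCP|UDP|ICMP|GRE)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def hms_to_seconds(text):
    """'hh:mm:ss' -> seconds; 'Never' -> None."""
    if text == "Never":
        return None
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


def _split(field):
    """'addr:port' -> (addr, port); '---' -> (None, None); a '*' port -> None."""
    if field == "---":
        return None, None
    addr, _, port = field.partition(":")
    return addr, (int(port) if port.isdigit() else None)


def parse_verbose(output):
    """Parses the data rows of 'show ip nat translations verbose'; the prompt,
    column headings and rule lines do not match ROW and are skipped."""
    entries = []
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        proto, il, ig, og, ol, created, last = m.groups()
        fields = [_split(f) for f in (il, ig, og, ol)]
        entries.append(Entry(
            proto=None if proto == "---" else proto,
            inside_local=fields[0][0], inside_global=fields[1][0],
            outside_global=fields[2][0], outside_local=fields[3][0],
            ports=frozenset(p for _, p in fields if p is not None),
            created=hms_to_seconds(created), last_use=hms_to_seconds(last)))
    return entries


def applicable_timeout(entry, timeouts=DEFAULT_TIMEOUTS):
    """Picks the documented timeout keyword that governs this entry."""
    if entry.proto is None:
        return timeouts["timeout"]                 # simple translation
    if entry.proto in ("TCP", "UDP") and 53 in entry.ports:
        return timeouts["dns-timeout"]             # DNS overrides tcp/udp-timeout
    return timeouts[entry.proto.lower() + "-timeout"]


def stale_entries(entries, timeouts=DEFAULT_TIMEOUTS):
    """Entries whose idle time exceeds their timeout (assumption: a never-used
    entry is idle since creation)."""
    stale = []
    for e in entries:
        idle = e.last_use if e.last_use is not None else e.created
        if idle > applicable_timeout(e, timeouts):
            stale.append(e)
    return stale


# Constructed sample in the documented column layout; values are made up.
SAMPLE = """\
host1#show ip nat translations dynamic verbose
                                                                         Time      Time
                                                                         since     since
Prot Inside local     Inside global    Outside global   Outside local    creation  last use
---- ---------------  ---------------  ---------------  ---------------  --------- ---------
---  20.0.0.3         30.0.0.3         ---              ---              00:04:50  00:00:01
GRE  13.1.2.1:*       20.0.0.1:*       ---              ---              00:12:00  00:06:30
ICMP 13.1.2.2:4       20.0.0.2:4       ---              ---              00:10:00  00:05:01
UDP  22.0.0.4:53      30.224.0.3:4097  ---              ---              00:02:12  00:01:10
UDP  22.0.0.3:63      30.224.0.3:4096  ---              ---              00:02:12  00:00:01
TCP  ---              ---              50.50.0.3:80     70.50.0.3:8008   00:03:10  Never
"""

if __name__ == "__main__":
    for e in stale_entries(parse_verbose(SAMPLE)):
        print(e.proto, e.inside_local or e.outside_global, "idle beyond", applicable_timeout(e), "s")
```

With the defaults, the GRE row (idle 390 s against gre-timeout 300), the ICMP row (301 s against 300) and the UDP port 53 row (70 s against dns-timeout 60) are reported, while the simple entry and the TCP entry are well inside their 24-hour timeout. Passing a different timeouts mapping lets you check the effect of a proposed ip nat translation change before committing it.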

clear ip nat translation

Description

Clears all or the specified NAT table entries. There is no no version.

Syntax

    clear ip nat translation *
    clear ip nat translation inside insideglobalipaddress insidelocalipaddress
    clear ip nat translation outside outsidelocalipaddress outsideglobalipaddress
    clear ip nat translation { tcp | udp | icmp } inside insideglobalipaddress insideglobalport insidelocalipaddress insidelocalport
    clear ip nat translation { tcp | udp | icmp | gre } inside insideglobalipaddress * insidelocalipaddress *
    clear ip nat translation { tcp | udp | icmp } inside insideglobalipaddress insideglobalport insidelocalipaddress insidelocalport outside outsidelocalipaddress outsidelocalport outsideglobalipaddress outsideglobalport

- *: Clears all translations when used in the clear ip nat translation * command
- *: Matches any global or local port, removing inside source extended TCP, UDP, ICMP or GRE translations for the specified global IP address and local IP address, when used in the clear ip nat translation { tcp | udp | icmp | gre } inside insideglobalipaddress * insidelocalipaddress * command
- inside: Specifies an inside address
- insideglobalipaddress: Inside global IP address
- insidelocalipaddress: Inside local IP address
- outside: Specifies an outside address
- outsidelocalipaddress: Outside local IP address
- outsideglobalipaddress: Outside global IP address
- tcp: Specifies a TCP port translation
- udp: Specifies a UDP port translation
- icmp: Specifies an ICMP port translation
- gre: Specifies a GRE translation
- insideglobalport: Inside global port number
- insidelocalport: Inside local port number
- outsideglobalport: Outside global port number
- outsidelocalport: Outside local port number

Mode

Privileged Exec

show ip nat translations

Description

Displays translations that reside in the NAT translation table.

Syntax

    show ip nat translations [ static | dynamic ] [ tcp | udp | icmp | gre ]* [ verbose ] [ filter ]
    show ip nat translations inside insidelocalipaddress [ localport ] [ insideglobalipaddress [ globalport ] ] [ verbose ] [ filter ]
    show ip nat translations outside outsideglobalipaddress [ globalport ] [ outsidelocalipaddress [ localport ] ] [ verbose ] [ filter ]

- static: Displays static translations
- dynamic: Displays dynamic translations
- tcp: Displays TCP port translations
- udp: Displays UDP port translations
- icmp: Displays ICMP port translations
- gre: Displays GRE translations
- *: Indicates that one or more parameters can be repeated multiple times in a list in the command line
- inside: Specifies an inside address
- insideglobalipaddress: Inside global IP address
- insidelocalipaddress: Inside local IP address
- outside: Specifies an outside address
- outsidelocalipaddress: Outside local IP address
- outsideglobalipaddress: Outside global IP address
- localport: Local port value
- globalport: Global port value
- verbose: Additionally displays the time since creation and time since last use for each translation entry
- filter: See Filtering show Commands in About This Guide

Mode

User Exec