JunOS Routing instance and NAT

imagoon

Here is my issue: a Junos 10.3R4-based firewall device that doesn't do source-based routing. For this they recommend filtering. I have a guest wireless that is now 'working' with 2 zones (the other zones are internal).

I.e.:

ArubaGuest > NAT table > Untrust, and a policy that (at the moment) is Any:any ArubaGuest to Untrust. What I want to do is force *all* traffic from that range out to the internet and have it ignore any routing tables it finds otherwise. The BGP routing table contains addresses that would route data from the guest wireless (which is basically 'untrust') through the internal networks. I would rather that data go out to the internet and land on the datacenter's firewalls. I did this on the NetScreens using a source-based route that forced it into 'untrust', which then dumped it to the internet. The Junos unit recommends doing a forwarding routing instance that forwards packets.

I.e.:
Code:
firewall {
    filter ArubaGuest {
        term 1 {
            from {
                source-address {
                    172.17.0.0/16;
                }
            }
            then {
                routing-instance ArubaGuestRedirect;
            }
        }
        term 2 {
            then accept;
        }
    }
}



routing-instances {
    ArubaGuestRedirect {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 1.2.3.4;
            }
        }
    }
}

Putting this in the config makes the traffic go to the router but skips the NAT. I really need the guest network to NAT and then be forced to the internet. All the examples only show redirecting to IPs.

Ideas?
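As an added example (not the original poster's configuration, and not a Juniper-supplied answer), here is what a complete filter-based-forwarding setup for the guest range looks like when the pieces the snippet above omits are filled in: the input filter applied on the guest interface, the rib-group that copies interface routes into the forwarding instance, the source NAT rule-set, and the zone policy. Interface name reth0.100, the guest gateway address 172.17.0.1/16, the rib-group name guest-fbf, and the NAT rule-set and policy names are assumptions; the 172.17.0.0/16 range, the zone names, the instance name ArubaGuestRedirect and the next hop 1.2.3.4 come from the post.

```junos
/* Added example, not the original poster's config. Assumed names:
   interface reth0.100 in zone ArubaGuest, rib-group guest-fbf,
   NAT rule-set guest-out, policy guest-internet. */
interfaces {
    reth0 {
        unit 100 {
            family inet {
                /* The FBF filter only takes effect as an input filter on the guest ingress interface */
                filter {
                    input ArubaGuest;
                }
                /* assumed guest gateway address */
                address 172.17.0.1/16;
            }
        }
    }
}
routing-options {
    /* Copy connected/local routes into the forwarding instance; without this the
       instance's table has no route covering 1.2.3.4 and the static default cannot resolve */
    interface-routes {
        rib-group inet guest-fbf;
    }
    rib-groups {
        guest-fbf {
            import-rib [ inet.0 ArubaGuestRedirect.inet.0 ];
        }
    }
}
firewall {
    filter ArubaGuest {
        term guest-to-internet {
            from {
                source-address {
                    172.17.0.0/16;
                }
            }
            then {
                routing-instance ArubaGuestRedirect;
            }
        }
        term everything-else {
            then accept;
        }
    }
}
routing-instances {
    ArubaGuestRedirect {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 1.2.3.4;
            }
        }
    }
}
security {
    nat {
        source {
            /* Source NAT on SRX is matched by ingress and egress zone, not by routing table */
            rule-set guest-out {
                from zone ArubaGuest;
                to zone Untrust;
                rule guest-pat {
                    match {
                        source-address 172.17.0.0/16;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone ArubaGuest to-zone Untrust {
            policy guest-internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

The thread does not report what finally made NAT apply, so this is not presented as the fix; the rib-group is the piece Juniper's own filter-based-forwarding examples include that the posted snippet lacks. Note also that the route lookup is not the security boundary here: what keeps guest traffic out of the internal networks is the absence of any from-zone ArubaGuest to-zone internal policy (the SRX default deny), so check that no such policy exists regardless of how the forwarding instance is set up.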

Cooky

Sorry, no idea how to do that in Junos; we're still running ScreenOS.
Any chance you guys have NSM that can provide some clues via the GUI?

imagoon

Cooky said:
Sorry, no idea how to do that in Junos; we're still running ScreenOS.
Any chance you guys have NSM that can provide some clues via the GUI?

I would call the GUI a... "work in progress." When I originally bought the firewall you couldn't even do static NAT in the GUI. I haven't tried 11R1 yet because Juniper recommends 10R2 for that model. I went to 10R3 due to another bug I had found. I have a workaround in place at the moment. I might just say "screw it" and crank a Linksys firewall in there since it is just 'guest' lol.

Jamsan

Have you called Juniper? They've always been very helpful in getting oddball configs up and running for me (especially around NAT).

imagoon

Jamsan said:
Have you called Juniper? They've always been very helpful in getting oddball configs up and running for me (especially around NAT).

Not yet. It took them 6 months to admit that the Websense redirect bug was their problem, so I had low hopes.

Cooky

We usually have to escalate to the second level, based in California, to get decent support.
First level is hit or miss.

Jamsan

imagoon said:
Not yet. It took them 6 months to admit that the Websense redirect bug was their problem, so I had low hopes.

While I've had similar experiences with Juniper (and even more so with Cisco), "basic" configuration items they've always been spot-on with, usually at level 1 as well (if you can understand what they're saying).