SRX

Source nat with interface

  • 1.  Source nat with interface

    Posted 11-21-2017 16:22

    Hi everyone.

    I am trying to figure out if I can do SOURCE NAT on SRX with an interface but with no port translation.

    [edit security nat source]

    set rule-set rs1 from zone trust

    set rule-set rs1 to zone untrust

    set rule-set rs1 rule r1 match source-address 0.0.0.0/0

    set rule-set rs1 rule r1 match destination-address 0.0.0.0/0

    set rule-set rs1 rule r1 then source-nat interface

    https://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf

    Thanks and have a nice day!!



  • 2.  RE: Source nat with interface

    Posted 11-21-2017 16:52

    Why would you want to?  That would mean that only the first host that uses a port will be allowed.  This can cause major traffic issues.



  • 3.  RE: Source nat with interface

    Posted 11-21-2017 19:05

    Thanks for your response.

    Here is the background:

    We are using multicast sparse dense mode. The SRX uses the loopback, if one is available, or the lowest IP on the box to source the REGISTER message.

    Our setup:

    Multicast source----SRX  f1 202.202.202.1/24--------202.202.202.10/24 BROCADE ( RP)---REST OF MULTICAST NETWORK.

    We have no control over the RP and beyond, so the REGISTER message must be sourced from 202.202.202.1 in order for the RP to accept it.

    At any given time only 202.202.202.1 will be used by the PIM REGISTER message as source IP if the destination is 202.202.202.10; all other traffic will pass without NAT.



  • 4.  RE: Source nat with interface

    Posted 11-21-2017 19:18
    Have you tried to configure a pool with the 202.202.202.1 address and use no translation on that? You would also probably want to set the destination for the nat instead of having it nat everything.


  • 5.  RE: Source nat with interface
    Best Answer

    Posted 11-22-2017 00:20

    Can you try the following example?

    set security nat source pool p1 address 1.1.1.1/32 to 1.1.1.1/32
    set security nat source pool p1 port no-translation
    set security nat source rule-set 1 from zone trust
    set security nat source rule-set 1 to zone untrust
    set security nat source rule-set 1 rule mcast-nat match source-address 234.5.6.7/32
    set security nat source rule-set 1 rule mcast-nat then source-nat pool p1