SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Behavior of NAT source pool with no PAT

    Posted 01-20-2019 23:12

    Dear team,

    Today we tested the feature NAT source pool with no PAT. As we understood it, if we have 3 sessions (ssh, telnet, ping), the SRX device will translate them to 3 IPs, but in reality it just NATs them to 1 IP. It seems that NAT with no PAT behaves similarly to address-persistent, right?

    Session ID: 8420, Policy name: trust-to-untrust/4, Timeout: 1718, Valid
    In: 10.10.1.2/59266 --> 172.16.1.2/23;tcp, If: ge-0/0/2.0, Pkts: 11, Bytes: 516
    Out: 172.16.1.2/23 --> 172.16.1.4/59266;tcp, If: ge-0/0/1.0, Pkts: 10, Bytes: 496

    Session ID: 8424, Policy name: trust-to-untrust/4, Timeout: 1730, Valid
    In: 10.10.1.2/59273 --> 172.16.1.2/22;tcp, If: ge-0/0/2.0, Pkts: 12, Bytes: 2025
    Out: 172.16.1.2/22 --> 172.16.1.4/59273;tcp, If: ge-0/0/1.0, Pkts: 10, Bytes: 2477

    Session ID: 8548, Policy name: trust-to-untrust/4, Timeout: 2, Valid
    In: 10.10.1.2/2429 --> 172.16.1.2/1;icmp, If: ge-0/0/2.0, Pkts: 1, Bytes: 60
    Out: 172.16.1.2/1 --> 172.16.1.4/2429;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60

    Thanks,

    ThinhND



  • 2.  RE: Behavior of NAT source pool with no PAT
    Best Answer

    Posted 01-21-2019 00:05

    Hello there,


    @thinhnd wrote:

    It seems that NAT with no PAT behaves similarly to address-persistent, right?


    Correct. And it is spelled out as such in the techdocs:

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/nat-security-source-and-source-pool.html

    The following types of source NAT are supported:
    
    - Translation of the original source IP address to the egress interface’s IP address (also called interface NAT). Port address translation is always performed.
    
    - Translation of the original source IP address to an IP address from a user-defined address pool without port address translation. The association between the original source IP address to the translated source IP address is dynamic. However, once there is an association, the same association is used for the same original source IP address for new traffic that matches the same NAT rule.

    HTH

    Thx

    Alex



  • 3.  RE: Behavior of NAT source pool with no PAT

    Posted 01-21-2019 00:35

    Hi,

    I just did a quick lab test to verify. Yes, this is expected behavior. The command below helps to check the IP mapping.


    > show security nat source paired-address

    root@srx> show security nat source paired-address

    Pool name: TEST
    Internal address     External address
    192.168.10.10        192.168.20.5


    https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/show-security-nat-source-paired-address.html


    With port translation on, there is no output in this table.

    Regards,


    Vikas
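The behaviour discussed in this thread, written out as a small Python model. This is an added example, not Junos code or anything from the Juniper docs: it models a source NAT pool without PAT (first new original source gets a free pool address, and that pairing is reused for every later session from the same source, whatever the protocol or port) and emits the same layout as the paired-address table above. It also parses the flow-session output from the first post (embedded here as a constructed sample copied from that post) to confirm that all three sessions from 10.10.1.2 share one translated address and keep their original ports. The pool name TEST and the addresses are taken from the thread; what happens on pool exhaustion (the model simply returns None) is an assumption of the model, not something the thread states.

```python
"""Model of SRX source NAT from a pool without PAT (constructed example, not Junos code)."""
import re
from dataclasses import dataclass, field


@dataclass
class NoPatSourcePool:
    """One address per original source, allocated dynamically, reused once paired."""
    name: str
    addresses: list
    paired: dict = field(default_factory=dict)  # original source -> translated source

    def translate(self, original_src):
        # Existing pairing wins: same original source always gets the same address.
        if original_src in self.paired:
            return self.paired[original_src]
        used = set(self.paired.values())
        for addr in self.addresses:
            if addr not in used:
                self.paired[original_src] = addr
                return addr
        # Pool exhausted. The model returns None; real device behaviour on
        # exhaustion is not covered by the thread (assumption).
        return None

    def paired_address_table(self):
        # Same layout as 'show security nat source paired-address' in the thread.
        lines = [f"Pool name: {self.name}", "Internal address     External address"]
        for orig, xlat in sorted(self.paired.items()):
            lines.append(f"{orig:<20} {xlat}")
        return "\n".join(lines)


# Constructed sample: the three sessions posted in the first message of the thread.
SAMPLE_SESSIONS = """\
Session ID: 8420, Policy name: trust-to-untrust/4, Timeout: 1718, Valid
In: 10.10.1.2/59266 --> 172.16.1.2/23;tcp, If: ge-0/0/2.0, Pkts: 11, Bytes: 516
Out: 172.16.1.2/23 --> 172.16.1.4/59266;tcp, If: ge-0/0/1.0, Pkts: 10, Bytes: 496

Session ID: 8424, Policy name: trust-to-untrust/4, Timeout: 1730, Valid
In: 10.10.1.2/59273 --> 172.16.1.2/22;tcp, If: ge-0/0/2.0, Pkts: 12, Bytes: 2025
Out: 172.16.1.2/22 --> 172.16.1.4/59273;tcp, If: ge-0/0/1.0, Pkts: 10, Bytes: 2477

Session ID: 8548, Policy name: trust-to-untrust/4, Timeout: 2, Valid
In: 10.10.1.2/2429 --> 172.16.1.2/1;icmp, If: ge-0/0/2.0, Pkts: 1, Bytes: 60
Out: 172.16.1.2/1 --> 172.16.1.4/2429;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60
"""

WING_RE = re.compile(r"^\s*(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+),")


def parse_flow_sessions(text):
    """Pair each In wing with its Out wing.

    The In wing carries the original source address/port; the Out wing's
    destination is the translated source address/port (the reverse direction).
    """
    sessions, current = [], {}
    for line in text.splitlines():
        m = WING_RE.match(line)
        if not m:
            continue
        wing, src, sport, dst, dport, proto = m.groups()
        if wing == "In":
            current = {"orig_src": src, "orig_port": int(sport), "proto": proto}
        else:
            current.update(xlat_src=dst, xlat_port=int(dport))
            sessions.append(current)
            current = {}
    return sessions


def translated_addresses_by_source(sessions):
    """Map original source -> set of translated sources seen; one entry per key means persistent."""
    mapping = {}
    for s in sessions:
        mapping.setdefault(s["orig_src"], set()).add(s["xlat_src"])
    return mapping


def ports_preserved(sessions):
    """True when no session had its source port (or ICMP id) rewritten, i.e. no PAT."""
    return all(s["orig_port"] == s["xlat_port"] for s in sessions)


if __name__ == "__main__":
    pool = NoPatSourcePool("TEST", ["192.168.20.5", "192.168.20.6"])
    for _ in ("ssh", "telnet", "ping"):  # three sessions, one original source
        pool.translate("192.168.10.10")
    print(pool.paired_address_table())
    sessions = parse_flow_sessions(SAMPLE_SESSIONS)
    print(translated_addresses_by_source(sessions), ports_preserved(sessions))
```

Running it prints a single pairing in the paired-address table despite three sessions, and the parsed session table shows 10.10.1.2 mapped only to 172.16.1.4 with every source port unchanged, which is exactly the address-persistent behaviour the thread confirms.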