SRX is to provide static NAT services for a multi-homed SCTP endpoint in the trusted zone. Will SRX translate the IP header address AND the IP addresses embedded in the SCTP header's INIT block?
I could not find a definitive answer anywhere in the documentation.
I have not used this feature, but reading the documentation this seems to say both addresses are translated.
In this example, you configure a GPRS SCTP profile by setting the limit rate parameter and the payload protocol parameter for SCTP inspection. If your policy includes the nat-only option, the payload IP addresses are translated, but they are not inspected.
The SCTP commands can be applied only to the policy configured with an SCTP profile.
If you remove the SCTP profile from the policy, the packets are forwarded without any inspection, and the IP address list in the packet payload will not be translated, even if the related static NAT is configured.
Thanks, I read this part too, but the documentation did not explicitly say SCTP multi-homing with static NAT is supported, because without multi-homing there will be no IP address info embedded in the SCTP header. I guess we just need to try it out.
The overview page does explicitly say ONLY static nat is supported.
SCTP has the following limitations and constraints:
A maximum of eight source IP addresses and eight destination IP addresses are allowed in an SCTP communication.
Only static IP NAT is supported; the interface packets (from one side: client or server) coming in must belong to the same zone.
I just checked the SCTP feature support on SRX. Static NAT for both IP and the payload is supported.
Here is the entire list of feature support for SCTP on SRX:
- IP header
- IP-list in the payload of INIT/INIT-ACK
- max support 64 upper layer protocols
- limit packets rate per association, for different upper layer protocols
I also referred to similar cases reported by some other customers using this. They see this feature to be working as expected. Please ensure the security policy is configured to explicitly use the pre-defined applications "junos-gprs-sctp" and "junos-sctp-any".
I hope this helps.
Juniper TAC - CFTS
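To make concrete what "IP header" versus "IP-list in the payload of INIT/INIT-ACK" means for a multi-homed endpoint, here is an added example (my own, not SRX code or anything from the Juniper documentation). It builds an SCTP INIT chunk that advertises two IPv4 Address parameters (type 5, RFC 4960 3.3.2.1), then applies a static NAT table twice: once rewriting only the IP header, once rewriting the header and the payload address list. All addresses, tags and the NAT table are constructed sample values; the SCTP CRC32c checksum is not recomputed, which a real NAT device must do after touching the payload.

```python
"""Added example: static NAT against an SCTP INIT chunk from a multi-homed host.

Not SRX code. Models (a) NAT that rewrites only the IP header and (b) NAT that
also rewrites the IPv4 Address parameters (type 5) carried in INIT / INIT-ACK.
All addresses, tags and the NAT table are constructed sample values.
"""
import ipaddress
import struct
from typing import Dict, List, Tuple

CHUNK_INIT = 1
CHUNK_INIT_ACK = 2
PARAM_IPV4_ADDRESS = 5          # RFC 4960 section 3.3.2.1
INIT_FIXED_LEN = 16             # initiate tag, a_rwnd, OS, MIS, initial TSN

# Constructed static NAT table: trusted-zone address -> public address.
STATIC_NAT: Dict[str, str] = {
    "10.10.1.5": "203.0.113.5",
    "10.10.2.5": "203.0.113.6",
}

Packet = Tuple[str, str, bytes]  # (src_ip, dst_ip, sctp_chunk) - IP header reduced to addresses


def build_init_chunk(addresses: List[str], chunk_type: int = CHUNK_INIT) -> bytes:
    """Build an INIT or INIT-ACK chunk that advertises the given IPv4 addresses."""
    fixed = struct.pack("!IIHHI", 0x1234ABCD, 106496, 10, 10, 1000)
    params = b"".join(
        struct.pack("!HH4s", PARAM_IPV4_ADDRESS, 8, ipaddress.IPv4Address(a).packed)
        for a in addresses
    )
    length = 4 + len(fixed) + len(params)
    return struct.pack("!BBH", chunk_type, 0, length) + fixed + params


def _iter_params(chunk: bytes):
    """Yield (offset, type, length) for each TLV parameter of an INIT/INIT-ACK chunk."""
    chunk_type, _flags, length = struct.unpack("!BBH", chunk[:4])
    if chunk_type not in (CHUNK_INIT, CHUNK_INIT_ACK):
        return
    off = 4 + INIT_FIXED_LEN
    while off + 4 <= length:
        ptype, plen = struct.unpack("!HH", chunk[off:off + 4])
        if plen < 4:
            break                       # malformed parameter; stop instead of looping
        yield off, ptype, plen
        off += (plen + 3) & ~3          # parameters are padded to a 4-byte boundary


def init_addresses(chunk: bytes) -> List[str]:
    """Return the IPv4 addresses listed in the chunk's parameters (empty for other chunk types)."""
    return [
        str(ipaddress.IPv4Address(chunk[off + 4:off + 8]))
        for off, ptype, plen in _iter_params(chunk)
        if ptype == PARAM_IPV4_ADDRESS and plen == 8
    ]


def translate_init_chunk(chunk: bytes, table: Dict[str, str]) -> bytes:
    """Rewrite IPv4 Address parameters through the static NAT table (CRC32c not recomputed here)."""
    out = bytearray(chunk)
    for off, ptype, plen in _iter_params(chunk):
        if ptype == PARAM_IPV4_ADDRESS and plen == 8:
            addr = str(ipaddress.IPv4Address(bytes(out[off + 4:off + 8])))
            if addr in table:
                out[off + 4:off + 8] = ipaddress.IPv4Address(table[addr]).packed
    return bytes(out)


def static_nat(packet: Packet, table: Dict[str, str], translate_payload: bool) -> Packet:
    """Apply static source NAT; translate_payload=False models header-only NAT."""
    src, dst, chunk = packet
    new_chunk = translate_init_chunk(chunk, table) if translate_payload else chunk
    return (table.get(src, src), dst, new_chunk)


def addresses_peer_would_learn(packet: Packet) -> List[str]:
    """Addresses the remote endpoint will treat as paths: header source plus the INIT list."""
    src, _dst, chunk = packet
    return sorted({src, *init_addresses(chunk)})


if __name__ == "__main__":
    init = build_init_chunk(["10.10.1.5", "10.10.2.5"])
    pkt: Packet = ("10.10.1.5", "198.51.100.9", init)
    print("header-only NAT  :", addresses_peer_would_learn(static_nat(pkt, STATIC_NAT, False)))
    print("header + payload :", addresses_peer_would_learn(static_nat(pkt, STATIC_NAT, True)))
```

With header-only NAT the peer ends up with one reachable path (203.0.113.5) and two unreachable ones (the private addresses copied out of the INIT), so multi-homing failover silently breaks; with the payload list translated as well, the peer learns exactly the two public addresses. That is why the documentation's note that payload addresses are "not translated" once the SCTP profile is removed from the policy matters for a multi-homed endpoint.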
Here is the part I am a little confused about:

srx> show configuration groups junos-defaults | display set | match junos-gprs-sctp
set groups junos-defaults applications application junos-gprs-sctp term t1 alg gprs-sctp
set groups junos-defaults applications application junos-gprs-sctp term t1 protocol 132
set groups junos-defaults applications application junos-gprs-sctp term t1 destination-port 0

srx> show configuration groups junos-defaults | display set | match junos-sctp-any
set groups junos-defaults applications application junos-sctp-any term t1 protocol 132

It seems that junos-gprs-sctp is what I need if SCTP is used by GPRS applications exclusively, so why do I need to permit both applications? It looks to me that junos-sctp-any does not have "alg"; would that mean it won't work with SCTP multi-homing if static NATs are involved?