SRX


SCTP multi-home support with static NAT

  • 1.  SCTP multi-home support with static NAT

    Posted 02-06-2019 14:00

    Hi, all,

     

    If SRX is to provide static NAT services for a multi-homed SCTP endpoint in the trusted zone, will SRX translate the IP header address AND the IP addresses embedded in the SCTP header's INIT block?

    I could not find a definitive answer anywhere in the documentation.


    Thanks,



  • 2.  RE: SCTP multi-home support with static NAT

     
    Posted 02-06-2019 16:37

    I have not used this feature, but reading the documentation, it seems to say both addresses are translated.

    In this example, you configure a GPRS SCTP profile by setting the limit rate parameter and the payload protocol parameter for SCTP inspection. If your policy includes the nat-only option, the payload IP addresses are translated, but they are not inspected.

    Note

    The SCTP commands can be applied only to the policy configured with an SCTP profile.

    If you remove the SCTP profile from the policy, the packets are forwarded without any inspection, and the IP address list in the packet payload will not be translated, even if the related static NAT is configured.

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-gprs-sctp-configuration.html

     



  • 3.  RE: SCTP multi-home support with static NAT

    Posted 02-06-2019 16:58

    Thanks, I read this part too, but the documentation did not explicitly say SCTP multi-homing with static NATs is supported, because without multi-homing there will be no IP address info embedded in the SCTP header. I guess we just need to try it out.



  • 4.  RE: SCTP multi-home support with static NAT

     
    Posted 02-06-2019 17:06

    The overview page does explicitly say ONLY static NAT is supported.

    SCTP has the following limitations and constraints:

    • IP Addresses

      • A maximum of eight source IP addresses and eight destination IP addresses are allowed in an SCTP communication.

      • Only static IP NAT is supported; the interface packets (from one side: client or server) coming in must belong to the same zone.

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-gprs-sctp.html

     



  • 5.  RE: SCTP multi-home support with static NAT
    Best Answer

     
    Posted 02-06-2019 21:10

    Hello

    I just checked the SCTP feature support on SRX. Static NAT for both IP and the payload is supported.

    Here is the entire list of feature support for SCTP on SRX:

     

    •   Policy based SCTP inspection
    •   Packet sanity check
    •   Stateful inspection
    •   Static NAT:
        - IP header
        - IP-list in the payload of INIT/INIT-ACK
    •   IPv6 and NAT-PT
    •   Multi-chunk inspection
    •   SCTP over IPsec
    •   HA and ISSU
    •   Protocol blocking:
        - max support 64 upper layer protocols
    •   Rate limiting:
        - limit packet rate per association, for different upper layer protocols

    I also referred to similar cases reported by some other customers using this. They see this feature working as expected. Please ensure the security policy is configured to explicitly use the pre-defined applications "junos-gprs-sctp" and "junos-sctp-any".

     

    I hope this helps.

    Regards,

    Vikas

    Juniper TAC - CFTS
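To make concrete the two places the question and the best answer are talking about (the address in the IP header versus the IPv4 Address Parameters a multi-homed endpoint advertises inside its INIT chunk), here is an added Python example. It is not Juniper code and not part of this thread; it models what an SCTP-aware static NAT has to do, using a constructed INIT packet from a two-homed host in the trust zone. `static_nat` applies a 1:1 map to the IP header and to the INIT address list and recomputes both the IP checksum and the SCTP CRC-32c; with `translate_payload=False` it shows what a NAT without SCTP payload handling leaves behind. The addresses, ports, chunk field values and the little-endian placement of the CRC-32c are assumptions of the example.

```python
import struct
import ipaddress

SCTP_PROTO = 132
INIT_CHUNK, INIT_ACK_CHUNK = 1, 2
IPV4_ADDRESS_PARAM = 5          # RFC 4960 section 3.3.2.1 parameter type

# Constructed sample values (not from the thread): a two-homed host in trust, its static map, a peer.
INSIDE_ADDRS = ["10.0.0.1", "10.0.1.1"]
NAT_MAP = {"10.0.0.1": "203.0.113.1", "10.0.1.1": "203.0.113.2"}
PEER_ADDR = "198.51.100.10"

def crc32c(data: bytes) -> int:
    """Bitwise CRC-32c (Castagnoli), the checksum SCTP carries in its common header."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x82F63B78 if crc & 1 else crc >> 1
    return crc ^ 0xFFFFFFFF

def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; yields 0 when run over a header whose checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def set_sctp_checksum(sctp: bytes) -> bytes:
    """Recompute the CRC-32c with the checksum field zeroed and store it (little-endian placement
    is an assumption here; it matches what the Linux SCTP stack writes)."""
    zeroed = sctp[:8] + b"\0\0\0\0" + sctp[12:]
    return zeroed[:8] + struct.pack("<I", crc32c(zeroed)) + zeroed[12:]

def build_sample_packet() -> bytes:
    """IPv4 header + SCTP common header + INIT chunk advertising both inside addresses."""
    params = b"".join(struct.pack("!HH4s", IPV4_ADDRESS_PARAM, 8, ipaddress.IPv4Address(a).packed)
                      for a in INSIDE_ADDRS)
    # INIT fixed part: initiate tag, a_rwnd, outbound streams, inbound streams, initial TSN
    body = struct.pack("!IIHHI", 0x1122AABB, 65535, 10, 10, 1000) + params
    chunk = struct.pack("!BBH", INIT_CHUNK, 0, 4 + len(body)) + body
    sctp = set_sctp_checksum(struct.pack("!HHII", 3868, 3868, 0, 0) + chunk)  # vtag is 0 in INIT
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(sctp), 0, 0x4000, 64, SCTP_PROTO, 0,
                     ipaddress.IPv4Address(INSIDE_ADDRS[0]).packed, ipaddress.IPv4Address(PEER_ADDR).packed)
    return ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:] + sctp

def split_packet(packet: bytes):
    ihl = (packet[0] & 0x0F) * 4
    return packet[:ihl], packet[ihl:]

def ip_addresses(packet: bytes):
    ip, _ = split_packet(packet)
    return str(ipaddress.IPv4Address(ip[12:16])), str(ipaddress.IPv4Address(ip[16:20]))

def iter_init_params(sctp: bytes):
    """Yield (offset, type, value) for each TLV parameter of the first INIT/INIT-ACK chunk."""
    ctype, _flags, clen = struct.unpack("!BBH", sctp[12:16])
    if ctype not in (INIT_CHUNK, INIT_ACK_CHUNK):
        raise ValueError("first chunk is not INIT/INIT-ACK")
    offset, end = 12 + 4 + 16, 12 + clen        # skip common header, chunk header, fixed INIT fields
    while offset + 4 <= end:
        ptype, plen = struct.unpack("!HH", sctp[offset:offset + 4])
        yield offset, ptype, sctp[offset + 4:offset + plen]
        offset += (plen + 3) & ~3                # parameters are padded to 4-byte boundaries

def init_addresses(packet: bytes):
    """The extra addresses a multi-homed endpoint advertises inside the INIT payload."""
    _, sctp = split_packet(packet)
    return [str(ipaddress.IPv4Address(v)) for _, t, v in iter_init_params(sctp) if t == IPV4_ADDRESS_PARAM]

def static_nat(packet: bytes, mapping: dict, translate_payload: bool = True) -> bytes:
    """Apply a static 1:1 map to the IP header and, when translate_payload is set, to the INIT
    address list. translate_payload=False models a NAT with no SCTP payload handling: the header
    changes but the chunk still advertises inside addresses the peer cannot reach."""
    ip, sctp = (bytearray(part) for part in split_packet(packet))
    for field in (12, 16):                       # source and destination address fields
        old = str(ipaddress.IPv4Address(bytes(ip[field:field + 4])))
        if old in mapping:
            ip[field:field + 4] = ipaddress.IPv4Address(mapping[old]).packed
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip[:10]) + b"\0\0" + bytes(ip[12:])))
    if translate_payload:
        for offset, ptype, value in list(iter_init_params(bytes(sctp))):
            if ptype == IPV4_ADDRESS_PARAM and str(ipaddress.IPv4Address(value)) in mapping:
                new = mapping[str(ipaddress.IPv4Address(value))]
                sctp[offset + 4:offset + 8] = ipaddress.IPv4Address(new).packed
    return bytes(ip) + set_sctp_checksum(bytes(sctp))

def checksums_ok(packet: bytes) -> bool:
    ip, sctp = split_packet(packet)
    return ip_checksum(ip) == 0 and set_sctp_checksum(sctp) == sctp

if __name__ == "__main__":
    pkt = build_sample_packet()
    for label, p in (("original", pkt), ("full static NAT", static_nat(pkt, NAT_MAP)),
                     ("header-only NAT", static_nat(pkt, NAT_MAP, translate_payload=False))):
        print(f"{label:16s} ip={ip_addresses(p)} init={init_addresses(p)} checksums_ok={checksums_ok(p)}")
```

Run stand-alone it prints the three cases. The header-only case is the one the thread worries about: the peer receives an INIT whose header says 203.0.113.1 but whose address list still names 10.0.0.1 and 10.0.1.1, so any path failover would go to addresses it cannot reach. The example only handles the inside-to-outside INIT; a firewall doing this for real also has to translate the INIT-ACK address list coming back and reverse the mapping on the return path, and in both directions it must recompute the CRC-32c, because the SCTP checksum covers the whole packet including the rewritten parameters.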



  • 6.  RE: SCTP multi-home support with static NAT

    Posted 02-07-2019 15:18

    Here is the part I am a little confused about:

    srx> show configuration groups junos-defaults | display set | match junos-gprs-sctp
    set groups junos-defaults applications application junos-gprs-sctp term t1 alg gprs-sctp
    set groups junos-defaults applications application junos-gprs-sctp term t1 protocol 132
    set groups junos-defaults applications application junos-gprs-sctp term t1 destination-port 0

    srx> show configuration groups junos-defaults | display set | match junos-sctp-any
    set groups junos-defaults applications application junos-sctp-any term t1 protocol 132

     

    It seems that junos-gprs-sctp is what I need if SCTP is used by GPRS applications exclusively, so why do I need to permit both applications? It looks to me that junos-sctp-any does not have an "alg"; would that mean it won't work with SCTP multi-homing if static NATs are involved?