How is this lab going to work if port overloading is off????
* It is supposed that if it is off, the SRX will not be able to differentiate between 2 hosts using the same source port.
I hope that this info also answers some of your other questions.
You need to differentiate between packet-based NAT (what a router typically does) and flow-based NAT (what a firewall does).
In packet-based NAT the router typically looks only at the field it needs to translate, so those fields need to be unique, and therefore without PAT only a single translation is possible.
In flow-based NAT the firewall looks at a bunch of flow information (incoming interface, SA, DA, protocol, SP, DP), and as long as at least one of them is different it can differentiate the flow.
So, for example, 2 sessions from 2 hosts with the same SA and packets to the same destination and port will succeed when at least the source port (SP) is different.
In the unlikely case of also the same source port, one session will not conclude, and a reopening will use the next source-port number and then succeed.
That means that you can have many, many translations without needing PAT when using a firewall.
So in the above lab, if 2 users connect to Facebook, one of them will be denied, correct?
No, both will be allowed. Without port overloading there are 64k possible source NAT translations on a single interface. With port overloading you can have up to 32x64k translations as long as there are different destination addresses.
Source NAT doesn't only change the SRC IP but also (by default) the SRC PORT. So when two local hosts want to connect to the same DST IP & PORT, the firewall will translate them to different SRC PORTs and this way will be able to differentiate them.
126.96.36.199:9999 -> 188.8.131.52:80
184.108.40.206:8888 -> 220.127.116.11:80
18.104.22.168:6666 -> 22.214.171.124:80
126.96.36.199:7777 -> 188.8.131.52:80
With port overloading you can have multiple (up to 32) translations from the same SRC PORT when sessions are destined to different DST IPs.
To expand on what wuddy and alex said, this is a special scenario in which you turn off port overloading.
By default, a single IP address can allow 65,535 ports, with about 64K unassigned ports available for use.
Port overloading is enabled by default on the SRX, which increases this number as follows: this feature can potentially allow the same IP/port combination to be used by the same host when opening multiple sessions concurrently but to different addresses. For example:
session 1 = 10.10.10.10:4444 -> 184.108.40.206:80
session 2 = 10.10.10.10:4444 -> 220.127.116.11:80
session 3 = 10.10.10.10:4444 -> 18.104.22.168:80 <=== This is theoretically possible!
In order to allow external SIP clients to connect to internal SIP phones, the STUN client/server communication requires that the IP/port be the same and consistent. This could break the end-to-end communication with STUN clients. When configuring the any-remote-host persistent NAT type with interface NAT, you have to explicitly disable port overloading.
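To make the two answers above concrete (flows keyed on the full tuple, the 64k-port pool without overloading, and port reuse across different destination addresses with it), here is a small Python model of interface source NAT port allocation. It is an added example written for this thread, not Junos code and not posted by anyone here. The reuse factor of 32 and the rule that a translated port is only shared between sessions to different destination addresses are taken from the posts; the class and function names, the NAT address 203.0.113.1, the interface name and all of the flows are assumptions constructed for the illustration, and the tiny port pools stand in for the real ~64k range so that exhaustion is visible.

```python
"""Toy model of interface-based source NAT on a flow-based firewall, with
and without port overloading.  Added illustration for this thread; not
Junos code and not from any poster.  The per-port reuse factor (32) and
the different-destination rule come from the answers above; the names,
the NAT address 203.0.113.1 and all flows below are assumptions."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """The tuple a flow-based firewall keys a session on."""
    in_if: str
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


Translation = Tuple[str, int]  # (translated source IP, translated source port)


class InterfaceSourceNat:
    """Allocates translated source ports from one egress interface address."""

    def __init__(self, nat_ip: str, port_overloading: bool = True,
                 overload_factor: int = 32,
                 port_range: Tuple[int, int] = (1024, 65535)) -> None:
        self.nat_ip = nat_ip
        self.port_overloading = port_overloading
        self.overload_factor = overload_factor
        self.port_range = port_range
        self.sessions: Dict[Flow, Translation] = {}
        # translated port -> destination addresses currently sharing it
        self.port_users: Dict[int, Set[str]] = {}

    def _port_available(self, port: int, dst: str) -> bool:
        users = self.port_users.get(port)
        if not users:
            return True
        if not self.port_overloading:
            return False  # without overloading a NAT port serves one session
        # With overloading the NAT port may be reused, but only for a different
        # destination address (keeps return traffic unambiguous) and only up to
        # the overload factor.
        return dst not in users and len(users) < self.overload_factor

    def translate(self, flow: Flow) -> Optional[Translation]:
        """Return the (ip, port) the flow is translated to, allocating a port on
        first sight.  Returns None when the pool is exhausted, i.e. the session
        cannot be created."""
        if flow in self.sessions:
            return self.sessions[flow]
        lo, hi = self.port_range
        for port in range(lo, hi + 1):  # first-fit search of the pool
            if self._port_available(port, flow.dst):
                self.port_users.setdefault(port, set()).add(flow.dst)
                self.sessions[flow] = (self.nat_ip, port)
                return self.sessions[flow]
        return None

    def close(self, flow: Flow) -> None:
        """Tear down a session and release its share of the NAT port."""
        _ip, port = self.sessions.pop(flow)
        self.port_users[port].discard(flow.dst)


NAT_IP = "203.0.113.1"  # assumed egress interface address


def tcp(src: str, sport: int, dst: str, dport: int = 80) -> Flow:
    return Flow("ge-0/0/0.0", src, dst, "tcp", sport, dport)


def run_scenarios() -> dict:
    """Replay the situations discussed in the thread and return the outcomes."""
    out = {}

    # 1. Two hosts, same source port, same server, overloading OFF: the flows
    #    differ in SA, so both get a translation (different NAT ports).
    nat = InterfaceSourceNat(NAT_IP, port_overloading=False)
    out["same_sport_two_hosts"] = (
        nat.translate(tcp("10.1.1.10", 9999, "198.51.100.5")),
        nat.translate(tcp("10.1.1.11", 9999, "198.51.100.5")),
    )

    # 2. Exhaustion without overloading: in a four-port pool the fifth
    #    session finds no free port.
    nat = InterfaceSourceNat(NAT_IP, port_overloading=False, port_range=(1024, 1027))
    out["no_overload_fifth"] = [nat.translate(tcp("10.1.1.10", 40000 + i, f"198.51.100.{i}"))
                                for i in range(5)][-1]

    # 3. Same pool, overloading ON: sessions to different destinations share
    #    NAT port 1024, so the fifth succeeds; a session to a destination
    #    already on 1024 must take the next port.
    nat = InterfaceSourceNat(NAT_IP, port_overloading=True, port_range=(1024, 1027))
    out["overload_fifth"] = [nat.translate(tcp("10.1.1.10", 40000 + i, f"198.51.100.{i}"))
                             for i in range(5)][-1]
    out["overload_repeat_dst"] = nat.translate(tcp("10.1.1.20", 50000, "198.51.100.0"))

    # 4. Capacity with overloading is ports x factor given enough distinct
    #    destinations: 4 ports x factor 3 = 12 sessions, the 13th fails.
    nat = InterfaceSourceNat(NAT_IP, overload_factor=3, port_range=(1024, 1027))
    results = [nat.translate(tcp("10.1.1.10", 30000 + i, f"198.51.100.{i % 3}"))
               for i in range(13)]
    out["factor3_capacity"] = sum(r is not None for r in results)
    return out


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The model deliberately keys the overloading decision on the destination address only, as the posts describe; the point it makes is that port overloading multiplies capacity rather than being what lets two hosts with the same source port coexist, which the flow key alone already handles.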
Good explanations. I guess the initial confusion comes from the assumption that "PAT" is the same as "port overloading", which is NOT the case. There is a more extensive discussion in this old thread:
please check your private messages