SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

Multiple static NAT to same prefix

  • 1.  Multiple static NAT to same prefix

    Posted 03-20-2018 03:21

    Hello

    I have a need to have 2 static NATs going to the same server in the same subnet for a few different servers. An example: 192.168.5.10 needs to have static NATs of 172.2.2.10 & 172.2.2.100. See config below.

    There are 3 subnets involved in total:

    172.2.2.0/24
    10.8.9.0/24
    192.168.5.0/24

    There are 6 servers in 10.8.9.0/24 which I need to communicate with, but in a particular way. See below the bi-directional way that should be allowed. In the 192.168.5.X subnet there are about 4 servers I need to have this setup with; I have given 2 examples below and the others will be similar.


    Server A

    172.2.2.10 <-> 10.8.9.10

    172.2.2.10 <-> 10.8.9.11

    172.2.2.10 <-> 10.8.9.13

    172.2.2.10 <-> 10.8.9.14

    172.2.2.100 <-> 10.8.9.100

    172.2.2.100 <-> 10.8.9.101

     

    Server B

    172.2.2.11 <-> 10.8.9.10

    172.2.2.11 <-> 10.8.9.11

    172.2.2.11 <-> 10.8.9.13

    172.2.2.11 <-> 10.8.9.14

     

    172.2.2.101 <-> 10.8.9.100

    172.2.2.101 <-> 10.8.9.101

     

    How can I get it to behave this way? From my understanding, in the current setup below, when 192.168.5.10 goes to communicate with 10.8.9.10 or 10.8.9.100 it will not know which static NAT it should present itself as.

    static {
        rule-set outside_inter {
            from zone outside_inter;
            rule inter1 {
                description Server1_alpha;
                match {
                    destination-address 172.2.2.10/32;
                }
                then {
                    static-nat {
                        prefix {
                            192.168.5.10/32;
                        }
                    }
                }
            }
            rule inter2 {
                description Server1_beta;
                match {
                    destination-address 172.2.2.100/32;
                }
                then {
                    static-nat {
                        prefix {
                            192.168.5.10/32;
                        }
                    }
                }
            }
        }
    }

     


    #NAT
    #SRX


  • 2.  RE: Multiple static NAT to same prefix

    Posted 03-20-2018 12:47

    Static nat is a one-to-one relationship, so this will not work.

    You could configure four destination nat rules that all point to the same pool address, and then the outside traffic to those four addresses will be translated to the single server.  The replies will then keep the same association.

     



  • 3.  RE: Multiple static NAT to same prefix

    Posted 03-21-2018 04:12

    I don't think that's what I want.

     

    For example I have 4 servers on a different interface in the 192.168.5.0/24 subnet. Currently I have a static nat for each server:

     

    192.168.5.10      static nat = 172.2.2.10
    192.168.5.11      static nat = 172.2.2.11
    192.168.5.12      static nat = 172.2.2.12
    192.168.5.13      static nat = 172.2.2.13

     

    This works and the servers access 10.8.9.10, 10.8.9.11, 10.8.9.12, 10.8.9.13 via a static route 10.8.9.0/24 next-hop 172.2.2.1;

     

    I now need in addition: 

     

    192.168.5.10      nat = 172.2.2.100
    192.168.5.11      nat = 172.2.2.101
    192.168.5.12      nat = 172.2.2.102
    192.168.5.13      nat = 172.2.2.103

     

    With these servers / setup communicating to 10.8.9.100, 10.8.9.101, 10.8.9.102, 10.8.9.103.

     

    An example of comms would be:

    If 192.168.5.10 needs to talk to 10.8.9.10 it should present itself as 172.2.2.10

    If 192.168.5.10 needs to talk to 10.8.9.100 it should present itself as 172.2.2.100

     

    With the reverse of:

     

    If 10.8.9.10 needs to talk to 172.2.2.10 it should end up at 192.168.5.10

    If 10.8.9.100 needs to talk to 172.2.2.100 it should end up at 192.168.5.10

     

    I have attached an image which may help.

     

     



  • 4.  RE: Multiple static NAT to same prefix

    Posted 03-22-2018 03:28

    You cannot use static nat for this function.  Static nat is limited to a single ip address to a single ip address mapping. 1-to-1.

     

    You will need to configure source and destination nat for each ip address and add the desired other-side ip address to the rule.  Example for one source.

     

    root@none# show security nat source
    pool 5-10 {
        address {
            172.2.2.10/32;
        }
    }
    rule-set servers {
        from zone AAA;
        to zone BBB;
        rule 1 {
            match {
                source-address 192.168.5.10/32;
                destination-address 192.168.5.0/24;
            }
            then {
                source-nat {
                    pool {
                        5-10;
                    }
                }
            }
        }
    }

     

     



  • 5.  RE: Multiple static NAT to same prefix

    Posted 03-22-2018 03:37

    OK, but with the example you have given, how can I have 172.2.2.100 going to 192.168.5.10 as well? 192.168.5.10 needs to have 2 IPs in the same subnet.



  • 6.  RE: Multiple static NAT to same prefix

    Posted 03-22-2018 03:53

    Would I not need something like the below per 192.168.5.x address?:

     

    pool 5-10A {
        address {
            172.2.2.10/32;
        }
    }
    rule-set servers {
        from zone AAA;
        to zone BBB;
        rule 1 {
            match {
                source-address 192.168.5.10/32;
                destination-address [ 10.8.9.10/32 10.8.9.11/32 10.8.9.12/32 10.8.9.13/32 ];
            }
            then {
                source-nat {
                    pool {
                        5-10A;
                    }
                }
            }
        }
    }
    pool 5-10B {
        address {
            172.2.2.100/32;
        }
    }
    rule-set servers {
        from zone AAA;
        to zone BBB;
        rule 2 {
            match {
                source-address 192.168.5.10/32;
                destination-address [ 10.8.9.100/32 10.8.9.101/32 10.8.9.102/32 10.8.9.103/32 ];
            }
            then {
                source-nat {
                    pool {
                        5-10B;
                    }
                }
            }
        }
    }


  • 7.  RE: Multiple static NAT to same prefix

    Posted 03-22-2018 09:46

    Or would this be a simpler way of doing it?

     

    source {
        pool src-nat-pool-1 {
            address {
                172.2.2.10/32 to 172.2.2.13/32;
            }
            host-address-base 192.168.5.10/32;
        }
        pool src-nat-pool-2 {
            address {
                172.2.2.100/32 to 172.2.2.103/32;
            }
            host-address-base 192.168.5.10/32;
        }
        rule-set rs1 {
            from zone trust;
            to zone untrust;
            rule r1 {
                match {
                    source-address 192.168.5.0/24;
                    destination-address [ 10.8.9.10/32 10.8.9.11/32 10.8.9.12/32 10.8.9.13/32 ];
                }
                then {
                    source-nat {
                        pool {
                            src-nat-pool-1;
                        }
                    }
                }
            }
            rule r2 {
                match {
                    source-address 192.168.5.0/24;
                    destination-address [ 10.8.9.100/32 10.8.9.101/32 10.8.9.102/32 10.8.9.103/32 ];
                }
                then {
                    source-nat {
                        pool {
                            src-nat-pool-2;
                        }
                    }
                }
            }
        }
    }
    proxy-arp {
        interface reth1.0 {
            address {
                172.2.2.10/32 to 172.2.2.13/32;
                172.2.2.100/32 to 172.2.2.103/32;
            }
        }
    }



  • 8.  RE: Multiple static NAT to same prefix

    Posted 03-23-2018 02:29

    Sorry, I'm getting confused on what the rules are that you want to enforce.

     

    If all four addresses are in the pool, your rule will round-robin through the addresses as additional sessions hit the rule.

     

    So you would build your rule set around those parameters.  If you need to specifically control which of the four server addresses are involved then the pool would be 1 address.  If they can rotate then they can be combined.

     

    The match addresses act as an OR within the same list of source or destination.

    Any destination address in the list is ANDed with any source address in the list.

     



  • 9.  RE: Multiple static NAT to same prefix

    Posted 03-23-2018 02:50

    Oh, well that's not what I need. So the below is what I need to implement per server in the 192.168.5.0/24 range?

    On interface reth0.0 I have the 192.168.5.0/24 network; here I have 4 servers that need to speak to another subnet, 10.8.9.0/24, that's connected to reth1.0 on 172.2.2.0/24 via a static route. On reth1.0 I need these 4 servers to have 2 IPs each. One-to-one NAT is in place and works for 1 IP per server, but as I now need 2 IPs this is why I need to change solution. IPs cannot rotate as this traffic is SIP.

     

    Thanks 

     

    pool 5-10A {
        address {
            172.2.2.10/32;
        }
    }
    rule-set servers {
        from zone AAA;
        to zone BBB;
        rule 1 {
            match {
                source-address 192.168.5.10/32;
                destination-address [ 10.8.9.10/32 10.8.9.11/32 10.8.9.12/32 10.8.9.13/32 ];
            }
            then {
                source-nat {
                    pool {
                        5-10A;
                    }
                }
            }
        }
    }
    pool 5-10B {
        address {
            172.2.2.100/32;
        }
    }
    rule-set servers {
        from zone AAA;
        to zone BBB;
        rule 2 {
            match {
                source-address 192.168.5.10/32;
                destination-address [ 10.8.9.100/32 10.8.9.101/32 10.8.9.102/32 10.8.9.103/32 ];
            }
            then {
                source-nat {
                    pool {
                        5-10B;
                    }
                }
            }
        }
    }


  • 10.  RE: Multiple static NAT to same prefix

    Posted 03-23-2018 03:14

    Still not positive I follow but this looks valid to me where address one talks to the first 4 addresses for nat and address 2 will talk to the second four addresses for nat.

     

    Naturally, these rules kick in on the first packet that initiates the connection.  So if the servers initiate traffic from those 4 addresses back to the first nat address a rule set also needs to be in place from zone BBB to zone AAA as well.

     



  • 11.  RE: Multiple static NAT to same prefix

    Posted 03-23-2018 03:29

    The 172.2.2.0/24 & 10.8.9.0/24 subnets are on my supplier's CISCO router; I simply set up one of those IPs on reth1.0. How would I apply this rule going back? Would proxy-arp not work here?



  • 12.  RE: Multiple static NAT to same prefix

    Posted 03-23-2018 03:57

    Do you mean something like this?

     

    destination {
        pool dst-nat-pool-1 {
            address 192.168.5.10/32;
        }
        rule-set rs1 {
            from zone BBB;
            rule r1 {
                match {
                    destination-address 172.2.2.10/32;
                }
                then {
                    destination-nat pool dst-nat-pool-1;
                }
            }
        }
    }


  • 13.  RE: Multiple static NAT to same prefix

    Posted 03-24-2018 03:46

    Sorry for all the confusion.

     

    What I mean is that nat and security policy rules apply in the direction zone to zone of the first packet in the session. Reply traffic is covered by this policy for that session.  Proxy-arp is needed if the nat ip address is in the same subnet as the interface ip address on the SRX.

     

    So the nat and security rules need to be in place from zone AAA to zone BBB if the server in zone AAA sends the first syn packet. 

     

    Or the reverse if the conversation starts with the server in BBB. 

     

    Or both if either can be the first speaker.

     



  • 14.  RE: Multiple static NAT to same prefix

    Posted 03-24-2018 03:49
    Both can be the initial speaker. So what do I need in this case? I'm getting confused about what config to use.


  • 15.  RE: Multiple static NAT to same prefix

    Posted 03-24-2018 03:55

    So you will need nat and security policies in both directions.

     

    What is the ip address mapping you want to see on the conversations at the end of the process?

    This is where I am confused, I am not sure now what transformations you actually want to see happen.

     

    Table 1:  AAA to BBB

    source address(s) > destination address(s)  > which one uses which nat address

     

    Table 2: BBB to AAA

    source address(s) > destination address(s)  > which one uses which nat address

     



  • 16.  RE: Multiple static NAT to same prefix

    Posted 03-26-2018 01:50

    Please see attached image. On my SRX I have 4 servers on reth0 their local interfaces on the server itself are 192.168.5.0/24. On reth1 is where I have the other subnet 172.2.2.0/24 and where all this NAT translation is taking place. There is a static route there to 10.8.9.0/24.

     

    Basically any traffic in black font will only speak to servers with black font in the remote section. Also, traffic in blue font will only speak to servers with blue font in the remote section. NAT translation should be done based on this.

     

    I hope this makes sense.



  • 17.  RE: Multiple static NAT to same prefix

    Posted 03-26-2018 03:11

    Ok, that is more clear to me now.  You will need eight pairs of policy to allow for initiating communications in both directions.  This is a sample pair for the first server, black color.  Source nat from the left to right and destination nat from the right to the left.

     

    root@none# show security nat source
    pool 5-10 {
        address {
            172.2.2.10/32;
        }
    }
    rule-set servers {
        from zone AAA;
        to zone BBB;
        rule 1 {
            match {
                source-address 192.168.5.10/32;
                destination-address [ 10.8.9.10/32 10.8.9.11/32 10.8.9.12/32 10.8.9.13/32 ];
            }
            then {
                source-nat {
                    pool {
                        5-10;
                    }
                }
            }
        }
    }

    [edit security nat destination]
    root@none# show
    pool 5-10 {
        address 192.168.5.10/32;
    }
    rule-set servers {
        from zone BBB;
        rule 1 {
            match {
                source-address [ 10.8.9.10/32 10.8.9.11/32 10.8.9.12/32 10.8.9.13/32 ];
                destination-address 172.2.2.10/32;
            }
            then {
                destination-nat {
                    pool {
                        5-10;
                    }
                }
            }
        }
    }

     



  • 18.  RE: Multiple static NAT to same prefix

    Posted 03-26-2018 03:31

    OK thank I will give it a go and report back. Do I still need to use proxy-arp?



  • 19.  RE: Multiple static NAT to same prefix

    Posted 03-27-2018 02:45

    Proxy arp is required if your nat addresses are in the same subnet as an SRX interface.

     

    If the nat addresses are routed to the SRX and NOT on the interface configuration then proxy arp is not required.

     



  • 20.  RE: Multiple static NAT to same prefix

    Posted 05-02-2018 05:19

    I have made my config live but am seeing some strange behaviour. My system is clustered, so I have node 0 and node 1 with node 0 being the primary (I have checked). For some reason both node 0 and node 1 are being used here.

    Also, as in this example, for some reason the ports have incremented by 1. On my equipment the ports being used, for example, are 10102 & 30824, but the Juniper seems to be translating 10103 & 30825.



  • 21.  RE: Multiple static NAT to same prefix

    Posted 05-02-2018 09:11

    I think this may be related to "port no-translation" missing from my config. As I'm using SIP the media ports need to be correct, and the default behaviour for source NAT seems to be PAT. I will give it a try.



  • 22.  RE: Multiple static NAT to same prefix

    Posted 05-02-2018 14:13

    Yes, it seems likely that PAT is responsible for the port change you are seeing.

     

    As for the sessions you see on node1, this is normal.  You will note they are labeled "backup" while sessions on node 0 are "active".  This is the syncing of the session table being done at all times, so your node1 is ready to take over all the active sessions should node 0 fail.
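The first-packet NAT lookup that replies 17 and 22 describe, modelled in Python as an added example (not Juniper code, and not anything the poster ran): it generalises the sample pair from reply 17 to all eight source/destination NAT pairs, checks that the black/blue separation holds for sessions started from either side, and contrasts a pool with port no-translation against the default PAT behaviour that rewrites the source port. The zone names AAA/BBB and the addresses are the thread's; the random-high-port model of PAT is an assumption.

```python
import random
from dataclasses import dataclass

# Constructed addressing from the thread: four local servers behind reth0,
# each with a "black" and a "blue" NAT address on 172.2.2.0/24, and the
# remote servers on 10.8.9.0/24 that each colour is allowed to talk to.
LOCAL = ["192.168.5.%d" % (10 + i) for i in range(4)]
REMOTE = {"black": ["10.8.9.%d" % (10 + i) for i in range(4)],
          "blue": ["10.8.9.%d" % (100 + i) for i in range(4)]}
NAT = {"black": ["172.2.2.%d" % (10 + i) for i in range(4)],
       "blue": ["172.2.2.%d" % (100 + i) for i in range(4)]}


@dataclass
class SourceRule:          # security nat source rule, from zone AAA to zone BBB
    src: str               # source-address (one local server)
    dsts: list             # destination-address list (one colour of remote servers)
    pool_addr: str         # single-address pool; port no-translation or PAT per pool


@dataclass
class DestRule:            # security nat destination rule, from zone BBB
    srcs: list             # source-address list (one colour of remote servers)
    dst: str               # destination-address (the NAT address on reth1)
    pool_addr: str         # pool address (the real server on reth0)


def build_rules():
    """Generalise reply 17's single pair to all eight source/destination pairs."""
    src_rules, dst_rules = [], []
    for colour in ("black", "blue"):
        for i, local in enumerate(LOCAL):
            src_rules.append(SourceRule(local, REMOTE[colour], NAT[colour][i]))
            dst_rules.append(DestRule(REMOTE[colour], NAT[colour][i], local))
    return src_rules, dst_rules


def first_packet(from_zone, src, sport, dst, dport, rules, port_no_translation=True):
    """Model the SRX lookup on the first packet of a session.

    Returns (src, sport, dst, dport) as seen on the far side after NAT, or None
    when no rule matches (the black/blue separation then drops the flow).
    Rules are checked in order and the first match wins; reply packets reuse
    the session entry and never consult the rule sets again.
    """
    src_rules, dst_rules = rules
    if from_zone == "AAA":                     # server initiates: source NAT
        for r in src_rules:
            if src == r.src and dst in r.dsts:
                # Default pool behaviour is PAT: the source port is replaced by
                # a random high port (assumed model), which breaks SIP media ports.
                new_sport = sport if port_no_translation else random.randint(1024, 65535)
                return (r.pool_addr, new_sport, dst, dport)
    elif from_zone == "BBB":                   # remote initiates: destination NAT
        for r in dst_rules:
            if src in r.srcs and dst == r.dst:
                return (src, sport, r.pool_addr, dport)
    return None
```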

     



  • 23.  RE: Multiple static NAT to same prefix

    Posted 05-02-2018 14:37

    Hmm, I get the below error on commit check:

     

    Ha data plane will be running in active-active mode, source NAT pool (no port translation) contains too few addresses(at least 2 addresses needed), traffic goes to node 1 will be BLOCKED!



  • 24.  RE: Multiple static NAT to same prefix

    Posted 05-02-2018 14:49

    So you may be configured in active/active mode then.  What is the output from

     

    show chassis cluster information

     

    A/A deploys are less typical and generally only recommended in certain circumstances.  Is this an existing setup or a new deploy?

     



  • 25.  RE: Multiple static NAT to same prefix

    Posted 05-03-2018 00:52
    node0:
    --------------------------------------------------------------------------
    Redundancy Group Information:
    
        Redundancy Group 0 , Current State: primary, Weight: 255
    
            Time            From           To             Reason
            Nov  1 14:57:05 hold           secondary      Hold timer expired
            Nov  1 16:17:20 secondary      primary        Remote is in secondary hold
    
        Redundancy Group 1 , Current State: primary, Weight: 255
    
            Time            From           To             Reason
            Nov  1 14:57:05 hold           secondary      Hold timer expired
            Nov  1 15:27:01 secondary      primary        Remote yield (200/0)
    
    Chassis cluster LED information:
        Current LED color: Green
        Last LED change reason: No failures
    
    node1:
    --------------------------------------------------------------------------
    Redundancy Group Information:
    
        Redundancy Group 0 , Current State: secondary, Weight: 255
    
            Time            From           To             Reason
            May 30 21:54:14 hold           secondary      Hold timer expired
            Nov  1 14:51:38 secondary      primary        Only node present
            Nov  1 16:17:20 primary        secondary-hold Manual failover
            Nov  1 16:22:20 secondary-hold secondary      Ready to become secondary
    
        Redundancy Group 1 , Current State: secondary, Weight: -255
    
            Time            From           To             Reason
            Oct 27 10:21:12 primary        secondary-hold Monitor failed: IF
            Oct 27 10:21:13 secondary-hold secondary      Ready to become secondary
            Nov  1 14:51:38 secondary      ineligible     Fabric link down
            Nov  1 14:51:42 ineligible     primary        Only node present
            Nov  1 15:27:01 primary        secondary-hold Monitor failed: IF
            Nov  1 15:27:02 secondary-hold secondary      Ready to become secondary
    
    Chassis cluster LED information:
        Current LED color: Amber
        Last LED change reason: Monitored objects are down
    
    Failure Information:
    
        Interface Monitoring Failure Information:
            Redundancy Group 1, Monitoring status: Failed
              Interface                 Status
              reth3                     Monitor Failed
                ge-7/0/11               Down
              reth2                     Monitor Failed
                ge-7/0/9                Down
    
    {primary:node0}
    


  • 26.  RE: Multiple static NAT to same prefix

    Posted 05-03-2018 03:08

    This is an active/passive cluster configuration.  It appears this is a limitation on clustering that you cannot use no port translation for a single ip address.

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB31275

     



  • 27.  RE: Multiple static NAT to same prefix

    Posted 05-03-2018 03:24

    I have seen this KB. In this instance this LAN is only connected to node0, so if it was to fail over it would work anyway. So am I ok to use this config with this in mind?



  • 28.  RE: Multiple static NAT to same prefix

    Posted 05-04-2018 02:41

    I would interpret that the same way then.   So if it does commit with just a warning it should work.

     



  • 29.  RE: Multiple static NAT to same prefix

    Posted 05-04-2018 14:43

    Your nodes are showing a normal table here.  Note that the sessions on node 1 are marked

    State: backup

    These are simply copies of the sessions sent over to node 1 for use only in the event of a failure on node 0.

    I don't think the SRX is changing ports by one.  That is not how the port translation process works; it moves items to random high ports.