SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  interface nat 'port-overloading off' - what does it mean?

    Posted 05-06-2011 13:58

    Hi all,

     

    I've read in the documentation that to turn on persistent NAT for interface-based source NAT, we need to configure the following:

     

    set security nat source interface port-overloading off

     

    Does anybody happen to know what is port-overloading, after all?

    I thought it was PAT, but when you configure 'port-overloading off', PAT still works for translations to the interface address (and persistent NAT also seems to work correctly). I also tried to initiate sessions from different ip addresses - everything gets translated to the interface address as usual. So what does this setting do?

     



  • 2.  RE: interface nat 'port-overloading off' - what does it mean?

    Posted 05-06-2011 14:44

    Persistent-nat allows outside devices to initiate connections to internal devices using their post-NAT addresses.  PAT is not supported when using persistent-nat and therefore, if using persistent-nat with interface-based nat, port overloading (i.e. PAT) must be explicitly disabled.  Persistent-nat is a rule-specific option.

     

    This is not the same as 'address-persistent' NAT.  Address-persistent NAT ensures that hosts use the same NAT address for multiple concurrent sessions.  This option is a global setting, turned on under the 'security nat source' context.



  • 3.  RE: interface nat 'port-overloading off' - what does it mean?

    Posted 05-07-2011 01:16

    Hi aweck,

    Can you give me a reference in the doc where it is said that persistent NAT
    is not supported with PAT? Or that port-overloading = PAT? As far as I can see,
    this is not what is really happening on SRX! And that's why I'm asking.

    Here's my config. Outgoing interface ip is 192.168.10.1.

    pk@srx# show security nat source  
    interface {
        port-overloading off;
    }
    rule-set rs1 {
        from zone untrust;
        to zone trust;
        rule 10 {
            match {
                source-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    interface {
                        persistent-nat {
                            permit target-host;
                            inactivity-timeout 180;
                        }
                    }
                }
            }
        }
    }

    I initiate SSH session from 192.168.1.10 to 192.168.10.100.

    Session ID: 33939, Policy name: default-policy/2, Timeout: 1796, Valid
      In: 192.168.1.10/53034 --> 192.168.10.100/22;tcp, If: ge-0/0/8.0, Pkts: 11, Bytes: 1608
      Out: 192.168.10.100/22 --> 192.168.10.1/7051;tcp, If: ge-0/0/9.0, Pkts: 11, Bytes: 2304

    You can see that PAT is happening and S-NAT is done to the interface ip.
    The persistent NAT table is populated with the reflective transport
    address and port (which are address and port after S-NAT):

    pk@srx# run show security nat source persistent-nat-table all                                                          
         Internal                Reflective          Source     Type             Left_time/  Curr_Sess_Num/  Source
     In_IP          In_Port Ref_IP          Ref_Port NAT Pool                    Conf_time   Max_Sess_Num    NAT Rule
    192.168.1.10    53034   192.168.10.1    7051     interface  target-host         -/180      1/30          10       

    And if I connect to 192.168.10.1 port 7051, it creates the session and lets me
    in (D-NATing me to 192.168.1.10).

    So you see: persistent NAT is working. PAT is happening. What is the 'port-overloading off'
    command for?



  • 4.  RE: interface nat 'port-overloading off' - what does it mean?

    Posted 05-07-2011 03:32

    Interesting...

     

    Here is a reference where it says port-overloading is not supported with persistent-nat:

    http://www.juniper.net/techpubs/en_US/junos11.1/information-products/topic-collections/security/software-all/security/topic-42825.html

     

    Port-overloading is another term for PAT, but I could not find this stated explicitly in the NAT section of the Sec. Admin guide.

     

    What version of Junos are you running?  Also, is this a connection that was initiated after the configuration changes were made and any previous sessions had closed or expired?



  • 5.  RE: interface nat 'port-overloading off' - what does it mean?

    Posted 05-07-2011 03:50

    Hi!

     

    Correct, this was initiated after commit, and no other sessions are there.

    From output for persistent-nat-table it is seen that persistent NAT is working,

    and Ref_Port matches one from 'security flow session'.

     

    Junos 10.4R3, SRX240.

     

    Thanks,
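    The cross-check described in posts 3 and 5 (the Ref_IP/Ref_Port in the persistent-nat table must match the post-NAT address on the Out wing of the flow session) can be automated. This is an added example, not from the thread or from Junos; the two CLI outputs are constructed copies of the ones posted above, and the column layout of the persistent-nat table is assumed to be stable.

```python
import re

# Constructed sample outputs, shaped like the ones posted in this thread.
FLOW_SESSION = """\
Session ID: 33939, Policy name: default-policy/2, Timeout: 1796, Valid
  In: 192.168.1.10/53034 --> 192.168.10.100/22;tcp, If: ge-0/0/8.0, Pkts: 11, Bytes: 1608
  Out: 192.168.10.100/22 --> 192.168.10.1/7051;tcp, If: ge-0/0/9.0, Pkts: 11, Bytes: 2304
"""

PNAT_TABLE = """\
     Internal                Reflective          Source     Type             Left_time/  Curr_Sess_Num/  Source
 In_IP          In_Port Ref_IP          Ref_Port NAT Pool                    Conf_time   Max_Sess_Num    NAT Rule
192.168.1.10    53034   192.168.10.1    7051     interface  target-host         -/180      1/30          10
"""

WING = re.compile(r"^\s*(In|Out):\s+(\S+)/(\d+)\s+-->\s+(\S+)/(\d+);(\w+)")
IPV4 = re.compile(r"^\d+\.\d+\.\d+\.\d+$")

def parse_flow_session(text):
    """Return {'in': (src, sport, dst, dport, proto), 'out': (...)} for one session."""
    wings = {}
    for line in text.splitlines():
        m = WING.match(line)
        if m:
            direction, src, sport, dst, dport, proto = m.groups()
            wings[direction.lower()] = (src, int(sport), dst, int(dport), proto)
    return wings

def parse_pnat_table(text):
    """Return the data rows of 'show security nat source persistent-nat-table'."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 8 and IPV4.match(f[0]):  # skip the two header lines
            rows.append({"in_ip": f[0], "in_port": int(f[1]), "ref_ip": f[2],
                         "ref_port": int(f[3]), "pool": f[4], "type": f[5]})
    return rows

def session_binding(wings):
    """Derive (internal ip, port) -> (reflective ip, port) from one outbound session.
    The In wing's source is the internal host; the Out wing is the reverse direction,
    so its destination is the post-NAT (reflective) address and port."""
    src, sport, _, _, _ = wings["in"]
    _, _, ref_ip, ref_port, _ = wings["out"]
    return (src, sport), (ref_ip, ref_port)

def check_persistent_binding(flow_text, pnat_text):
    """True when the persistent-nat entry for the session's internal endpoint
    carries the same reflective ip:port that the flow session was translated to."""
    internal, reflective = session_binding(parse_flow_session(flow_text))
    for row in parse_pnat_table(pnat_text):
        if (row["in_ip"], row["in_port"]) == internal:
            return (row["ref_ip"], row["ref_port"]) == reflective
    return False
```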

     



  • 6.  RE: interface nat 'port-overloading off' - what does it mean?

    Posted 10-06-2011 01:11

    What is port overloading? I think that it doesn't literally equal PAT; per RFC4787, it is about source port collision in NAT.

    I do not have adequate knowledge about Persistent-NAT, but I'll read the documents.

    Actually, I'm confused about how one external interface address can hold more than 64K sessions, so I read some RFCs besides RFC4787 and approached the answer.




  • 7.  RE: interface nat 'port-overloading off' - what does it mean?
    Best Answer

    Posted 10-06-2011 11:26

    Hi

    Let me explain my current understanding of this topic. For example, we have
    the following network

    10.1.1.1 (private host) -------- SRX external ip = 1.1.1.1 -------- inet

    Let's assume 10.1.1.1 initiates sessions to 2.2.2.2 and 3.3.3.3 on the internet, using
    source port 1111 and destination port 9999.

    When these requests are translated (interface-based nat on SRX), they can be,
    in principle, translated to the same address and port 1.1.1.1:5555 (5555 is
    just an example number). These sessions (their traffic) can still be distinguished,
    because the destination addresses are different:

    session 1 = 1.1.1.1:5555 -> 2.2.2.2:9999
    session 2 = 1.1.1.1:5555 -> 3.3.3.3:9999

    From my understanding, this is called port overloading (5555 is used for both sessions!).
    Obviously, in the general case this allows for more than 64K sessions to be translated
    to the interface ip.

    Also, it is clear that persistent NAT (incoming connections to external ip/port from
    any other host - in case of any-remote-host at least) will not work correctly with port
    overloading understood in that way. So you have to turn it off.

    So, PAT = address overloading. It is not the same as port-overloading.
    Port overloading is using 1 source port for more than 1 session. For persistent
    NAT from the interface ip, you have to turn off port-overloading, not PAT (PAT can't
    be turned off in this case).

    This is just my understanding of the question. I was unable to find a clear
    explanation in the doc.
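    A toy model of the session table described in this answer, added here as an illustration and not code from the thread or from Junos: with port overloading on, an external port is reused whenever the post-NAT 5-tuple still differs, so an unsolicited packet to 1.1.1.1:5555 from some other remote host can map to more than one internal endpoint; with it off, each external port belongs to exactly one internal endpoint and the reflective address/port is unambiguous. The port range, the external address constant and the third internal host (10.1.1.2:2222 to 4.4.4.4) are constructed assumptions.

```python
EXT_IP = "1.1.1.1"   # SRX interface address from the example network above (assumed constant)

class InterfaceSourceNat:
    """Constructed model of interface-based source NAT with port-overloading on/off."""

    def __init__(self, port_overloading, ports=range(5555, 5560)):
        self.port_overloading = port_overloading
        self.ports = list(ports)
        # session table: (internal ip, internal port, dst ip, dst port) -> external port
        self.sessions = {}

    def outbound(self, src, sport, dst, dport):
        """Translate a new outbound session and return its post-NAT (ip, port)."""
        for p in self.ports:
            in_use = [k for k, v in self.sessions.items() if v == p]
            if not in_use:
                break  # a completely free external port is always usable
            # Port overloading: reuse the external port as long as the post-NAT
            # 5-tuple (EXT_IP, p, dst, dport) does not collide with an existing session.
            if self.port_overloading and all((k[2], k[3]) != (dst, dport) for k in in_use):
                break
        else:
            raise RuntimeError("external port pool exhausted")
        self.sessions[(src, sport, dst, dport)] = p
        return EXT_IP, p

    def inbound_targets(self, ext_port):
        """Internal endpoints an unsolicited packet to EXT_IP:ext_port could belong to.
        Persistent NAT with any-remote-host needs exactly one candidate; more than one
        means the reflective address/port is ambiguous and cannot be mapped back."""
        return {(k[0], k[1]) for k, v in self.sessions.items() if v == ext_port}

def demo(port_overloading):
    """Replay the answer's two sessions plus one constructed extra host; return the
    external ports assigned and the candidates for an inbound packet to port 5555."""
    nat = InterfaceSourceNat(port_overloading)
    ports = [nat.outbound("10.1.1.1", 1111, "2.2.2.2", 9999)[1],
             nat.outbound("10.1.1.1", 1111, "3.3.3.3", 9999)[1],
             nat.outbound("10.1.1.2", 2222, "4.4.4.4", 9999)[1]]  # constructed
    return ports, nat.inbound_targets(5555)
```

    With overloading on, demo(True) assigns 5555 to all three sessions and reports two candidate internal endpoints for port 5555; demo(False) hands out 5555, 5556 and 5557 and leaves exactly one.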



  • 8.  RE: interface nat 'port-overloading off' - what does it mean?

    Posted 11-02-2011 21:37

    Helpful!!!



  • 9.  RE: interface nat 'port-overloading off' - what does it mean?

    Posted 06-25-2015 18:34

    Hello all, I need that when a private IP opens a UDP session from 192.168.1.1:9000 to some public address like 2.2.2.2:4444, the external interface takes the same port "9000" in this case to NAT it. Is this feature maybe disabling port address translation, right? How do I do this?



  • 10.  RE: interface nat 'port-overloading off' - what does it mean?

    Posted 11-11-2016 14:23

    Pk, I'm happy that I have found your post. Great explanation! Thank you!