SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Max-session-number for persistent NAT

    Posted 08-19-2013 05:58

    Hello,

    According to Juniper documentation the max-session-number in persistent NAT is defined as "Maximum number of sessions with which a persistent NAT binding can be associated. The default is 30 sessions."

    http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-swconfig-security/persistent-nat-config-overview-section.html

    This is confusing me a little - I thought each NAT binding was representative of ONE session. What does it mean by 'session' in this case?

    I have included an extract from a persistent-nat table if it helps.

    Persistent NAT Bindings on FPC7 PIC0:
         Internal                        Reflective                  Source     Type             Left_time/  Curr_Sess_Num/  Source
     In_IP          In_Port I_Proto Ref_IP          Ref_Port R_Proto NAT Pool                    Conf_time   Max_Sess_Num    NAT Rule
    10.1.10.208     2826    tcp    172.16.16.1     43118     tcp      RULE_A_pool any-remote-host 6950/7200   0/30      RULE_A
    10.1.10.203     4377    tcp    172.16.16.1     55165     tcp      RULE_A_pool any-remote-host 4948/7200   0/30      RULE_A
    10.1.10.208     2693    tcp    172.16.16.1     60408     tcp      RULE_A_pool any-remote-host 6766/7200   0/30      RULE_A
    10.1.18.91      2200    tcp    172.16.16.1     40528     tcp      RULE_A_pool any-remote-host 5970/7200   0/30        RULE_A
    10.68.4.188     1385    tcp    172.16.16.1     51026     tcp      RULE_A_pool any-remote-host    -/7200   1/30        RULE_A
    10.1.10.208     2459    tcp    172.16.16.1     52858     tcp      RULE_A_pool any-remote-host 6336/7200   0/30      RULE_A
    10.1.10.208     1735    tcp    172.16.16.1     49979     tcp      RULE_A_pool any-remote-host 4982/7200   0/30      RULE_A
    10.74.4.254     1164    tcp    172.16.16.1     48889     tcp      RULE_A_pool any-remote-host    -/7200   1/30        RULE_A
    10.74.4.254     1165    tcp    172.16.16.1     32845     tcp      RULE_A_pool any-remote-host    -/7200   1/30        RULE_A
    10.120.4.189    3767    tcp    172.16.16.1     57819     tcp      RULE_A_pool any-remote-host    -/7200   1/30        RULE_A
    10.120.4.189    3768    tcp    172.16.16.1     46075     tcp      RULE_A_pool any-remote-host    -/7200   1/30        RULE_A
    10.136.4.198    1296    tcp    172.16.16.1     61465     tcp      RULE_A_pool any-remote-host    -/7200   1/30        RULE_A
    10.68.4.228     1268    tcp    172.16.16.1     57425     tcp      RULE_A_pool any-remote-host    -/7200   1/30        RULE_A

    Kind Regards,

    Alshan


  • 2.  RE: Max-session-number for persistent NAT
    Best Answer

    Posted 08-19-2013 06:29

    Hello,

    @Alshan wrote:

    This is confusing me a little - I thought each NAT binding was representative of ONE session.

    This is not entirely true in the case of peer-to-peer traffic (BitTorrent, for instance), where many sessions can be originated by an internal end host using the same private.src.IP+src.port combo towards many external peers with varying dst.IP+dst.port.

    Consequently, these sessions can reuse the same Xlated.public.src.IP+xlated.port combo on SRX.

    The relationship between private.src.IP+src.port<->public.xlated.src.IP+xlated.port is called "binding" or "mapping" depending on which RFC you read.
    The maximum number of sessions which can be allowed through any single persistent NAT binding is configured using the "max-session-number" knob.

    HTH

    Thanks
    Alex


  • 3.  RE: Max-session-number for persistent NAT

    Posted 08-19-2013 15:26

    Hi Alex,

    Thanks for your reply. If I understand correctly, this is different to port-overload (which you can't use with persistent NAT), because it is the initiating host that is selecting the same source port multiple times?

    Regards,

    Alshan



  • 4.  RE: Max-session-number for persistent NAT

    Posted 08-19-2013 23:48

    Correct.

    A P2P (e.g. BitTorrent) end host uses a single/same source port for communicating with multiple remote peers.

    HTH

    Thanks

    Alex
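
    A worked model of the binding accounting Alex describes in replies 2 and 4, added here as an example and not Juniper code: it parses rows in the layout of the extract in the question, flags bindings that have reached their Max_Sess_Num, and simulates one any-remote-host binding admitting sessions to distinct remote peers until max-session-number is hit. The class and function names are the example's own, and it assumes a session beyond the limit is refused on that binding.

```python
import re
from collections import defaultdict

DEFAULT_MAX_SESSIONS = 30  # Junos default for max-session-number

# Three rows copied from the extract in the question, with its title and header lines.
SAMPLE_TABLE = """\
Persistent NAT Bindings on FPC7 PIC0:
 In_IP          In_Port I_Proto Ref_IP          Ref_Port R_Proto NAT Pool                    Conf_time   Max_Sess_Num    NAT Rule
10.1.10.208     2826    tcp    172.16.16.1     43118     tcp      RULE_A_pool any-remote-host 6950/7200   0/30      RULE_A
10.68.4.188     1385    tcp    172.16.16.1     51026     tcp      RULE_A_pool any-remote-host    -/7200   1/30        RULE_A
10.74.4.254     1164    tcp    172.16.16.1     48889     tcp      RULE_A_pool any-remote-host    -/7200   1/30        RULE_A
"""

ROW_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\w+)\s+(\S+)\s+(\d+)\s+(\w+)\s+(\S+)\s+(\S+)"
                    r"\s+(\S+)/(\d+)\s+(\d+)/(\d+)\s+(\S+)\s*$")

def parse_bindings(text):
    """Parse 'show security nat source persistent-nat-table' rows into dicts."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # the title and header lines do not match the row pattern
        f = m.groups()
        rows.append({"in_ip": f[0], "in_port": int(f[1]), "proto": f[2],
                     "ref_ip": f[3], "ref_port": int(f[4]), "pool": f[6], "type": f[7],
                     # In the extract, Left_time is '-' while a session is still
                     # open on the binding and counts down once Curr_Sess_Num is 0.
                     "left": None if f[8] == "-" else int(f[8]), "conf": int(f[9]),
                     "curr": int(f[10]), "max": int(f[11]), "rule": f[12]})
    return rows

def saturated_bindings(rows, fraction=1.0):
    """Bindings whose session count has reached `fraction` of Max_Sess_Num."""
    return [r for r in rows if r["curr"] >= fraction * r["max"]]

class PersistentNatTable:
    """Session accounting for any-remote-host bindings keyed on internal IP+port+proto."""
    def __init__(self, max_sessions=DEFAULT_MAX_SESSIONS):
        self.max_sessions = max_sessions
        self.sessions = defaultdict(set)  # binding key -> set of (dst_ip, dst_port)

    def open_session(self, in_ip, in_port, proto, dst_ip, dst_port):
        """True if the flow rides the binding; False when it already holds
        max-session-number distinct sessions (assumed: the new session is refused)."""
        key, flow = (in_ip, in_port, proto), (dst_ip, dst_port)
        if flow in self.sessions[key]:
            return True  # same 5-tuple: this session already exists on the binding
        if len(self.sessions[key]) >= self.max_sessions:
            return False
        self.sessions[key].add(flow)
        return True

    def curr_sess_num(self, in_ip, in_port, proto):
        return len(self.sessions[(in_ip, in_port, proto)])
```

    Run over real output, `saturated_bindings(rows, 0.8)` is a quick way to spot internal hosts (typically P2P clients) whose single source port is about to be refused new peers.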



  • 5.  RE: Max-session-number for persistent NAT

    Posted 08-20-2013 01:51

    Hi Alex,

    Thanks for your help again. Accepted as solution + Kudos 🙂

    Regards,

    Alshan.