SRX Services Gateway
Trusted Contributor
Jadmin
Posts: 28
Registered: ‎08-27-2010
Accepted Solution

NAT on packet-based configuration


Hi there! 

 

Is it possible to use an SRX-series device (primarily branch devices (SRX100, SRX210 (220/240))) as a completely stateless (packet-based) router?

The question above arises from our configuration needs:

Our branch device should use MPLS, so it has to be packet-based. But at the same time it should use NAT (static, one-to-one static NAT). As far as I know, MPLS cannot be enabled in flow-based mode. Thus NAT is a stateful process. So there is a kind of dilemma in using the device in either of the modes.


Contributor
pkcpkc
Posts: 89
Registered: ‎11-10-2010

Re: NAT on packet-based configuration

Another thread gives the config to set up MPLS in packet-based mode: http://forums.juniper.net/t5/SRX-Services-Gateway/SRX-Branch-Series-MPLS-Query/m-p/40680

security {
    forwarding-options {
        family {
            mpls {
                mode packet-based;
            }
        }
    }
}

Trusted Contributor
Jadmin
Posts: 28
Registered: ‎08-27-2010

Re: NAT on packet-based configuration

Yes, you're right. We've already done so and we have MPLS working.

Meanwhile we configured static NAT as follows:

 

nat {
    static {
        rule-set rs1 {
            from interface fe-0/0/0.0;
            rule r1 {
                match {
                    destination-address 10.0.1.250/32;
                }
                then {
                    static-nat prefix 192.168.1.2/32;
                }
            }
        }
    }
    proxy-arp {
        interface fe-0/0/0.0 {
            address {
                10.0.1.250/32;
            }
        }
    }
}

That doesn't work. We assume that it requires configuration of some inter-zonal security policies. But since we have the MPLS packet-based option enabled, Junos is unable to commit a configuration with both packet mode and security policies in it. So the question is about the ability to use NAT in stateless (packet-based) mode.
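
An added example, not written by any poster in this thread: a small pre-commit check in Python that parses a Junos curly-brace configuration and reports `nat` or `policies` stanzas that sit alongside `family mpls mode packet-based`, the combination the posts above report as not working or not committing. The sample input is constructed from the fragments quoted in the thread; placing them under one `security` stanza and the function names `parse` and `audit` are assumptions.

```python
import re

# Constructed sample: the two fragments posted in this thread, placed under one
# "security" stanza (that nesting is an assumption; the posts show fragments only).
SAMPLE = """
security {
    forwarding-options { family { mpls { mode packet-based; } } }
    nat {
        static {
            rule-set rs1 {
                from interface fe-0/0/0.0;
                rule r1 {
                    match { destination-address 10.0.1.250/32; }
                    then { static-nat prefix 192.168.1.2/32; }
                }
            }
        }
    }
}
"""

def parse(text):
    """Parse curly-brace Junos config into nested dicts; leaf statements map to None."""
    root = node = {}
    stack, words = [], []
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok == "{":
            stack.append(node)
            node = node.setdefault(" ".join(words), {})
            words = []
        elif tok == "}":
            if not stack:
                raise ValueError("unbalanced '}' in configuration")
            node = stack.pop()
        elif tok == ";":
            node[" ".join(words)] = None
            words = []
        else:
            words.append(tok)
    if stack:
        raise ValueError("missing closing '}' in configuration")
    return root

def audit(text):
    """Return the flow-dependent security stanzas present while MPLS is packet-based."""
    security = parse(text).get("security") or {}
    mpls = security.get("forwarding-options", {}).get("family", {}).get("mpls", {})
    if "mode packet-based" not in mpls:
        return []
    # Stanzas the thread reports as failing or refusing to commit in packet mode.
    return sorted(name for name in ("nat", "policies") if security.get(name))

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A truncated paste, such as a `nat {` block without its final closing brace, raises `ValueError` instead of being audited as if it were complete.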

 

Super Contributor
tbehrens
Posts: 349
Registered: ‎04-30-2010

Re: NAT on packet-based configuration

I am thinking you are right, and NAT requires flow mode. To be sure, I'd raise a case w/ JTAC to ask the question.

Recognized Expert
Visitor
Posts: 121
Registered: ‎08-30-2010

Re: NAT on packet-based configuration

Hi Jadmin,

 

SRX Branch end devices also support selective packet-based forwarding. Please refer to the following app note for more information: http://www.juniper.net/us/en/local/pdf/app-notes/3500192-en.pdf

Trusted Contributor
Jadmin
Posts: 28
Registered: ‎08-27-2010

Re: NAT on packet-based configuration

Thanks for the note. The solution noted is quite interesting, but is not applicable to our case. It seems that with selective packet-based forwarding applied, only interface-based source NAT works. Other types of NAT do not (I tested this in the lab with different configs).

 

Super Contributor
tbehrens
Posts: 349
Registered: ‎04-30-2010

Re: NAT on packet-based configuration


Take a look at  http://www.juniper.net/us/en/local/pdf/app-notes/3500151-en.pdf . It has an accurate flow diagram on page 2. NAT is part of flowd. It's interesting that interface-based source NAT would still work. I wonder where in the flow selective packet-based processing fits, or what it is about interface-based source NAT that makes it work.

 

 

I haven't tried this, but see whether the old packet-based "services nat" still works on SRX. http://www.juniper.net/techpubs/en_US/junos10.2/topics/usage-guidelines/services-configuring-nat-rul... has a writeup on it. This is what you'd use on M-Series and T-Series to do NAT (provided you have an AS-PIC), and it's how "packet-based" J-Series did NAT.

 

 

Trusted Contributor
Jadmin
Posts: 28
Registered: ‎08-27-2010

Re: NAT on packet-based configuration

Well, I guess I might have some misconfiguration. I realised that from the answers of Juniper employees at the tech-cafe event and from reading the app notes. I'm going to run some more tests on lab equipment to see if your advice about selective packet-based mode is applicable.

Contributor
blacksmith
Posts: 21
Registered: ‎04-12-2010

Re: NAT on packet-based configuration

Hi,

 

Do you have an update for this case?

 

Thanks,

Trusted Contributor
Jadmin
Posts: 28
Registered: ‎08-27-2010

Re: NAT on packet-based configuration


Well, yes, kind of. The task is a little bit challenging. We are using selective packet services (see the link by Visitor above). And both NAT and MPLS are working. Since we've only just reached that point, we're going to run some more tests to see if there are any drawbacks to this. =)

 

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.