SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  NAT on packet-based configuration

    Posted 11-10-2010 03:14

    Hi there! 

     

    Is it possible to use SRX-series device(primarily branch devices(SRX100,SRX210(220/240))) as completely stateless(packet-based) router? 

    The question above is stated upon our configuration needs: 

    Our branch device should use MPLS, so it has to be packet-based. But at the same time it should use NAT (static, one-to-one static NAT). As far as I know, MPLS cannot be enabled in flow-based mode, and NAT is a stateful process. So there is a kind of dilemma of using a device in either of the modes. 


    #packet-based
    #NAT
    #selective.packetmode


  • 2.  RE: NAT on packet-based configuration

    Posted 11-10-2010 08:13
    Another thread gives the config to set up MPLS in packet-based mode: http://forums.juniper.net/t5/SRX-Services-Gateway/SRX-Branch-Series-MPLS-Query/m-p/40680

    security {
        forwarding-options {
            family {
                mpls {
                    mode packet-based;
                }
            }
        }
    }


  • 3.  RE: NAT on packet-based configuration

    Posted 11-11-2010 00:22

    Yes, you're right. We've already done so and we have MPLS working.

    Meanwhile we configured static nat as follows: 

     

    nat {
        static {
            rule-set rs1 {
                from interface fe-0/0/0.0;
                rule r1 {
                    match {
                        destination-address 10.0.1.250/32;
                    }
                    then {
                        static-nat prefix 192.168.1.2/32;
                    }
                }
            }
        }
        proxy-arp {
            interface fe-0/0/0.0 {
                address {
                    10.0.1.250/32;
                }
            }
        }
    }

    That doesn't work. We assume that it requires configuration of some inter-zone security policies. But since we have the MPLS packet-based option enabled, Junos is unable to commit a configuration with both packet mode and security policies in it. So the question is about the ability to use NAT in stateless (packet-based) mode.
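    As an added example (not the poster's configuration, and not something the thread itself shows working), here is what a static NAT rule needs around it in the default flow mode: zones, an address-book entry for the real host, and an inter-zone policy. The addresses and fe-0/0/0.0 follow the post above; the LAN interface fe-0/0/1.0 and the zone names are assumptions. This is the flow-mode picture only; with `security forwarding-options family mpls mode packet-based` set, the `policies` stanza is exactly the part that will not commit.

```junos
/* Added example, not from the thread: the pieces a static NAT rule needs
   in flow mode. fe-0/0/1.0 and the zone names are assumptions. */
security {
    zones {
        security-zone untrust {
            interfaces {
                fe-0/0/0.0;
            }
        }
        security-zone trust {
            address-book {
                /* the real host address, i.e. the static-nat prefix */
                address server-real 192.168.1.2/32;
            }
            interfaces {
                fe-0/0/1.0;
            }
        }
    }
    nat {
        static {
            rule-set rs1 {
                from zone untrust;
                rule r1 {
                    match {
                        destination-address 10.0.1.250/32;
                    }
                    then {
                        static-nat prefix 192.168.1.2/32;
                    }
                }
            }
        }
        proxy-arp {
            /* answer ARP for the NAT address on the outside interface */
            interface fe-0/0/0.0 {
                address {
                    10.0.1.250/32;
                }
            }
        }
    }
    policies {
        /* static NAT is applied before policy lookup, so the policy has to
           match the translated (real) address, not 10.0.1.250 */
        from-zone untrust to-zone trust {
            policy to-server {
                match {
                    source-address any;
                    destination-address server-real;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

    A common mistake is to write the policy against the public address: the destination is already rewritten to 192.168.1.2 when the policy lookup happens, so such a policy never matches and the session is dropped. `show security nat static rule all` shows the rule's hit counter and `show security flow session` shows whether a session was actually created.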

     



  • 4.  RE: NAT on packet-based configuration

    Posted 11-11-2010 07:52

    I am thinking you are right, and NAT requires flow mode. To be sure, I'd raise a case w/ JTAC to ask the question.



  • 5.  RE: NAT on packet-based configuration
    Best Answer

    Posted 11-12-2010 14:51

    Hi Jadmin,

     

    SRX branch devices also support selective packet-based forwarding. Please refer to the following app note for more information: http://www.juniper.net/us/en/local/pdf/app-notes/3500192-en.pdf
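    As an added example of the selective approach (my own illustration, not code from the app note or from anyone in the thread), the device is left in its default flow mode, so NAT and security policies still commit, and only traffic that a firewall filter tags with the `packet-mode` action bypasses flowd. The interface names, addresses and the remote site prefix 192.168.2.0/24 are assumptions; the static NAT and policies for the flow-based traffic are configured as in any flow-mode setup and are not repeated here. I have not tested this on the branch platforms named in the thread.

```junos
/* Added example, not from the thread or the app note: selective stateless
   packet-based services. No "security forwarding-options family mpls mode
   packet-based" statement is set; the box stays in flow mode and the
   packet-mode filter action decides per packet. Interfaces, addresses and
   192.168.2.0/24 are assumptions. */
interfaces {
    fe-0/0/0 {
        /* core-facing interface carrying MPLS */
        unit 0 {
            family inet {
                address 10.0.1.1/24;
            }
            family mpls {
                filter {
                    input bypass-flowd-mpls;
                }
            }
        }
    }
    fe-0/0/1 {
        /* LAN interface */
        unit 0 {
            family inet {
                filter {
                    input selective-lan;
                }
                address 192.168.1.1/24;
            }
        }
    }
}
firewall {
    family inet {
        filter selective-lan {
            /* LAN -> remote MPLS site: forwarded stateless, never sees flowd */
            term to-remote-site {
                from {
                    destination-address {
                        192.168.2.0/24;
                    }
                }
                then {
                    packet-mode;
                    accept;
                }
            }
            /* everything else stays flow-based: static NAT and policies apply */
            term default {
                then accept;
            }
        }
    }
    family mpls {
        /* labelled packets arriving from the core are stateless too; the
           return direction must bypass flowd as well, since flowd holds no
           session for traffic that left in packet mode */
        filter bypass-flowd-mpls {
            term all {
                then {
                    packet-mode;
                    accept;
                }
            }
        }
    }
}
security {
    zones {
        security-zone untrust {
            /* routing-protocol packets destined to the RE still traverse
               flow, so the zone has to admit them */
            host-inbound-traffic {
                protocols {
                    ospf;
                    ldp;
                }
            }
            interfaces {
                fe-0/0/0.0;
            }
        }
        security-zone trust {
            interfaces {
                fe-0/0/1.0;
            }
        }
    }
}
```

    The check that matters is symmetry: both directions of a given conversation must be classified the same way, either both packet-mode or both flow. After a test transfer, `show security flow session` should list sessions only for the flow-based traffic (for example the static-NAT host), and none for the MPLS site traffic.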



  • 6.  RE: NAT on packet-based configuration

    Posted 11-15-2010 23:35

    Thanks for the note. The solution described is quite interesting, but it is not applicable to our case. It seems that with selective packet-based forwarding applied, only interface-based source NAT works. Other types of NAT do not (I tested this in the lab with different configs). 

     



  • 7.  RE: NAT on packet-based configuration

    Posted 11-16-2010 03:53

    Take a look at  http://www.juniper.net/us/en/local/pdf/app-notes/3500151-en.pdf . It has an accurate flow diagram on page 2. NAT is part of flowd. It's interesting that interface-based source NAT would still work. I wonder where in the flow selective packet-based processing fits, or what it is about interface-based source NAT that makes it work.

     

     

    I haven't tried this, but see whether the old packet-based "services nat" still works on SRX. http://www.juniper.net/techpubs/en_US/junos10.2/topics/usage-guidelines/services-configuring-nat-rules.html?searchid=1289906606957 has a writeup on it. This is what you'd use on M-Series and T-Series to do NAT (provided you have an AS-PIC), and it's how "packet-based" J-Series did NAT.

     

     



  • 8.  RE: NAT on packet-based configuration

    Posted 11-16-2010 07:32

    Well, I guess I might have some misconfiguration. I realised that from the answers of Juniper employees at a tech-cafe event and from reading the app notes. I'm going to run some more tests on lab equipment to see if your advice about selective packet-based mode is applicable.  



  • 9.  RE: NAT on packet-based configuration

    Posted 12-25-2010 09:25

    Hi,

     

    Do you have update for this case?

     

    Thanks,



  • 10.  RE: NAT on packet-based configuration

    Posted 03-24-2011 02:38

    Well, yes, kind of. The task is a little bit challenging. We are using selective packet services (see the link by Visitor above), and both NAT and MPLS are working. Since we've only just got to that point, we're going to run some more tests to see if there are any drawbacks to this. 😃

     



  • 11.  RE: NAT on packet-based configuration

    Posted 04-11-2012 21:25

    How about IPSEC in Packet mode. Does that work?