SRX Services Gateway
CL_FAguilar (Visitor, Posts: 6, Registered: 07-11-2011)

Problem: NAT with multiple sources

Hello,

I need your help. I have to configure a cluster of 2 SRX 650s. These devices have a Cisco PIX as their predecessor, which we are migrating to Juniper. The issue is that they had 2 public IPs which were groups of services for large users of the hospital, through PAT.
The problem is as follows:


set security nat source pool Pool_1 address Public_IP1/32

set security nat source pool Pool_2 address Public_IP2/32


set security nat source rule-set inside1_to_outside1 rule inside1_nat_1 match source-address 10.0.0.1/32
set security nat source rule-set inside1_to_outside1 rule inside1_nat_1 match source-address 10.0.0.5/32
set security nat source rule-set inside1_to_outside1 rule inside1_nat_1 match source-address 10.0.0.74/32
set security nat source rule-set inside1_to_outside1 rule inside1_nat_1 match source-address 10.0.0.75/32
set security nat source rule-set inside1_to_outside1 rule inside1_nat_1 match source-address 10.0.0.80/32
set security nat source rule-set inside1_to_outside1 rule inside1_nat_1 match source-address 10.0.0.83/32
set security nat source rule-set inside1_to_outside1 rule inside1_nat_1 match source-address 10.0.0.87/32
set security nat source rule-set inside1_to_outside1 rule inside1_nat_1 match source-address 10.0.0.88/32
set security nat source rule-set inside1_to_outside1 rule inside1_nat_1 then source-nat pool Pool_1


set security nat source rule-set inside1_to_outside1 rule inside1_nat_2 match source-address 10.0.0.91/32
set security nat source rule-set inside1_to_outside1 rule inside1_nat_2 match source-address 10.0.0.91/32
set security nat source rule-set inside1_to_outside1 rule inside1_nat_2 match source-address 10.0.0.94/32
set security nat source rule-set inside1_to_outside1 rule inside1_nat_2 match source-address 10.0.0.95/32
set security nat source rule-set inside1_to_outside1 rule inside1_nat_2 match source-address 10.0.0.98/32
set security nat source rule-set inside1_to_outside1 rule inside1_nat_2 match source-address 10.0.0.99/32
set security nat source rule-set inside1_to_outside1 rule inside1_nat_2 match source-address 10.0.0.187/32
set security nat source rule-set inside1_to_outside1 rule inside1_nat_2 match source-address 10.0.0.188/32
set security nat source rule-set inside1_to_outside1 rule inside1_nat_2 then source-nat pool Pool_1


If you look at each source-address, although they are in the same segment, there is no correlation with the previous IP (they are not consecutive), so when I create the rules it only allows me to add 8 IPs for each, which are then applied to the configured pool. The issue is that I need more than 100 different IPs as sources, so I tried to create different rules such as inside1_nat_X, but applying the rule throws me an error for inside1_to_outside1, since they have the same limitation (i.e. it accepts only 8 sub-entries).

Is there no way to configure it so that it is scalable, in the sense that more IPs will probably be added to this PAT?


Thanks for your help.

Regards.


dfex (Distinguished Expert, Posts: 715, Registered: 04-17-2008)

Re: Problem: NAT with multiple sources

Hi,


Unfortunately not; NAT rule-sets on the SRX have limits. They have been lifted a couple of times between releases (certainly destination NAT rules per rule-set), so always try with the latest version of code.


A much easier way to achieve your goal would be to simply have a single source NAT for the entire 10.0.0.0/24 (or whatever range(s) your LAN is) and then restrict individual host outbound connections via security policies, e.g.:


rule-set OUTBOUND-NAT {
    from zone LAN;
    to zone INTERNET;
    rule OUTBOUND-LAN-NAT {
        match {
            source-address 10.0.0.0/24;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat {
                pool Pool_1;
            }
        }
    }
}

If you need to spread connections out over both public IPs, add them both to Pool_1.

pool Pool_1 {
    address {
        1.1.1.1/32;
        1.1.1.2/32;
    }
}

If you need persistent mapping from hosts to one of your public IPs, use:

set security nat source rule-set OUTBOUND-NAT rule OUTBOUND-LAN-NAT then source-nat pool Pool_1 persistent-nat


Hope this helps!

Ben Dale
JNCIP-ENT, JNCIS-SP, JNCIE-SEC #63
Juniper Ambassador
Follow me @labelswitcher
CL_FAguilar (Visitor, Posts: 6, Registered: 07-11-2011)

Re: Problem: NAT with multiple sources

Thanks for your answer.

I wonder if doing the following fixes my problem:


set security nat source pool Pool_1 address IP_Public1/32
set security nat source pool Pool_2 address IP_Public2/32


set security nat source rule-set inside1_to_outside1 rule inside1_nat_1 match source-address 10.0.0.1/32

set security nat source rule-set inside1_to_outside1 rule inside1_nat_1 match source-address 10.0.0.3/32
set security nat source rule-set inside1_to_outside1 rule inside1_nat_1 match source-address 10.0.0.5/32

....8 sources

set security nat source rule-set inside1_to_outside1 rule inside1_nat_1 then source-nat pool Pool_1


set security nat source rule-set inside1_to_outside1 rule inside1_nat_2 match source-address 10.0.0.7/32

set security nat source rule-set inside1_to_outside1 rule inside1_nat_2 match source-address 10.0.0.8/32
set security nat source rule-set inside1_to_outside1 rule inside1_nat_2 match source-address 10.0.0.9/32

....8 sources

set security nat source rule-set inside1_to_outside1 rule inside1_nat_2 then source-nat pool Pool_1


.... 8 rules....


set security nat source rule-set inside1_to_outside2_8 rule inside1_nat_1 match source-address 10.0.0.15/32

set security nat source rule-set inside1_to_outside2_8 rule inside1_nat_1 match source-address 10.0.0.35/32
set security nat source rule-set inside1_to_outside2_8 rule inside1_nat_1 match source-address 10.0.0.55/32

....

set security nat source rule-set inside1_to_outside2_8 rule inside1_nat_1 then source-nat pool Pool_1



That is, creating N different rules, each with 8 different sources, to cover all the IPs of the boxes that need to be NATed.

Does this cause a problem?


Thanks a lot.


Edit:

I just tested it and it throws an error:

[edit security nat source]
  'rule-set inside1_to_outside1_2'
    Source NAT rule-set inside1_to_outside1 and inside1_to_outside1_2 have same context.


Is there any way to do something that solves the problem?

Unfortunately, the solution of creating policy rules as you describe does not look very favorable to me, because the IPs within the segment to be NATed are a /16, so creating restriction rules would be chaos.

AdamLin (Super Contributor, Posts: 167, Registered: 08-02-2010)

Re: Problem: NAT with multiple sources

That error is thrown because, like the error says, you've created two rule-sets with the same from/to context. Just add the rules in rule-set inside1_to_outside1_2 to the rule-set inside1_to_outside1. That is, if you run a semi-current version, 10.2 or later. Otherwise you'd have to go with the good old dummy zones.


http://kb.juniper.net/InfoCenter/index?page=content&id=kb14149


Although, I'd recommend going with what dfex posted.

Policy rules shouldn't be that tedious to create, as you can use address-sets in those :)

Regards,
Adam

(if my post helped solve your problem, mark it as accepted solution)
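Putting dfex's and AdamLin's suggestions together as one added configuration example (not from either post): a single source NAT rule for the whole /24, with the per-host restriction moved into a security policy that references an address-set, so onboarding a host is one address line plus one address-set line instead of a new NAT rule. Zone names LAN and INTERNET, the sample hosts, and the placeholder public address 192.0.2.1 are assumptions; the `#` lines are annotations for the reader.

```junos
# hosts allowed to use PAT: one address entry plus one address-set member per host (constructed sample hosts)
set security zones security-zone LAN address-book address host_10_0_0_1 10.0.0.1/32
set security zones security-zone LAN address-book address host_10_0_0_5 10.0.0.5/32
set security zones security-zone LAN address-book address host_10_0_0_74 10.0.0.74/32
set security zones security-zone LAN address-book address-set PAT-HOSTS address host_10_0_0_1
set security zones security-zone LAN address-book address-set PAT-HOSTS address host_10_0_0_5
set security zones security-zone LAN address-book address-set PAT-HOSTS address host_10_0_0_74
# single source NAT rule for the whole LAN segment (192.0.2.1 is a placeholder for Public_IP1)
set security nat source pool Pool_1 address 192.0.2.1/32
set security nat source rule-set OUTBOUND-NAT from zone LAN
set security nat source rule-set OUTBOUND-NAT to zone INTERNET
set security nat source rule-set OUTBOUND-NAT rule OUTBOUND-LAN-NAT match source-address 10.0.0.0/24
set security nat source rule-set OUTBOUND-NAT rule OUTBOUND-LAN-NAT then source-nat pool Pool_1
# the NAT rule only says how to translate; the policy decides which hosts may actually leave the zone
set security policies from-zone LAN to-zone INTERNET policy ALLOW-PAT-HOSTS match source-address PAT-HOSTS
set security policies from-zone LAN to-zone INTERNET policy ALLOW-PAT-HOSTS match destination-address any
set security policies from-zone LAN to-zone INTERNET policy ALLOW-PAT-HOSTS match application any
set security policies from-zone LAN to-zone INTERNET policy ALLOW-PAT-HOSTS then permit
set security policies from-zone LAN to-zone INTERNET policy ALLOW-PAT-HOSTS then log session-close
# explicit logged deny after the permit, so a host in the /24 that is not in the set shows up in the logs
set security policies from-zone LAN to-zone INTERNET policy DENY-OTHER-LAN match source-address any
set security policies from-zone LAN to-zone INTERNET policy DENY-OTHER-LAN match destination-address any
set security policies from-zone LAN to-zone INTERNET policy DENY-OTHER-LAN match application any
set security policies from-zone LAN to-zone INTERNET policy DENY-OTHER-LAN then deny
set security policies from-zone LAN to-zone INTERNET policy DENY-OTHER-LAN then log session-init
```

Drop the `#` lines before pasting into `load set terminal`; after commit, `show security nat source rule all` and `show security policies` confirm the single NAT rule and the two policies are active.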