SRX

Using destination NAT or static NAT there is a perfectly valid reason for having a routing-instance in the pool, it allows you to "jump" into another routing instance when needed. This also works very well, I have used it on numerous occasions.

However, there is also an attribute for a routing-instance in the pool when using source NAT. (I don't have an SRX online at the moment, the syntax is from memory).

What is the use of this attribute?

I cannot understand it. With destination and static NAT, you only have the source defined at rule-set level, and can use the routing-instance to direct to the proper destination instance.

With source NAT, both target and destination interfaces/zones/instances are already defined, and interfaces/zones can only live in one routing-instance.

Please enlighten me, what is the use case for a source NAT pool with a routing-instance attached?

i dont think, we should link routing-instance to static, destination or source. 

Since, a duplicate destination can reside in different routing instances so you need to explicitly define the routing instance in destination and static nat.

Similarly, in source nat we can have a scenario where we want to shift from a source routing instance to another routing instance + we want to change the source ip address as per the ip scheme followed in the destination instance, like

set security nat source pool srcpool routing-instance dest-instance

set security nat source pool srcpool address 192.168.1.1/32

set secuirty nat source rule-set change-RE from destination-address 192.168.0.0/16

set secuirty nat source rule-set change-RE from source-address 10.0.0.0/8

set secuirty nat source rule-set change-RE from routing-instance src-instance

set secuirty nat source rule-set change-RE then source-nat pool srcpool

in above example, src-instance have 192.168.0.0/16 user base and dest-instance has 10.0.0.0/8 user base ...

hope it helps

regards

see the example too

http://www.juniper.net/techpubs/software/junos-security/junos-security95/junos-security-swconfig-security/srce-nat_srx_ex.html

rasmus:

Thanks for your input, but I am afraid it does not make much sense to me.

The example you propose does not have correct syntax. I have now made it acceptable to an SRX system running 10.4R7.5. It turned out this way:

set security nat source pool srcpool routing-instance xxx-instance
set security nat source pool srcpool address 192.168.1.1/32
set security nat source rule-set change-RE from interface ge-0/0/0.0
set security nat source rule-set change-RE to zone distribution
set security nat source rule-set change-RE rule hide match source-address 0.0.0.0/0
set security nat source rule-set change-RE rule hide then source-nat pool srcpool

 My original question is still not answered. Looking at this example, the source routing instance is matched by the statement

set security nat source rule-set change-RE from interface ge-0/0/0.0

 since an interface can only exist in one routing instance. Likewise, the destination routing instance is matched by this statement

set security nat source rule-set change-RE to zone distribution

 since a zone cannot span several routing instances.

What can the statement

set security nat source pool srcpool routing-instance xxx-instance

 influence in this example, or any other legal example at all?

Hi

Interesting question. I tried it in my lab with the following setup: the
traffic is going from zone "hr" (routing-instance "hr") to zone "untrust"
(routing-instance "untrust"). I'm using a pool for S-NAT having 1 address
3.3.3.3/32. My config for NAT is

lab@srxA-1# show security nat
source {
    pool spool1 {
        address {
            3.3.3.3/32;
        }
    }
    pool spool2 {
        routing-instance {
            untrust;
        }
        address {
            3.3.3.3/32;
        }
    }
    rule-set rs1 {
        from routing-instance hr;
        to routing-instance untrust;
        rule 10 {
            match {
                source-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    pool {              
                        spool2;
                    }
                }
            }
        }
    }
}

 
whether I am using spool1 or spool2 in the above config, it works fine, even though
spool1 is in "default" routing instance (and the traffic does not even pass it):

lab@srxA-1# run show security nat source pool all
Total pools: 2
 
Pool name          : spool1
Pool id            : 4
Routing instance   : default
Host address base  : 0.0.0.0
Port               : [1024, 63487]
Total addresses    : 1
Translation hits   : 220
Address range                        Single Ports   Twin Ports
            3.3.3.3 - 3.3.3.3            0              0    
 
Pool name          : spool2
Pool id            : 5
Routing instance   : untrust
Host address base  : 0.0.0.0
Port               : [1024, 63487]
Total addresses    : 1
Translation hits   : 94
Address range                        Single Ports   Twin Ports
            3.3.3.3 - 3.3.3.3            4              0    

 
In both cases, translations work fine

lab@srxA-1# run show security flow session

Session ID: 1908, Policy name: default-policy/2, Timeout: 2, Valid
  In: 172.20.101.10/848 --> 172.31.15.1/48900;icmp, If: ge-0/0/4.101, Pkts: 1, Bytes: 84
  Out: 172.31.15.1/48900 --> 3.3.3.3/7996;icmp, If: ge-0/0/3.0, Pkts: 1, Bytes: 84

 

Seems to me that the only reason for having routing-instance in S-NAT pool is
to allow for use of overlapping ip addresses in pools. In the above example,
if I omit routing-instance in spool2 definition, I have error

lab@srxA-1# commit
[edit security nat source pool spool2]
  'address'
    The address of Source NAT pool(spool2) overlaps with another range [3.3.3.3, 3.3.3.3]
error: configuration check-out failed

So if you have a (rare) situation when you need overlapping ip addressing in S-NAT pools,
you can distinguish the pools by routing-instance. However, it turns out that it does not matter
which routing instance you specify in pool definition (it does not have to coincide
with traffic source and/or destination instance).

So, to reformulate your excellent detective work (I never tried two identical pools that only differed in the routing-instance property), you are saying:

Overlapping source nat pool address ranges are normally an error, but is allowed if they are tagged with different routing instances.

The recommendation is of course to always tag a pool with the routing instance of the egress interface.

/Per

---

per.westerlund@proact.se wrote:

The recommendation is of course to always tag a pool with the routing instance of the egress interface.

 

/Per

---

I think that you want want to tag the pool with routing-instance of the source interface, but I have not personally tried it.  There is an error in the documentation, though, as you pointed out.  More in the next post.

Joel

Hello,

Quick Disclaimer:  the following is based only on my personal, professional experience, and is not official from Juniper. 

As some of this is stuff I have figured it, I will attempt to label it appropriately with "I think" vs "I know".

In no particular order:

I believe that there is a routing-instance option for source-nat pools for several reasons:

• Source nat pools are configured and implemented identically to destination NAT pools, and documented as such: several examples of destination nat refer you to examples of source-nat pools.
• Specifying the routing-instance makes a lot more sense for destination-nat pools, to allow the nat and policy to cross routing-instances without explicitly adding routes (a la ScreenOS)
• I know that the documentation is incorrect with the statement that "If a routing-instance is not specified, the pool exists in the default (master) routing instance.)  I updated PR 709072 with this, although it looks like the PR is not publicly visible yet. 
• I know that the real behavior is as already mentioned:  if a routing-instance is not specified with the pool (either source or destination), it defaults to the instance of the ingress interface.
• I think that as a not-yet-documented feature, you could configure the same pool to exist (sorta) in multiple routing-instances.  I think (and I haven't tested) that it may keep the routing seperate, but consume addresses out of it as one pool, so i don't see a real benefit to it... as if you configured two pools with the same address space, each specifying the correct routing-instance, you could get full NAT sessions out of each pool.  (Note that this is heavy on the "I think"... this is educated speculation.)
• I think it's an undocumented feature that allows you to configure a source-nat pool and have it work in any routing-instance.  I think the intent was to have it specified, but as the default behavior is that of the ingress interface, it just works for source-nat pools

As the documentation is not-yet-correct that not specifying the routing-instance defaults to routing-instance of the ingress zone, the side-effect of all this is that you cannot put a destination nat pool in the default routing-instance and reach it from any other routing-instance.  (Try it  🙂   There is a workaround, though).  This is what I noticed in December while testing the 11.1 feature of putting DHCP and IKE in a vrf.  (Great for bringing up branch offices with IPSec tunnel redundancy via CX111/4G).

PR709072 will allow to specify "routing-instance default" (maybe routing-instance master; I don't recall) for nat pools and correct the documentation.

Systest reported this a month before I did, but I did volunteer to draft the external documentation for it. 

Hope this helps,

Joel

Won't the source nat pool be associated with the VR of the egress interface after all?

If it were to be associated with the VR of the ingress interface, you have the chance of having two session setups (TCP syn) from different VRs after source nat having the identical src/dst IP, src/dst port etc, and not be able to successfully install both forward and  reverse sessions in the session tables.

If the source nat pool sits in the VR of the egress interface, the second session will always get another source port than the first, since it is a common pool.

(I have limited knowledge of these matters, don't have any certifications yet, please excuse big mistakes).

/Per

---

per.westerlund@proact.se wrote:

Won't the source nat pool be associated with the VR of the egress interface after all?

(I have limited knowledge of these matters, don't have any certifications yet, please excuse big mistakes).

 

/Per

---

As i think about it with a cup of coffee, I do believe you are right.  The source-nat pool probably would be associated with the egress interface.   A hide-nat behind the interface definitely would be, as would natting behind the subnet with proxy-arp, so any source pool probably has to be too.

You don't need certifications when you have knowledge and experience 🙂 Certifications are good for resumes, and as a milestone from professional development / self-study.

As I think about the nat combinations I've configured in the past, I can only remember setting the routing-instance for the destination nat pools.  Source nat pools "just worked", so I never thought about the details.

Good catch.

Joel

Is there any role in routing instance in Source pool utilization, we are running Junos 11.4r5 on SRX 5800 cluster.

The issue is that the NAT pool is only used 50% when it already starts to use the overflow pool and that is not correct behavior. It should first exhaust the NAT pool 100% and only after that go to overflow PAT. 

any view on this. issue.

Hi

This is an expected behavior, see

http://kb.juniper.net/InfoCenter/index?page=content&id=KB14958

("However, if the SRX system is in chassis cluster configuration, the number of ports in the pool are equally divided between the two nodes.")