SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Source NAT with 1 IP in the Pool

    Posted 04-27-2012 00:01

    Hello,

    I have configured one pool with 1 IP, and for example I have specified 4 source IP addresses accessing 4 destination IP addresses on the extranet. Then can all 4 hosts initiate a connection to the destination via the 1 IP in the pool, or will only the source IP which comes first be translated and the rest all not translated?

    I want to confirm; I hope all 4 sources will be translated.

    Thanks



  • 2.  RE: Source NAT with 1 IP in the Pool

    Posted 04-27-2012 00:30

    Hi,

    Yes, all 4 will be translated to the same source address (the single address in the pool) but with a different source port.

    For example,

    root@R1# show security nat
    source {
        pool p1 {
            address {
                100.1.1.1/32;
            }
        }
        rule-set 1 {
            from zone inside;
            to zone outside;
            rule 1 {
                match {
                    source-address 192.168.1.0/24;
                }
                then {
                    source-nat {
                        pool {
                            p1;
                        }
                    }
                }
            }
        }
    }

    Two internal hosts, 192.168.1.2 and 192.168.1.4, are going out, and you can see their source address translated to 100.1.1.1 with a different source port (PAT).

     

    root@R1# run show security flow session destination-prefix 192.168.3.2
    
    Session ID: 83, Policy name: default-policy/2, Timeout: 48, Valid
      In: 192.168.1.2/46 --> 192.168.3.2/1;icmp, If: vlan.3, Pkts: 1, Bytes: 60
      Out: 192.168.3.2/1 --> 100.1.1.1/11759;icmp, If: ge-0/0/2.0, Pkts: 0, Bytes: 0
    
    Session ID: 84, Policy name: default-policy/2, Timeout: 50, Valid
      In: 192.168.1.4/5 --> 192.168.3.2/1;icmp, If: vlan.3, Pkts: 1, Bytes: 60
      Out: 192.168.3.2/1 --> 100.1.1.1/10628;icmp, If: ge-0/0/2.0, Pkts: 0, Bytes: 0
    
    Session ID: 85, Policy name: default-policy/2, Timeout: 52, Valid
      In: 192.168.1.2/47 --> 192.168.3.2/1;icmp, If: vlan.3, Pkts: 1, Bytes: 60
      Out: 192.168.3.2/1 --> 100.1.1.1/21082;icmp, If: ge-0/0/2.0, Pkts: 0, Bytes: 0
    
    Session ID: 86, Policy name: default-policy/2, Timeout: 54, Valid
      In: 192.168.1.4/6 --> 192.168.3.2/1;icmp, If: vlan.3, Pkts: 1, Bytes: 60
      Out: 192.168.3.2/1 --> 100.1.1.1/12666;icmp, If: ge-0/0/2.0, Pkts: 0, Bytes: 0
    
    Session ID: 88, Policy name: default-policy/2, Timeout: 58, Valid
      In: 192.168.1.2/48 --> 192.168.3.2/1;icmp, If: vlan.3, Pkts: 1, Bytes: 60
      Out: 192.168.3.2/1 --> 100.1.1.1/14165;icmp, If: ge-0/0/2.0, Pkts: 0, Bytes: 0
    
    Session ID: 90, Policy name: default-policy/2, Timeout: 60, Valid
      In: 192.168.1.4/7 --> 192.168.3.2/1;icmp, If: vlan.3, Pkts: 1, Bytes: 60
      Out: 192.168.3.2/1 --> 100.1.1.1/7172;icmp, If: ge-0/0/2.0, Pkts: 0, Bytes: 0



  • 3.  RE: Source NAT with 1 IP in the Pool

    Posted 04-27-2012 01:05

    Hello

    That looks good.

    • If suppose instead of 1 IP I put 2 IPs in the pool, then will all 4 sources be translated, or only 2 sources?

    If your answer is all 4 sources, then please answer:

    When does the rule apply that, with 2 IPs in the pool, only 2 sources will be translated and the other 2 sources will not be translated?



  • 4.  RE: Source NAT with 1 IP in the Pool
    Best Answer

    Posted 04-27-2012 02:20

    Hi,

    With 2 IP addresses in the pool as well, all 4 sources will be translated.

    If you have a host-address-base setting like this, base address 192.168.1.1 and two addresses in the pool, then only two internal hosts (192.168.1.1 and 192.168.1.2) will be source translated; the others will NOT.

    [edit]
    root@R1# show security nat | display set
    set security nat source pool p1 address 100.1.1.1/32
    set security nat source pool p1 address 100.1.1.2/32
    set security nat source pool p1 host-address-base 192.168.1.1/32
    set security nat source rule-set 1 from zone inside
    set security nat source rule-set 1 to zone outside
    set security nat source rule-set 1 rule 1 match source-address 192.168.1.0/24
    set security nat source rule-set 1 rule 1 then source-nat pool p1

    For example, if 192.168.1.4 is trying to go out, that packet will be dropped, with reason "dip allocation failed".
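    The two pool behaviours compared in posts 2 and 4 (PAT on a one-address pool versus host-address-base address shifting), as an added illustration that is not part of this thread and not Junos code. It is a small model of the allocation decision, tried on the thread's own addresses, plus a check over the session listing from post 2 that every translated session uses the pool address with a distinct port. The port range, the round-robin choice of pool address, and leaving the port untouched in shifting mode are assumptions of the model; the one-to-one mapping and the "dip allocation failed" drop follow post 4.

```python
"""Added example (not Junos code): a model of the two SRX source-NAT pool
behaviours discussed in the thread, plus a check over the session listing.
Port range, round-robin address choice and port preservation in shifting
mode are assumptions of this model.
"""
import ipaddress
import re
from itertools import cycle


class DipAllocationFailed(Exception):
    """The drop reason quoted in the thread: 'dip allocation failed'."""


class SourceNatPool:
    """One 'security nat source pool' with either PAT or address shifting."""

    PORT_LOW, PORT_HIGH = 1024, 65535  # assumed PAT port range

    def __init__(self, addresses, host_address_base=None):
        self.addresses = [ipaddress.ip_address(a) for a in addresses]
        self.base = ipaddress.ip_address(host_address_base) if host_address_base else None
        self._next_addr = cycle(self.addresses)  # PAT: spread hosts over the pool
        self._next_port = {a: self.PORT_LOW for a in self.addresses}

    def allocate(self, src_ip, src_port):
        src = ipaddress.ip_address(src_ip)
        if self.base is not None:
            # Address shifting (host-address-base): host base+i -> pool address i,
            # one-to-one, port left as is (assumed); any other host fails allocation.
            offset = int(src) - int(self.base)
            if not 0 <= offset < len(self.addresses):
                raise DipAllocationFailed(f"{src} not within {len(self.addresses)} of {self.base}")
            return str(self.addresses[offset]), src_port
        # PAT: every matching host shares the pool address(es); uniqueness comes
        # from the translated port, so pool size does not limit the host count.
        addr = next(self._next_addr)
        port = self._next_port[addr]
        if port > self.PORT_HIGH:
            raise DipAllocationFailed(f"no free port on {addr}")
        self._next_port[addr] = port + 1
        return str(addr), port


def simulate(pool, hosts, src_port=46):
    """Run each host through the pool; a failure is recorded as the drop reason."""
    results = {}
    for host in hosts:
        try:
            results[host] = pool.allocate(host, src_port)
        except DipAllocationFailed:
            results[host] = "dip allocation failed"
    return results


# Lines copied from the thread's 'show security flow session' output (post 2).
SESSION_LISTING = """\
  In: 192.168.1.2/46 --> 192.168.3.2/1;icmp, If: vlan.3, Pkts: 1, Bytes: 60
  Out: 192.168.3.2/1 --> 100.1.1.1/11759;icmp, If: ge-0/0/2.0, Pkts: 0, Bytes: 0
  In: 192.168.1.4/5 --> 192.168.3.2/1;icmp, If: vlan.3, Pkts: 1, Bytes: 60
  Out: 192.168.3.2/1 --> 100.1.1.1/10628;icmp, If: ge-0/0/2.0, Pkts: 0, Bytes: 0
  In: 192.168.1.2/47 --> 192.168.3.2/1;icmp, If: vlan.3, Pkts: 1, Bytes: 60
  Out: 192.168.3.2/1 --> 100.1.1.1/21082;icmp, If: ge-0/0/2.0, Pkts: 0, Bytes: 0
"""
OUT_RE = re.compile(r"Out: \S+ --> (\d+\.\d+\.\d+\.\d+)/(\d+);")


def translated_endpoints(listing):
    """Extract (pool address, translated port) from every 'Out:' line."""
    return [(ip, int(port)) for ip, port in OUT_RE.findall(listing)]


def pat_is_consistent(endpoints, pool_ip):
    """True when every session uses the pool address and no translated port repeats."""
    ports = [port for _, port in endpoints]
    return {ip for ip, _ in endpoints} == {pool_ip} and len(ports) == len(set(ports))


if __name__ == "__main__":
    hosts = ["192.168.1.1", "192.168.1.2", "192.168.1.3", "192.168.1.4"]
    print("PAT, one address:", simulate(SourceNatPool(["100.1.1.1"]), hosts))
    print("host-address-base, two addresses:",
          simulate(SourceNatPool(["100.1.1.1", "100.1.1.2"], "192.168.1.1"), hosts))
    print("listing consistent:",
          pat_is_consistent(translated_endpoints(SESSION_LISTING), "100.1.1.1"))
```

    Running it shows all four hosts succeeding on the PAT pool with the same address and ascending ports, while the shifting pool maps only 192.168.1.1 and 192.168.1.2 and reports "dip allocation failed" for the rest. The same regular expression can be pointed at a real session listing to confirm that a pool you expect to be PAT is not silently dropping hosts.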