04-16-2012 06:10 PM
Hi ,
The key thing here is host-address-base, which ensures that 10.10.10.10 will always be translated to the last (latest) address mentioned in the corresponding pool, without port translation.
root@SRX# show security nat source pool NAT-A
address {
    172.16.3.58/32;
    172.16.3.50/32;
}
host-address-base 10.10.10.10/32; << this is mandatory if you want 172.16.3.50 to be the new source address
port no-translation; <<< not required if the above statement is present (because by default in host-address-shifting-based source NAT, PAT is disabled).
Here's the complete sample config again (in the correct order):
[edit]
lab@host1-a# show security nat | display set
set security nat source pool p1 address 9.1.1.1/32
set security nat source pool p1 address 10.1.1.1/32
set security nat source pool p1 host-address-base 10.10.10.10/32
set security nat source pool p2 address 9.1.1.2/32
set security nat source pool p2 address 10.1.1.2/32
set security nat source pool p2 host-address-base 10.10.10.10/32
set security nat source pool p3 address 9.1.1.3/32
set security nat source pool p3 address 10.1.1.3/32
set security nat source pool p3 host-address-base 10.10.10.10/32
set security nat source rule-set 1 from zone trust
set security nat source rule-set 1 to zone extranet
set security nat source rule-set 1 rule 1 match source-address 10.10.10.10/32
set security nat source rule-set 1 rule 1 match destination-address 192.168.10.1/32
set security nat source rule-set 1 rule 1 match destination-port 20200
set security nat source rule-set 1 rule 1 then source-nat pool p1
set security nat source rule-set 1 rule 2 match source-address 10.10.10.10/32
set security nat source rule-set 1 rule 2 match destination-address 192.168.10.1/32
set security nat source rule-set 1 rule 2 match destination-port 20201
set security nat source rule-set 1 rule 2 then source-nat pool p2
set security nat source rule-set 1 rule 3 match source-address 10.10.10.10/32
set security nat source rule-set 1 rule 3 match destination-address 172.16.10.10/32
set security nat source rule-set 1 rule 3 match destination-port 20220
set security nat source rule-set 1 rule 3 then source-nat pool p3
Hope this answers your question.
04-17-2012 01:39 PM
Hello,
I have specified the host-based address in the pool, i.e. the real source 10.10.10.10/32, so it will always pick the IP 172.16.3.50/32 from the pool, leaving the top one, which is only a dummy. Please correct me if I am wrong.
But I want to know what the host-based address actually means, and whether it is used only in such a situation.
Sorry, I want to understand this rather than just be instructed.
04-18-2012 07:55 AM
Hi,
The following link should help you to understand the host-address-base usage.
04-19-2012 02:20 PM
Thanks Pradeep for your patience in making me understand the real working of host-address-base.
Conclusion:
| Sr No | Original Source | Source Pool |
| 1 | 192.168.10.1 | 11.11.11.1 |
| 2 | 192.168.10.2 | 11.11.11.2 |
| 3 | 192.168.10.3 | 11.11.11.3 |
| 4 | 192.168.10.4 | 11.11.11.4 |
| 5 | 192.168.10.5 | 11.11.11.5 |
| 6 | 192.168.10.6 | 11.11.11.6 |
| 7 | 192.168.10.7 | 11.11.11.7 |
| 8 | 192.168.10.8 | 11.11.11.8 |
| 9 | 192.168.10.9 | 11.11.11.9 |
| 10 | 192.168.10.10 | 11.11.11.10 |
04-21-2012 12:01 AM
Hi ,
One correction to your conclusion:
"And as you specified that from the source pool it will pick up the latest IP address, for example from the below table: if address 192.168.10.1 tries to access extranet it will pick up the address 11.11.11.10 from the source pool, and so on for the other addresses, 192.168.10.2 -- 11.11.11.9." - this is not true.
Here's the conclusion that I came to from my testing (if anyone has tested this and found something different, please correct me).
Scenario # 1 (standard behaviour of address-shifting source NAT)
[edit]
lab@host1-a# show security nat | display set
set security nat source pool p1 address 11.11.11.1/32 to 11.11.11.10/32
set security nat source pool p1 host-address-base 192.168.10.1/32
set security nat source rule-set 1 from zone trust
set security nat source rule-set 1 to zone extranet
set security nat source rule-set 1 rule 1 match source-address 192.168.10.0/24
set security nat source rule-set 1 rule 1 then source-nat pool p1
In this case, 192.168.10.1 will be translated to 11.11.11.1, 192.168.10.2 will be translated to 11.11.11.2, and so on until 192.168.10.10 is translated to 11.11.11.10. All other hosts in the 192.168.10.0/24 network will NOT be source translated.
Scenario # 2 (the only difference from the previous scenario is that now we have two address ranges in the same pool)
[edit]
lab@host1-a# show security nat | display set
set security nat source pool p1 address 11.11.11.1/32 to 11.11.11.10/32
set security nat source pool p1 address 10.10.10.1/32 to 10.10.10.10/32 << latest entry in the pool
set security nat source pool p1 host-address-base 192.168.10.1/32
set security nat source rule-set 1 from zone trust
set security nat source rule-set 1 to zone extranet
set security nat source rule-set 1 rule 1 match source-address 192.168.10.0/24
set security nat source rule-set 1 rule 1 then source-nat pool p1
In this case, addresses 11.11.11.1/32 to 11.11.11.10/32 will NOT be used for translation.
192.168.10.1 will be translated to 10.10.10.1, 192.168.10.2 will be translated to 10.10.10.2, and so on until 192.168.10.10 is translated to 10.10.10.10. All other hosts in the 192.168.10.0/24 network will NOT be source translated.
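Added example, not code from the thread or from Juniper: a small Python model of the address-shifting source NAT behaviour reported in the first post and in the two scenarios above (host-address-base sets the offset, only the last entry in the pool supplies translated addresses, no port translation, hosts beyond the end of the range stay untranslated, and rules in a rule-set are evaluated in order with the first match winning). The class names ShiftPool and SourceRule, the function apply_source_nat, and the sample flows are my own; the pools and rules are taken from the configs posted above. It models what the posts say was observed, not the SRX implementation itself.

```python
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


class ShiftPool:
    """Source pool configured with host-address-base (address shifting, no PAT).

    entries are (low, high) address ranges in configuration order; a single
    /32 address is written as (a, a).
    """

    def __init__(self, name: str, entries: List[Tuple[str, str]], host_address_base: str):
        self.name = name
        self.entries = [(IPv4Address(lo), IPv4Address(hi)) for lo, hi in entries]
        self.base = IPv4Address(host_address_base)

    def translate(self, src: str) -> Optional[IPv4Address]:
        """Shifted address for src, or None when src is outside the shift range.

        As observed in the thread, only the last (latest) entry of the pool is
        used; earlier entries never supply translated addresses.
        """
        lo, hi = self.entries[-1]
        offset = int(IPv4Address(src)) - int(self.base)
        if offset < 0 or offset > int(hi) - int(lo):
            return None
        return IPv4Address(int(lo) + offset)


class SourceRule:
    """One rule of a source rule-set: match fields plus the pool to apply."""

    def __init__(self, name: str, pool: ShiftPool, src: str,
                 dst: Optional[str] = None, dst_port: Optional[int] = None):
        self.name = name
        self.pool = pool
        self.src = IPv4Network(src)
        self.dst = IPv4Network(dst) if dst else None
        self.dst_port = dst_port

    def matches(self, src: str, dst: str, dport: int) -> bool:
        if IPv4Address(src) not in self.src:
            return False
        if self.dst is not None and IPv4Address(dst) not in self.dst:
            return False
        return self.dst_port is None or self.dst_port == dport


def apply_source_nat(rules: List[SourceRule], src: str, dst: str, sport: int, dport: int):
    """Evaluate the rule-set in order (first match wins).

    Returns (rule name or None, translated source address, source port).
    Address shifting never changes the port, so sport is returned unchanged;
    a host outside the shift range keeps its original address, as the posts
    report for the rest of 192.168.10.0/24.
    """
    for rule in rules:
        if rule.matches(src, dst, dport):
            new_src = rule.pool.translate(src)
            return rule.name, (new_src if new_src is not None else IPv4Address(src)), sport
    return None, IPv4Address(src), sport


def scenario_1() -> List[SourceRule]:
    """Pradeep's Scenario #1: one range, hosts .1-.10 shifted onto 11.11.11.1-10."""
    p1 = ShiftPool("p1", [("11.11.11.1", "11.11.11.10")], "192.168.10.1")
    return [SourceRule("1", p1, "192.168.10.0/24")]


def scenario_2() -> List[SourceRule]:
    """Scenario #2: second range added last, so 10.10.10.x is used instead."""
    p1 = ShiftPool("p1", [("11.11.11.1", "11.11.11.10"),
                          ("10.10.10.1", "10.10.10.10")], "192.168.10.1")
    return [SourceRule("1", p1, "192.168.10.0/24")]


def first_post() -> List[SourceRule]:
    """The three-pool config from the first post: pool chosen by destination port."""
    p1 = ShiftPool("p1", [("9.1.1.1", "9.1.1.1"), ("10.1.1.1", "10.1.1.1")], "10.10.10.10")
    p2 = ShiftPool("p2", [("9.1.1.2", "9.1.1.2"), ("10.1.1.2", "10.1.1.2")], "10.10.10.10")
    p3 = ShiftPool("p3", [("9.1.1.3", "9.1.1.3"), ("10.1.1.3", "10.1.1.3")], "10.10.10.10")
    return [SourceRule("1", p1, "10.10.10.10/32", "192.168.10.1/32", 20200),
            SourceRule("2", p2, "10.10.10.10/32", "192.168.10.1/32", 20201),
            SourceRule("3", p3, "10.10.10.10/32", "172.16.10.10/32", 20220)]


if __name__ == "__main__":
    # Constructed flows; ports are arbitrary and untouched by address shifting.
    for src in ("192.168.10.1", "192.168.10.10", "192.168.10.11"):
        print("scenario 1", src, "->", apply_source_nat(scenario_1(), src, "172.16.10.10", 40000, 80))
        print("scenario 2", src, "->", apply_source_nat(scenario_2(), src, "172.16.10.10", 40000, 80))
    print("first post ", apply_source_nat(first_post(), "10.10.10.10", "192.168.10.1", 40000, 20201))
```

Running it prints 11.11.11.x for the first scenario, 10.10.10.x for the second, and the original address for 192.168.10.11 in both, which is the point of Pradeep's correction: the offset from host-address-base, not the position in the pool, decides the translated address, and adding a second range does not widen the pool but replaces which range is used.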
04-21-2012 12:58 AM
Thanks Pradeep,
Very good explanation, I understood it very well.
One more question that is not related to host-address-base, apart from the discussion above.
I have configured one pool with 1 IP, and, for example, I have specified 4 source IP addresses accessing 4 destination IP addresses in extranet. Can all 4 hosts then initiate a connection to the destination via the 1 IP in the pool, or will only the source IP that comes first be translated and all the rest not?
Thanks