SRX Services Gateway
Recognized Expert
JunOS_Fan

Re: source nat without port translation

Hi,

The key thing here is host-address-base, which ensures that 10.10.10.10 will always be translated to the last (latest) address mentioned in the corresponding pool, without port translation.

root@SRX# show security nat source pool NAT-A
address {
    172.16.3.58/32;
    172.16.3.50/32;
}
host-address-base 10.10.10.10/32; << this is mandatory if you want 172.16.3.50 to be the new source address

port no-translation; <<< not required if the above statement is present (because by default, in host-address-shifting source NAT, PAT is disabled).

Here's the complete sample config again (in the correct order):


[edit]
lab@host1-a# show security nat | display set
set security nat source pool p1 address 9.1.1.1/32 
set security nat source pool p1 address 10.1.1.1/32
set security nat source pool p1 host-address-base 10.10.10.10/32
set security nat source pool p2 address 9.1.1.2/32
set security nat source pool p2 address 10.1.1.2/32
set security nat source pool p2 host-address-base 10.10.10.10/32
set security nat source pool p3 address 9.1.1.3/32
set security nat source pool p3 address 10.1.1.3/32
set security nat source pool p3 host-address-base 10.10.10.10/32
set security nat source rule-set 1 from zone trust
set security nat source rule-set 1 to zone extranet
set security nat source rule-set 1 rule l match source-address 10.10.10.10/32
set security nat source rule-set 1 rule l match destination-address 192.168.10.1/32
set security nat source rule-set 1 rule l match destination-port 20200
set security nat source rule-set 1 rule l then source-nat pool p1
set security nat source rule-set 1 rule 2 match source-address 10.10.10.10/32
set security nat source rule-set 1 rule 2 match destination-address 192.168.10.1/32
set security nat source rule-set 1 rule 2 match destination-port 20201
set security nat source rule-set 1 rule 2 then source-nat pool p2
set security nat source rule-set 1 rule 3 match source-address 10.10.10.10/32
set security nat source rule-set 1 rule 3 match destination-address 172.16.10.10/32
set security nat source rule-set 1 rule 3 match destination-port 20220
set security nat source rule-set 1 rule 3 then source-nat pool p3


Hope this answers your question.


Best regards
Pradeep (JNCIP-SEC,ENT,SP)
www.networker.co.in
Contributor
jeniferdcosta

Re: source nat without port translation

Hello,

I have specified the host-based address in the pool, i.e. the real source 10.10.10.10/32, so it will always pick the IP 172.16.3.50/32 from the pool, leaving the top one, which is only a dummy. Please correct me if I'm wrong.

But I want to know what the host-based address actually means, and whether it is used only in such a situation.

Sorry, I want to understand rather than just be instructed.


Recognized Expert
JunOS_Fan

Re: source nat without port translation

Hi,

The following link should help you understand the host-address-base usage.


http://www.juniper.net/techpubs/en_US/junos10.4/topics/example/nat-security-source-nat-address-shift...

Best regards
Pradeep (JNCIP-SEC,ENT,SP)
www.networker.co.in
Contributor
jeniferdcosta

Re: source nat without port translation

Thanks Pradeep for your patience in making me understand the real working of host-address-base.

Conclusion:

  • If there are 10 original source addresses, then there should be 10 IP addresses in the source pool. If we specify 20 IP addresses as original source addresses, then only 10 will be translated and the 11th will not be translated.
  • Host-address-base specifies that this is the starting host for the network prefix.
  • Suppose I want to translate 10 IP addresses with a pool of 10 IPs; then the host-address-base will be 192.168.10.1 according to the table shown.
  • And as you specified, from the source pool it will pick up the latest IP address. For example, from the table below: if address 192.168.10.1 tries to access the extranet, it will pick up the address 11.11.11.10 from the source pool, and so on for the other addresses: 192.168.10.2 -- 11.11.11.9.

    Sr No   Original Source   Source Pool
    1       192.168.10.1      11.11.11.1
    2       192.168.10.2      11.11.11.2
    3       192.168.10.3      11.11.11.3
    4       192.168.10.4      11.11.11.4
    5       192.168.10.5      11.11.11.5
    6       192.168.10.6      11.11.11.6
    7       192.168.10.7      11.11.11.7
    8       192.168.10.8      11.11.11.8
    9       192.168.10.9      11.11.11.9
    10      192.168.10.10     11.11.11.10

Recognized Expert
JunOS_Fan

Re: source nat without port translation

Hi,

One correction to your conclusion:

"And as you specified, from the source pool it will pick up the latest IP address. For example, from the table below: if address 192.168.10.1 tries to access the extranet, it will pick up the address 11.11.11.10 from the source pool, and so on for the other addresses: 192.168.10.2 -- 11.11.11.9." - this is not true.

Here's the conclusion that I came to from my testing (if anyone has tested this and found something different, please correct me).

Scenario #1 (standard behaviour of address-shifting source NAT)

[edit]
lab@host1-a# show security nat | display set

set security nat source pool p1 address 11.11.11.1/32 to 11.11.11.10/32
set security nat source pool p1 host-address-base 192.168.10.1/32

set security nat source rule-set 1 from zone trust
set security nat source rule-set 1 to zone extranet
set security nat source rule-set 1 rule l match source-address 192.168.10.0/24
set security nat source rule-set 1 rule l then source-nat pool p1


In this case, 192.168.10.1 will be translated to 11.11.11.1, 192.168.10.2 will be translated to 11.11.11.2, and so on until 192.168.10.10 is translated to 11.11.11.10. All other hosts in the 192.168.10.0/24 network will NOT be source translated.


Scenario #2 (the only difference from the previous scenario is that now we have two address ranges in the same pool)


[edit]
lab@host1-a# show security nat | display set

set security nat source pool p1 address 11.11.11.1/32 to 11.11.11.10/32
set security nat source pool p1 address 10.10.10.1/32 to 10.10.10.10/32  << latest entry in the pool 
set security nat source pool p1 host-address-base 192.168.10.1/32

set security nat source rule-set 1 from zone trust
set security nat source rule-set 1 to zone extranet
set security nat source rule-set 1 rule l match source-address 192.168.10.0/24
set security nat source rule-set 1 rule l then source-nat pool p1


In this case, addresses 11.11.11.1/32 to 11.11.11.10/32 will NOT be used for translation.

192.168.10.1 will be translated to 10.10.10.1, 192.168.10.2 will be translated to 10.10.10.2, and so on until 192.168.10.10 is translated to 10.10.10.10. All other hosts in the 192.168.10.0/24 network will NOT be source translated.

Best regards
Pradeep (JNCIP-SEC,ENT,SP)
www.networker.co.in
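To make the NAT-A pool from the first post and the two scenarios above concrete, here is an added Python model of address-shifting source NAT as Pradeep describes it; it is not Junos code, and the "latest pool entry wins, port unchanged" rule is taken from his test results, not from vendor documentation. Pool names, host counts and the sample ports are constructed for the example.

```python
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

Range = Tuple[str, str]  # (first, last) as in "address X to Y"; a single /32 is (X, X)


class ShiftPool:
    """Model of a Junos source NAT pool with host-address-base set (address shifting).

    Assumption taken from the thread's tests: only the entry configured last in the
    pool is used, and PAT is disabled, so the source port is carried through unchanged."""

    def __init__(self, name: str, entries: List[Range], host_address_base: str):
        self.name = name
        self.base = IPv4Address(host_address_base)
        first, last = entries[-1]  # latest entry wins; earlier entries are ignored
        lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
        self.addresses = [IPv4Address(i) for i in range(lo, hi + 1)]

    def translate(self, src_ip: str, src_port: int) -> Optional[Tuple[str, int]]:
        """Return (new_ip, port), or None when the host lies outside the pool's coverage."""
        offset = int(IPv4Address(src_ip)) - int(self.base)
        if 0 <= offset < len(self.addresses):
            return str(self.addresses[offset]), src_port  # port is not translated
        return None  # no source NAT applied to this host


def map_subnet(pool: ShiftPool, network: str, hosts: int) -> Dict[str, Optional[Tuple[str, int]]]:
    """Apply the pool to the first `hosts` addresses of a /24 so coverage gaps are visible."""
    net = IPv4Address(network)
    return {str(net + i): pool.translate(str(net + i), 40000 + i) for i in range(1, hosts + 1)}


# Pool from the first post: two /32 entries, host-address-base 10.10.10.10
NAT_A = ShiftPool("NAT-A", [("172.16.3.58", "172.16.3.58"), ("172.16.3.50", "172.16.3.50")], "10.10.10.10")
# Scenario 1: one range of ten addresses
SCENARIO_1 = ShiftPool("p1", [("11.11.11.1", "11.11.11.10")], "192.168.10.1")
# Scenario 2: a second range added later shadows the first one entirely
SCENARIO_2 = ShiftPool("p1", [("11.11.11.1", "11.11.11.10"), ("10.10.10.1", "10.10.10.10")], "192.168.10.1")

if __name__ == "__main__":
    print(NAT_A.translate("10.10.10.10", 5012))  # 172.16.3.50, port kept
    for src, out in map_subnet(SCENARIO_2, "192.168.10.0", 12).items():
        print(src, "->", out if out else "NOT translated")
```

Running the script shows hosts .11 and .12 falling through untranslated, which is the coverage check worth doing before relying on such a pool in a policy.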
Contributor
jeniferdcosta

Re: source nat without port translation

Thanks Pradeep,


Very good explanation, I understood it very well.

One more question that is not related to host-address-base, apart from the discussion above.

I have configured one pool with 1 IP. For example, I have specified 4 source IP addresses accessing 4 destination IP addresses on the extranet. Then can all 4 hosts initiate a connection to the destination using the 1 IP in the pool, or will only the source IP that comes first be translated and all the rest not translated?

Thanks

New User
fulvio

Re: source nat without port translation

I have a slightly different requirement: I would like to keep the source port but use the same external IP.

192.168.0.1:5012 -> any:any NATTED to 1.1.1.1:5012 -> any:any

192.168.0.2:5013 -> any:any NATTED to 1.1.1.1:5013 -> any:any

etc.


Any ideas?

Thanks

Fulvio

New User
luffy-kun

Re: source nat without port translation

We have the same requirement as well.

Basically I want to have the behaviour below:

NAT rule 1

1.1.1.1 Port 1234 --> Destination ===AFTER NAT=== 10.1.1.1 Port 1234 --> Destination

NAT rule 2

2.2.2.2 Port 3456 --> Destination ===AFTER NAT=== 10.1.1.1 Port 3456 --> Destination

We don't need to do it in 2 different rules, but I assume it will never work using only one rule.