SRX


source nat without port translation

  • 1.  source nat without port translation

    Posted 03-27-2012 11:38

    Hello,

    I'm trying to achieve source NAT from 1 server to 1 destination with 1 address in the pool, but without source port translation.

    While doing this it gives me the error attached. The error is strange: it tells me that I have to specify at least 2 addresses in the pool if I want to do no source port translation. WHY???????? such

    Please find the attached.


    #NAT
    #source.nat
    #no.port.translation


  • 2.  RE: source nat without port translation

    Posted 03-27-2012 12:57

    For 1:1 translation you might be better off with static NAT.

     



  • 3.  RE: source nat without port translation

    Posted 03-27-2012 13:13

    Hello Keithr,

    I'm using the server address with many virtual IPs on different destinations and ports, so I think static NAT is not possible.

    For example:

    Real IP: 10.10.10.10
    destination: 192.168.10.1
    port: 20200
    Pool IP: 10.1.1.1

    Real IP: 10.10.10.10
    destination: 192.168.10.1
    port: 20201
    Pool IP: 10.1.1.2

    Real IP: 10.10.10.10
    destination: 172.16.10.10
    port: 20220
    Pool IP: 10.1.1.3



  • 4.  RE: source nat without port translation

    Posted 03-27-2012 13:35

    I'm not sure I completely follow what you're describing.

     

    For each section below you have a real IP, a destination, and a pool IP.  How are you classifying the three different IPs?

     



  • 5.  RE: source nat without port translation

    Posted 03-27-2012 22:26

    Hello Keithr,

    I have a third-party firewall which is doing this job: it classifies traffic on destination port, and it keeps the source port the same as the destination port.

    Classifying traffic on destination port

    I will explain what the third-party firewall is actually doing.

    Real IP: 10.10.10.10
    destination: 192.168.10.1
    port: 20200
    Pool IP: 10.1.1.1

    The above configuration says that when 10.10.10.10 enters from the trust interface heading to the extranet interface, with destination 192.168.10.1 on port 20200, translate it to 10.1.1.1.

    Real IP: 10.10.10.10
    destination: 192.168.10.1
    port: 20201
    Pool IP: 10.1.1.2

    The above configuration says that when 10.10.10.10 enters from the trust interface heading to the extranet interface, with destination 192.168.10.1 on port 20201, translate it to 10.1.1.2.

    Real IP: 10.10.10.10
    destination: 172.16.10.10
    port: 20220
    Pool IP: 10.1.1.3

    The above configuration says that when 10.10.10.10 enters from the trust interface heading to the extranet interface, with destination 172.16.10.10 on port 20220, translate it to 10.1.1.3.

    Thanks



  • 6.  RE: source nat without port translation

    Posted 03-29-2012 15:43

    Hello,

    Can anybody help me achieve the above requirement?



  • 7.  RE: source nat without port translation

    Posted 04-06-2012 09:05

    Hi,

    I think the following config should help you (I didn't get a chance to test this).

    Here I have used pool-based source NAT with address shifting (by definition, this type of translation is one-to-one, static, and without PAT). To overcome that commit error (error: Source NAT pool (no port translation) contains too few addresses (at least 2 addresses needed)), I have used another dummy address in each pool: 9.1.1.1/32, 9.1.1.2/32 and 9.1.1.3/32.

    Complete configuration for your requirement is:

    [edit]
    lab@host1-a# show security nat | display set
    set security nat source pool p1 address 10.1.1.1/32
    set security nat source pool p1 address 9.1.1.1/32    <-- dummy
    set security nat source pool p1 host-address-base 10.10.10.10/32
    set security nat source pool p2 address 10.1.1.2/32
    set security nat source pool p2 address 9.1.1.2/32    <-- dummy
    set security nat source pool p2 host-address-base 10.10.10.10/32
    set security nat source pool p3 address 10.1.1.3/32
    set security nat source pool p3 address 9.1.1.3/32    <-- dummy
    set security nat source pool p3 host-address-base 10.10.10.10/32
    set security nat source rule-set 1 from zone trust
    set security nat source rule-set 1 to zone extranet
    set security nat source rule-set 1 rule 1 match source-address 10.10.10.10/32
    set security nat source rule-set 1 rule 1 match destination-address 192.168.10.1/32
    set security nat source rule-set 1 rule 1 match destination-port 20200
    set security nat source rule-set 1 rule 1 then source-nat pool p1
    set security nat source rule-set 1 rule 2 match source-address 10.10.10.10/32
    set security nat source rule-set 1 rule 2 match destination-address 192.168.10.1/32
    set security nat source rule-set 1 rule 2 match destination-port 20201
    set security nat source rule-set 1 rule 2 then source-nat pool p2
    set security nat source rule-set 1 rule 3 match source-address 10.10.10.10/32
    set security nat source rule-set 1 rule 3 match destination-address 172.16.10.10/32
    set security nat source rule-set 1 rule 3 match destination-port 20220
    set security nat source rule-set 1 rule 3 then source-nat pool p3

    Hope this helps.

     



  • 8.  RE: source nat without port translation

    Posted 04-15-2012 13:13

    Hello,

    About the dummy IP address you suggested: how can I be sure it will act only as a dummy, i.e. that when host 10.10.10.10 initiates a connection it will always pick 10.1.1.1/32 and not 9.1.1.1/32?

    set security nat source pool p1 address 10.1.1.1/32
    set security nat source pool p1 address 9.1.1.1/32    <-- dummy
    set security nat source pool p1 host-address-base 10.10.10.10/32

    Thanks



  • 9.  RE: source nat without port translation

    Posted 04-15-2012 19:48

    Hi,

    Today I got a chance to test my proposed config on an SRX220 running Junos 11.2R1.10, and found something interesting.

    It was working fine, but you need to add the IP address (the one you want as the new source address post-NAT) last. I mean:

    If you define your pool in the following order, it will take 9.1.1.1 only:

    set security nat source pool p1 address 10.1.1.1/32
    set security nat source pool p1 address 9.1.1.1/32

    and if you change the order like below, it will take 10.1.1.1:

    set security nat source pool p1 address 9.1.1.1/32
    set security nat source pool p1 address 10.1.1.1/32

    Note: for traffic testing purposes, I changed the destination ports to 80, 23 and 80 in rules 1, 2 and 3 respectively.

    [edit]
    root@SRX# 
    root@SRX# run show security flow session protocol tcp    
    Session ID: 941, Policy name: default-policy-00/2, Timeout: 14, Valid
      In: 10.10.10.10/49191 --> 192.168.10.1/23;tcp, If: ge-0/0/0.0, Pkts: 2, Bytes: 104
      Out: 192.168.10.1/23 --> 10.1.1.2/49191;tcp, If: ge-0/0/1.0, Pkts: 0, Bytes: 0
    
    Session ID: 942, Policy name: default-policy-00/2, Timeout: 16, Valid
      In: 10.10.10.10/49192 --> 172.16.10.10/80;tcp, If: ge-0/0/0.0, Pkts: 2, Bytes: 104
      Out: 172.16.10.10/80 --> 10.1.1.3/49192;tcp, If: ge-0/0/1.0, Pkts: 0, Bytes: 0
    
    Session ID: 943, Policy name: default-policy-00/2, Timeout: 18, Valid
      In: 10.10.10.10/49193 --> 192.168.10.1/80;tcp, If: ge-0/0/0.0, Pkts: 2, Bytes: 104
      Out: 192.168.10.1/80 --> 10.1.1.1/49193;tcp, If: ge-0/0/1.0, Pkts: 0, Bytes: 0
    Total sessions: 3

    And if your pool addresses (10.1.1.1, 10.1.1.2 and 10.1.1.3) are in the same network as your outgoing interface, you need to add proxy-arp for those addresses (you don't need to add proxy-arp for the dummy addresses).

    Hope this helps :)



  • 10.  RE: source nat without port translation

    Posted 04-16-2012 12:59

    Here is my pool config, so according to your explanation the source will always pick 172.16.3.50.

    Please correct me if I'm wrong.

     

    root# show security nat source pool NAT-A
    address {
        172.16.3.58/32;
        172.16.3.50/32;
    }
    port no-translation;



  • 11.  RE: source nat without port translation

    Posted 04-16-2012 18:11

    Hi,

    The key thing here is host-address-base, which ensures that 10.10.10.10 will always be translated to the last (latest) address mentioned in the corresponding pool, without port translation.

    root@SRX# show security nat source pool NAT-A
    address {
        172.16.3.58/32;
        172.16.3.50/32;
    }
    host-address-base 10.10.10.10/32;    << this is mandatory if you want 172.16.3.50 to be the new source address

    port no-translation;    <<< not required if the above statement is present (because by default in host-address-shifting source NAT, PAT is disabled)

    Here's the complete sample config again (in the correct order):

    [edit]
    lab@host1-a# show security nat | display set
    set security nat source pool p1 address 9.1.1.1/32
    set security nat source pool p1 address 10.1.1.1/32
    set security nat source pool p1 host-address-base 10.10.10.10/32
    set security nat source pool p2 address 9.1.1.2/32
    set security nat source pool p2 address 10.1.1.2/32
    set security nat source pool p2 host-address-base 10.10.10.10/32
    set security nat source pool p3 address 9.1.1.3/32
    set security nat source pool p3 address 10.1.1.3/32
    set security nat source pool p3 host-address-base 10.10.10.10/32
    set security nat source rule-set 1 from zone trust
    set security nat source rule-set 1 to zone extranet
    set security nat source rule-set 1 rule 1 match source-address 10.10.10.10/32
    set security nat source rule-set 1 rule 1 match destination-address 192.168.10.1/32
    set security nat source rule-set 1 rule 1 match destination-port 20200
    set security nat source rule-set 1 rule 1 then source-nat pool p1
    set security nat source rule-set 1 rule 2 match source-address 10.10.10.10/32
    set security nat source rule-set 1 rule 2 match destination-address 192.168.10.1/32
    set security nat source rule-set 1 rule 2 match destination-port 20201
    set security nat source rule-set 1 rule 2 then source-nat pool p2
    set security nat source rule-set 1 rule 3 match source-address 10.10.10.10/32
    set security nat source rule-set 1 rule 3 match destination-address 172.16.10.10/32
    set security nat source rule-set 1 rule 3 match destination-port 20220
    set security nat source rule-set 1 rule 3 then source-nat pool p3

    Hope this answers your question.

     



  • 12.  RE: source nat without port translation

    Posted 04-17-2012 13:40

     

    Hello,

    I have specified the host-address-base in the pool, i.e. the real source 10.10.10.10/32, so it will always pick the IP 172.16.3.50/32 from the pool, leaving the top one which is only a dummy. Please correct me if I'm wrong.

    But I want to know what host-address-base actually means, and whether it is used only in such situations.

    Sorry, I want to understand this properly rather than just follow instructions.

     

     



  • 13.  RE: source nat without port translation
    Best Answer

    Posted 04-18-2012 07:56

    Hi,

     

    The following link should help you to understand the host-address-base usage .

     

    http://www.juniper.net/techpubs/en_US/junos10.4/topics/example/nat-security-source-nat-address-shifting-configuring.html



  • 14.  RE: source nat without port translation

    Posted 04-19-2012 14:20

     

    Thanks Pradeep for your patience in making me understand the real working of host-address-base.

    Conclusion:

    • If there are 10 original source addresses, then there should be 10 IP addresses in the source pool. If we specify 20 IP addresses as original source addresses, then only 10 will be translated and the 11th onwards will not be translated.
    • host-address-base specifies the starting host for the network prefix.
    • Suppose I want to translate 10 IP addresses with a pool of 10 IPs; then the host-address-base will be 192.168.10.1 according to the table shown.
    • And as you specified, it will pick up the latest IP address from the source pool. For example, from the table below: when address 192.168.10.1 tries to access the extranet it will pick up the address 11.11.11.10 from the source pool, and so on for the other addresses, 192.168.10.2 -> 11.11.11.9.

      Sr No   Original Source   Source Pool
      1       192.168.10.1      11.11.11.1
      2       192.168.10.2      11.11.11.2
      3       192.168.10.3      11.11.11.3
      4       192.168.10.4      11.11.11.4
      5       192.168.10.5      11.11.11.5
      6       192.168.10.6      11.11.11.6
      7       192.168.10.7      11.11.11.7
      8       192.168.10.8      11.11.11.8
      9       192.168.10.9      11.11.11.9
      10      192.168.10.10     11.11.11.10

     



  • 15.  RE: source nat without port translation

    Posted 04-21-2012 00:01

    Hi,

    One correction to your conclusion:

    "And as you specified, it will pick up the latest IP address from the source pool. For example, from the table below: when address 192.168.10.1 tries to access the extranet it will pick up the address 11.11.11.10 from the source pool, and so on for the other addresses, 192.168.10.2 -> 11.11.11.9." - this is not true.

    Here's the conclusion I came to from my testing (if anyone has tested this and found something different, please correct me).

    Scenario #1 (standard behaviour of address-shifting source NAT)

    [edit]
    lab@host1-a# show security nat | display set
    
    set security nat source pool p1 address 11.11.11.1/32 to 11.11.11.10/32
    set security nat source pool p1 host-address-base 192.168.10.1/32
    
    set security nat source rule-set 1 from zone trust
    set security nat source rule-set 1 to zone extranet
    set security nat source rule-set 1 rule 1 match source-address 192.168.10.0/24
    set security nat source rule-set 1 rule 1 then source-nat pool p1

    In this case, 192.168.10.1 will be translated to 11.11.11.1, 192.168.10.2 will be translated to 11.11.11.2, and so on up to 192.168.10.10 translated to 11.11.11.10. All other hosts in the 192.168.10.0/24 network will NOT be source translated.

    Scenario #2 (the only difference from the previous scenario is that now we have two address ranges in the same pool)

    [edit]
    lab@host1-a# show security nat | display set
    
    set security nat source pool p1 address 11.11.11.1/32 to 11.11.11.10/32
    set security nat source pool p1 address 10.10.10.1/32 to 10.10.10.10/32    << latest entry in the pool
    set security nat source pool p1 host-address-base 192.168.10.1/32
    
    set security nat source rule-set 1 from zone trust
    set security nat source rule-set 1 to zone extranet
    set security nat source rule-set 1 rule 1 match source-address 192.168.10.0/24
    set security nat source rule-set 1 rule 1 then source-nat pool p1

    In this case, addresses 11.11.11.1/32 to 11.11.11.10/32 will NOT be used for translation.

    192.168.10.1 will be translated to 10.10.10.1, 192.168.10.2 will be translated to 10.10.10.2, and so on up to 192.168.10.10 translated to 10.10.10.10. All other hosts in the 192.168.10.0/24 network will NOT be source translated.
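    The address-shifting mapping described in this thread, as an added example that is not part of the original posts and not Juniper code: a small simulator that parses the `display set` lines the posters exchanged (scenario 2 above, and the dummy-address config from post 11) and applies the one-to-one, no-PAT rule that the offset of the original source from host-address-base selects the same offset into the pool. Two behaviours are assumptions taken from the posters' own tests on an SRX220 (Junos 11.2R1.10) rather than documented guarantees, and are marked as such in the code: a source outside the shifted range is left untranslated, and when a pool holds several address ranges only the last-configured range is used. Destination-address and destination-port matches are honoured so the per-port rules of post 11 can be exercised; zone statements are ignored.

```python
"""Simulator for the SRX source-NAT address-shifting behaviour this thread describes.
Added example, not code from the thread or from Juniper. It parses the posters'
`display set` lines and applies the one-to-one, no-PAT mapping: the source's offset
from host-address-base selects the same offset into the pool. Two behaviours are
ASSUMPTIONS taken from the posters' tests (SRX220, Junos 11.2R1.10), not guarantees:
(1) a source outside the shifted range is left untranslated (post 15); (2) with
several ranges in one pool, only the last-configured range is used (posts 9, 15).
"""
import ipaddress
import re
from typing import Dict, Optional

_P = r"^set security nat source "
_RE = {
    "pool_addr": re.compile(_P + r"pool (\S+) address (\S+)(?: to (\S+))?$"),
    "pool_base": re.compile(_P + r"pool (\S+) host-address-base (\S+)$"),
    "rule_src": re.compile(_P + r"rule-set \S+ rule (\S+) match source-address (\S+)$"),
    "rule_dst": re.compile(_P + r"rule-set \S+ rule (\S+) match destination-address (\S+)$"),
    "rule_port": re.compile(_P + r"rule-set \S+ rule (\S+) match destination-port (\d+)$"),
    "rule_pool": re.compile(_P + r"rule-set \S+ rule (\S+) then source-nat pool (\S+)$"),
}


def _host(text: str) -> ipaddress.IPv4Address:
    return ipaddress.ip_interface(text).ip          # "10.1.1.1/32" -> 10.1.1.1


def parse_config(text: str):
    """Build pool and rule tables from `show security nat | display set` lines."""
    pools: Dict[str, dict] = {}
    rules: Dict[str, dict] = {}                      # insertion order == evaluation order
    for raw in text.splitlines():
        line = re.split(r"<<|<--", raw)[0].strip()  # drop the thread's inline annotations
        if not line.startswith("set "):
            continue
        if m := _RE["pool_addr"].match(line):
            first = _host(m.group(2))
            last = _host(m.group(3)) if m.group(3) else first
            pools.setdefault(m.group(1), {"ranges": [], "base": None})["ranges"].append((first, last))
        elif m := _RE["pool_base"].match(line):
            pools.setdefault(m.group(1), {"ranges": [], "base": None})["base"] = _host(m.group(2))
        elif m := _RE["rule_src"].match(line):
            rules.setdefault(m.group(1), {})["src"] = ipaddress.ip_network(m.group(2))
        elif m := _RE["rule_dst"].match(line):
            rules.setdefault(m.group(1), {})["dst"] = ipaddress.ip_network(m.group(2))
        elif m := _RE["rule_port"].match(line):
            rules.setdefault(m.group(1), {})["dport"] = int(m.group(2))
        elif m := _RE["rule_pool"].match(line):
            rules.setdefault(m.group(1), {})["pool"] = m.group(2)
    return pools, rules


def translate(pools, rules, src, dst=None, dport=None) -> Optional[ipaddress.IPv4Address]:
    """Post-NAT source address for (src, dst, dport); None if the packet is not translated."""
    src, dst = ipaddress.ip_address(src), (ipaddress.ip_address(dst) if dst else None)
    for rule in rules.values():                      # first matching rule wins
        if src not in rule["src"] or ("dst" in rule and (dst is None or dst not in rule["dst"])):
            continue
        if "dport" in rule and dport != rule["dport"]:
            continue
        pool = pools[rule["pool"]]
        if pool["base"] is None:
            raise ValueError(f"pool {rule['pool']} has no host-address-base (not address shifting)")
        first, last = pool["ranges"][-1]             # ASSUMPTION (2): last-configured range wins
        offset = int(src) - int(pool["base"])
        if 0 <= offset <= int(last) - int(first):
            return first + offset                    # same offset into the pool; port untouched
        return None                                  # ASSUMPTION (1): outside the range, untranslated
    return None                                      # no rule matched


# Post 15, scenario 2: two ranges in one pool (config copied from the thread, zone lines omitted).
SCENARIO_2 = """
set security nat source pool p1 address 11.11.11.1/32 to 11.11.11.10/32
set security nat source pool p1 address 10.10.10.1/32 to 10.10.10.10/32  << latest entry in the pool
set security nat source pool p1 host-address-base 192.168.10.1/32
set security nat source rule-set 1 rule 1 match source-address 192.168.10.0/24
set security nat source rule-set 1 rule 1 then source-nat pool p1
"""

# Post 11: the original poster's case, a dummy 9.1.1.x listed before each real address.
OP_CONFIG = """
set security nat source pool p1 address 9.1.1.1/32
set security nat source pool p1 address 10.1.1.1/32
set security nat source pool p1 host-address-base 10.10.10.10/32
set security nat source pool p2 address 9.1.1.2/32
set security nat source pool p2 address 10.1.1.2/32
set security nat source pool p2 host-address-base 10.10.10.10/32
set security nat source rule-set 1 rule 1 match source-address 10.10.10.10/32
set security nat source rule-set 1 rule 1 match destination-address 192.168.10.1/32
set security nat source rule-set 1 rule 1 match destination-port 20200
set security nat source rule-set 1 rule 1 then source-nat pool p1
set security nat source rule-set 1 rule 2 match source-address 10.10.10.10/32
set security nat source rule-set 1 rule 2 match destination-address 192.168.10.1/32
set security nat source rule-set 1 rule 2 match destination-port 20201
set security nat source rule-set 1 rule 2 then source-nat pool p2
"""

if __name__ == "__main__":
    pools, rules = parse_config(SCENARIO_2)
    for i in (1, 10, 11):                            # inside, last inside, first outside the range
        print(f"192.168.10.{i} -> {translate(pools, rules, f'192.168.10.{i}')}")
    pools, rules = parse_config(OP_CONFIG)
    print(translate(pools, rules, "10.10.10.10", "192.168.10.1", 20201))
```

    Running it shows 192.168.10.1 and 192.168.10.10 landing on 10.10.10.1 and 10.10.10.10 (the second range, never 11.11.11.x), 192.168.10.11 left untranslated, and the poster's host picking 10.1.1.2 for port 20201 because the real address is the last entry of pool p2. Swap the two address lines of a pool and the dummy address is chosen instead, which is exactly the ordering trap post 9 reported; if a later Junos release behaves differently, only the two marked assumptions need changing.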



  • 16.  RE: source nat without port translation

    Posted 04-21-2012 00:58

    Thanks Pradeep,

    Very good explanation, I understood it very well.

    One more question, not related to host-address-base and apart from the discussion above.

    I have configured one pool with 1 IP, and for example I have specified 4 source IP addresses accessing 4 destination IP addresses on the extranet. Can all 4 hosts initiate a connection to the destination using the 1 IP in the pool, or will only the source IP that comes first be translated and the rest not translated?

    Thanks



  • 17.  RE: source nat without port translation

    Posted 02-18-2014 06:17

    I have a slightly different requirement: I would like to keep the source port but use the same external IP.

     

    192.168.0.1:5012 -> any:any NATTED to 1.1.1.1:5012 -> any:any

    192.168.0.2:5013 -> any:any NATTED to 1.1.1.1:5013 -> any:any

     

    etc.

     

    Any ideas?

    Thanks

    Fulvio



  • 18.  RE: source nat without port translation

    Posted 10-01-2014 23:34
    We have the same requirement as well.

    Basically I want to have the behaviour below:

    NAT rule 1

    1.1.1.1 Port 1234 --> Destination ===AFTER NAT=== 10.1.1.1 Port 1234 --> Destination

    NAT rule 2

    2.2.2.2 Port 3456 --> Destination ===AFTER NAT=== 10.1.1.1 Port 3456 --> Destination

    We don't need to do it in 2 different rules, but I assume it will never work using only one rule.