SRX Services Gateway
Contributor
jeniferdcosta
Posts: 92
Registered: 07-25-2010

source nat without port translation

Hello,

 

I'm trying to achieve source NAT from 1 server to 1 destination with 1 address in the pool, but without source port translation.

 

While doing this it gives me the error attached. The error is strange: it is telling me that you have to specify at least 2 addresses in the pool if you want to do no source port translation. WHY???????? such

 

Please find the attached.

 

 

Distinguished Expert
keithr
Posts: 979
Registered: 09-10-2009

Re: source nat without port translation

For 1:1 translation you might be better off with static NAT.

 

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
Contributor
jeniferdcosta
Posts: 92
Registered: 07-25-2010

Re: source nat without port translation


Hello Keithr,

 

I'm using a server address with many virtual IPs on different destinations and ports. So static NAT is not possible, I think.

 

For example:

 

Real IP: 10.10.10.10
Destination: 192.168.10.1
Port: 20200
Pool IP: 10.1.1.1

Real IP: 10.10.10.10
Destination: 192.168.10.1
Port: 20201
Pool IP: 10.1.1.2

Real IP: 10.10.10.10
Destination: 172.16.10.10
Port: 20220
Pool IP: 10.1.1.3

 

 

 

 

Distinguished Expert
keithr
Posts: 979
Registered: 09-10-2009

Re: source nat without port translation

I'm not sure I completely follow what you're describing.

 

For each section below you have a real IP, a destination, and a pool IP.  How are you classifying the three different IPs?

 

-kr


Contributor
jeniferdcosta
Posts: 92
Registered: 07-25-2010

Re: source nat without port translation

Hello Keithr,

 

I have a third-party firewall which is doing this job, classifying traffic on destination port, and it is keeping the source port the same as the destination port.

 

Classifying traffic on destination port

 

I will explain to you what the third-party firewall is actually doing.

 

Real IP: 10.10.10.10
Destination: 192.168.10.1
Port: 20200
Pool IP: 10.1.1.1

The above configuration says that when 10.10.10.10 enters from the trust interface heading to the extranet interface, with destination 192.168.10.1 on port 20200, translate it to 10.1.1.1.

Real IP: 10.10.10.10
Destination: 192.168.10.1
Port: 20201
Pool IP: 10.1.1.2

The above configuration says that when 10.10.10.10 enters from the trust interface heading to the extranet interface, with destination 192.168.10.1 on port 20201, translate it to 10.1.1.2.

 

Real IP: 10.10.10.10
Destination: 172.16.10.10
Port: 20220
Pool IP: 10.1.1.3

The above configuration says that when 10.10.10.10 enters from the trust interface heading to the extranet interface, with destination 172.16.10.10 on port 20220, translate it to 10.1.1.3.

 

Thanks

Contributor
jeniferdcosta
Posts: 92
Registered: 07-25-2010

Re: source nat without port translation

Hello,

 

Can anybody help me to achieve the above requirement?

Recognized Expert
JunOS_Fan
Posts: 241
Registered: 02-13-2012

Re: source nat without port translation

Hi,

 

I think the following config should help you (I didn't get a chance to test this):

 

Here I have used pool-based source NAT with address shifting (by definition, this type of translation is one-to-one, static, and without PAT), and to overcome that commit error (error: Source NAT pool (no port translation) contains too few addresses (at least 2 addresses needed)) I have used another dummy address like 9.1.1.1/32, 9.1.1.2/32 and 9.1.1.3/32.

 

The complete configuration for your requirement is:

 

[edit]
lab@host1-a# show security nat | display set
set security nat source pool p1 address 10.1.1.1/32
set security nat source pool p1 address 9.1.1.1/32 <--dummy
set security nat source pool p1 host-address-base 10.10.10.10/32
set security nat source pool p2 address 10.1.1.2/32
set security nat source pool p2 address 9.1.1.2/32<--dummy
set security nat source pool p2 host-address-base 10.10.10.10/32
set security nat source pool p3 address 10.1.1.3/32
set security nat source pool p3 address 9.1.1.3/32<--dummy
set security nat source pool p3 host-address-base 10.10.10.10/32
set security nat source rule-set 1 from zone trust
set security nat source rule-set 1 to zone extranet
set security nat source rule-set 1 rule 1 match source-address 10.10.10.10/32
set security nat source rule-set 1 rule 1 match destination-address 192.168.10.1/32
set security nat source rule-set 1 rule 1 match destination-port 20200
set security nat source rule-set 1 rule 1 then source-nat pool p1
set security nat source rule-set 1 rule 2 match source-address 10.10.10.10/32
set security nat source rule-set 1 rule 2 match destination-address 192.168.10.1/32
set security nat source rule-set 1 rule 2 match destination-port 20201
set security nat source rule-set 1 rule 2 then source-nat pool p2
set security nat source rule-set 1 rule 3 match source-address 10.10.10.10/32
set security nat source rule-set 1 rule 3 match destination-address 172.16.10.10/32
set security nat source rule-set 1 rule 3 match destination-port 20220
set security nat source rule-set 1 rule 3 then source-nat pool p3

 

Hope this helps.

 

Best regards
Pradeep (JNCIP-SEC,ENT,SP)
www.networker.co.in
Contributor
jeniferdcosta
Posts: 92
Registered: 07-25-2010

Re: source nat without port translation

Hello,

 

The DUMMY IP address that you have suggested for me will act as a dummy; how can I assure this, that when host 10.10.10.10 wants to initiate a connection it will always pick 10.1.1.1/32 and not 9.1.1.1/32?

 

set security nat source pool p1 address 10.1.1.1/32
set security nat source pool p1 address 9.1.1.1/32 <--dummy
set security nat source pool p1 host-address-base 10.10.10.10/32

 

Thanks

Recognized Expert
JunOS_Fan
Posts: 241
Registered: 02-13-2012

Re: source nat without port translation

Hi,

 

Today I got a chance to test my proposed config on an SRX220 running Junos 11.2R1.10. Found something interesting.

 

It was working fine, but you need to add the IP address (the one that you want to be the new source address post-NAT) last. I mean,

 

If you define your pool in the following order, it will take 9.1.1.1 only:

 

set security nat source pool p1 address 10.1.1.1/32
set security nat source pool p1 address 9.1.1.1/32

 

and if you change the order like below, it will take 10.1.1.1:

 

set security nat source pool p1 address 9.1.1.1/32
set security nat source pool p1 address 10.1.1.1/32

 

Note: For traffic testing purposes, I have changed the destination ports to 80, 23 and 80 in rules 1, 2, 3 respectively.

[edit]
root@SRX# 
root@SRX# run show security flow session protocol tcp    
Session ID: 941, Policy name: default-policy-00/2, Timeout: 14, Valid
  In: 10.10.10.10/49191 --> 192.168.10.1/23;tcp, If: ge-0/0/0.0, Pkts: 2, Bytes: 104
  Out: 192.168.10.1/23 --> 10.1.1.2/49191;tcp, If: ge-0/0/1.0, Pkts: 0, Bytes: 0

Session ID: 942, Policy name: default-policy-00/2, Timeout: 16, Valid
  In: 10.10.10.10/49192 --> 172.16.10.10/80;tcp, If: ge-0/0/0.0, Pkts: 2, Bytes: 104
  Out: 172.16.10.10/80 --> 10.1.1.3/49192;tcp, If: ge-0/0/1.0, Pkts: 0, Bytes: 0

Session ID: 943, Policy name: default-policy-00/2, Timeout: 18, Valid
  In: 10.10.10.10/49193 --> 192.168.10.1/80;tcp, If: ge-0/0/0.0, Pkts: 2, Bytes: 104
  Out: 192.168.10.1/80 --> 10.1.1.1/49193;tcp, If: ge-0/0/1.0, Pkts: 0, Bytes: 0
Total sessions: 3

 

And if your pool addresses (10.1.1.1, 10.1.1.2 and 10.1.1.3) are in the same network as your outgoing interface, you need to add proxy-arp for those addresses (here you don't need to add the proxy for the dummy addresses).

 

Hope this helps :)

Best regards
Pradeep (JNCIP-SEC,ENT,SP)
www.networker.co.in
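As an added example (not from the thread and not Juniper's code), a small Python check that parses the session table posted above and confirms, for each session, that the reverse wing carries the pool address expected for that destination and port and that the original source port is unchanged (i.e. no PAT). The rules and sample output are the ones posted above, with the test ports 80/23/80; the mapping table and the helper names are assumptions for this example.

```python
import re

# Rules as posted above, keyed (destination IP, destination port) -> expected post-NAT source.
# Ports 80/23/80 are the ones used for the traffic test (assumed mapping for this example).
NAT_RULES = {
    ("192.168.10.1", 80): "10.1.1.1",   # rule 1 -> pool p1
    ("192.168.10.1", 23): "10.1.1.2",   # rule 2 -> pool p2
    ("172.16.10.10", 80): "10.1.1.3",   # rule 3 -> pool p3
}

# Session table as posted above (constructed sample input for this example).
SESSION_OUTPUT = """\
Session ID: 941, Policy name: default-policy-00/2, Timeout: 14, Valid
  In: 10.10.10.10/49191 --> 192.168.10.1/23;tcp, If: ge-0/0/0.0, Pkts: 2, Bytes: 104
  Out: 192.168.10.1/23 --> 10.1.1.2/49191;tcp, If: ge-0/0/1.0, Pkts: 0, Bytes: 0
Session ID: 942, Policy name: default-policy-00/2, Timeout: 16, Valid
  In: 10.10.10.10/49192 --> 172.16.10.10/80;tcp, If: ge-0/0/0.0, Pkts: 2, Bytes: 104
  Out: 172.16.10.10/80 --> 10.1.1.3/49192;tcp, If: ge-0/0/1.0, Pkts: 0, Bytes: 0
Session ID: 943, Policy name: default-policy-00/2, Timeout: 18, Valid
  In: 10.10.10.10/49193 --> 192.168.10.1/80;tcp, If: ge-0/0/0.0, Pkts: 2, Bytes: 104
  Out: 192.168.10.1/80 --> 10.1.1.1/49193;tcp, If: ge-0/0/1.0, Pkts: 0, Bytes: 0
"""

# One session wing: "In: src/sport --> dst/dport;proto, ..."
WING = re.compile(r"^\s*(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+)")

def parse_sessions(text):
    """Return one dict per session with its parsed 'In' and 'Out' wings."""
    sessions, current = [], None
    for line in text.splitlines():
        if line.startswith("Session ID:"):
            current = {"id": int(line.split(",")[0].split(":")[1])}
            sessions.append(current)
        elif (m := WING.match(line)) and current is not None:
            wing, src, sport, dst, dport, proto = m.groups()
            current[wing] = {"src": src, "sport": int(sport), "dst": dst, "dport": int(dport), "proto": proto}
    return sessions

def check_no_pat(session, rules):
    """Return (ok, reason): the Out wing must point at the expected pool address and keep the source port."""
    i, o = session["In"], session["Out"]
    expected = rules.get((i["dst"], i["dport"]))
    if expected is None:
        return False, "no NAT rule for %s:%d" % (i["dst"], i["dport"])
    if o["dst"] != expected:
        return False, "translated to %s, expected %s" % (o["dst"], expected)
    if o["dport"] != i["sport"]:
        return False, "source port changed %d -> %d" % (i["sport"], o["dport"])
    return True, "ok"

def audit(text=SESSION_OUTPUT, rules=NAT_RULES):
    """Map session ID -> (ok, reason) for every session in the table."""
    return {s["id"]: check_no_pat(s, rules) for s in parse_sessions(text)}
```

Feeding the same check a table where a dummy address (9.1.1.x) or a rewritten source port shows up in the Out wing flags that session, which is the quick way to confirm the pool ordering quirk described above on a live box.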
Contributor
jeniferdcosta
Posts: 92
Registered: 07-25-2010

Re: source nat without port translation

Here is my pool config, so according to your explanation the source will always pick 172.16.3.50.

 

Please correct me if I'm wrong.

 

root# show security nat source pool NAT-A
address {
    172.16.3.58/32;
    172.16.3.50/32;
}
port no-translation;
