SRX Services Gateway
Contributor
Posts: 92
Registered: ‎07-25-2010
0 Kudos
Accepted Solution

source nat without port translation

Hello,

I'm trying to achieve source NAT from 1 server to 1 destination with 1 address in the pool, but without source port translation.

While doing this it gives me the error attached. The error is strange: it is saying that you have to specify at least 2 addresses in the pool if you want to do no source port translation. WHY???

Please find the attached.

Distinguished Expert
Posts: 979
Registered: ‎09-10-2009
0 Kudos

Re: source nat without port translation

For 1:1 translation you might be better off with static NAT.

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
Contributor
Posts: 92
Registered: ‎07-25-2010
0 Kudos

Re: source nat without port translation

[ Edited ]

Hello Keithr,

I'm using a server address with many virtual IPs on different destinations and ports. So static NAT is not possible, I think.

For example:

Real IP: 10.10.10.10
destination: 192.168.10.1
port: 20200
Pool IP: 10.1.1.1

Real IP: 10.10.10.10
destination: 192.168.10.1
port: 20201
Pool IP: 10.1.1.2

Real IP: 10.10.10.10
destination: 172.16.10.10
port: 20220
Pool IP: 10.1.1.3

Distinguished Expert
Posts: 979
Registered: ‎09-10-2009
0 Kudos

Re: source nat without port translation

I'm not sure I completely follow what you're describing.

For each section below you have a real IP, a destination, and a pool IP. How are you classifying the three different IPs?

-kr


Contributor
Posts: 92
Registered: ‎07-25-2010
0 Kudos

Re: source nat without port translation

Hello Keithr,

I have a third-party firewall which is doing this job: it classifies traffic on destination port, and it keeps the source port the same as the destination port.

Classifying traffic on destination port:

I will explain to you what the third-party firewall is actually doing.

Real IP: 10.10.10.10
destination: 192.168.10.1
port: 20200
Pool IP: 10.1.1.1

The above configuration says that if 10.10.10.10 enters from the trust interface heading to the extranet interface on destination 192.168.10.1 on port 20200, translate it to 10.1.1.1.

Real IP: 10.10.10.10
destination: 192.168.10.1
port: 20201
Pool IP: 10.1.1.2

The above configuration says that if 10.10.10.10 enters from the trust interface heading to the extranet interface on destination 192.168.10.1 on port 20201, translate it to 10.1.1.2.

Real IP: 10.10.10.10
destination: 172.16.10.10
port: 20220
Pool IP: 10.1.1.3

The above configuration says that if 10.10.10.10 enters from the trust interface heading to the extranet interface on destination 172.16.10.10 on port 20220, translate it to 10.1.1.3.

Thanks

Contributor
Posts: 92
Registered: ‎07-25-2010
0 Kudos

Re: source nat without port translation

Hello,

Can anybody help me to achieve the above requirement?

Recognized Expert
Posts: 241
Registered: ‎02-13-2012
0 Kudos

Re: source nat without port translation

Hi,

I think the following config should help you (I didn't get a chance to test this).

Here I have used pool-based source NAT with address shifting (by definition, this type of translation is one-to-one, static, and without PAT), and to overcome that commit error (error: Source NAT pool (no port translation) contains too few addresses (at least 2 addresses needed)), I have used another dummy address like 9.1.1.1/32, 9.1.1.2/32 and 9.1.1.3/32.

Complete configuration for your requirement is:

[edit]
lab@host1-a# show security nat | display set
set security nat source pool p1 address 10.1.1.1/32
set security nat source pool p1 address 9.1.1.1/32    <-- dummy
set security nat source pool p1 host-address-base 10.10.10.10/32
set security nat source pool p2 address 10.1.1.2/32
set security nat source pool p2 address 9.1.1.2/32    <-- dummy
set security nat source pool p2 host-address-base 10.10.10.10/32
set security nat source pool p3 address 10.1.1.3/32
set security nat source pool p3 address 9.1.1.3/32    <-- dummy
set security nat source pool p3 host-address-base 10.10.10.10/32
set security nat source rule-set 1 from zone trust
set security nat source rule-set 1 to zone extranet
set security nat source rule-set 1 rule 1 match source-address 10.10.10.10/32
set security nat source rule-set 1 rule 1 match destination-address 192.168.10.1/32
set security nat source rule-set 1 rule 1 match destination-port 20200
set security nat source rule-set 1 rule 1 then source-nat pool p1
set security nat source rule-set 1 rule 2 match source-address 10.10.10.10/32
set security nat source rule-set 1 rule 2 match destination-address 192.168.10.1/32
set security nat source rule-set 1 rule 2 match destination-port 20201
set security nat source rule-set 1 rule 2 then source-nat pool p2
set security nat source rule-set 1 rule 3 match source-address 10.10.10.10/32
set security nat source rule-set 1 rule 3 match destination-address 172.16.10.10/32
set security nat source rule-set 1 rule 3 match destination-port 20220
set security nat source rule-set 1 rule 3 then source-nat pool p3

Hope this helps.

 

Regards,
Pradeep
Contributor
Posts: 92
Registered: ‎07-25-2010
0 Kudos

Re: source nat without port translation

Hello,

The dummy IP address that you have suggested for me will act as a dummy; how can I assure this, that when host 10.10.10.10 wants to initiate a connection it will always pick 10.1.1.1/32 and not 9.1.1.1/32?

set security nat source pool p1 address 10.1.1.1/32
set security nat source pool p1 address 9.1.1.1/32    <-- dummy
set security nat source pool p1 host-address-base 10.10.10.10/32

Thanks

Recognized Expert
Posts: 241
Registered: ‎02-13-2012

Re: source nat without port translation

Hi,

Today I got a chance to test my proposed config on an SRX220 running Junos 11.2R1.10. Found something interesting.

It was working fine, but you need to add the IP address (that you want to be the new source address post-NAT) last. I mean,

If you define your pool in the following order, it will take 9.1.1.1 only:

set security nat source pool p1 address 10.1.1.1/32
set security nat source pool p1 address 9.1.1.1/32

and if you change the order like below, it will take 10.1.1.1:

set security nat source pool p1 address 9.1.1.1/32
set security nat source pool p1 address 10.1.1.1/32

Note: For traffic testing purposes, I have changed the destination ports to 80, 23 and 80 in rules 1, 2, 3 respectively.

[edit]
root@SRX# 
root@SRX# run show security flow session protocol tcp    
Session ID: 941, Policy name: default-policy-00/2, Timeout: 14, Valid
  In: 10.10.10.10/49191 --> 192.168.10.1/23;tcp, If: ge-0/0/0.0, Pkts: 2, Bytes: 104
  Out: 192.168.10.1/23 --> 10.1.1.2/49191;tcp, If: ge-0/0/1.0, Pkts: 0, Bytes: 0

Session ID: 942, Policy name: default-policy-00/2, Timeout: 16, Valid
  In: 10.10.10.10/49192 --> 172.16.10.10/80;tcp, If: ge-0/0/0.0, Pkts: 2, Bytes: 104
  Out: 172.16.10.10/80 --> 10.1.1.3/49192;tcp, If: ge-0/0/1.0, Pkts: 0, Bytes: 0

Session ID: 943, Policy name: default-policy-00/2, Timeout: 18, Valid
  In: 10.10.10.10/49193 --> 192.168.10.1/80;tcp, If: ge-0/0/0.0, Pkts: 2, Bytes: 104
  Out: 192.168.10.1/80 --> 10.1.1.1/49193;tcp, If: ge-0/0/1.0, Pkts: 0, Bytes: 0
Total sessions: 3

and if your pool addresses (10.1.1.1, 10.1.1.2 and 10.1.1.3) are in the same network as your outgoing interface, you need to add proxy-arp for those addresses (here you don't need to add the proxy for the dummy addresses).

Hope this helps. :)

Regards,
Pradeep
Contributor
Posts: 92
Registered: ‎07-25-2010
0 Kudos

Re: source nat without port translation

Here is my pool config, so according to your explanation the source will always pick 172.16.3.50.

Please correct me if I'm wrong.

 

root# show security nat source pool NAT-A
address {
    172.16.3.58/32;
    172.16.3.50/32;
}
port no-translation;

Recognized Expert
Posts: 241
Registered: ‎02-13-2012

Re: source nat without port translation

Hi,

The key thing here is host-address-base, which ensures that 10.10.10.10 will always be translated to the last (latest) address mentioned in the corresponding pool, without port translation.

root@SRX# show security nat source pool NAT-A
address {
    172.16.3.58/32;
    172.16.3.50/32;
}
host-address-base 10.10.10.10/32;   << this is mandatory if you want 172.16.3.50 to be the new source address
port no-translation;                << not required if the above statement is present (because by default in host-address-shifting-based source NAT, PAT is disabled)

Here's the complete sample config again (in the correct order):

[edit]
lab@host1-a# show security nat | display set
set security nat source pool p1 address 9.1.1.1/32
set security nat source pool p1 address 10.1.1.1/32
set security nat source pool p1 host-address-base 10.10.10.10/32
set security nat source pool p2 address 9.1.1.2/32
set security nat source pool p2 address 10.1.1.2/32
set security nat source pool p2 host-address-base 10.10.10.10/32
set security nat source pool p3 address 9.1.1.3/32
set security nat source pool p3 address 10.1.1.3/32
set security nat source pool p3 host-address-base 10.10.10.10/32
set security nat source rule-set 1 from zone trust
set security nat source rule-set 1 to zone extranet
set security nat source rule-set 1 rule 1 match source-address 10.10.10.10/32
set security nat source rule-set 1 rule 1 match destination-address 192.168.10.1/32
set security nat source rule-set 1 rule 1 match destination-port 20200
set security nat source rule-set 1 rule 1 then source-nat pool p1
set security nat source rule-set 1 rule 2 match source-address 10.10.10.10/32
set security nat source rule-set 1 rule 2 match destination-address 192.168.10.1/32
set security nat source rule-set 1 rule 2 match destination-port 20201
set security nat source rule-set 1 rule 2 then source-nat pool p2
set security nat source rule-set 1 rule 3 match source-address 10.10.10.10/32
set security nat source rule-set 1 rule 3 match destination-address 172.16.10.10/32
set security nat source rule-set 1 rule 3 match destination-port 20220
set security nat source rule-set 1 rule 3 then source-nat pool p3

Hope this answers your question.

 

Regards,
Pradeep
Contributor
Posts: 92
Registered: ‎07-25-2010
0 Kudos

Re: source nat without port translation

Hello,

I have specified the host-based address in the pool, i.e. the real source 10.10.10.10/32, so it will always pick the IP 172.16.3.50/32 from the pool, leaving the top one, which is only a dummy. Please correct me if I'm wrong.

But I want to know what the host-based address actually means, and whether it is used only in such a situation.

Sorry, I want to understand it rather than just be instructed.

Recognized Expert
Posts: 241
Registered: ‎02-13-2012

Re: source nat without port translation

Hi,

The following link should help you understand the host-address-base usage.

http://www.juniper.net/techpubs/en_US/junos10.4/topics/example/nat-security-source-nat-address-shift...

Regards,
Pradeep
Contributor
Posts: 92
Registered: ‎07-25-2010
0 Kudos

Re: source nat without port translation

Thanks Pradeep for your patience in making me understand the real working of host-address-base.

Conclusion:

  • If the original source addresses are 10 in number, then 10 IP addresses should be in the source pool. If we specify 20 IP addresses in the original source address, then only 10 will be translated and the 11th will not be translated.
  • Host-address-base specifies that this is the starting host for the network prefix.
  • Suppose I want to translate 10 IP addresses with a pool of 10 IPs; then the host-address-base will be 192.168.10.1 according to the table shown.
  • And as you specified, from the source pool it will pick up the latest IP address. For example, from the table below: if address 192.168.10.1 tries to access extranet, it will pick up the address 11.11.11.10 from the source pool, and so on for the other addresses: 192.168.10.2 -- 11.11.11.9.

    Sr No   Original Source   Source Pool
    1       192.168.10.1      11.11.11.1
    2       192.168.10.2      11.11.11.2
    3       192.168.10.3      11.11.11.3
    4       192.168.10.4      11.11.11.4
    5       192.168.10.5      11.11.11.5
    6       192.168.10.6      11.11.11.6
    7       192.168.10.7      11.11.11.7
    8       192.168.10.8      11.11.11.8
    9       192.168.10.9      11.11.11.9
    10      192.168.10.10     11.11.11.10

Recognized Expert
Posts: 241
Registered: ‎02-13-2012
0 Kudos

Re: source nat without port translation

Hi,

One correction in your conclusion:

"And as you specified, from the source pool it will pick up the latest IP address. For example, from the table below: if address 192.168.10.1 tries to access extranet, it will pick up the address 11.11.11.10 from the source pool, and so on for the other addresses: 192.168.10.2 -- 11.11.11.9." This is not true.

Here's the conclusion that I came to from my testing (if anyone has tested this and found something different, please correct me).

Scenario # 1 (standard behaviour of address-shifting source NAT)

[edit]
lab@host1-a# show security nat | display set

set security nat source pool p1 address 11.11.11.1/32 to 11.11.11.10/32
set security nat source pool p1 host-address-base 192.168.10.1/32

set security nat source rule-set 1 from zone trust
set security nat source rule-set 1 to zone extranet
set security nat source rule-set 1 rule 1 match source-address 192.168.10.0/24
set security nat source rule-set 1 rule 1 then source-nat pool p1

In this case, 192.168.10.1 will be translated to 11.11.11.1, and 192.168.10.2 will be translated to 11.11.11.2, and so on until 192.168.10.10 is translated to 11.11.11.10. All remaining hosts in the 192.168.10.0/24 network will NOT be source translated.

Scenario # 2 (the only difference between this and the previous scenario is that now we have two address ranges in the same pool)

[edit]
lab@host1-a# show security nat | display set

set security nat source pool p1 address 11.11.11.1/32 to 11.11.11.10/32
set security nat source pool p1 address 10.10.10.1/32 to 10.10.10.10/32    << latest entry in the pool
set security nat source pool p1 host-address-base 192.168.10.1/32

set security nat source rule-set 1 from zone trust
set security nat source rule-set 1 to zone extranet
set security nat source rule-set 1 rule 1 match source-address 192.168.10.0/24
set security nat source rule-set 1 rule 1 then source-nat pool p1

In this case, addresses 11.11.11.1/32 to 11.11.11.10/32 will NOT be used for translation.

192.168.10.1 will be translated to 10.10.10.1, and 192.168.10.2 will be translated to 10.10.10.2, and so on until 192.168.10.10 is translated to 10.10.10.10. All remaining hosts in the 192.168.10.0/24 network will NOT be source translated.

Regards,
Pradeep
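An added simulator (not Junos code, and not from any poster in this thread) of the address-shifting behaviour Pradeep reports in the two scenarios above and of the per-destination-port rule-set in his earlier sample config: a pool keeps its ranges in configured order, only the last range is used, host-address-base fixes the offset, hosts outside the shifted block are left untranslated, and the source port is never changed. All function and variable names are assumptions.

```python
import ipaddress

# Hypothetical model of SRX address-shifting source NAT as observed in this
# thread (not Junos code). A pool is its configured ranges in order plus a
# host-address-base; per the testing reported above, only the last configured
# range is honoured, and ports are never translated (no PAT).

def build_pool(ranges, host_address_base):
    """ranges: [(first, last), ...] as configured; the last entry wins."""
    first, last = ranges[-1]
    return {"first": int(ipaddress.ip_address(first)),
            "last": int(ipaddress.ip_address(last)),
            "base": int(ipaddress.ip_address(host_address_base))}

def shift(pool, src):
    """Translated address for src, or None when src is outside the shifted block."""
    offset = int(ipaddress.ip_address(src)) - pool["base"]
    if offset < 0 or offset > pool["last"] - pool["first"]:
        return None                       # left untranslated, as the thread reports
    return str(ipaddress.ip_address(pool["first"] + offset))

def translate(rules, pools, src, sport, dst, dport):
    """Rule-set evaluated top-down, first match wins; returns (new_src, sport)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r["src"]) and d in ipaddress.ip_network(r["dst"])
                and r.get("dport") in (None, dport)):
            new = shift(pools[r["pool"]], src)
            return (new if new is not None else src, sport)   # no PAT either way
    return (src, sport)                                       # no rule matched

# Constructed configuration mirroring the thread's pools p1..p3 (dummy first,
# real address last) and its three destination-port rules.
POOLS = {
    "p1": build_pool([("9.1.1.1", "9.1.1.1"), ("10.1.1.1", "10.1.1.1")], "10.10.10.10"),
    "p2": build_pool([("9.1.1.2", "9.1.1.2"), ("10.1.1.2", "10.1.1.2")], "10.10.10.10"),
    "p3": build_pool([("9.1.1.3", "9.1.1.3"), ("10.1.1.3", "10.1.1.3")], "10.10.10.10"),
}
RULES = [
    {"src": "10.10.10.10/32", "dst": "192.168.10.1/32", "dport": 20200, "pool": "p1"},
    {"src": "10.10.10.10/32", "dst": "192.168.10.1/32", "dport": 20201, "pool": "p2"},
    {"src": "10.10.10.10/32", "dst": "172.16.10.10/32", "dport": 20220, "pool": "p3"},
]

if __name__ == "__main__":
    print(translate(RULES, POOLS, "10.10.10.10", 49191, "192.168.10.1", 20201))
```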
Contributor
Posts: 92
Registered: ‎07-25-2010
0 Kudos

Re: source nat without port translation

Thanks Pradeep,

Very good explanation, I understood very well.

One more question that is not related to host-address-base, apart from the discussion above.

I have configured one pool with 1 IP and, for example, I have specified 4 source IP addresses accessing 4 destination IP addresses in extranet. Then can all 4 hosts initiate a connection to the destination via the 1 IP in the pool, or will only the source IP which comes first be translated and the rest not translated?

Thanks

New User
Posts: 1
Registered: ‎02-18-2014
0 Kudos

Re: source nat without port translation

I have a slightly different requirement: I would like to keep the source port but use the same external IP.

192.168.0.1:5012 -> any:any NATTED to 1.1.1.1:5012 -> any:any

192.168.0.2:5013 -> any:any NATTED to 1.1.1.1:5013 -> any:any

etc.

Any ideas?

Thanks

Fulvio

New User
Posts: 1
Registered: ‎10-01-2014
0 Kudos

Re: source nat without port translation

We have the same requirement as well.

Basically I want to have the behaviour below:

NAT rule 1

1.1.1.1 Port 1234 --> Destination ===AFTER NAT=== 10.1.1.1 Port 1234 --> Destination

NAT rule 2

2.2.2.2 Port 3456 --> Destination ===AFTER NAT=== 10.1.1.1 Port 3456 --> Destination

We don't need to do it in 2 different rules, but I assume it will never work using only one rule.