SRX Services Gateway

Multiple static NAT to same prefix

‎03-20-2018 03:20 AM

Hello

 

I have a need to have two static NATs going to the same server in the same subnet, for a few different servers. An example: 192.168.5.10 needs to have static NATs of 172.2.2.10 & 172.2.2.100. See config below.

 

There are 3 subnets involved in total: 

172.2.2.0/24
10.8.9.0/24
192.168.5.0/24

 

There are six servers in 10.8.9.0/24 which I need to communicate with, but in a particular way. See below the bidirectional communication that should be allowed. In the 192.168.5.x subnet there are about four servers I need to have this setup with; I have given two examples below and the others will be similar.

 

Server A

172.2.2.10 <-> 10.8.9.10

172.2.2.10 <-> 10.8.9.11

172.2.2.10 <-> 10.8.9.13

172.2.2.10 <-> 10.8.9.14

172.2.2.100 <-> 10.8.9.100

172.2.2.100 <-> 10.8.9.101

 

Server B

172.2.2.11 <-> 10.8.9.10

172.2.2.11 <-> 10.8.9.11

172.2.2.11 <-> 10.8.9.13

172.2.2.11 <-> 10.8.9.14

 

172.2.2.101 <-> 10.8.9.100

172.2.2.101 <-> 10.8.9.101

 

How can I get it to behave this way? From my understanding, in the current setup below, when 192.168.5.10 goes to communicate with 10.8.9.10 or 10.8.9.100 it will not know which static NAT it should present itself as.

 

 

static {
    rule-set outside_inter {
        from zone outside_inter;
        rule inter1 {
            description Server1_alpha;
            match {
                destination-address 172.2.2.10/32;
            }
            then {
                static-nat {
                    prefix {
                        192.168.5.10/32;
                    }
                }
            }
        }
        rule inter2 {
            description Server1_beta;
            match {
                destination-address 172.2.2.100/32;
            }
            then {
                static-nat {
                    prefix {
                        192.168.5.10/32;
                    }
                }
            }
        }
    }
}

 


Re: Multiple static NAT to same prefix

‎03-20-2018 12:47 PM

static nat is a one to one relationship so this will not work.

 

You could configure four destination NAT rules that all point to the same pool address, and then the outside traffic to those four addresses will be translated to the single server. The replies will then keep the same association.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Multiple static NAT to same prefix

‎03-21-2018 04:12 AM

I don't think that's what I want.

 

For example I have 4 servers on a different interface in the 192.168.5.0/24 subnet. Currently I have a static nat for each server:

 

192.168.5.10      static nat = 172.2.2.10

192.168.5.11      static nat = 172.2.2.11

192.168.5.12      static nat = 172.2.2.12

192.168.5.13      static nat = 172.2.2.13

 

This works and the servers access 10.8.9.10, 10.8.9.11, 10.8.9.12, 10.8.9.13 via a static route 10.8.9.0/24 next-hop 172.2.2.1;

 

I now need in addition: 

 

192.168.5.10      nat = 172.2.2.100

192.168.5.11      nat = 172.2.2.101

192.168.5.12      nat = 172.2.2.102

192.168.5.13      nat = 172.2.2.103

 

With these servers / setup communicating to 10.8.9.100, 10.8.9.101, 10.8.9.102, 10.8.9.103.

 

An example of comms would be:

If 192.168.5.10 needs to talk to 10.8.9.10 it should present itself as 172.2.2.10

If 192.168.5.10 needs to talk to 10.8.9.100 it should present itself as 172.2.2.100

 

With the reverse of:

 

If 10.8.9.10 needs to talk to 172.2.2.10 it should end up at  192.168.5.10

If 10.8.9.100 needs to talk to 172.2.2.100 it should end up at  192.168.5.10

 

I have attached an image which may help.

 

 


Re: Multiple static NAT to same prefix

‎03-22-2018 03:28 AM

You cannot use static nat for this function.  Static nat is limited to a single ip address to a single ip address mapping. 1-to-1.

 

You will need to configure source and destination NAT for each IP address and add to the rule the desired other-side IP address. Example for one source:

 

root@none# show security nat source
pool 5-10 {
    address {
        172.2.2.10/32;
    }
}
rule-set servers {
    from zone AAA;
    to zone BBB;
    rule 1 {
        match {
            source-address 192.168.5.10/32;
            destination-address 192.168.5.0/24;
        }
        then {
            source-nat {
                pool {
                    5-10;
                }
            }
        }
    }
}

 

 

Steve Puluka BSEET - Juniper Ambassador

Re: Multiple static NAT to same prefix

‎03-22-2018 03:37 AM

OK, but with the example you have given, how can I have 172.2.2.100 going to 192.168.5.10 as well? 192.168.5.10 needs to have two IPs in the same subnet.


Re: Multiple static NAT to same prefix

‎03-22-2018 03:52 AM

Would I not need something like the below per 192.168.5.x address?:

 

pool 5-10A {
    address {
        172.2.2.10/32;
    }
}
pool 5-10B {
    address {
        172.2.2.100/32;
    }
}
rule-set servers {
    from zone AAA;
    to zone BBB;
    rule 1 {
        match {
            source-address 192.168.5.10/32;
            destination-address [ 10.8.9.10/32 10.8.9.11/32 10.8.9.12/32 10.8.9.13/32 ];
        }
        then {
            source-nat {
                pool {
                    5-10A;
                }
            }
        }
    }
    rule 2 {
        match {
            source-address 192.168.5.10/32;
            destination-address [ 10.8.9.100/32 10.8.9.101/32 10.8.9.102/32 10.8.9.103/32 ];
        }
        then {
            source-nat {
                pool {
                    5-10B;
                }
            }
        }
    }
}

Re: Multiple static NAT to same prefix

‎03-22-2018 09:46 AM

Or would this be a simpler way of doing it?

 

source {
    pool src-nat-pool-1 {
        address {
            172.2.2.10/32 to 172.2.2.13/32;
        }
        host-address-base 192.168.5.10/32;
    }
    pool src-nat-pool-2 {
        address {
            172.2.2.100/32 to 172.2.2.103/32;
        }
        host-address-base 192.168.5.10/32;
    }
    rule-set rs1 {
        from zone trust;
        to zone untrust;
        rule r1 {
            match {
                source-address 192.168.5.0/24;
                destination-address [ 10.8.9.10/32 10.8.9.11/32 10.8.9.12/32 10.8.9.13/32 ];
            }
            then {
                source-nat {
                    pool {
                        src-nat-pool-1;
                    }
                }
            }
        }
        rule r2 {
            match {
                source-address 192.168.5.0/24;
                destination-address [ 10.8.9.100/32 10.8.9.101/32 10.8.9.102/32 10.8.9.103/32 ];
            }
            then {
                source-nat {
                    pool {
                        src-nat-pool-2;
                    }
                }
            }
        }
    }
}
proxy-arp {
    interface reth1.0 {
        address {
            172.2.2.10/32 to 172.2.2.13/32;
            172.2.2.100/32 to 172.2.2.103/32;
        }
    }
}
 

Re: Multiple static NAT to same prefix

‎03-23-2018 02:29 AM

Sorry, I'm getting confused on what the rules are that you want to enforce.

 

If all four addresses are in the pool, your rule will round-robin through the addresses as additional sessions hit the rule.

 

So you would build your rule set around those parameters.  If you need to specifically control which of the four server addresses are involved then the pool would be 1 address.  If they can rotate then they can be combined.

 

The match addresses act as an OR within the same list of source or destination.

Any destination address in the list is ANDed with any source address in the list.

 

Steve Puluka BSEET - Juniper Ambassador

Re: Multiple static NAT to same prefix

‎03-23-2018 02:50 AM

Oh, well, that's not what I need. So the below is what I need to implement per server in the 192.168.5.0/24 range?

On interface reth0.0 I have the 192.168.5.0/24 network; here I have four servers that need to speak to another subnet, 10.8.9.0/24, that's connected to reth1.0 on 172.2.2.0/24 via a static route. On reth1.0 I need these four servers to have two IPs each. One-to-one NAT is in place and works for one IP per server, but as I now need two IPs this is why I need to change solution. IPs cannot rotate as this traffic is SIP.

 

Thanks 

 

pool 5-10A {
    address {
        172.2.2.10/32;
    }
}
pool 5-10B {
    address {
        172.2.2.100/32;
    }
}
rule-set servers {
    from zone AAA;
    to zone BBB;
    rule 1 {
        match {
            source-address 192.168.5.10/32;
            destination-address [ 10.8.9.10/32 10.8.9.11/32 10.8.9.12/32 10.8.9.13/32 ];
        }
        then {
            source-nat {
                pool {
                    5-10A;
                }
            }
        }
    }
    rule 2 {
        match {
            source-address 192.168.5.10/32;
            destination-address [ 10.8.9.100/32 10.8.9.101/32 10.8.9.102/32 10.8.9.103/32 ];
        }
        then {
            source-nat {
                pool {
                    5-10B;
                }
            }
        }
    }
}

Re: Multiple static NAT to same prefix

‎03-23-2018 03:13 AM

Still not positive I follow, but this looks valid to me: address one talks to the first four addresses for NAT and address two will talk to the second four addresses for NAT.

 

Naturally, these rules kick in on the first packet that initiates the connection. So if the servers initiate traffic from those four addresses back to the first NAT address, a rule set also needs to be in place from zone BBB to zone AAA as well.

 

Steve Puluka BSEET - Juniper Ambassador

Re: Multiple static NAT to same prefix

‎03-23-2018 03:28 AM

The 172.2.2.0/24 & 10.8.9.0/24 subnets are on my supplier's Cisco router; I simply set up one of those IPs on reth1.0. How would I apply this rule going back? Would proxy-arp not work here?


Re: Multiple static NAT to same prefix

‎03-23-2018 03:57 AM

Do you mean something like this?

 

destination {
    pool dst-nat-pool-1 {
        address 192.168.5.10/32;
    }
    rule-set rs1 {
        from zone BBB;
        rule r1 {
            match {
                destination-address 172.2.2.10/32;
            }
            then {
                destination-nat {
                    pool {
                        dst-nat-pool-1;
                    }
                }
            }
        }
    }
}

Re: Multiple static NAT to same prefix

‎03-24-2018 03:46 AM

Sorry for all the confusion.

 

What I mean is that nat and security policy rules apply in the direction zone to zone of the first packet in the session. Reply traffic is covered by this policy for that session.  Proxy-arp is needed if the nat ip address is in the same subnet as the interface ip address on the SRX.

 

So the NAT and security rules need to be in place from zone AAA to zone BBB if the server in zone AAA sends the first SYN packet.

 

Or the reverse if the conversation starts with the server in BBB. 

 

Or both if either can be the first speaker.

 

Steve Puluka BSEET - Juniper Ambassador

Re: Multiple static NAT to same prefix

‎03-24-2018 03:49 AM

Both can be the initial speaker. So what do I need in this case? I'm getting confused about what config to use.

Re: Multiple static NAT to same prefix

‎03-24-2018 03:54 AM

So you will need nat and security policies in both directions.

 

What is the ip address mapping you want to see on the conversations at the end of the process?

This is where I am confused, I am not sure now what transformations you actually want to see happen.

 

table 1:  AAA to BBB

source address(s) > destination address(s)  > which one uses which nat address

 

Table 2: BBB to AAA

source address(s) > destination address(s)  > which one uses which nat address

 

Steve Puluka BSEET - Juniper Ambassador

Re: Multiple static NAT to same prefix

‎03-26-2018 01:50 AM

Please see attached image. On my SRX I have 4 servers on reth0 their local interfaces on the server itself are 192.168.5.0/24. On reth1 is where I have the other subnet 172.2.2.0/24 and where all this NAT translation is taking place. There is a static route there to 10.8.9.0/24.

 

Basically any traffic in black font will only speak to servers with black font in the remote section. Also, traffic in blue font will only speak to servers with blue font in the remote section. NAT translation should be done based on this.

 

I hope this makes sense.


Re: Multiple static NAT to same prefix

‎03-26-2018 03:10 AM

OK, that is more clear to me now. You will need eight pairs of policy to allow for initiating communications in both directions. This is a sample pair for the first server (black). Source NAT from the left to right and destination NAT from the right to the left.

 

root@none# show security nat source
pool 5-10 {
    address {
        172.2.2.10/32;
    }
}
rule-set servers {
    from zone AAA;
    to zone BBB;
    rule 1 {
        match {
            source-address 192.168.5.10/32;
            destination-address [ 10.8.9.10/32 10.8.9.11/32 10.8.9.12/32 10.8.9.13/32 ];
        }
        then {
            source-nat {
                pool {
                    5-10;
                }
            }
        }
    }
}

[edit security nat destination]
root@none# show
pool 5-10 {
    address 192.168.5.10/32;
}
rule-set servers {
    from zone BBB;
    rule 1 {
        match {
            source-address [ 10.8.9.10/32 10.8.9.11/32 10.8.9.12/32 10.8.9.13/32 ];
            destination-address 172.2.2.10/32;
        }
        then {
            destination-nat {
                pool {
                    5-10;
                }
            }
        }
    }
}

 

Steve Puluka BSEET - Juniper Ambassador
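Putting the pieces of this thread together for one server, as an added example that is not configuration from any of the posts above: set-style Junos for 192.168.5.10 with both of its outside identities, source NAT for sessions it starts and destination NAT for sessions the 10.8.9.x servers start, plus the proxy ARP and security policies that go with them. The zone names AAA/BBB, the interface reth1.0 and the address plan (172.2.2.10 toward 10.8.9.10/11/13/14, 172.2.2.100 toward 10.8.9.100/101) are taken from the thread; the pool, rule, address-book and policy names are my own, and the global address book assumes a Junos release that has one. Two details the thread does not settle are included because SIP depends on them: `port no-translation` on the source pools, since a source NAT pool otherwise rewrites the source port of every session, and security policies written against the real address 192.168.5.10 in both directions, because policy lookup on the SRX uses the post-destination-NAT destination and the pre-source-NAT source.

```junos
# Source NAT, zone AAA -> zone BBB: 192.168.5.10 presents itself as 172.2.2.10 toward
# the "black" servers and as 172.2.2.100 toward the "blue" ones. One address per pool,
# so nothing can rotate; port no-translation keeps the SIP/RTP source ports unchanged.
set security nat source pool 5-10A address 172.2.2.10/32
set security nat source pool 5-10A port no-translation
set security nat source pool 5-10B address 172.2.2.100/32
set security nat source pool 5-10B port no-translation
set security nat source rule-set AAA-to-BBB from zone AAA
set security nat source rule-set AAA-to-BBB to zone BBB
set security nat source rule-set AAA-to-BBB rule 5-10A match source-address 192.168.5.10/32
set security nat source rule-set AAA-to-BBB rule 5-10A match destination-address [ 10.8.9.10/32 10.8.9.11/32 10.8.9.13/32 10.8.9.14/32 ]
set security nat source rule-set AAA-to-BBB rule 5-10A then source-nat pool 5-10A
set security nat source rule-set AAA-to-BBB rule 5-10B match source-address 192.168.5.10/32
set security nat source rule-set AAA-to-BBB rule 5-10B match destination-address [ 10.8.9.100/32 10.8.9.101/32 ]
set security nat source rule-set AAA-to-BBB rule 5-10B then source-nat pool 5-10B

# Destination NAT, zone BBB -> zone AAA: sessions started by the 10.8.9.x servers.
# Both outside addresses land on the same real host, so both rules share one pool;
# the source-address match is what stops a blue server from using the black identity.
set security nat destination pool dst-5-10 address 192.168.5.10/32
set security nat destination rule-set BBB-to-AAA from zone BBB
set security nat destination rule-set BBB-to-AAA rule 5-10A match source-address [ 10.8.9.10/32 10.8.9.11/32 10.8.9.13/32 10.8.9.14/32 ]
set security nat destination rule-set BBB-to-AAA rule 5-10A match destination-address 172.2.2.10/32
set security nat destination rule-set BBB-to-AAA rule 5-10A then destination-nat pool dst-5-10
set security nat destination rule-set BBB-to-AAA rule 5-10B match source-address [ 10.8.9.100/32 10.8.9.101/32 ]
set security nat destination rule-set BBB-to-AAA rule 5-10B match destination-address 172.2.2.100/32
set security nat destination rule-set BBB-to-AAA rule 5-10B then destination-nat pool dst-5-10

# Proxy ARP: reth1.0 has its own address in 172.2.2.0/24, so the SRX must answer ARP
# for the NAT addresses or the Cisco next hop never forwards traffic to them.
set security nat proxy-arp interface reth1.0 address 172.2.2.10/32
set security nat proxy-arp interface reth1.0 address 172.2.2.100/32

# Address book (names are assumptions) and the two policies. Policy lookup sees the
# post-destination-NAT destination and the pre-source-NAT source, so both directions
# are written against the real 192.168.5.10, never against 172.2.2.10/.100.
set security address-book global address srv-5-10 192.168.5.10/32
set security address-book global address black-10 10.8.9.10/32
set security address-book global address black-11 10.8.9.11/32
set security address-book global address black-13 10.8.9.13/32
set security address-book global address black-14 10.8.9.14/32
set security address-book global address blue-100 10.8.9.100/32
set security address-book global address blue-101 10.8.9.101/32
set security address-book global address-set black-servers address black-10
set security address-book global address-set black-servers address black-11
set security address-book global address-set black-servers address black-13
set security address-book global address-set black-servers address black-14
set security address-book global address-set blue-servers address blue-100
set security address-book global address-set blue-servers address blue-101
set security policies from-zone AAA to-zone BBB policy sip-out match source-address srv-5-10
set security policies from-zone AAA to-zone BBB policy sip-out match destination-address [ black-servers blue-servers ]
set security policies from-zone AAA to-zone BBB policy sip-out match application junos-sip
set security policies from-zone AAA to-zone BBB policy sip-out then permit
set security policies from-zone BBB to-zone AAA policy sip-in match source-address [ black-servers blue-servers ]
set security policies from-zone BBB to-zone AAA policy sip-in match destination-address srv-5-10
set security policies from-zone BBB to-zone AAA policy sip-in match application junos-sip
set security policies from-zone BBB to-zone AAA policy sip-in then permit
```

The other three servers repeat the same lines with their own addresses. The black/blue separation is enforced by the NAT rules rather than by the policies: a blue server sending to 172.2.2.10 matches no destination NAT rule, arrives at the policy with destination 172.2.2.10, which is not srv-5-10, and is dropped. `junos-sip` is enough only while the SIP ALG is enabled (check with `show security alg status`), because the ALG opens the RTP pinholes; with the ALG disabled the media port range has to be added to both policies. After committing, `show security nat source rule all` and `show security nat destination rule all` show per-rule hit counters, and `show security flow session source-prefix 192.168.5.10` shows each session with its translated address and port so an unexpected port rewrite is visible immediately.
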

Re: Multiple static NAT to same prefix

‎03-26-2018 03:30 AM

OK, thanks, I will give it a go and report back. Do I still need to use proxy-arp?


Re: Multiple static NAT to same prefix

‎03-27-2018 02:45 AM

Proxy arp is required if your nat addresses are in the same subnet as an SRX interface.

 

If the nat addresses are routed to the SRX and NOT on the interface configuration then proxy arp is not required.

 

Steve Puluka BSEET - Juniper Ambassador

Re: Multiple static NAT to same prefix

‎05-02-2018 05:18 AM

I have made my config live but am seeing some strange behaviour. My system is clustered, so I have node 0 and node 1, with node 0 being the primary (I have checked). For some reason node 0 and node 1 are being used here.

 

Also, as in this example, for some reason the ports have incremented by 1. On my equipment the ports being used are, for example, 10102 & 30824, but the Juniper seems to be translating to 10103 & 30825.
