SRX

Hi all,

Does anyone know what the Persistant NAT Binding Limits are for the various Branch and High-end SRX devices and whether these are hard limits or configuration defined?

(As shown by show security nat source persistant-nat-table summary : binding total <num>)

We're currently topping out our SRX650 with approx 250 users (low traffic levels though) and would like to know what our options are.

SRX650 gives: 32768 as the total

Thanks

Hello,

The eaiest option is to exclude volume traffic (HTTP/HTTPS/DNS/mail/VPNs such as IPSec/PPTP/OpenVPN etc) from "persisitent-nat"-ing. This traffic does not need incoming connections which is what "persistent-nat" is for. Moreover, it does not even use constant source port which is also a prerequisite for "persistent-nat" to accept incoming connecitons on.

You can do it by configuring a NAT rule which matches on specific dst.ports, and place it above Your "persistent-nat" rule.

HTH

Thx

Alex

Hi Alex,

Thanks, that's a fantastic solution.

Do you think we should still try and collate the Binding Limits so others know what they are? I've googled high and low and nowhere have I been able to find them. I've got some smaller SRX's lying around, so can get them from those, would need people with the high-end ones to chip in.

Hello,

---

@Oli Stockman wrote:

 

Do you think we should still try and collate the Binding Limits so others know what they are? I've googled high and low and nowhere have I been able to find them.

---

The easiest way is to contact Your nearest friendly Juniper SE and ask for per-platform limits.

HTH

Thx

Alex