SRX Services Gateway

Persistent NAT

06-26-2017 11:05 PM

How is this LAB going to work when port overloading is off????

* It is supposed that if it is off, the SRX will not be able to differentiate between 2 hosts using the same source port. (attached image: Untitled.png)


Re: Persistent NAT

06-26-2017 11:58 PM

Hi !

I hope that this info also answers some of your other questions.

 

You need to differentiate between packet-based NAT (what a router typically does) and flow-based NAT (what a firewall does).

In packet-based NAT the router typically looks only at the field it needs to translate, so that field needs to be unique, and therefore without PAT only a single translation is possible.

 

In flow-based NAT the firewall looks at a bunch of flow information (incoming interface, SA, DA, protocol, SP, DP), and as long as at least one of them is different it can differentiate the flow.

So, for example, 2 sessions from 2 hosts with the same SA and packets to the same destination and port will succeed when at least the source port (SP) is different.

In the unlikely case of also the same source port, one session will not conclude, and a reopening will use the next source port number and then succeed.

 

That means that you can have many, many translations without needing PAT when using a firewall.

 

regards

alexander

 

 


Re: Persistent NAT

06-27-2017 12:08 AM

So in the above LAB, if 2 users connect to Facebook, one of them will be denied, correct?


Re: Persistent NAT

[ Edited ]
06-27-2017 05:52 AM

No, both will be allowed. Without port overloading there are 64k possible source NAT translations on a single interface. With port overloading you can have up to 32x64k translations as long as there are different destination addresses.

 

Source NAT doesn't only change the SRC IP but also (by default) the SRC PORT. So when two local hosts want to connect to the same DST IP & PORT, the firewall will translate them to different SRC PORTs and this way will be able to differentiate them.

For example:

before NAT:
1.1.1.1:9999 -> 5.5.5.5:80
1.1.1.2:8888 -> 5.5.5.5:80

after NAT:
2.2.2.2:6666 -> 5.5.5.5:80
2.2.2.2:7777 -> 5.5.5.5:80

 

With port overloading you can have multiple (up to 32) translations from the same SRC PORT when sessions are destined to different DST IPs.

 


Re: Persistent NAT

06-27-2017 06:39 AM

To expand on what wuddy and alex said, this is a special scenario in which you turn off port-overloading.

By default, a single IP address can allow 65,535 ports with about 64K unassigned ports available for use.

Port-overloading is enabled by default on the SRX, which increases this number as follows: this feature can potentially allow the same IP/port combination to be used by the same host when opening multiple sessions concurrently, but to different addresses. For example:

session 1 = 10.10.10.10:4444 -> 20.20.20.20:80
session 2 = 10.10.10.10:4444 -> 30.30.30.30:80
session 3 = 10.10.10.10:4444 -> 40.40.40.40:80 <=== This is theoretically possible!

 

In order to allow external SIP clients to connect to internal SIP phones, the STUN client/server communication requires that the IP/port be the same and consistent. This could break the end-to-end communication with STUN clients. When configuring the any-remote-host persistent NAT type with interface NAT, you have to explicitly disable port overloading.

Solution accepted by topic author AhmedMohamed, 06-27-2017 10:45 PM

Re: Persistent NAT

06-27-2017 08:14 AM

Hi 

 

Good explanations. I guess the initial confusion comes from the assumption that "PAT" is the same as "port overloading", which is NOT the case. There is a more extensive discussion in this old thread:

https://forums.juniper.net/t5/SRX-Services-Gateway/interface-nat-port-overloading-off-what-does-it-m...

Best Regards,
PK

Juniper Ambassador, Juniper Networks Certified Instructor,
JNCIE-SEC #98, JNCIE-ENT #393, JNCIE-SP #2253
Twitter: @JuniperTrain
GitHub: https://github.com/pklimai
[Juniper Authorized Education & Support in Russia]

Re: Persistent NAT

06-27-2017 10:46 PM

ENG/ Pulkit

Please check your private messages.
