SRX Services Gateway

Source NAT Multiple Times on Same Device

a week ago

Hi All,

I would like to source NAT traffic twice on my device. See the scenario below:

I have two Routing Instances, A and B. My default route for A is to table B. I want all traffic that will take the default route to be NAT'd to an address before it reaches routing instance B. I want routing instance B to only have a route for the source NAT pool back to Routing Instance A rather than having to share all of my routes from RI A to routing instance B.

Is this possible without configuring another Routing Instance that acts as a 'staging instance' or another physical interface that acts as the same?

7 REPLIES

Re: Source NAT Multiple Times on Same Device

a week ago

If you use the SRX in flow-based mode, then you do not need any route for the reverse traffic.

Only the initiating packet needs a route lookup; the return traffic will have an automatic session table entry which is the inverse of the initiating packet, and any such packet will be automatically forwarded without any policy or route lookup.

So IMHO you do not need any routes in B or a double NAT.

regards

Alexander

Re: Source NAT Multiple Times on Same Device

a week ago

If I'm understanding you correctly, traffic from my routing instance A will never hit routing instance B if I have shared the default route from B to A.

Meaning, as long as I do not have any route sharing outside of the default route, Routing Instance B will never be able to route to A?

Tested this in my lab:

Just updated my routing table to ensure that RI B does not have routes for A, then initiated traffic from A that will hit B. Traffic goes back out the default route's interface in RI B due to the lack of a route for the return traffic.

Re: Source NAT Multiple Times on Same Device

a week ago

Try something like this:

A & B NAT.png

You will need to create the lt interface, place it in a security zone, and maybe configure a security policy.

[edit interfaces lt-0/0/0]
lab@vSRX-1# show | display set relative
set unit 1 encapsulation ethernet
set unit 1 peer-unit 2
set unit 1 family inet address 10.10.40.1/24  ### add this unit to routing instance A
set unit 2 encapsulation ethernet
set unit 2 peer-unit 1
set unit 2 family inet address 10.10.40.2/24  ### add this unit to routing instance B

Yasmin Lara
Sunset Learning Institute (SLI)
Juniper Ambassador #QuadE - JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
JNCIA-CLOUD, JNCDS-DC
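An added example, not from Yasmin's post or from Juniper's documentation, that fills out the lt-0/0/0 approach end to end in Junos set-style configuration: the two lt units are placed in their routing instances, A's default route points across the tunnel, B carries only a route for the NAT pool back toward A, and source NAT is applied on the first pass (A-side ingress zone to lt-0/0/0.1) so that B only ever sees pool addresses. The lt units and the 10.10.40.0/24 addressing come from the post above; the interface names ge-0/0/1 and ge-0/0/2, the zone and pool names, the pool prefix 192.0.2.0/24 and the virtual-router instance type are assumptions for illustration.

```junos
## Logical tunnel pair (from the post above): unit 1 lives in RI A, unit 2 in RI B
set interfaces lt-0/0/0 unit 1 encapsulation ethernet
set interfaces lt-0/0/0 unit 1 peer-unit 2
set interfaces lt-0/0/0 unit 1 family inet address 10.10.40.1/24
set interfaces lt-0/0/0 unit 2 encapsulation ethernet
set interfaces lt-0/0/0 unit 2 peer-unit 1
set interfaces lt-0/0/0 unit 2 family inet address 10.10.40.2/24

## Assumed revenue ports: ge-0/0/1 is the inside of A, ge-0/0/2 the outside of B
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.1/24
set interfaces ge-0/0/2 unit 0 family inet address 203.0.113.2/24

## RI A: default route crosses the tunnel into B (instance type is an assumption)
set routing-instances A instance-type virtual-router
set routing-instances A interface ge-0/0/1.0
set routing-instances A interface lt-0/0/0.1
set routing-instances A routing-options static route 0.0.0.0/0 next-hop 10.10.40.2

## RI B: the only route back toward A is for the NAT pool, as the OP asked for.
## With flow-based forwarding, return packets of an established session match the
## session entry (Alexander's point above); this route is what B's table says about
## the pool for anything that is not session-matched.
set routing-instances B instance-type virtual-router
set routing-instances B interface ge-0/0/2.0
set routing-instances B interface lt-0/0/0.2
set routing-instances B routing-options static route 192.0.2.0/24 next-hop 10.10.40.1
set routing-instances B routing-options static route 0.0.0.0/0 next-hop 203.0.113.1

## Zones: each lt unit gets its own zone so both passes are policy-controlled
set security zones security-zone INSIDE-A interfaces ge-0/0/1.0
set security zones security-zone LT-A interfaces lt-0/0/0.1
set security zones security-zone LT-B interfaces lt-0/0/0.2
set security zones security-zone OUTSIDE-B interfaces ge-0/0/2.0

## Source NAT on the first pass: anything from INSIDE-A leaving via lt-0/0/0.1 is
## translated into the pool, so RI B never sees A's real prefixes. Pool is assumed.
set security nat source pool SNAT-POOL-A address 192.0.2.0/24
set security nat source rule-set A-TO-LT from zone INSIDE-A
set security nat source rule-set A-TO-LT to interface lt-0/0/0.1
set security nat source rule-set A-TO-LT rule SNAT-ALL match source-address 0.0.0.0/0
set security nat source rule-set A-TO-LT rule SNAT-ALL then source-nat pool SNAT-POOL-A

## Pass 1 policy: inside of A toward the tunnel
set security policies from-zone INSIDE-A to-zone LT-A policy A-OUT match source-address any
set security policies from-zone INSIDE-A to-zone LT-A policy A-OUT match destination-address any
set security policies from-zone INSIDE-A to-zone LT-A policy A-OUT match application any
set security policies from-zone INSIDE-A to-zone LT-A policy A-OUT then permit

## Pass 2 policy: tunnel side of B toward B's outside; only pool sources arrive here
set security policies from-zone LT-B to-zone OUTSIDE-B policy B-OUT match source-address any
set security policies from-zone LT-B to-zone OUTSIDE-B policy B-OUT match destination-address any
set security policies from-zone LT-B to-zone OUTSIDE-B policy B-OUT match application any
set security policies from-zone LT-B to-zone OUTSIDE-B policy B-OUT then permit
```

After committing and sending a flow from the A side, `show security flow session` should list two sessions for it, one for each pass through the box, with the second showing the pool address as its source; `show route table B.inet.0` should confirm that B holds only the pool route and its own default, not A's prefixes. If a tighter pass-2 policy is wanted, replace `source-address any` in B-OUT with an address-book entry for 192.0.2.0/24 so that B refuses anything that did not get translated.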
Re: Source NAT Multiple Times on Same Device

a week ago

Hi Yasmin,

That was my next thought, but logical tunnels are not supported in cluster mode.

At least according to https://forums.juniper.net/t5/SRX-Services-Gateway/lt-0-0-0-interface-on-SRX345-cluster/td-p/294838; I haven't been able to find docs that explicitly state that it is unsupported.

Re: Source NAT Multiple Times on Same Device

a week ago

Oh man! Well, you could configure a firewall filter for the return traffic to be directed to A, OR share routes with rib-groups. Seems like you don't want to use the second option.

I need to understand your topology a little better to be able to give you a more detailed answer. Let me re-read your original message, but if you can post more details that would help.

Yasmin Lara
Sunset Learning Institute (SLI)
Juniper Ambassador #QuadE - JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
JNCIA-CLOUD, JNCDS-DC
Re: Source NAT Multiple Times on Same Device

a week ago

I think we've decided that any config we'd install would add unnecessary complication without enough benefit. I appreciate you guys for taking the time to look into this.

Re: Source NAT Multiple Times on Same Device

a week ago

Maybe something like this would work:

A & B NAT2.png


Yasmin Lara
Sunset Learning Institute (SLI)
Juniper Ambassador #QuadE - JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
JNCIA-CLOUD, JNCDS-DC