source NAT with 1 IP but different port range to different destinations

I would suggest you do something like the following:

First create all the rules required to NAT ALL the other traffic from 10.10.10.10 to all destinations such as FTP, HTTP, SSH.  Then just allow all the other ports to go to these 3 locations. 

Hopefully it should work for you

pool 11_11_11_11 {
    address {
        11.11.11.11/32;
    }
}
pool 172_16_1_1 {
    address {
        172.16.1.1/32;
    }
}
rule-set source-test {
    from zone trust;
    to zone untrust;
    rule ftp {
        match {
            source-address 10.10.10.10/32;
            destination-address 11.120.130.140/32;
        destination-port 21;
        }
        then {
            source-nat {
                pool {
                    172_16_1_1;
                }
            }
        }
    }
    rule HTTP {
        match {
            source-address 10.10.10.10/32;
            destination-address 120.140.150.160/32;
        destination-port 80;
        }
        then {
            source-nat {
                pool {
                    172_16_1_1;
                }
            }
        }
    }
    rule dest1 {
        match {
            source-address 10.10.10.10/32;
            destination-address [100.100.100.100/32 150.150.150.150/32 50.50.50.50/32];
        }
        then {
            source-nat {
                pool {
                    11_11_11_11;
                }
            }
        }
    }

Why not create a rule-set with the three desired rules, each using the same IP pool?

Hi,

i didnt understood ur replies my concern is the source Port  and not the destination port, as u can see the source port are different for different destination.

Thanks

Ah, yes, I see your issue now since you can't match on source port. I don't know if maybe a persistent NAT would help but if you are purely relying on source port for differentiation even that may prove problematic. I will try to mock it up in my lab and see if I can get it to work.

The more I think about it the more I think you probably need to use security policies to filter that traffic before it gets to the NAT rules. Since it is a source NAT it gets evaluated after security policy lookups so that may work for you.

Hi,

What about the traffic coming from same source 10.10.10.10 but with a different source port ( other than 60000-65000,40000-45000 and 30000-35000) ?  how it should be translated ? is there any specific requirement for this ?

and for the traffic with these sourceport ranges , do you need to maintain the same port ? or  PAT is fine for this ?

I think , having an idea of overall requirement should give us a better picture . if possible , could you share your complete NAT requirements ?

Hello Pradeep,

As i have written in my 1st mail, one source is going to different destination and port but with different source port.and 1 IP from pool

how it should be translated ? is there any specific requirement for this ?

They will go by one IP from the pool.

and for the traffic with these sourceport ranges , do you need to maintain the same port ?

yes i need to maintain different source port ranges to different destination

Dear's,

Anybody can help me to solve the above issues.

Thanks

Hi , can you confirm whether the source-port range that you had mentioned is actual source-port or the translated source- port after N(P)AT.

Hello,

They should be the translated source port that means when they go out of the SRX they should have the source port specified above with different ranges to different destination.

Anybody If the question is not clear please reply back .

Thanks

Hi,

As we can not match on source-port in the source nat match conditions, we need to control that using security policies. and for maintaining the same source-port (i,e PAT disabled) and to a single source address , you can use a dummy address and host-address-base .

here's the overall sample config to meet your requirement -

1. Create custom applications with the required source-ports (here i have used tcp only , if you need to allow both tcp and udp in this port range , you need to create multiple terms)


set applications application myapp1 protocol tcp
set applications application myapp1 source-port 60000-65000
set applications application myapp2 protocol tcp
set applications application myapp2 source-port 40000-45000
set applications application myapp3 protocol tcp
set applications application myapp-3 source-port 30000-35000

2. Create address-book entries in the respective zones corresponding to source and destination addresses

set security zones security-zone inside address-book address 10_10_10_10 10.10.10.10/32
set security zones security-zone external address-book address 100_100_100_100 100.100.100.100/32
set security zones security-zone external address-book address 50_50_50_50 50.50.50.50/32
set security zones security-zone external address-book address 150_150_150_150 150.150.150.150/32

3. Create security policies to allow these 3 specific applications traffic and deny other traffic between these source and destinations 

set security policies from-zone inside to-zone external policy allow-myapp1 match source-address 10_10_10_10
set security policies from-zone inside to-zone external policy allow-myapp1 match destination-address 100_100_100_100
set security policies from-zone inside to-zone external policy allow-myapp1 match application myapp1
set security policies from-zone inside to-zone external policy allow-myapp1 then permit
set security policies from-zone inside to-zone external policy allow-myapp2 match source-address 10_10_10_10
set security policies from-zone inside to-zone external policy allow-myapp2 match destination-address 150_150_150_150
set security policies from-zone inside to-zone external policy allow-myapp2 match application myapp2
set security policies from-zone inside to-zone external policy allow-myapp2 then permit
set security policies from-zone inside to-zone external policy allow-myapp3 match source-address 10_10_10_10
set security policies from-zone inside to-zone external policy allow-myapp3 match destination-address 50_50_50_50
set security policies from-zone inside to-zone external policy allow-myapp3 match application myapp3
set security policies from-zone inside to-zone external policy allow-myapp3 then permit
set security policies from-zone inside to-zone external policy other-apps match source-address 10_10_10_10
set security policies from-zone inside to-zone external policy other-apps match destination-address 100_100_100_100
set security policies from-zone inside to-zone external policy other-apps match destination-address 50_50_50_50
set security policies from-zone inside to-zone external policy other-apps match destination-address 150_150_150_150
set security policies from-zone inside to-zone external policy other-apps match application any
set security policies from-zone inside to-zone external policy other-apps then reject

4. Create source nat pool with a single address ( and another dummy address) with host-address-base setting

set security nat source pool mysourcenatpool address 9.9.9.9/32 >>>dummy address
set security nat source pool mysourcenatpool address 11.11.11.11/32  >>> required source address post NAT
set security nat source pool mysourcenatpool host-address-base 10.10.10.10/32  >> ensures PAT is disabled 
set security nat source rule-set 1 from zone inside
set security nat source rule-set 1 to zone external
set security nat source rule-set 1 rule mynatrule match source-address 10.10.10.10/32
set security nat source rule-set 1 rule mynatrule match destination-address 50.50.50.50/32
set security nat source rule-set 1 rule mynatrule match destination-address 100.100.100.100/32
set security nat source rule-set 1 rule mynatrule match destination-address 150.150.150.150/32
set security nat source rule-set 1 rule mynatrule then source-nat pool mysourcenatpool

 Hope this helps

Pradeep did not get why we added dummy addresses in there?

Can u elaborate on that