source NAT with 1 IP but different port range to different destinations
Hello,
As I tried, 1 IP can be used only in 1 pool; it can't be used in another pool under another pool name. So how to achieve the below?

real source: 10.10.10.10
destination-1: 100.100.100.100
source port: 60000-65000
translated IP: 11.11.11.11

real source: 10.10.10.10
destination: 150.150.150.150
source port: 40000-45000
translated IP: 11.11.11.11

real source: 10.10.10.10
destination: 50.50.50.50
source port: 30000-35000
translated IP: 11.11.11.11
Thanks
Re: source NAT with 1 IP but different port range to different destinations
I would suggest you do something like the following:
First, create all the rules required to NAT ALL the other traffic from 10.10.10.10 to all destinations, such as FTP, HTTP, SSH. Then just allow all the other ports to go to these 3 locations.
Hopefully it should work for you.
pool 11_11_11_11 {
    address {
        11.11.11.11/32;
    }
}
pool 172_16_1_1 {
    address {
        172.16.1.1/32;
    }
}
rule-set source-test {
    from zone trust;
    to zone untrust;
    rule ftp {
        match {
            source-address 10.10.10.10/32;
            destination-address 11.120.130.140/32;
            destination-port 21;
        }
        then {
            source-nat {
                pool {
                    172_16_1_1;
                }
            }
        }
    }
    rule HTTP {
        match {
            source-address 10.10.10.10/32;
            destination-address 120.140.150.160/32;
            destination-port 80;
        }
        then {
            source-nat {
                pool {
                    172_16_1_1;
                }
            }
        }
    }
    rule dest1 {
        match {
            source-address 10.10.10.10/32;
            destination-address [ 100.100.100.100/32 150.150.150.150/32 50.50.50.50/32 ];
        }
        then {
            source-nat {
                pool {
                    11_11_11_11;
                }
            }
        }
    }
}
Re: source NAT with 1 IP but different port range to different destinations
Why not create a rule-set with the three desired rules, each using the same IP pool?
Re: source NAT with 1 IP but different port range to different destinations
Hi,
I didn't understand your replies. My concern is the source port and not the destination port; as you can see, the source ports are different for different destinations.
Thanks
Re: source NAT with 1 IP but different port range to different destinations
Ah, yes, I see your issue now, since you can't match on source port. I don't know if maybe a persistent NAT would help, but if you are purely relying on source port for differentiation, even that may prove problematic. I will try to mock it up in my lab and see if I can get it to work.
Re: source NAT with 1 IP but different port range to different destinations
The more I think about it, the more I think you probably need to use security policies to filter that traffic before it gets to the NAT rules. Since it is a source NAT, it gets evaluated after the security policy lookup, so that may work for you.
Re: source NAT with 1 IP but different port range to different destinations
Hi,
What about the traffic coming from the same source 10.10.10.10 but with a different source port (other than 60000-65000, 40000-45000 and 30000-35000)? How should it be translated? Is there any specific requirement for this?
And for the traffic with these source port ranges, do you need to maintain the same port, or is PAT fine for this?
I think having an idea of the overall requirement should give us a better picture. If possible, could you share your complete NAT requirements?
Pradeep 2xJNCIE(SEC/ENT)
Re: source NAT with 1 IP but different port range to different destinations
Hello Pradeep,
As I have written in my 1st mail, one source is going to different destinations and ports, but with different source ports, and 1 IP from the pool.
"How should it be translated? Is there any specific requirement for this?"
They will go by one IP from the pool.
"And for the traffic with these source port ranges, do you need to maintain the same port?"
Yes, I need to maintain different source port ranges to different destinations.
Re: source NAT with 1 IP but different port range to different destinations
Dears,
Can anybody help me to solve the above issue?
Thanks
Re: source NAT with 1 IP but different port range to different destinations
Hi, can you confirm whether the source-port range that you mentioned is the actual source port or the translated source port after N(P)AT?
Re: source NAT with 1 IP but different port range to different destinations
Hello,
They should be the translated source port; that means when they go out of the SRX they should have the source ports specified above, with different ranges to different destinations.
Anybody, if the question is not clear please reply back.
Thanks
Re: source NAT with 1 IP but different port range to different destinations
Hi,
As we cannot match on source port in the source NAT match conditions, we need to control that using security policies. And for maintaining the same source port (i.e. PAT disabled) and translating to a single source address, you can use a dummy address and host-address-base.
Here's the overall sample config to meet your requirement:
1. Create custom applications with the required source ports (here I have used TCP only; if you need to allow both TCP and UDP in this port range, you need to create multiple terms):

set applications application myapp1 protocol tcp
set applications application myapp1 source-port 60000-65000
set applications application myapp2 protocol tcp
set applications application myapp2 source-port 40000-45000
set applications application myapp3 protocol tcp
set applications application myapp3 source-port 30000-35000

2. Create address-book entries in the respective zones corresponding to the source and destination addresses:

set security zones security-zone inside address-book address 10_10_10_10 10.10.10.10/32
set security zones security-zone external address-book address 100_100_100_100 100.100.100.100/32
set security zones security-zone external address-book address 50_50_50_50 50.50.50.50/32
set security zones security-zone external address-book address 150_150_150_150 150.150.150.150/32

3. Create security policies to allow the traffic of these 3 specific applications and deny other traffic between this source and these destinations:

set security policies from-zone inside to-zone external policy allow-myapp1 match source-address 10_10_10_10
set security policies from-zone inside to-zone external policy allow-myapp1 match destination-address 100_100_100_100
set security policies from-zone inside to-zone external policy allow-myapp1 match application myapp1
set security policies from-zone inside to-zone external policy allow-myapp1 then permit
set security policies from-zone inside to-zone external policy allow-myapp2 match source-address 10_10_10_10
set security policies from-zone inside to-zone external policy allow-myapp2 match destination-address 150_150_150_150
set security policies from-zone inside to-zone external policy allow-myapp2 match application myapp2
set security policies from-zone inside to-zone external policy allow-myapp2 then permit
set security policies from-zone inside to-zone external policy allow-myapp3 match source-address 10_10_10_10
set security policies from-zone inside to-zone external policy allow-myapp3 match destination-address 50_50_50_50
set security policies from-zone inside to-zone external policy allow-myapp3 match application myapp3
set security policies from-zone inside to-zone external policy allow-myapp3 then permit
set security policies from-zone inside to-zone external policy other-apps match source-address 10_10_10_10
set security policies from-zone inside to-zone external policy other-apps match destination-address 100_100_100_100
set security policies from-zone inside to-zone external policy other-apps match destination-address 50_50_50_50
set security policies from-zone inside to-zone external policy other-apps match destination-address 150_150_150_150
set security policies from-zone inside to-zone external policy other-apps match application any
set security policies from-zone inside to-zone external policy other-apps then reject

4. Create a source NAT pool with a single address (and another dummy address) with the host-address-base setting:

set security nat source pool mysourcenatpool address 9.9.9.9/32
set security nat source pool mysourcenatpool address 11.11.11.11/32
set security nat source pool mysourcenatpool host-address-base 10.10.10.10/32

(9.9.9.9 is the dummy address; 11.11.11.11 is the required source address post NAT; host-address-base ensures PAT is disabled.)

set security nat source rule-set 1 from zone inside
set security nat source rule-set 1 to zone external
set security nat source rule-set 1 rule mynatrule match source-address 10.10.10.10/32
set security nat source rule-set 1 rule mynatrule match destination-address 50.50.50.50/32
set security nat source rule-set 1 rule mynatrule match destination-address 100.100.100.100/32
set security nat source rule-set 1 rule mynatrule match destination-address 150.150.150.150/32
set security nat source rule-set 1 rule mynatrule then source-nat pool mysourcenatpool
Hope this helps
Pradeep 2xJNCIE(SEC/ENT)
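To make the evaluation order this design relies on concrete, here is an added Python model (not the thread's or Juniper's code) of the configuration above: first-match policy lookup with the custom applications matching the original source port, then the source NAT rule with PAT disabled so that port is preserved on the way out. Addresses, port ranges and policy names are taken from the post; the flow model and its default-deny behaviour are my assumptions, constructed for illustration.

```python
# Added example: a model of the SRX "policy first, then source NAT" evaluation from the
# configuration above. Not the thread's or Juniper's code; the evaluation model is assumed.
from typing import NamedTuple, Optional, Tuple

class Flow(NamedTuple):
    src: str
    dst: str
    sport: int
    proto: str = "tcp"

# Step 1 custom applications: protocol and original source-port range (tcp only).
APPLICATIONS = {
    "myapp1": ("tcp", range(60000, 65001)),
    "myapp2": ("tcp", range(40000, 45001)),
    "myapp3": ("tcp", range(30000, 35001)),
}
DESTS = {"100.100.100.100", "150.150.150.150", "50.50.50.50"}
# Step 3 policies in configured order: (name, source, destinations, application, action).
POLICIES = [
    ("allow-myapp1", "10.10.10.10", {"100.100.100.100"}, "myapp1", "permit"),
    ("allow-myapp2", "10.10.10.10", {"150.150.150.150"}, "myapp2", "permit"),
    ("allow-myapp3", "10.10.10.10", {"50.50.50.50"}, "myapp3", "permit"),
    ("other-apps", "10.10.10.10", DESTS, "any", "reject"),
]
# Step 4 source NAT rule: (source, destinations, translated address), PAT disabled.
NAT_RULE = ("10.10.10.10", DESTS, "11.11.11.11")

def app_matches(app: str, flow: Flow) -> bool:
    # "any" matches everything; a custom application checks protocol and source port.
    if app == "any":
        return True
    proto, ports = APPLICATIONS[app]
    return flow.proto == proto and flow.sport in ports

def policy_lookup(flow: Flow) -> Tuple[str, str]:
    # First-match lookup; traffic matching no policy hits the SRX default deny.
    for name, src, dsts, app, action in POLICIES:
        if flow.src == src and flow.dst in dsts and app_matches(app, flow):
            return name, action
    return "default-policy", "deny"

def evaluate(flow: Flow) -> Tuple[str, Optional[Tuple[str, int]]]:
    # Returns (action, translated (address, port)); NAT runs only for permitted flows.
    _, action = policy_lookup(flow)
    if action != "permit":
        return action, None
    src, dsts, translated = NAT_RULE
    if flow.src == src and flow.dst in dsts:
        return "permit", (translated, flow.sport)  # PAT disabled: source port kept
    return "permit", (flow.src, flow.sport)  # no NAT rule hit: left untranslated
```

The point the model makes visible is that a flow in the "wrong" range for its destination, or a UDP flow in the right range, never reaches the NAT rule at all: the other-apps policy rejects it first.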
Re: source NAT with 1 IP but different port range to different destinations
Pradeep, I did not get why we added dummy addresses in there.
Can you elaborate on that?