This is an illustrated guide that shows how to configure the various types of Network Address Translation (NAT) on the Juniper SRX series. Each example lists the configuration on the SRX, as well as what the client and server on either side of the NATing SRX see and experience, through working examples.
Address persistence only makes sense when talking about PAT. When not using PAT, there is more or less a natural pairing between an IP address and its reflexive counterpart. When using PAT, however, there is no guarantee that an IP initiating traffic will be mapped to the same reflexive IP address for different flows. This can be seen in the following demonstration. The configuration for the SRX is as follows:
SRX Source NAT config without address persistence
[edit security nat]
juniper@SRX# show
source {
    pool SOURCE-NAT-POOL {
        address {
            10.80.80.200/30;
        }
    }
    rule-set SOURCE-NAT {
        from zone UNTRUST;
        to zone TRUST;
        rule SOURCE-NAT-POOL {
            match {
                source-address 0.0.0.0/0;
                destination-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    pool {
                        SOURCE-NAT-POOL;
                    }
                }
            }
        }
    }
}
proxy-arp {
    interface ge-0/0/3.0 {
        address {
            10.80.80.200/30;
        }
    }
}

[edit security nat]
juniper@SRX#
After committing the configlet above, you can inspect the pool properties to verify from the Port overloading line that this pool will perform PAT.
IP Pool Properties
juniper@SRX# run show security nat source pool SOURCE-NAT-POOL
Pool name          : SOURCE-NAT-POOL
Pool id            : 4
Routing instance   : default
Host address base  : 0.0.0.0
Port               : [1024, 63487]
Port overloading   : 1
Address assignment : no-paired
Total addresses    : 4
Translation hits   : 8
Address range                        Single Ports   Twin Ports
    10.80.80.200 - 10.80.80.203            0              0

[edit security nat]
juniper@SRX#
Creating some random sessions with nat-test_overload_randomIP.sh on the client confirms that multiple sessions from the same IP address are mapped to different reflexive IPs. For example, 192.168.200.86 has a reflexive IP of 10.80.80.200 in session 990, and a reflexive IP of 10.80.80.201 in session 991.
Sessions using different IP pairings
juniper@SRX# run show security flow session
Session ID: 986, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.89/46409 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 234, Bytes: 12295
  Out: 10.80.80.80/80 --> 10.80.80.200/21554;tcp, If: ge-0/0/3.0, Pkts: 1154, Bytes: 1728112

Session ID: 987, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.83/46986 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 251, Bytes: 13179
  Out: 10.80.80.80/80 --> 10.80.80.201/10459;tcp, If: ge-0/0/3.0, Pkts: 1238, Bytes: 1854112

Session ID: 988, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.84/34020 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 276, Bytes: 14515
  Out: 10.80.80.80/80 --> 10.80.80.202/24714;tcp, If: ge-0/0/3.0, Pkts: 1205, Bytes: 1804612

Session ID: 989, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.88/41041 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 249, Bytes: 13075
  Out: 10.80.80.80/80 --> 10.80.80.203/31484;tcp, If: ge-0/0/3.0, Pkts: 1174, Bytes: 1758112

Session ID: 990, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.86/39570 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 235, Bytes: 12347
  Out: 10.80.80.80/80 --> 10.80.80.200/10025;tcp, If: ge-0/0/3.0, Pkts: 1231, Bytes: 1843612

Session ID: 991, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.86/49369 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 242, Bytes: 12711
  Out: 10.80.80.80/80 --> 10.80.80.201/7994;tcp, If: ge-0/0/3.0, Pkts: 1181, Bytes: 1768612

Session ID: 992, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.82/41087 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 239, Bytes: 12555
  Out: 10.80.80.80/80 --> 10.80.80.202/22960;tcp, If: ge-0/0/3.0, Pkts: 1219, Bytes: 1825612

Session ID: 993, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.88/59297 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 232, Bytes: 12191
  Out: 10.80.80.80/80 --> 10.80.80.203/16523;tcp, If: ge-0/0/3.0, Pkts: 1137, Bytes: 1702612

Session ID: 994, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.83/33904 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 240, Bytes: 12607
  Out: 10.80.80.80/80 --> 10.80.80.200/24731;tcp, If: ge-0/0/3.0, Pkts: 1195, Bytes: 1789612

Session ID: 995, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.83/43038 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 175, Bytes: 9227
  Out: 10.80.80.80/80 --> 10.80.80.201/5110;tcp, If: ge-0/0/3.0, Pkts: 831, Bytes: 1243612

Session ID: 996, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.85/53767 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 169, Bytes: 8915
  Out: 10.80.80.80/80 --> 10.80.80.202/3224;tcp, If: ge-0/0/3.0, Pkts: 845, Bytes: 1264612

Session ID: 997, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.83/36362 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 176, Bytes: 9279
  Out: 10.80.80.80/80 --> 10.80.80.203/28800;tcp, If: ge-0/0/3.0, Pkts: 833, Bytes: 1246612

Session ID: 998, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.81/41187 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 165, Bytes: 8707
  Out: 10.80.80.80/80 --> 10.80.80.200/31125;tcp, If: ge-0/0/3.0, Pkts: 803, Bytes: 1201612

Session ID: 999, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.86/50999 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 171, Bytes: 9019
  Out: 10.80.80.80/80 --> 10.80.80.201/8333;tcp, If: ge-0/0/3.0, Pkts: 833, Bytes: 1246612

Session ID: 1000, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.83/36907 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 168, Bytes: 8863
  Out: 10.80.80.80/80 --> 10.80.80.202/1978;tcp, If: ge-0/0/3.0, Pkts: 847, Bytes: 1267612

Session ID: 1001, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.84/35006 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 172, Bytes: 9071
  Out: 10.80.80.80/80 --> 10.80.80.203/21829;tcp, If: ge-0/0/3.0, Pkts: 833, Bytes: 1246612

Session ID: 1002, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.83/57412 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 179, Bytes: 9435
  Out: 10.80.80.80/80 --> 10.80.80.200/23833;tcp, If: ge-0/0/3.0, Pkts: 847, Bytes: 1267612

Session ID: 1003, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.85/44530 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 149, Bytes: 7875
  Out: 10.80.80.80/80 --> 10.80.80.201/25685;tcp, If: ge-0/0/3.0, Pkts: 749, Bytes: 1120612

Total sessions: 18

[edit security nat]
juniper@SRX#
To ensure that a source IP will always be translated to the same reflexive IP address, we can configure address persistence with the address-persistent flag under [edit security nat source]. We modify our NAT config to look like the following:
Configuration with Address Persistence
[edit security nat]
juniper@SRX# show
source {
    pool SOURCE-NAT-POOL {
        address {
            10.80.80.200/30;
        }
    }
    address-persistent;
    rule-set SOURCE-NAT {
        from zone UNTRUST;
        to zone TRUST;
        rule SOURCE-NAT-POOL {
            match {
                source-address 0.0.0.0/0;
                destination-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    pool {
                        SOURCE-NAT-POOL;
                    }
                }
            }
        }
    }
}
proxy-arp {
    interface ge-0/0/3.0 {
        address {
            10.80.80.200/30;
        }
    }
}

[edit security nat]
juniper@SRX#
Again, after committing our changes, we kick off more sessions with nat-test_overload_randomIP.sh from the client. This time there appears to be a 1:1 mapping between the original source IP and the reflexive IP it was assigned.
Sessions with Address Persistence
juniper@SRX# run show security flow session
Session ID: 1028, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.84/56321 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 148, Bytes: 7823
  Out: 10.80.80.80/80 --> 10.80.80.200/7277;tcp, If: ge-0/0/3.0, Pkts: 734, Bytes: 1098112

Session ID: 1029, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.86/52959 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 143, Bytes: 7563
  Out: 10.80.80.80/80 --> 10.80.80.202/11227;tcp, If: ge-0/0/3.0, Pkts: 691, Bytes: 1033612

Session ID: 1030, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.87/50296 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 144, Bytes: 7615
  Out: 10.80.80.80/80 --> 10.80.80.203/25501;tcp, If: ge-0/0/3.0, Pkts: 710, Bytes: 1062112

Session ID: 1031, Policy name: ACCEPT-LOG/4, Timeout: 298, Valid
  In: 192.168.200.87/57381 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 150, Bytes: 7927
  Out: 10.80.80.80/80 --> 10.80.80.203/24039;tcp, If: ge-0/0/3.0, Pkts: 727, Bytes: 1086398

Session ID: 1032, Policy name: ACCEPT-LOG/4, Timeout: 298, Valid
  In: 192.168.200.88/55616 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 147, Bytes: 7771
  Out: 10.80.80.80/80 --> 10.80.80.200/18466;tcp, If: ge-0/0/3.0, Pkts: 707, Bytes: 1057612

Session ID: 1033, Policy name: ACCEPT-LOG/4, Timeout: 298, Valid
  In: 192.168.200.86/32819 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 146, Bytes: 7719
  Out: 10.80.80.80/80 --> 10.80.80.202/13296;tcp, If: ge-0/0/3.0, Pkts: 689, Bytes: 1030612

Session ID: 1034, Policy name: ACCEPT-LOG/4, Timeout: 298, Valid
  In: 192.168.200.86/35201 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 147, Bytes: 7771
  Out: 10.80.80.80/80 --> 10.80.80.202/10093;tcp, If: ge-0/0/3.0, Pkts: 707, Bytes: 1057612

Session ID: 1035, Policy name: ACCEPT-LOG/4, Timeout: 298, Valid
  In: 192.168.200.83/49307 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 148, Bytes: 7823
  Out: 10.80.80.80/80 --> 10.80.80.203/18904;tcp, If: ge-0/0/3.0, Pkts: 693, Bytes: 1036612

Session ID: 1036, Policy name: ACCEPT-LOG/4, Timeout: 298, Valid
  In: 192.168.200.87/51007 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 147, Bytes: 7771
  Out: 10.80.80.80/80 --> 10.80.80.203/21729;tcp, If: ge-0/0/3.0, Pkts: 707, Bytes: 1057612

Session ID: 1037, Policy name: ACCEPT-LOG/4, Timeout: 298, Valid
  In: 192.168.200.84/51710 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 128, Bytes: 6783
  Out: 10.80.80.80/80 --> 10.80.80.200/8424;tcp, If: ge-0/0/3.0, Pkts: 630, Bytes: 942112

Session ID: 1038, Policy name: ACCEPT-LOG/4, Timeout: 298, Valid
  In: 192.168.200.83/37997 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 118, Bytes: 6263
  Out: 10.80.80.80/80 --> 10.80.80.203/10090;tcp, If: ge-0/0/3.0, Pkts: 573, Bytes: 856612

Session ID: 1039, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.86/60056 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 116, Bytes: 6159
  Out: 10.80.80.80/80 --> 10.80.80.202/18308;tcp, If: ge-0/0/3.0, Pkts: 536, Bytes: 801112

Session ID: 1040, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.85/34780 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 121, Bytes: 6419
  Out: 10.80.80.80/80 --> 10.80.80.201/9647;tcp, If: ge-0/0/3.0, Pkts: 584, Bytes: 873112

Session ID: 1041, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.86/58925 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 96, Bytes: 5119
  Out: 10.80.80.80/80 --> 10.80.80.202/2265;tcp, If: ge-0/0/3.0, Pkts: 435, Bytes: 649612

Session ID: 1042, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.88/40398 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 98, Bytes: 5223
  Out: 10.80.80.80/80 --> 10.80.80.200/5502;tcp, If: ge-0/0/3.0, Pkts: 450, Bytes: 672112

Session ID: 1043, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.82/36712 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 91, Bytes: 4859
  Out: 10.80.80.80/80 --> 10.80.80.202/8326;tcp, If: ge-0/0/3.0, Pkts: 446, Bytes: 666112

Session ID: 1044, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.85/41127 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 89, Bytes: 4755
  Out: 10.80.80.80/80 --> 10.80.80.201/16250;tcp, If: ge-0/0/3.0, Pkts: 427, Bytes: 637612

Session ID: 1045, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.83/60223 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 65, Bytes: 3507
  Out: 10.80.80.80/80 --> 10.80.80.203/25513;tcp, If: ge-0/0/3.0, Pkts: 266, Bytes: 396112

Total sessions: 18

[edit security nat]
juniper@SRX#
This doesn't mean that this is an exclusive mapping, as different source IPs can still share the same reflexive IP, but any new sessions will keep using the same post-translation address pairing as long as an active session still exists. If the sessions are closed and we start up a new set, the source IPs may get mapped to different IPs than they had previously. I tried several times over the period of several hours and couldn't get the pairings to come out differently, but according to the documentation there is no guarantee.
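Rather than eyeballing eighteen sessions, the persistence check above can be automated: the following is an added example (not part of the original guide) that parses "show security flow session" output, pairs each session's pre-NAT source (the In wing) with its reflexive address (the destination of the Out wing), and reports any source that was handed more than one reflexive IP. The sample text is a constructed excerpt taken from the session listings above; the regular expression is an assumption about the output format shown on this page, not a Juniper-provided parser.

```python
import re
from collections import defaultdict

# Constructed sample: an excerpt in the shape of the SRX "show security flow session"
# output above, taken from the first (non-persistent) run: sessions 990 and 991.
SAMPLE_NO_PERSISTENCE = """\
Session ID: 990, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.86/39570 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 235, Bytes: 12347
  Out: 10.80.80.80/80 --> 10.80.80.200/10025;tcp, If: ge-0/0/3.0, Pkts: 1231, Bytes: 1843612
Session ID: 991, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.86/49369 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 242, Bytes: 12711
  Out: 10.80.80.80/80 --> 10.80.80.201/7994;tcp, If: ge-0/0/3.0, Pkts: 1181, Bytes: 1768612
"""

# Constructed sample from the address-persistent run: sessions 1029 and 1033.
SAMPLE_PERSISTENT = """\
Session ID: 1029, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.86/52959 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 143, Bytes: 7563
  Out: 10.80.80.80/80 --> 10.80.80.202/11227;tcp, If: ge-0/0/3.0, Pkts: 691, Bytes: 1033612
Session ID: 1033, Policy name: ACCEPT-LOG/4, Timeout: 298, Valid
  In: 192.168.200.86/32819 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 146, Bytes: 7719
  Out: 10.80.80.80/80 --> 10.80.80.202/13296;tcp, If: ge-0/0/3.0, Pkts: 689, Bytes: 1030612
"""

# The In wing carries the pre-NAT source; the Out wing's destination is the reflexive
# (post-source-NAT) address the server replies to. re.S lets one match span both lines,
# so the same pattern also works on output that has been flattened onto a single line.
SESSION_RE = re.compile(
    r"In:\s+(\d+\.\d+\.\d+\.\d+)/\d+\s+-->.*?Out:\s+\S+\s+-->\s+(\d+\.\d+\.\d+\.\d+)/\d+;",
    re.S,
)

def parse_sessions(text):
    """Return a list of (original source IP, reflexive IP) pairs, one per session."""
    return SESSION_RE.findall(text)

def persistence_violations(pairs):
    """Group reflexive IPs by original source and return only the sources that were
    handed more than one reflexive address, i.e. where address persistence did not hold."""
    seen = defaultdict(set)
    for src, reflexive in pairs:
        seen[src].add(reflexive)
    return {src: sorted(ips) for src, ips in seen.items() if len(ips) > 1}

if __name__ == "__main__":
    print("without address-persistent:", persistence_violations(parse_sessions(SAMPLE_NO_PERSISTENCE)))
    print("with address-persistent:   ", persistence_violations(parse_sessions(SAMPLE_PERSISTENT)))
```

An empty result only shows that the active sessions are consistent; as the paragraph above notes, the pairing is not guaranteed to survive once all sessions for a source have closed.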