This is an illustrated guide that shows how to configure the various types of Network Address Translation (NAT) on the Juniper SRX series. Each example lists the configuration on the SRX, together with what the client and the server on either side of the NATing SRX actually see, using working examples.
We'll now line up our source port translation so that the original source port from the client is the same as the source port the server sees. This is a single statement on the SRX, set on the address pool for which you want to disable PAT: port no-translation.
Address Pool config with no Port Translation
[edit security nat source]
juniper@SRX# show
pool SOURCE-NAT-POOL {
    address {
        10.80.80.200/30;
    }
    port no-translation;
}
[edit security nat source]
juniper@SRX# show
We'll repeat our nat-test_overload_multipleIP.sh test on the client and examine the session table on the SRX.
Sessions on SRX with no port translation
[edit security nat source]
juniper@SRX# run show security flow session
Session ID: 5342, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.87/42724 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 141, Bytes: 7471
  Out: 10.80.80.80/80 --> 10.80.80.200/42724;tcp, If: ge-0/0/3.0, Pkts: 470, Bytes: 664464

Session ID: 5343, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.88/33172 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 141, Bytes: 7471
  Out: 10.80.80.80/80 --> 10.80.80.201/33172;tcp, If: ge-0/0/3.0, Pkts: 470, Bytes: 664464

Session ID: 5344, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.89/52414 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 141, Bytes: 7471
  Out: 10.80.80.80/80 --> 10.80.80.202/52414;tcp, If: ge-0/0/3.0, Pkts: 470, Bytes: 664464

Session ID: 5345, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.86/34579 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 142, Bytes: 7523
  Out: 10.80.80.80/80 --> 10.80.80.203/34579;tcp, If: ge-0/0/3.0, Pkts: 470, Bytes: 664464

Total sessions: 4
[edit security nat source]
The SRX now has only four sessions open, one for each address in the 10.80.80.200/30 pool (.200 through .203). And the original source port is now the same as the translated port the server sees (the reflexive port, in STUN terms): 42724 stays 42724, 33172 stays 33172, and so on.
Looking at the client to see what is going on with the other five wget sessions that were started, we see that only four are in the ESTABLISHED state; the rest have sent their initial SYN but have heard nothing back. With port no-translation, a pool address cannot be shared between internal hosts, so once all four addresses are taken the SRX has nothing to translate a fifth host to and its SYNs go nowhere.
Sessions on client
juniper@client:~$ netstat -tn
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      1 192.168.200.84:49240    10.80.80.80:80          SYN_SENT
tcp        0      1 192.168.200.82:43857    10.80.80.80:80          SYN_SENT
tcp        0      1 192.168.200.85:52495    10.80.80.80:80          SYN_SENT
tcp        0      1 192.168.200.83:44005    10.80.80.80:80          SYN_SENT
tcp        0      1 192.168.200.81:59240    10.80.80.80:80          SYN_SENT
tcp   824974      0 192.168.200.89:52414    10.80.80.80:80          ESTABLISHED
tcp   840902      0 192.168.200.88:33172    10.80.80.80:80          ESTABLISHED
tcp   827622      0 192.168.200.86:34579    10.80.80.80:80          ESTABLISHED
tcp   827622      0 192.168.200.87:42724    10.80.80.80:80          ESTABLISHED
juniper@client:~$
And on the server there are four established sessions, one from each of the four pool addresses, but no SYN was ever received for the other five.
Sessions on server
juniper@server:~$ netstat -tn
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:33186         127.0.0.1:389           ESTABLISHED
tcp        0  81336 10.80.80.80:80          10.80.80.202:52414      ESTABLISHED
tcp        0      0 127.0.0.1:389           127.0.0.1:33186         ESTABLISHED
tcp        0  76744 10.80.80.80:80          10.80.80.201:33172      ESTABLISHED
tcp        0  81256 10.80.80.80:80          10.80.80.203:34579      ESTABLISHED
tcp        0  60984 10.80.80.80:80          10.80.80.200:42724      ESTABLISHED
juniper@server:~$
Hopping back onto the client, we take a look at what our STUN client reports now.
stun client without port translation
juniper@client:~$ stun 10.80.80.80
STUN client version 0.96
Primary: Indepndent Mapping, Port Dependent Filter, preserves ports, no hairpin
Return value is 0x000017
juniper@client:~$
Two big changes. First, we now have Endpoint-Independent Mapping: the SRX reuses the same external IP and port for every flow from a given internal IP and source port, whichever external host that flow is talking to. Second, the filter is now listed as Port Dependent, meaning the SRX only lets inbound packets through from the external IP and port that the internal host has already sent to (address- and port-dependent filtering, in RFC 4787 terms). Note that port preservation is a separate property from filtering; it is the "preserves ports" flag in the STUN output that confirms the client's source port survives the translation, matching what we saw in the session table.
So in summary, we now have 1:1 NAT. The problem is that we can only have as many internal hosts as we have addresses in our pool; a host that arrives after the pool is exhausted gets no translation at all and its SYNs are silently dropped, as seen above. This is solved by configuring an overflow pool on the SRX (the overflow-pool statement under the source NAT pool), which is used only once the primary pool runs out of addresses: the overflow can be another set of IP addresses, with different port-overloading behaviour if desired, or the outgoing interface with PAT.
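As an added check (example code written for this page, not part of the original guide or of Juniper's tooling), the following Python parses the SRX session table shown earlier and confirms the two facts this section rests on: that every translated source port equals the client's original port, and that the 10.80.80.200/30 pool is fully used, which is why the remaining client hosts sit in SYN_SENT and are the ones an overflow pool would have to serve. The session text is constructed from the page's own output; the pool CIDR and the list of client hosts (192.168.200.81 through .89, read off the client's netstat) are assumptions taken from those outputs, and the extra PAT-style session is constructed only to show the port check firing.

```python
import ipaddress
import re

# Constructed sample: the four sessions the SRX showed above, with
# port no-translation on pool 10.80.80.200/30.
SRX_SESSIONS = """\
Session ID: 5342, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.87/42724 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 141, Bytes: 7471
  Out: 10.80.80.80/80 --> 10.80.80.200/42724;tcp, If: ge-0/0/3.0, Pkts: 470, Bytes: 664464
Session ID: 5343, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.88/33172 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 141, Bytes: 7471
  Out: 10.80.80.80/80 --> 10.80.80.201/33172;tcp, If: ge-0/0/3.0, Pkts: 470, Bytes: 664464
Session ID: 5344, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.89/52414 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 141, Bytes: 7471
  Out: 10.80.80.80/80 --> 10.80.80.202/52414;tcp, If: ge-0/0/3.0, Pkts: 470, Bytes: 664464
Session ID: 5345, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.86/34579 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 142, Bytes: 7523
  Out: 10.80.80.80/80 --> 10.80.80.203/34579;tcp, If: ge-0/0/3.0, Pkts: 470, Bytes: 664464
Total sessions: 4
"""

# Constructed (hypothetical) session with PAT still on: translated port differs.
PAT_SESSION = """\
Session ID: 9001, Policy name: ACCEPT-LOG/4, Timeout: 300, Valid
  In: 192.168.200.87/42724 --> 10.80.80.80/80;tcp, If: ge-0/0/4.0, Pkts: 3, Bytes: 200
  Out: 10.80.80.80/80 --> 10.80.80.200/1027;tcp, If: ge-0/0/3.0, Pkts: 2, Bytes: 150
"""

POOL = "10.80.80.200/30"                                   # assumed from the config above
CLIENT_SOURCES = [f"192.168.200.{n}" for n in range(81, 90)]  # assumed from client netstat

SESSION_RE = re.compile(r"^Session ID: (\d+)")
FLOW_RE = re.compile(r"^\s*(In|Out):\s+(\S+)/(\d+)\s+-->\s+(\S+)/(\d+);(\w+)")


def parse_sessions(text):
    """Return one dict per session holding its In (forward) and Out (reverse) wings."""
    sessions, current = [], None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            current = {"id": int(m.group(1))}
            sessions.append(current)
            continue
        m = FLOW_RE.match(line)
        if m and current is not None:
            wing, src, sport, dst, dport, proto = m.groups()
            current[wing] = {"src": src, "sport": int(sport),
                             "dst": dst, "dport": int(dport), "proto": proto}
    return [s for s in sessions if "In" in s and "Out" in s]


def check_port_preservation(sessions):
    """The client's source port (In wing) must equal the translated port, which
    shows up as the destination port of the reverse (Out) wing. Returns mismatches."""
    mismatches = []
    for s in sessions:
        orig, xlat = s["In"]["sport"], s["Out"]["dport"]
        if orig != xlat:
            mismatches.append((s["id"], s["In"]["src"], orig, s["Out"]["dst"], xlat))
    return mismatches


def pool_usage(sessions, pool_cidr):
    """Map each translated address to the internal hosts behind it, list the free
    pool addresses, and note sessions translated outside the pool (an overflow)."""
    pool_addrs = {str(a) for a in ipaddress.ip_network(pool_cidr)}  # NAT pools use every address
    used, outside = {}, []
    for s in sessions:
        xlat = s["Out"]["dst"]
        if xlat in pool_addrs:
            used.setdefault(xlat, set()).add(s["In"]["src"])
        else:
            outside.append(s["id"])
    free = sorted(pool_addrs - set(used), key=ipaddress.ip_address)
    return used, free, outside


def exhaustion_report(sessions, pool_cidr, client_sources):
    """Hosts that started a flow but hold no pool address: with port no-translation
    and no overflow-pool they are exactly the ones stuck in SYN_SENT."""
    used, free, outside = pool_usage(sessions, pool_cidr)
    translated = {h for hosts in used.values() for h in hosts}
    stranded = sorted(set(client_sources) - translated, key=ipaddress.ip_address)
    return {"pool_size": ipaddress.ip_network(pool_cidr).num_addresses,
            "in_use": len(used), "free": free, "overflowed": outside, "stranded": stranded}


if __name__ == "__main__":
    sessions = parse_sessions(SRX_SESSIONS)
    print("port mismatches:", check_port_preservation(sessions))
    print("exhaustion:", exhaustion_report(sessions, POOL, CLIENT_SOURCES))
    print("PAT sample mismatches:", check_port_preservation(parse_sessions(PAT_SESSION)))
```

Any session whose translated address falls outside the pool is reported under "overflowed" rather than rejected, so the same check still works once an overflow pool or interface PAT is configured; a non-empty "stranded" list with an empty "free" list is the signature of the failure shown in this section.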