[j-nsp] SRX Source NAT internal users to two or more public IPs

Alex Arseniev alex.arseniev at gmail.com
Fri Jul 19 04:30:42 EDT 2013


user at srx# help apropos address-persistent
set logical-systems <name> security nat source address-persistent
    Allow source address to maintain same translation
set security nat source address-persistent
    Allow source address to maintain same translation

HTH
Thanks
Alex

----- Original Message ----- 
From: "William McLendon" <wimclend at gmail.com>
To: <juniper-nsp at puck.nether.net>
Sent: Thursday, July 18, 2013 7:04 PM
Subject: [j-nsp] SRX Source NAT internal users to two or more public IPs


hi all,

We have an issue where we have enough internal users and sessions using the 
general outbound NAT that we are hitting the session limit for the single 
public IP due to running out of ports. (really its due to how Source NAT is 
carved up on an HA pair…see http://kb.juniper.net/KB14958 )

However I think if just add additional IPs to NAT the users to, it may end 
up breaking some applications as they establish a new outbound session from 
clicking a URL or something, but that session gets NAT'd to the other IP 
that the far side is not expecting to see it from.

I think ScreenOS had something called Sticky DIP that could help mitigate 
this where for some NAT Timer, any session initiated by an IP address would 
always be NAT'd to the same public IP -- does SRX have a similar feature? 
If not, I think my only other option then would be to carve up the internal 
networks, ie 10.10.10/24 NATs to public IP A, and 11.11.11.0/24 NATs to 
public IP B, etc. which is probably ok, but can get a little cumbersome.

Or if anyone knows another way please share :)

Thanks,

Will
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp



More information about the juniper-nsp mailing list