[j-nsp] SRX Source NAT internal users to two or more public IPs
Alex Arseniev
alex.arseniev at gmail.com
Fri Jul 19 04:30:42 EDT 2013
user at srx# help apropos address-persistent
set logical-systems <name> security nat source address-persistent
Allow source address to maintain same translation
set security nat source address-persistent
Allow source address to maintain same translation
HTH
Thanks
Alex
----- Original Message -----
From: "William McLendon" <wimclend at gmail.com>
To: <juniper-nsp at puck.nether.net>
Sent: Thursday, July 18, 2013 7:04 PM
Subject: [j-nsp] SRX Source NAT internal users to two or more public IPs
hi all,
We have an issue where we have enough internal users and sessions using the
general outbound NAT that we are hitting the session limit for the single
public IP due to running out of ports. (really it's due to how Source NAT is
carved up on an HA pair…see http://kb.juniper.net/KB14958 )
However I think if I just add additional IPs to NAT the users to, it may end
up breaking some applications as they establish a new outbound session from
clicking a URL or something, but that session gets NAT'd to the other IP
that the far side is not expecting to see it from.
I think ScreenOS had something called Sticky DIP that could help mitigate
this where for some NAT Timer, any session initiated by an IP address would
always be NAT'd to the same public IP -- does SRX have a similar feature?
If not, I think my only other option then would be to carve up the internal
networks, i.e., 10.10.10/24 NATs to public IP A, and 11.11.11.0/24 NATs to
public IP B, etc. which is probably ok, but can get a little cumbersome.
Or if anyone knows another way please share :)
Thanks,
Will
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
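As an added example (not from the thread and not Juniper's own documentation), a Junos set-style configuration that places an internal /24 behind a two-address source NAT pool and enables the address-persistent knob Alex points to, so each internal host keeps the same public IP across its concurrent sessions. The pool, rule-set, rule and zone names and the 203.0.113.0/24 public addresses are assumed; note that address-persistent is a global setting, so it applies to every source NAT pool on the device.

```junos
# Two public addresses in one source NAT pool (placeholder documentation-range IPs)
set security nat source pool OUTBOUND-POOL address 203.0.113.10/32 to 203.0.113.11/32

# Global knob: an internal source address that already has sessions keeps being
# mapped to the same pool address, so a follow-up connection is seen by the far
# end from the public IP it already knows
set security nat source address-persistent

# Send the internal /24 out through the pool for trust -> untrust traffic
set security nat source rule-set TRUST-TO-UNTRUST from zone trust
set security nat source rule-set TRUST-TO-UNTRUST to zone untrust
set security nat source rule-set TRUST-TO-UNTRUST rule INTERNAL-OUT match source-address 10.10.10.0/24
set security nat source rule-set TRUST-TO-UNTRUST rule INTERNAL-OUT then source-nat pool OUTBOUND-POOL

# Raise an alarm before the pool runs out of ports again
set security nat source pool-utilization-alarm raise-threshold 80 clear-threshold 60
```

After commit, `show security nat source pool all` shows per-address port usage for the pool and `show security nat source rule all` confirms the rule is matching the expected traffic.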