[j-nsp] SRX Source NAT internal users to two or more public IPs

Muhammad Atif Jauhar atif.jauhar at gmail.com
Fri Jul 19 06:16:41 EDT 2013


Hi William,

Similar to Sticky DIP, there are two terminologies, address shifting and
address persistence, in SRX.

1. In address persistence, Junos OS will use the same source IP address for
different traffic types associated with the same source host. To ensure the
use of the same address, configure the address-persistent global source NAT.

2. (Best option) In address shifting, this type of translation is
one-to-one, static, and without PAT. If the original source address range
is larger than the address range in the user-defined pool, packets might
drop.

Regards,
Atif.


On Thu, Jul 18, 2013 at 9:04 PM, William McLendon <wimclend at gmail.com> wrote:

> hi all,
>
> We have an issue where we have enough internal users and sessions using
> the general outbound NAT that we are hitting the session limit for the
> single public IP due to running out of ports. (really it's due to how Source
> NAT is carved up on an HA pair…see http://kb.juniper.net/KB14958 )
>
> However I think if just add additional IPs to NAT the users to, it may end
> up breaking some applications as they establish a new outbound session from
> clicking a URL or something, but that session gets NAT'd to the other IP
> that the far side is not expecting to see it from.
>
> I think ScreenOS had something called Sticky DIP that could help mitigate
> this where for some NAT Timer, any session initiated by an IP address would
> always be NAT'd to the same public IP -- does SRX have a similar feature?
>  If not, I think my only other option then would be to carve up the
> internal networks, i.e. 10.10.10/24 NATs to public IP A, and 11.11.11.0/24 NATs
> to public IP B, etc. which is probably ok, but can get a little
> cumbersome.
>
> Or if anyone knows another way please share :)
>
> Thanks,
>
> Will
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>



-- 
Regards,

Muhammad Atif Jauhar
(+966-56-00-04-985)
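As an added example (not configuration from either message above), here is a Junos set-style sketch of the two options described in the reply: a multi-address source NAT pool with the global address-persistent knob, and an address-shifting pool using host-address-base. The zone names, pool and rule names, and the 203.0.113.0/24 and 10.10.10.0/24 prefixes are assumptions, as is the rule ordering note.

```junos
# Option 1: PAT pool of several public IPs plus address persistence.
# address-persistent is global: every session from one internal host is
# translated to the same pool address, so the far side never sees the same
# client arrive from a second public IP mid-conversation.
set security nat source address-persistent
set security nat source pool OUTBOUND-POOL address 203.0.113.10/32 to 203.0.113.13/32

# Option 2: address shifting, one-to-one, static, no PAT.
# The pool must cover the whole matched internal range or packets drop:
# 10.10.10.64-127 (64 hosts) maps onto 203.0.113.64-127 (64 addresses).
set security nat source pool SHIFT-POOL address 203.0.113.64/32 to 203.0.113.127/32
set security nat source pool SHIFT-POOL host-address-base 10.10.10.64/32

# One rule-set for trust -> untrust. Rules are evaluated in order, so the
# more specific shifting rule is entered before the /24 PAT rule.
set security nat source rule-set TRUST-TO-UNTRUST from zone trust
set security nat source rule-set TRUST-TO-UNTRUST to zone untrust
set security nat source rule-set TRUST-TO-UNTRUST rule SHIFTED match source-address 10.10.10.64/26
set security nat source rule-set TRUST-TO-UNTRUST rule SHIFTED then source-nat pool SHIFT-POOL
set security nat source rule-set TRUST-TO-UNTRUST rule USERS match source-address 10.10.10.0/24
set security nat source rule-set TRUST-TO-UNTRUST rule USERS then source-nat pool OUTBOUND-POOL

# Verification from operational mode (watch per-address port usage on the
# PAT pool to confirm sessions now spread across all four public IPs):
#   show security nat source summary
#   show security nat source pool all
#   show security nat source rule all
```

Because address-persistent is a global setting it applies to every source NAT pool on the box, so check other pools before committing.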

