[j-nsp] SRX Source NAT internal users to two or more public IPs

Graham Brown juniper-nsp at grahambrown.info
Fri Jul 19 06:34:13 EDT 2013


Hi Will,

You have a couple of options on the SRX platform to do this, however I
think 'Source address NAT + address-persistent' would be the best option
for you - as long as ports are available then a source will always be
translated to the same IP address.

The following KB article sums the types of NAT up nicely:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB20711

HTH,
Graham

On 19 July 2013 06:04, William McLendon <wimclend at gmail.com> wrote:

> hi all,
>
> We have an issue where we have enough internal users and sessions using
> the general outbound NAT that we are hitting the session limit for the
> single public IP due to running out of ports. (really it's due to how Source
> NAT is carved up on an HA pair…see http://kb.juniper.net/KB14958 )
>
> However I think if I just add additional IPs to NAT the users to, it may end
> up breaking some applications as they establish a new outbound session from
> clicking a URL or something, but that session gets NAT'd to the other IP
> that the far side is not expecting to see it from.
>
> I think ScreenOS had something called Sticky DIP that could help mitigate
> this where for some NAT Timer, any session initiated by an IP address would
> always be NAT'd to the same public IP -- does SRX have a similar feature?
> If not, I think my only other option then would be to carve up the
> internal networks, i.e. 10.10.10/24 NATs to public IP A, and 11.11.11.0/24
> NATs to public IP B, etc. which is probably ok, but can get a little
> cumbersome.
>
> Or if anyone knows another way please share :)
>
> Thanks,
>
> Will
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>



-- 
Graham Brown
Twitter - @mountainrescuer <https://twitter.com/#!/mountainrescuer>
LinkedIn <http://www.linkedin.com/in/grahamcbrown>
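As an added example (not from Graham's reply or the linked KB article), here is a Junos set-style configuration of the option Graham recommends: a source NAT pool with two public addresses plus the global address-persistent setting, so every internal host keeps the same public IP while that address still has free ports. The pool, zone and rule names, the 203.0.113.x public addresses and the 10.10.x.0/24 internal networks are assumed placeholders.

```junos
## Added example (not the thread's own config). Names and addresses are placeholders.

## Pool of two public IPs; internal hosts are spread across both.
set security nat source pool SNAT-PUBLIC address 203.0.113.10/32 to 203.0.113.11/32

## The knob Graham refers to: a given source IP is always translated to the
## same pool address as long as that address still has ports available.
set security nat source address-persistent

## Raise an alarm before the pool's port space is exhausted (the original problem).
set security nat source pool-utilization-alarm raise-threshold 80 clear-threshold 60

## Translate all trust -> untrust traffic from the internal networks via the pool.
set security nat source rule-set TRUST-TO-UNTRUST from zone trust
set security nat source rule-set TRUST-TO-UNTRUST to zone untrust
set security nat source rule-set TRUST-TO-UNTRUST rule INTERNAL-OUT match source-address 10.10.10.0/24
set security nat source rule-set TRUST-TO-UNTRUST rule INTERNAL-OUT match source-address 10.10.11.0/24
set security nat source rule-set TRUST-TO-UNTRUST rule INTERNAL-OUT match destination-address 0.0.0.0/0
set security nat source rule-set TRUST-TO-UNTRUST rule INTERNAL-OUT then source-nat pool SNAT-PUBLIC

## Verification (operational mode, not configuration):
##   show security nat source pool all                      - port usage per pool address
##   show security flow session source-prefix 10.10.10.25   - which public IP a host is mapped to
```

On a chassis cluster the pool's port range is still split between the two nodes, as KB14958 describes, so watch the utilization alarm rather than assuming the full 64k ports per address are usable.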

