Re: [j-nsp] SRX Source NAT internal users to two or more public IPs

2013-07-19 Thread William McLendon
I think I may have been able to answer my own question.  I stumbled across this 
KB article which I think spells it out pretty well:

http://kb.juniper.net/KB20711



On Jul 18, 2013, at 2:04 PM, William McLendon  wrote:

> hi all,
> 
> We have an issue where we have enough internal users and sessions using the 
> general outbound NAT that we are hitting the session limit for the single 
> public IP due to running out of ports. (Really it's due to how Source NAT is 
> carved up on an HA pair; see http://kb.juniper.net/KB14958 )
> 
> However, I think if I just add additional IPs to NAT the users to, it may end up 
> breaking some applications, as they establish a new outbound session from 
> clicking a URL or something, but that session gets NAT'd to the other IP that 
> the far side is not expecting to see it from.
> 
> I think ScreenOS had something called Sticky DIP that could help mitigate 
> this, where for some NAT timer any session initiated by an IP address would 
> always be NAT'd to the same public IP -- does SRX have a similar feature?  If 
> not, I think my only other option then would be to carve up the internal 
> networks, i.e. 10.10.10/24 NATs to public IP A, and 11.11.11.0/24 NATs to 
> public IP B, etc., which is probably ok, but can get a little cumbersome.
> 
> Or if anyone knows another way please share :)
> 
> Thanks,
> 
> Will

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] SRX Source NAT internal users to two or more public IPs

2013-07-19 Thread huy phuong
You can use persistent-nat as in the KB below:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB21296

regards,

Phuong




Re: [j-nsp] SRX Source NAT internal users to two or more public IPs

2013-07-19 Thread Graham Brown
Hi Will,

You have a couple of options on the SRX platform to do this; however, I
think 'Source address NAT + address-persistent' would be the best option
for you. As long as ports are available, a source will always be
translated to the same IP address.

The following KB article sums the types of NAT up nicely:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB20711

HTH,
Graham




-- 
Graham Brown
Twitter - @mountainrescuer 
LinkedIn 
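The address-persistent option Graham describes, as an added example configuration that is not from the thread or from the KB article: a two-address PAT pool shared by the whole inside network, the global knob that pins each inside host to one public address for as long as that address still has free ports, a pool-utilization alarm so port exhaustion is noticed before users report broken sessions, and the operational commands used to confirm the allocation. Zone names, pool and rule names, the 10.0.0.0/8 inside range and the 203.0.113.0/24 documentation addresses are all constructed.

```junos
# Constructed example: source NAT pool of two public addresses (RFC 5737 documentation space).
set security nat source pool SNAT-POOL address 203.0.113.10/32 to 203.0.113.11/32

# Global setting: an inside host keeps the public address it was first mapped to,
# as long as that address still has free ports. This is the Junos counterpart of
# the ScreenOS Sticky DIP behaviour asked about in the thread.
set security nat source address-persistent

# Log an alarm when pool usage passes 90%, cleared again at 80%, so running out of
# ports on a public address is visible in syslog rather than only as failed sessions.
set security nat source pool-utilization-alarm raise-threshold 90 clear-threshold 80

# Rule-set: everything from the (constructed) 10.0.0.0/8 inside range leaving zone trust
# toward zone untrust is translated through SNAT-POOL.
set security nat source rule-set TRUST-TO-UNTRUST from zone trust
set security nat source rule-set TRUST-TO-UNTRUST to zone untrust
set security nat source rule-set TRUST-TO-UNTRUST rule SNAT-INSIDE match source-address 10.0.0.0/8
set security nat source rule-set TRUST-TO-UNTRUST rule SNAT-INSIDE match destination-address 0.0.0.0/0
set security nat source rule-set TRUST-TO-UNTRUST rule SNAT-INSIDE then source-nat pool SNAT-POOL

# Operational-mode checks after commit:
#   show security nat source pool SNAT-POOL                 - addresses, ports in use, utilization
#   show security nat source summary                        - pools and rule-sets at a glance
#   show security flow session source-prefix 10.10.10.5     - all sessions of one host should
#                                                             show the same translated address
```

Because address-persistent is global, it applies to every source NAT pool on the box, and a host is only moved to the other pool address once its current address has no ports left, which is exactly the case in which the far side would otherwise have seen a different source IP mid-session.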


Re: [j-nsp] SRX Source NAT internal users to two or more public IPs

2013-07-19 Thread Klaus Groeger
Hi


you search for persistent nat:
http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-swconfig-security/understand-persistent-nat-section.html


But configuring split source NAT isn't
such a burden. Just go to your source NAT rule-set
and insert a second rule that covers
one half of your internal network via
the match statement. It's quite simple.


If you need explicit help, post your config. 


Klaus
—
Sent from Mailbox for iPhone
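Klaus's split approach as an added example configuration, not posted in the thread: two rules in one rule-set, evaluated top-down, send each half of the inside network to its own single-address PAT pool, and a final catch-all rule makes sure hosts outside both ranges are still translated instead of leaving with an RFC 1918 source address. Pool names, rule names, the 10.10.10.0/24 and 10.10.11.0/24 inside subnets and the 203.0.113.x public addresses are constructed; note that each subnet still shares one public address, so this only helps if no single subnet exhausts the ports on its own.

```junos
# Constructed example: split source NAT, one public address per inside subnet.
set security nat source pool SNAT-A address 203.0.113.10/32
set security nat source pool SNAT-B address 203.0.113.11/32

set security nat source rule-set TRUST-TO-UNTRUST from zone trust
set security nat source rule-set TRUST-TO-UNTRUST to zone untrust

# Rules are matched top-down within the rule-set; the first match wins.
set security nat source rule-set TRUST-TO-UNTRUST rule SNAT-NET-A match source-address 10.10.10.0/24
set security nat source rule-set TRUST-TO-UNTRUST rule SNAT-NET-A then source-nat pool SNAT-A

set security nat source rule-set TRUST-TO-UNTRUST rule SNAT-NET-B match source-address 10.10.11.0/24
set security nat source rule-set TRUST-TO-UNTRUST rule SNAT-NET-B then source-nat pool SNAT-B

# Catch-all: any other inside source is still translated (here to pool A) rather than
# forwarded with its private address, which would otherwise be silently dropped upstream.
set security nat source rule-set TRUST-TO-UNTRUST rule SNAT-REST match source-address 0.0.0.0/0
set security nat source rule-set TRUST-TO-UNTRUST rule SNAT-REST then source-nat pool SNAT-A

# When adding a subnet rule later to a rule-set that already has the catch-all,
# move it above the catch-all in configuration mode:
#   insert security nat source rule-set TRUST-TO-UNTRUST rule SNAT-NET-B before rule SNAT-REST
# Then confirm rule order and hit counts with:
#   show security nat source rule all
```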


Re: [j-nsp] SRX Source NAT internal users to two or more public IPs

2013-07-19 Thread Alex Arseniev

user@srx# help apropos address-persistent
set logical-systems  security nat source address-persistent
   Allow source address to maintain same translation
set security nat source address-persistent
   Allow source address to maintain same translation

HTH
Thanks
Alex



Re: [j-nsp] SRX Source NAT internal users to two or more public IPs

2013-07-19 Thread Klaus Groeger
Sorry, wrong link, here's the correct one:
http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-swconfig-security/configuring-persistent-address-pool-example.html#configuring-persistent-address-pool-example
—
Sent from Mailbox for iPhone


Re: [j-nsp] SRX Source NAT internal users to two or more public IPs

2013-07-19 Thread Muhammad Atif Jauhar
Hi William,

Similar to Sticky DIP, there are two terms in SRX: address shifting and
address persistence.

1. Address persistence: Junos OS will use the same source IP address for
different traffic types associated with the same source host. To ensure the
use of the same address, configure the address-persistent global source NAT
option.

2. (Best option) Address shifting: this type of translation is
one-to-one, static, and without PAT. If the original source address range
is larger than the address range in the user-defined pool, packets might
be dropped.

Regards,
Atif.





-- 
Regards,

Muhammad Atif Jauhar
(+966-56-00-04-985)
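Atif's address-shifting pool as an added example configuration, not from the thread. Address shifting is one-to-one with no port translation: with host-address-base set, the first pool address maps to the base address and each following inside host maps to the next public address, so a host always leaves with the same public IP. The cost is one public address per inside host, which is why the rule below matches only the range the pool can cover; a wider match would leave the extra hosts without a translation and, as Atif notes, their packets are dropped. Pool and rule names, the 10.10.10.0/26 inside range and the 203.0.113.0/26 public block are constructed.

```junos
# Constructed example: address-shifting source NAT (one-to-one, no PAT).
# Pool holds 64 public addresses; with host-address-base 10.10.10.0 the mapping is
#   10.10.10.0 -> 203.0.113.0, 10.10.10.1 -> 203.0.113.1, ..., 10.10.10.63 -> 203.0.113.63
set security nat source pool SHIFT-POOL address 203.0.113.0/32 to 203.0.113.63/32
set security nat source pool SHIFT-POOL host-address-base 10.10.10.0/32

set security nat source rule-set TRUST-TO-UNTRUST from zone trust
set security nat source rule-set TRUST-TO-UNTRUST to zone untrust

# Match exactly the 64 hosts the pool covers. Matching 10.10.10.0/24 here would send
# 10.10.10.64 and above to a pool with no address for them, and their sessions would fail.
set security nat source rule-set TRUST-TO-UNTRUST rule SHIFT-HOSTS match source-address 10.10.10.0/26
set security nat source rule-set TRUST-TO-UNTRUST rule SHIFT-HOSTS then source-nat pool SHIFT-POOL

# Hosts outside the shifted range still need an ordinary PAT rule below this one,
# for example the SNAT-REST catch-all pattern, or they leave untranslated.

# Verify after commit (operational mode):
#   show security nat source pool SHIFT-POOL        - shows the host-address-base and range
#   show security nat source rule all               - translation hits per rule
#   show security flow session source-prefix 10.10.10.7
#                                                   - every session should carry 203.0.113.7
```

Because there is no PAT, the per-address port limit that started this thread does not apply to a shifted host, but a pool of public addresses as large as the inside range is required, which is rarely available for a whole /24 of users.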


[j-nsp] SRX Source NAT internal users to two or more public IPs

2013-07-18 Thread William McLendon
hi all,

We have an issue where we have enough internal users and sessions using the 
general outbound NAT that we are hitting the session limit for the single 
public IP due to running out of ports. (Really it's due to how Source NAT is 
carved up on an HA pair; see http://kb.juniper.net/KB14958 )

However, I think if I just add additional IPs to NAT the users to, it may end up 
breaking some applications, as they establish a new outbound session from 
clicking a URL or something, but that session gets NAT'd to the other IP that 
the far side is not expecting to see it from.

I think ScreenOS had something called Sticky DIP that could help mitigate this, 
where for some NAT timer any session initiated by an IP address would always 
be NAT'd to the same public IP -- does SRX have a similar feature?  If not, I 
think my only other option then would be to carve up the internal networks, i.e. 
10.10.10/24 NATs to public IP A, and 11.11.11.0/24 NATs to public IP B, etc., 
which is probably ok, but can get a little cumbersome.

Or if anyone knows another way please share :)

Thanks,

Will