
[SRX] "address-persistent" vs "persistent-nat" options


Article ID: KB20711 KB Last Updated: 24 Oct 2014Version: 3.0
Summary:

This article addresses the difference between “address-persistent” and “persistent-nat” options.

Symptoms:

The “address-persistent” option allows the mapping of multiple sessions from the same host to be translated with the same address.

With the “persistent-nat” option, address translations are maintained in the database for a configurable amount of time after the session ends.

These two knobs perform completely different functions. They should be used for different purposes.

The two knobs can be used at the same time or individually. The case scenarios below provide more information on the options.

Cause:

Solution:

Test topology

[Work station] (.2) --- 192.168.1.0/24 --- (.1) [SRX100] (.1) --- 11.1.1.0/24 ---- (.2) [SRX240]


Test detail

Source IP address – 192.168.1.2 (Work station)
Destination IP address – 11.1.1.2  (SRX240)
SRX100 performs source address NAT – the source address range 192.168.1.0/24 is translated using the pool of addresses from 12.1.1.0/24
Traffic type – Telnet, FTP, HTTP


Scenario 1 – Source address NAT

Source address of each session from the same host is translated into a different address from the NAT pool.

lab@100A> show security flow session

Session ID: 1272, Policy name: trust_to_untrust/5, Timeout: 1728, Valid
In: 192.168.1.2/1116 --> 11.1.1.2/23;tcp, If: fe-0/0/4.0, Pkts: 32, Bytes: 1369
Out: 11.1.1.2/23 --> 12.1.1.242/29979;tcp, If: fe-0/0/3.0, Pkts: 27, Bytes: 1277

Session ID: 1273, Policy name: trust_to_untrust/5, Timeout: 1740, Valid
In: 192.168.1.2/1117 --> 11.1.1.2/21;tcp, If: fe-0/0/4.0, Pkts: 15, Bytes: 684
Out: 11.1.1.2/21 --> 12.1.1.241/11952;tcp, If: fe-0/0/3.0, Pkts: 17, Bytes: 957

Session ID: 1283, Policy name: trust_to_untrust/5, Timeout: 1776, Valid
In: 192.168.1.2/1125 --> 11.1.1.2/80;tcp, If: fe-0/0/4.0, Pkts: 4, Bytes: 1506
Out: 11.1.1.2/80 --> 12.1.1.237/5703;tcp, If: fe-0/0/3.0, Pkts: 4, Bytes: 544

Session ID: 1304, Policy name: trust_to_untrust/5, Timeout: 1798, Valid
In: 192.168.1.2/1128 --> 11.1.1.2/80;tcp, If: fe-0/0/4.0, Pkts: 5, Bytes: 2078
Out: 11.1.1.2/80 --> 12.1.1.236/16453;tcp, If: fe-0/0/3.0, Pkts: 4, Bytes: 180

As the sessions are torn down, the translated addresses are released back into the NAT pool (that is, NAT translation ends with session termination).


Scenario 2 – Source address NAT + address-persistent

Source address of each session from the same host is translated into the same address from the NAT pool.

lab@100A> show security flow session

Session ID: 1353, Policy name: trust_to_untrust/5, Timeout: 1696, Valid
In: 192.168.1.2/1139 --> 11.1.1.2/23;tcp, If: fe-0/0/4.0, Pkts: 28, Bytes: 1205
Out: 11.1.1.2/23 --> 12.1.1.2/13712;tcp, If: fe-0/0/3.0, Pkts: 24, Bytes: 1129

Session ID: 1354, Policy name: trust_to_untrust/5, Timeout: 1706, Valid
In: 192.168.1.2/1140 --> 11.1.1.2/21;tcp, If: fe-0/0/4.0, Pkts: 15, Bytes: 685
Out: 11.1.1.2/21 --> 12.1.1.2/10332;tcp, If: fe-0/0/3.0, Pkts: 17, Bytes: 957

Session ID: 1363, Policy name: trust_to_untrust/5, Timeout: 1790, Valid
In: 192.168.1.2/1148 --> 11.1.1.2/80;tcp, If: fe-0/0/4.0, Pkts: 6, Bytes: 2931
Out: 11.1.1.2/80 --> 12.1.1.2/12082;tcp, If: fe-0/0/3.0, Pkts: 7, Bytes: 1714

Session ID: 1385, Policy name: trust_to_untrust/5, Timeout: 1790, Valid
In: 192.168.1.2/1151 --> 11.1.1.2/80;tcp, If: fe-0/0/4.0, Pkts: 8, Bytes: 2198
Out: 11.1.1.2/80 --> 12.1.1.2/9573;tcp, If: fe-0/0/3.0, Pkts: 9, Bytes: 6955

Session ID: 1386, Policy name: trust_to_untrust/5, Timeout: 1796, Valid
In: 192.168.1.2/1152 --> 11.1.1.2/23;tcp, If: fe-0/0/4.0, Pkts: 28, Bytes: 1205
Out: 11.1.1.2/23 --> 12.1.1.2/11790;tcp, If: fe-0/0/3.0, Pkts: 24, Bytes: 1129


Scenario 3 – Source address NAT + persistent-nat

The behavior of the “persistent-nat” option is the same as a normal NAT (Scenario 1), except that the NAT mappings are maintained for 300 seconds after the session ends. The timer starts running after the session ends and is configurable.

You can check the currently active mappings with the command show security nat source persistent-nat-table all. Note that each session from the same host is still translated into a different address from the pool; this is where the behavior differs from the “address-persistent” knob.

lab@100A> show security flow session

Session ID: 1443, Policy name: trust_to_untrust/5, Timeout: 1454, Valid
In: 192.168.1.2/1169 --> 11.1.1.2/23;tcp, If: fe-0/0/4.0, Pkts: 28, Bytes: 1205
Out: 11.1.1.2/23 --> 12.1.1.235/10831;tcp, If: fe-0/0/3.0, Pkts: 23, Bytes: 1089

Session ID: 1444, Policy name: trust_to_untrust/5, Timeout: 1462, Valid
In: 192.168.1.2/1170 --> 11.1.1.2/21;tcp, If: fe-0/0/4.0, Pkts: 15, Bytes: 685
Out: 11.1.1.2/21 --> 12.1.1.234/3528;tcp, If: fe-0/0/3.0, Pkts: 17, Bytes: 961

Session ID: 1453, Policy name: trust_to_untrust/5, Timeout: 1788, Valid
In: 192.168.1.2/1178 --> 11.1.1.2/80;tcp, If: fe-0/0/4.0, Pkts: 24, Bytes: 10081
Out: 11.1.1.2/80 --> 12.1.1.230/31146;tcp, If: fe-0/0/3.0, Pkts: 30, Bytes: 17922

Session ID: 1457, Policy name: trust_to_untrust/5, Timeout: 1494, Valid
In: 192.168.1.2/1179 --> 11.1.1.2/23;tcp, If: fe-0/0/4.0, Pkts: 33, Bytes: 1413
Out: 11.1.1.2/23 --> 12.1.1.229/20449;tcp, If: fe-0/0/3.0, Pkts: 28, Bytes: 1345

Session ID: 1476, Policy name: trust_to_untrust/5, Timeout: 1788, Valid
In: 192.168.1.2/1182 --> 11.1.1.2/80;tcp, If: fe-0/0/4.0, Pkts: 27, Bytes: 9388
Out: 11.1.1.2/80 --> 12.1.1.228/28004;tcp, If: fe-0/0/3.0, Pkts: 31, Bytes: 23112

lab@100A> show security nat source persistent-nat-table all
Internal Reflective Source Type Left_time/ Curr_Sess_Num/ Source
In_IP In_Port Ref_IP Ref_Port NAT Pool Conf_time Max_Sess_Num NAT Rule
192.168.1.2 1169 12.1.1.235 10831 src_nat_pool any-remote-host -/300 1/30 1
192.168.1.2 1170 12.1.1.234 3528 src_nat_pool any-remote-host -/300 1/30 1
192.168.1.2 1178 12.1.1.230 31146 src_nat_pool any-remote-host -/300 1/30 1
192.168.1.2 1179 12.1.1.229 20449 src_nat_pool any-remote-host -/300 1/30 1
192.168.1.2 1182 12.1.1.228 28004 src_nat_pool any-remote-host -/300 1/30 1

>>>>>>>>>>>>> all sessions terminated <<<<<<<<<<<<

lab@100A> show security flow session

lab@100A> show security nat source persistent-nat-table all
Internal Reflective Source Type Left_time/ Curr_Sess_Num/ Source
In_IP In_Port Ref_IP Ref_Port NAT Pool Conf_time Max_Sess_Num NAT Rule
192.168.1.2 1169 12.1.1.235 10831 src_nat_pool any-remote-host 288/300 0/30 1
192.168.1.2 1170 12.1.1.234 3528 src_nat_pool any-remote-host 290/300 0/30 1
192.168.1.2 1178 12.1.1.230 31146 src_nat_pool any-remote-host 286/300 0/30 1
192.168.1.2 1179 12.1.1.229 20449 src_nat_pool any-remote-host 282/300 0/30 1
192.168.1.2 1182 12.1.1.228 28004 src_nat_pool any-remote-host 286/300 0/30 1


Scenario 4 – Source address NAT + address-persistent + persistent-nat

This scenario combines the behavior of “address-persistent” and “persistent-nat”.

All sessions from the same host are translated using the same address, and the translation mappings are kept in the “persistent-nat-table” for 300 seconds after the sessions end.

lab@100A> show security flow session

Session ID: 1640, Policy name: trust_to_untrust/5, Timeout: 1726, Valid
In: 192.168.1.2/1234 --> 11.1.1.2/23;tcp, If: fe-0/0/4.0, Pkts: 27, Bytes: 1165
Out: 11.1.1.2/23 --> 12.1.1.2/19812;tcp, If: fe-0/0/3.0, Pkts: 23, Bytes: 1089

Session ID: 1642, Policy name: trust_to_untrust/5, Timeout: 1732, Valid
In: 192.168.1.2/1235 --> 11.1.1.2/21;tcp, If: fe-0/0/4.0, Pkts: 7, Bytes: 311
Out: 11.1.1.2/21 --> 12.1.1.2/22609;tcp, If: fe-0/0/3.0, Pkts: 6, Bytes: 346

Session ID: 1644, Policy name: trust_to_untrust/5, Timeout: 1752, Valid
In: 192.168.1.2/1239 --> 11.1.1.2/23;tcp, If: fe-0/0/4.0, Pkts: 27, Bytes: 1165
Out: 11.1.1.2/23 --> 12.1.1.2/15024;tcp, If: fe-0/0/3.0, Pkts: 23, Bytes: 1089

Session ID: 1649, Policy name: trust_to_untrust/5, Timeout: 1760, Valid
In: 192.168.1.2/1242 --> 11.1.1.2/80;tcp, If: fe-0/0/4.0, Pkts: 4, Bytes: 1506
Out: 11.1.1.2/80 --> 12.1.1.2/26587;tcp, If: fe-0/0/3.0, Pkts: 4, Bytes: 544

lab@100A> show security nat source persistent-nat-table all
Internal Reflective Source Type Left_time/ Curr_Sess_Num/ Source
In_IP In_Port Ref_IP Ref_Port NAT Pool Conf_time Max_Sess_Num NAT Rule
192.168.1.2 1234 12.1.1.2 19812 src_nat_pool any-remote-host -/300 1/30 1
192.168.1.2 1235 12.1.1.2 22609 src_nat_pool any-remote-host -/300 1/30 1
192.168.1.2 1239 12.1.1.2 15024 src_nat_pool any-remote-host -/300 1/30 1
192.168.1.2 1242 12.1.1.2 26587 src_nat_pool any-remote-host -/300 1/30 1

>>>>>>>>>>>>> all sessions terminated <<<<<<<<<<<<

lab@100A> show security flow session

lab@100A> show security nat source persistent-nat-table all
Internal Reflective Source Type Left_time/ Curr_Sess_Num/ Source
In_IP In_Port Ref_IP Ref_Port NAT Pool Conf_time Max_Sess_Num NAT Rule
192.168.1.2 1234 12.1.1.2 19812 src_nat_pool any-remote-host 288/300 0/30 1
192.168.1.2 1235 12.1.1.2 22609 src_nat_pool any-remote-host 290/300 0/30 1
192.168.1.2 1239 12.1.1.2 15024 src_nat_pool any-remote-host 286/300 0/30 1
192.168.1.2 1242 12.1.1.2 26587 src_nat_pool any-remote-host 284/300 0/30 1
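As an added example (not part of this KB article or Junos itself), the following Python parses the two CLI outputs shown in the scenarios above and answers the two questions a verifier would ask: does every session from an internal host get the same pool address (the address-persistent behavior of Scenarios 2 and 4), and which persistent-nat bindings are still held with zero active sessions (the persistent-nat behavior of Scenarios 3 and 4). The sample output embedded below is constructed in the same format as the article's output.

```python
import re
from collections import defaultdict

# Constructed sample in the article's 'show security flow session' format:
# two sessions from 192.168.1.2 translated to two different pool addresses.
FLOW_SESSIONS = """\
In: 192.168.1.2/1116 --> 11.1.1.2/23;tcp, If: fe-0/0/4.0, Pkts: 32, Bytes: 1369
Out: 11.1.1.2/23 --> 12.1.1.242/29979;tcp, If: fe-0/0/3.0, Pkts: 27, Bytes: 1277
In: 192.168.1.2/1117 --> 11.1.1.2/21;tcp, If: fe-0/0/4.0, Pkts: 15, Bytes: 684
Out: 11.1.1.2/21 --> 12.1.1.241/11952;tcp, If: fe-0/0/3.0, Pkts: 17, Bytes: 957
"""
# Constructed persistent-nat-table rows after the sessions ended: the
# bindings have 0 active sessions but a Left_time still counting down.
PNAT_TABLE = """\
192.168.1.2 1169 12.1.1.235 10831 src_nat_pool any-remote-host 288/300 0/30 1
192.168.1.2 1170 12.1.1.234 3528 src_nat_pool any-remote-host 290/300 0/30 1
"""
IN_RE = re.compile(r"^In: (\S+)/\d+ --> ")
OUT_RE = re.compile(r"^Out: \S+ --> (\S+)/\d+;")

def translated_addresses(text):
    """Internal source IP -> sorted list of pool addresses it was given.
    One address per host is address-persistent behaviour (Scenario 2/4);
    several is plain pool translation (Scenario 1/3)."""
    hosts, current = defaultdict(set), None
    for line in text.splitlines():
        line = line.strip()
        m = IN_RE.match(line)
        if m:
            current = m.group(1)  # remember the In: side of this session
        elif current and (m := OUT_RE.match(line)):
            hosts[current].add(m.group(1))  # Out: side holds the NAT address
            current = None
    return {h: sorted(a) for h, a in hosts.items()}

def is_address_persistent(text):
    return all(len(a) == 1 for a in translated_addresses(text).values())

def lingering_bindings(text):
    """Entries held after their session ended: (in_ip, in_port, ref_ip, ref_port, secs_left)."""
    kept = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 9 or "/" not in f[6]:
            continue  # skip the two-line header and blank lines
        left, _conf = f[6].split("/")
        curr, _max = f[7].split("/")
        if curr == "0" and left != "-":
            kept.append((f[0], int(f[1]), f[2], int(f[3]), int(left)))
    return kept
```

Feed it the real output of the two show commands captured from an SRX to confirm which knob is actually in effect before relying on either behavior.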
