Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 276
  • Last Modified:

NS-500 Source translation

Can someone tell me what is happening when you create a policy and specify
SOURCE TRANSLATION on a netscreen?

I had to setup a VPN on the netscreen concentrator to a  PIX515. At first the PIX was able to get to my host but when I looked at the policy I saw traffic received, but none sent. We have overlapping Proxy IDs. I had to EDIT the policy and select "SOURCE TRANSLATION" for it to work.

Is the SOURCE TRANSLATION the same as the PIX's NONAT command?
0
typertec
Asked:
typertec
  • 2
1 Solution
 
ccreamer_22Commented:
I'm not sure what the NONAT command does, since currently I strictly work with Juniper firewalls, but to give you an example, if you turn on logging for the policy and look at the log you will see how the log is different.

You will see that the source address and the translated source address is different. It will either be set to the external interface ip that the firewall is set to or to a DIP that you set up on the external interface. This means that the firewall is translating or performing a nat for the source address.
0
 
typertecAuthor Commented:
Yes I see that. It's translating the source IP address to the EGRESS interface (Untrust interface). Why does it work when I have that checked? So in other words, when the packet comes into the NS-500 it looks like it's coming from the EGRESS interface.
When I'm not doing "SOURCE translation" and the other side does a ping test, I can see the policy logs showing bytes sent, but nothing received.  
When I check SOURCE INTERFACE, then the other side is able to get the replies back.
0
 
ccreamer_22Commented:
Well, that really depends on your spacific scenario. The best answer I can give you is that where the packets are coming from is in a private network ip class range which is not routable accross the internet. The way firewalls in general handle this is to NAT the internal IP's to the EGRESS interface and then route the packets back that have the same ID in the packet header. The way Juniper firewalls handle this is that by default, everything in the trust port is set to NAT as the EGRESS interface when it passes the untrust port. When this is turned off, it can not route outside of your internal network. Computers in your DMZ do not have this turned on by default because alot of users use IP's in their DMZ that are either routable to the internet or they only allow certain ports to be routed to the internet through MIP, VIP, etc.
0

Featured Post

Vote for the Most Valuable Expert

It’s time to recognize experts that go above and beyond with helpful solutions and engagement on site. Choose from the top experts in the Hall of Fame or on the right rail of your favorite topic page. Look for the blue “Nominate” button on their profile to vote.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now