Solved

NS-500 Source translation

Posted on 2009-04-13
3
266 Views
Last Modified: 2012-05-06
Can someone tell me what is happening when you create a policy and specify
SOURCE TRANSLATION on a netscreen?

I had to setup a VPN on the netscreen concentrator to a  PIX515. At first the PIX was able to get to my host but when I looked at the policy I saw traffic received, but none sent. We have overlapping Proxy IDs. I had to EDIT the policy and select "SOURCE TRANSLATION" for it to work.

Is the SOURCE TRANSLATION the same as the PIX's NONAT command?
0
Comment
Question by:typertec
  • 2
3 Comments
 
LVL 5

Expert Comment

by:ccreamer_22
ID: 24132626
I'm not sure what the NONAT command does, since currently I strictly work with Juniper firewalls, but to give you an example, if you turn on logging for the policy and look at the log you will see how the log is different.

You will see that the source address and the translated source address is different. It will either be set to the external interface ip that the firewall is set to or to a DIP that you set up on the external interface. This means that the firewall is translating or performing a nat for the source address.
0
 

Author Comment

by:typertec
ID: 24134286
Yes I see that. It's translating the source IP address to the EGRESS interface (Untrust interface). Why does it work when I have that checked? So in other words, when the packet comes into the NS-500 it looks like it's coming from the EGRESS interface.
When I'm not doing "SOURCE translation" and the other side does a ping test, I can see the policy logs showing bytes sent, but nothing received.  
When I check SOURCE INTERFACE, then the other side is able to get the replies back.
0
 
LVL 5

Accepted Solution

by:
ccreamer_22 earned 400 total points
ID: 24139081
Well, that really depends on your spacific scenario. The best answer I can give you is that where the packets are coming from is in a private network ip class range which is not routable accross the internet. The way firewalls in general handle this is to NAT the internal IP's to the EGRESS interface and then route the packets back that have the same ID in the packet header. The way Juniper firewalls handle this is that by default, everything in the trust port is set to NAT as the EGRESS interface when it passes the untrust port. When this is turned off, it can not route outside of your internal network. Computers in your DMZ do not have this turned on by default because alot of users use IP's in their DMZ that are either routable to the internet or they only allow certain ports to be routed to the internet through MIP, VIP, etc.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco Routers 17 82
Website through the inside interface. 6 67
SonicWall losing internet when Cradlepoint resets. 18 91
Sonicwall Scheduling 4 35
Occasionally, we encounter connectivity issues that appear to be isolated to cable internet service.  The issues we typically encountered were reset errors within Internet Explorer when accessing web sites or continually dropped or failing VPN conne…
Imagine you have a shopping list of items you need to get at the grocery store. You have two options: A. Take one trip to the grocery store and get everything you need for the week, or B. Take multiple trips, buying an item at a time, to achieve t…
This Micro Tutorial will teach you how to censor certain areas of your screen. The example in this video will show a little boy's face being blurred. This will be demonstrated using Adobe Premiere Pro CS6.
Video by: Mark
This lesson goes over how to construct ordered and unordered lists and how to create hyperlinks.

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now