Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

NS-500 Source translation

Posted on 2009-04-13
3
Medium Priority
?
272 Views
Last Modified: 2012-05-06
Can someone tell me what is happening when you create a policy and specify
SOURCE TRANSLATION on a netscreen?

I had to setup a VPN on the netscreen concentrator to a  PIX515. At first the PIX was able to get to my host but when I looked at the policy I saw traffic received, but none sent. We have overlapping Proxy IDs. I had to EDIT the policy and select "SOURCE TRANSLATION" for it to work.

Is the SOURCE TRANSLATION the same as the PIX's NONAT command?
0
Comment
Question by:typertec
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 5

Expert Comment

by:ccreamer_22
ID: 24132626
I'm not sure what the NONAT command does, since currently I strictly work with Juniper firewalls, but to give you an example, if you turn on logging for the policy and look at the log you will see how the log is different.

You will see that the source address and the translated source address is different. It will either be set to the external interface ip that the firewall is set to or to a DIP that you set up on the external interface. This means that the firewall is translating or performing a nat for the source address.
0
 

Author Comment

by:typertec
ID: 24134286
Yes I see that. It's translating the source IP address to the EGRESS interface (Untrust interface). Why does it work when I have that checked? So in other words, when the packet comes into the NS-500 it looks like it's coming from the EGRESS interface.
When I'm not doing "SOURCE translation" and the other side does a ping test, I can see the policy logs showing bytes sent, but nothing received.  
When I check SOURCE INTERFACE, then the other side is able to get the replies back.
0
 
LVL 5

Accepted Solution

by:
ccreamer_22 earned 1600 total points
ID: 24139081
Well, that really depends on your spacific scenario. The best answer I can give you is that where the packets are coming from is in a private network ip class range which is not routable accross the internet. The way firewalls in general handle this is to NAT the internal IP's to the EGRESS interface and then route the packets back that have the same ID in the packet header. The way Juniper firewalls handle this is that by default, everything in the trust port is set to NAT as the EGRESS interface when it passes the untrust port. When this is turned off, it can not route outside of your internal network. Computers in your DMZ do not have this turned on by default because alot of users use IP's in their DMZ that are either routable to the internet or they only allow certain ports to be routed to the internet through MIP, VIP, etc.
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

We sought a budget ($5,000) firewall solution that would provide all the performance we needed with no single point of failure.  Hosting a SAAS web application in our datacenter, it was critical that we find a way to keep connectivity up and inbound…
A 2007 NCSA Cyber Security survey revealed that a mere 4% of the population has a full understanding of firewalls. As business owner, you should be part of that 4% that has a full understanding.
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
In this video, Percona Solution Engineer Rick Golba discuss how (and why) you implement high availability in a database environment. To discuss how Percona Consulting can help with your design and architecture needs for your database and infrastr…
Suggested Courses

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question