Solved

NS-500 Source translation

Posted on 2009-04-13
3 Comments, 270 Views
Last Modified: 2012-05-06
Can someone tell me what is happening when you create a policy and specify SOURCE TRANSLATION on a NetScreen?

I had to set up a VPN on the NetScreen concentrator to a PIX 515. At first the PIX was able to get to my host, but when I looked at the policy I saw traffic received, but none sent. We have overlapping Proxy IDs. I had to EDIT the policy and select "SOURCE TRANSLATION" for it to work.

Is the SOURCE TRANSLATION the same as the PIX's NONAT command?
Question by: typertec
3 Comments
 
LVL 5

Expert Comment

by: ccreamer_22
ID: 24132626
I'm not sure what the NONAT command does, since currently I strictly work with Juniper firewalls, but to give you an example, if you turn on logging for the policy and look at the log you will see how the log is different.

You will see that the source address and the translated source address are different. It will either be set to the external interface IP that the firewall is set to, or to a DIP that you set up on the external interface. This means that the firewall is translating, or performing NAT for, the source address.
0
 

Author Comment

by: typertec
ID: 24134286
Yes I see that. It's translating the source IP address to the EGRESS interface (Untrust interface). Why does it work when I have that checked? So in other words, when the packet comes into the NS-500 it looks like it's coming from the EGRESS interface.
When I'm not doing "SOURCE translation" and the other side does a ping test, I can see the policy logs showing bytes sent, but nothing received.
When I check SOURCE INTERFACE, then the other side is able to get the replies back.
0
 
LVL 5

Accepted Solution

by: ccreamer_22 (earned 400 total points)
ID: 24139081
Well, that really depends on your specific scenario. The best answer I can give you is that where the packets are coming from is in a private network IP class range which is not routable across the internet. The way firewalls in general handle this is to NAT the internal IPs to the EGRESS interface and then route the packets back that have the same ID in the packet header. The way Juniper firewalls handle this is that by default, everything in the trust port is set to NAT as the EGRESS interface when it passes the untrust port. When this is turned off, it cannot route outside of your internal network. Computers in your DMZ do not have this turned on by default because a lot of users use IPs in their DMZ that are either routable to the internet or they only allow certain ports to be routed to the internet through MIP, VIP, etc.
0
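The two places ScreenOS applies the source translation this thread is about, written out as ScreenOS CLI (an added example, not configuration posted in the thread): interface-based NAT mode, which is the default the accepted answer describes, and the policy-level `nat src` that the "SOURCE TRANSLATION" checkbox sets. Interface names, policy ids, the VPN name `vpn-pix`, the DIP id and the address 203.0.113.10 are all assumed; the `#` lines are explanatory comments, not ScreenOS commands.

```text
# Interface-based NAT mode (zone default for Trust): every Trust -> Untrust
# session leaves with the Untrust (egress) interface address as its source.
# Route mode, the DMZ default, forwards the original source address unchanged.
# (interface names are assumed; on an NS-500 they are ethernetN/N)
set interface trust nat
set interface dmz route

# Policy-based source translation: the "SOURCE TRANSLATION" checkbox.
# Without "nat src" the PIX sees the private source address, which overlaps
# its own proxy-ID range; with it, the source is rewritten to the Untrust
# interface address before the packet enters the tunnel, so replies come
# back to that address and are matched to the session.
# (policy id 10 and VPN name "vpn-pix" are assumed)
set policy id 10 from "Trust" to "Untrust" "Any" "Any" "ANY" nat src tunnel vpn "vpn-pix" log

# Same policy, but translating to a DIP pool on the Untrust interface
# instead of the interface address (DIP id 4 and the address are assumed).
set interface untrust dip 4 203.0.113.10 203.0.113.10
set policy id 11 from "Trust" to "Untrust" "Any" "Any" "ANY" nat src dip-id 4 tunnel vpn "vpn-pix" log

# Verify: the policy shows "nat src", and, as ccreamer_22 notes, the traffic
# log for the policy lists both the original and the translated source.
get policy id 10
get log traffic policy 10
```

Note that this is the opposite of the PIX `nat (inside) 0 access-list` (NONAT) statement in the question, which exempts matching traffic from translation rather than applying it.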
