Solved

NS-500 Source translation

Posted on 2009-04-13
3
265 Views
Last Modified: 2012-05-06
Can someone tell me what is happening when you create a policy and specify
SOURCE TRANSLATION on a netscreen?

I had to setup a VPN on the netscreen concentrator to a  PIX515. At first the PIX was able to get to my host but when I looked at the policy I saw traffic received, but none sent. We have overlapping Proxy IDs. I had to EDIT the policy and select "SOURCE TRANSLATION" for it to work.

Is the SOURCE TRANSLATION the same as the PIX's NONAT command?
0
Comment
Question by:typertec
  • 2
3 Comments
 
LVL 5

Expert Comment

by:ccreamer_22
Comment Utility
I'm not sure what the NONAT command does, since currently I strictly work with Juniper firewalls, but to give you an example, if you turn on logging for the policy and look at the log you will see how the log is different.

You will see that the source address and the translated source address is different. It will either be set to the external interface ip that the firewall is set to or to a DIP that you set up on the external interface. This means that the firewall is translating or performing a nat for the source address.
0
 

Author Comment

by:typertec
Comment Utility
Yes I see that. It's translating the source IP address to the EGRESS interface (Untrust interface). Why does it work when I have that checked? So in other words, when the packet comes into the NS-500 it looks like it's coming from the EGRESS interface.
When I'm not doing "SOURCE translation" and the other side does a ping test, I can see the policy logs showing bytes sent, but nothing received.  
When I check SOURCE INTERFACE, then the other side is able to get the replies back.
0
 
LVL 5

Accepted Solution

by:
ccreamer_22 earned 400 total points
Comment Utility
Well, that really depends on your spacific scenario. The best answer I can give you is that where the packets are coming from is in a private network ip class range which is not routable accross the internet. The way firewalls in general handle this is to NAT the internal IP's to the EGRESS interface and then route the packets back that have the same ID in the packet header. The way Juniper firewalls handle this is that by default, everything in the trust port is set to NAT as the EGRESS interface when it passes the untrust port. When this is turned off, it can not route outside of your internal network. Computers in your DMZ do not have this turned on by default because alot of users use IP's in their DMZ that are either routable to the internet or they only allow certain ports to be routed to the internet through MIP, VIP, etc.
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

Network traffic routing plays key role in your network, if you have single site with heavy browsing or multiple sites, replicating important application data from your Primary Default Gateway ,you have to route your other network traffic from your p…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now