hi all,

We have an issue where we have enough internal users and sessions using the 
general outbound NAT that we are hitting the session limit for the single 
public IP due to running out of ports. (really it's due to how Source NAT is 
carved up on an HA pair…see http://kb.juniper.net/KB14958 )

However I think if I just add additional IPs to NAT the users to, it may end up 
breaking some applications as they establish a new outbound session from 
clicking a URL or something, but that session gets NAT'd to the other IP that 
the far side is not expecting to see it from.

I think ScreenOS had something called Sticky DIP that could help mitigate this 
where for some NAT Timer, any session initiated by an IP address would always 
be NAT'd to the same public IP -- does SRX have a similar feature?  If not, I 
think my only other option then would be to carve up the internal networks, i.e. 
10.10.10/24 NATs to public IP A, and 11.11.11.0/24 NATs to public IP B, etc. 
which is probably ok, but can get a little cumbersome.

Or if anyone knows another way please share :)

Thanks,

Will
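As an added example (not from Will's post or from the Juniper KB), here is what the two approaches described above look like in Junos set-format on an SRX: a multi-address source NAT pool with the address-persistent knob, which is the SRX counterpart of ScreenOS Sticky DIP (pins each internal host to one pool address), and the per-subnet carve-up as the alternative. Pool/rule names, zone names and the 203.0.113.x addresses are constructed placeholders.

```junos
# --- Option 1: one pool with several public IPs, host pinned to one address ---
# Constructed pool: two public addresses 203.0.113.10 and 203.0.113.11
set security nat source pool snat-pool address 203.0.113.10/32 to 203.0.113.11/32

# Global knob: a given internal host always gets the same pool address,
# so a follow-on session from a click is not seen from a different IP
set security nat source address-persistent

# Single rule for all internal users (zone names are assumptions)
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule internal-users match source-address 10.0.0.0/8
set security nat source rule-set trust-to-untrust rule internal-users then source-nat pool snat-pool

# --- Option 2 (instead of the rule above): carve internal networks by subnet ---
set security nat source pool snat-a address 203.0.113.10/32
set security nat source pool snat-b address 203.0.113.11/32
set security nat source rule-set trust-to-untrust rule net-a match source-address 10.10.10.0/24
set security nat source rule-set trust-to-untrust rule net-a then source-nat pool snat-a
set security nat source rule-set trust-to-untrust rule net-b match source-address 10.10.11.0/24
set security nat source rule-set trust-to-untrust rule net-b then source-nat pool snat-b

# Early warning before the port range runs dry again (percent of pool in use)
set security nat source pool-utilization-alarm raise-threshold 80
set security nat source pool-utilization-alarm clear-threshold 60

# Operational checks (run from the CLI, not configuration mode):
#   show security nat source pool all      - per-address port usage per pool
#   show security nat source summary       - rule-set and pool hit overview
```

Use either the single internal-users rule or the per-subnet rules, not both in the same rule-set, since rules are evaluated in order and the broad match would shadow the subnet rules.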
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
