Hi Will, You have a couple of options on the SRX platform to do this, however I think 'Source address NAT + address-persistent' would be the best option for you - as long as ports are available then a source will always be translated to the same IP address.
The following KB article sums the types of NAT up nicely: http://kb.juniper.net/InfoCenter/index?page=content&id=KB20711

HTH,
Graham

On 19 July 2013 06:04, William McLendon <[email protected]> wrote:
> hi all,
>
> We have an issue where we have enough internal users and sessions using
> the general outbound NAT that we are hitting the session limit for the
> single public IP due to running out of ports. (really it's due to how Source
> NAT is carved up on an HA pair…see http://kb.juniper.net/KB14958 )
>
> However I think if I just add additional IPs to NAT the users to, it may end
> up breaking some applications as they establish a new outbound session from
> clicking a URL or something, but that session gets NAT'd to the other IP
> that the far side is not expecting to see it from.
>
> I think ScreenOS had something called Sticky DIP that could help mitigate
> this where for some NAT Timer, any session initiated by an IP address would
> always be NAT'd to the same public IP -- does SRX have a similar feature?
> If not, I think my only other option then would be to carve up the
> internal networks, ie 10.10.10/24 NATs to public IP A, and 11.11.11.0/24 NATs
> to public IP B, etc. which is probably ok, but can get a little
> cumbersome.
>
> Or if anyone knows another way please share :)
>
> Thanks,
>
> Will
> _______________________________________________
> juniper-nsp mailing list [email protected]
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>

--
Graham Brown
Twitter - @mountainrescuer <https://twitter.com/#!/mountainrescuer>
LinkedIn <http://www.linkedin.com/in/grahamcbrown>
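For reference, here is what the 'source NAT pool + address-persistent' setup Graham describes looks like in Junos set-style configuration. This is an added example, not configuration from either poster; the pool name, zone names, rule-set name, the 203.0.113.0/24 public addresses and the 10.0.0.0/8 internal range are all assumed placeholders.

```junos
## Added example (not from the thread). Names and addresses below are assumed.
## Public pool of four addresses that outbound sessions will be translated to.
set security nat source pool OUTBOUND-POOL address 203.0.113.10/32 to 203.0.113.13/32

## address-persistent is a global option under 'security nat source': once an
## internal host has been mapped to one pool address, later sessions from that
## host keep the same public address as long as that address still has free ports.
set security nat source address-persistent

## Rule set sending trust -> untrust traffic from the internal range through the pool.
set security nat source rule-set TRUST-TO-UNTRUST from zone trust
set security nat source rule-set TRUST-TO-UNTRUST to zone untrust
set security nat source rule-set TRUST-TO-UNTRUST rule OUTBOUND match source-address 10.0.0.0/8
set security nat source rule-set TRUST-TO-UNTRUST rule OUTBOUND then source-nat pool OUTBOUND-POOL

## Operational checks after commit:
##   show security nat source pool OUTBOUND-POOL   -> per-address port usage in the pool
##   show security nat source paired-address       -> current internal -> public address pairings
```

Two things worth checking before relying on it: address-persistent applies to every source NAT pool on the box, not per rule, and it is a different feature from the per-rule 'persistent-nat' option (which is about keeping a specific port mapping open for inbound traffic). The sticky mapping also only holds while the paired public address has ports left, so the pool needs enough addresses that a single one does not exhaust its port range on the HA member that owns it (the KB14958 split Will mentions), otherwise a host will be moved to another address and the application breakage described in the original mail comes back.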

