Juniper SSG ScreenOS – Interface NAT vs Policy-Based NAT

Tags: juniper, nat, screenos

I have inherited a network using a mix of SSG140s, 350M and 550M. Each of them is configured with a Trust, Untrust and VPN VR with multiple custom zones on each (we don't use the default zones).

[Zone: ISP Link]--(Untrust-VR)--(Trust-VR)--[Zone: Routed: Internal A]
                                          \
                                           -[Zone: NAT: Internal B]

I am struggling to understand the functional difference between how some of the zones are configured. We have two flavours:

  • Zones with Interface Type Route and policy based NAT applied.
    • The policy is configured to use the egress IP (no DIP)
  • Zones with Interface Type NAT, with just standard policies applied.

With an Interface in a Zone attached to the Trust-VR set to NAT, I can see from the logs that NAT is not applied on traffic going to other Zones attached to the same Trust-VR.

As background, I specifically ask because we had an issue with RTMP (TCP media streaming) over a zone configured with policy-based NAT. It looked like it should work, the traffic logs show the NAT being translated correctly, but the TCP handshake never completed and no packets came back. I moved the source of the stream to a Zone which is configured with a NAT interface and it worked; the translation looked the same in the logs. This issue was specifically seen on an SSG140.

To sum up:

  • What is the difference between Policy NAT with no DIP and Interface based NAT?
  • Can I configure all Zones/Interfaces connected to the Trust-VR as NAT and not lose any functionality?

Best Answer

What is the difference between Policy NAT with no DIP and Interface based NAT?

Interface-based NAT only works from the Trust zone to the Untrust zone (as in the default zones). Traffic between other zones will always be routed. The exception to all this (as you have discovered) is when the destination zone is in the Untrust VR, in which case, all traffic will be source NATted.

This is a hang-over from back in the Netscreen days, where there were no custom zones and most boxes had <=3 usable interfaces. They were automatically placed into Zones (these were actually silk-screened above the ports).

Policy-based source-NAT on the other hand will be applied whenever traffic matches the policy, regardless of zone/VR.

If you configure both (e.g. set the interface to NAT mode, and then configure a policy-based NAT) then the policy NAT will override the Interface NAT for that traffic.

Can I configure all Zones/Interfaces connected to the Trust-VR as NAT and not lose any functionality?

Yes, this should work fine - as above, all this traffic will be routed unless it uses a Trust or Untrust zone. If there are any NAT requirements, you can configure policy-based NAT to override specific cases.

References: Juniper KB6725 - [ScreenOS] Configuration example using interface-based NAT: http://kb.juniper.net/InfoCenter/index?page=content&id=KB6725&pmv=print&actp=search&searchid=1236690693051&type=currentpaging
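The two NAT flavours the answer describes, and the "make everything NAT mode and override by policy" approach it recommends, as an added ScreenOS CLI example. This is not configuration from the original post or from the Juniper KB; the interface names, zone names, addresses, policy IDs and DIP pool are assumed for illustration, and the lines starting with `#` are annotations rather than ScreenOS commands (strip them before pasting).

```screenos
# Annotation lines ('#') are explanatory only; ScreenOS does not accept them.
# Assumed topology (hypothetical, not from the original post):
#   ethernet0/0  10.0.0.1/24        zone ISP-Link    (untrust-vr)
#   ethernet0/1  192.168.10.1/24    zone Internal-A  (trust-vr, Route mode)
#   ethernet0/2  192.168.20.1/24    zone Internal-B  (trust-vr, NAT mode)

# --- Custom zones bound to their virtual routers ---
set zone name "ISP-Link"
set zone "ISP-Link" vrouter "untrust-vr"
set zone name "Internal-A"
set zone "Internal-A" vrouter "trust-vr"
set zone name "Internal-B"
set zone "Internal-B" vrouter "trust-vr"

# --- Interfaces: the mode is set per interface, not per zone ---
set interface ethernet0/0 zone "ISP-Link"
set interface ethernet0/0 ip 10.0.0.1/24
set interface ethernet0/0 route

set interface ethernet0/1 zone "Internal-A"
set interface ethernet0/1 ip 192.168.10.1/24
# Route mode: the interface never translates the source on its own.
set interface ethernet0/1 route

set interface ethernet0/2 zone "Internal-B"
set interface ethernet0/2 ip 192.168.20.1/24
# NAT mode: implicit source NAT, but only toward a destination zone in
# untrust-vr (here ISP-Link); toward other trust-vr zones it still routes.
set interface ethernet0/2 nat

# --- Inter-VR routing so trust-vr hosts can reach the ISP link ---
set vrouter "trust-vr" route 0.0.0.0/0 vrouter "untrust-vr"
set vrouter "untrust-vr" route 0.0.0.0/0 interface ethernet0/0 gateway 10.0.0.254

# --- Flavour 1: Route-mode zone, translation done by the policy ---
# "nat src" without a dip-id translates to the egress interface IP (10.0.0.1).
# Policy NAT applies wherever this policy matches, regardless of zone or VR.
set policy id 10 from "Internal-A" to "ISP-Link" "Any" "Any" "ANY" nat src permit log

# --- Flavour 2: NAT-mode zone, plain permit policy ---
# Interface NAT performs the translation because ISP-Link sits in untrust-vr.
set policy id 20 from "Internal-B" to "ISP-Link" "Any" "Any" "ANY" permit log

# --- Intra-VR traffic is routed, never interface-NATted ---
# Both zones are in trust-vr, so Internal-B -> Internal-A keeps 192.168.20.x
# as the source even though ethernet0/2 is in NAT mode.
set policy id 30 from "Internal-B" to "Internal-A" "Any" "Any" "ANY" permit log

# --- Overriding interface NAT with policy NAT for one specific flow ---
# A policy-based source NAT wins over interface NAT for the traffic it matches;
# here TCP from Internal-B leaves from a dedicated DIP pool instead of 10.0.0.1.
set interface ethernet0/0 dip 4 10.0.0.10 10.0.0.10
set policy id 40 from "Internal-B" to "ISP-Link" "Any" "Any" "TCP-ANY" nat src dip-id 4 permit log
# Policies are evaluated top-down and new ones append at the bottom, so the
# specific policy must be moved above the broad one or it never matches.
set policy move 40 before 20

# --- Verification ---
get interface ethernet0/2      # confirms the interface mode (NAT vs Route)
get policy id 10               # shows the NAT src action on the policy
get session                    # active sessions, including translated sources
```

When checking a failing flow such as the RTMP case above, compare `get session` output for a session on the Route-mode/policy-NAT path with one on the NAT-mode path: both should show the same translated source address, and a missing return session on only one of them points at the reverse path rather than at the translation itself.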
