  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 798

static NAT on Juniper firewall

Can someone tell me what is the best way to verify that my static NAT is working on a Juniper firewall? SRX 3400 to be exact.
Asked: FREDARCE

1 Solution
deimark commented:
"show security flow session" and then look for the particular session in question that you would expect to see NAT occurring.

For example this session below:

Session ID: 14703, Policy name: trust-to-untrust/4, Timeout: 1784, Valid
  In: 10.1.1.24/63595 --> 198.107.xx.xx/5223;tcp, If: vlan.0, Pkts: 488, Bytes: 29956
  Out: 198.107.xx.xx/5223 --> 88.97.xx.xx/63595;tcp, If: at-1/0/0.0, Pkts: 487, Bytes: 43294

This shows a session from 10.1.1.24 talking to 198.107.xx.xx. The outbound flow is normal, but the reply packet is NATted so that 198.107.xx.xx talks back to the external address on the firewall of 88.97.xx.xx.

We can narrow down the flow search using some filters like:

xxx@xxx> show security flow session ?
Possible completions:
  <[Enter]>            Execute this command
  application          Application protocol name
  application-firewall  Show application-firewall sessions
  application-firewall-rule-set  Show application-firewall session by rule-set
  brief                Show brief output (default)
  destination-port     Destination port (1..65535)
  destination-prefix   Destination IP prefix or address
  dynamic-application  Dynamic application name
  dynamic-application-group  Dynamic application group name
  extensive            Show detailed output
  family               Protocol family
  idp                  IDP sessions
  interface            Name of incoming or outgoing interface
  nat                  Sessions with network address translation
  protocol             IP protocol number
  resource-manager     Sessions with resource manager
  session-identifier   Show session with specified session identifier
  source-port          Source port (1..65535)
  source-prefix        Source IP prefix or address
  summary              Show output summary
  tunnel               Tunnel sessions

So we can narrow down by source port/prefix, destination port/prefix and protocol number.

HTH
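The check deimark describes (compare the In flow with the Out flow of a session and see whether the reply tuple has been rewritten) is easy to automate when you are verifying many static NAT mappings. The script below is an added example, not code from the thread or from Juniper: it parses the session lines in the same layout as the answer's sample, reports which address was translated in each session, and looks for a specific public-to-private static mapping. The session text is constructed (RFC 5737 documentation addresses, invented session IDs and interface names) so it runs offline; on a real box you would paste in the output of `show security flow session nat` or a `source-prefix`/`destination-prefix` filtered variant as described above.

```python
"""Parse 'show security flow session' output and flag translated flows.

Added example, not from the original thread or from Juniper.  The sample
output below is constructed (RFC 5737 documentation addresses, invented
session IDs); the field layout follows the session lines quoted in the
answer above.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: an outbound source-NAT session, an inbound session hitting a
# static NAT rule (203.0.113.50 -> 10.1.1.40), and an internal session with no NAT.
SAMPLE_OUTPUT = """\
Session ID: 14703, Policy name: trust-to-untrust/4, Timeout: 1784, Valid
  In: 10.1.1.24/63595 --> 198.51.100.5/5223;tcp, If: vlan.0, Pkts: 488, Bytes: 29956
  Out: 198.51.100.5/5223 --> 203.0.113.1/63595;tcp, If: at-1/0/0.0, Pkts: 487, Bytes: 43294
Session ID: 20011, Policy name: untrust-to-trust/6, Timeout: 1790, Valid
  In: 198.51.100.5/51234 --> 203.0.113.50/443;tcp, If: ge-0/0/0.0, Pkts: 12, Bytes: 1800
  Out: 10.1.1.40/443 --> 198.51.100.5/51234;tcp, If: vlan.0, Pkts: 11, Bytes: 2400
Session ID: 20012, Policy name: trust-to-trust/1, Timeout: 60, Valid
  In: 10.1.1.24/40000 --> 10.1.2.9/22;tcp, If: vlan.0, Pkts: 3, Bytes: 200
  Out: 10.1.2.9/22 --> 10.1.1.24/40000;tcp, If: vlan.1, Pkts: 2, Bytes: 150
"""

SESSION_RE = re.compile(r"^Session ID: (\d+), Policy name: ([^,]+), Timeout: (\d+), (\w+)")
FLOW_RE = re.compile(
    r"^\s*(In|Out): (\S+?)/(\d+) --> (\S+?)/(\d+);(\w+), If: (\S+?), Pkts: (\d+), Bytes: (\d+)"
)


@dataclass
class Flow:
    src: str
    src_port: int
    dst: str
    dst_port: int
    proto: str
    iface: str


@dataclass
class Session:
    sid: int
    policy: str
    flows: Dict[str, Flow]  # keyed "In" (initial direction) and "Out" (reply)

    def source_nat(self) -> Optional[Tuple[str, str]]:
        """(original, translated) if the source address was rewritten, else None.

        Without NAT the reply simply reverses the tuple, so Out.dst == In.src.
        """
        fin, fout = self.flows["In"], self.flows["Out"]
        return (fin.src, fout.dst) if fin.src != fout.dst else None

    def destination_nat(self) -> Optional[Tuple[str, str]]:
        """(original, translated) if the destination was rewritten, else None.

        This is what an inbound static NAT rule produces: Out.src is the
        private host, while In.dst was the public address.
        """
        fin, fout = self.flows["In"], self.flows["Out"]
        return (fin.dst, fout.src) if fin.dst != fout.src else None


def parse_sessions(text: str) -> List[Session]:
    """Build Session objects from CLI text; lines that match neither pattern are ignored."""
    sessions: List[Session] = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append(Session(int(m.group(1)), m.group(2), {}))
            continue
        m = FLOW_RE.match(line)
        if m and sessions:
            direction, src, sp, dst, dp, proto, iface = m.groups()[:7]
            sessions[-1].flows[direction] = Flow(src, int(sp), dst, int(dp), proto, iface)
    # Only sessions with both flows can be judged.
    return [s for s in sessions if set(s.flows) >= {"In", "Out"}]


def find_static_nat(sessions: List[Session], public_ip: str, private_ip: str) -> List[int]:
    """Session IDs in which public_ip <-> private_ip is seen being rewritten.

    Static NAT is bidirectional, so both an inbound hit on the public address
    and an outbound session leaving as the public address count as evidence.
    """
    hits = []
    for s in sessions:
        if s.destination_nat() == (public_ip, private_ip):   # inbound: public -> private
            hits.append(s.sid)
        elif s.source_nat() == (private_ip, public_ip):      # outbound: private -> public
            hits.append(s.sid)
    return hits


if __name__ == "__main__":
    found = parse_sessions(SAMPLE_OUTPUT)
    for s in found:
        print(s.sid, s.policy, "src-nat:", s.source_nat(), "dst-nat:", s.destination_nat())
    print("static NAT 203.0.113.50 <-> 10.1.1.40 seen in sessions:",
          find_static_nat(found, "203.0.113.50", "10.1.1.40"))
```

An empty result from `find_static_nat` is only meaningful if a session actually exists for that mapping, so generate some traffic to the public address first and then capture the table; a session that shows up with no rewrite at all usually points at a security policy or rule-set ordering problem rather than at the static NAT rule itself.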
