
static NAT on Juniper firewall

Can someone tell me what is the best way to verify that my static NAT is working on a Juniper firewall?  SRX 3400 to be exact.
1 Solution
"show security flow session" and then look for the particular session in question that you would expect to see NAT occurring.

For example this session below:

Session ID: 14703, Policy name: trust-to-untrust/4, Timeout: 1784, Valid
  In: --> 198.107.xx.xx/5223;tcp, If: vlan.0, Pkts: 488, Bytes: 29956
  Out: 198.107.xx.xx/5223 --> 88.97.xx.xx/63595;tcp, If: at-1/0/0.0, Pkts: 487, Bytes: 43294

This shows a session from talking to 198.107.xx.xx.  The outbound flow is normal, but the reply packet is NATed so that 198.107.xx.xx talks back to the external address on the firewall, 88.97.xx.xx.

We can narrow down the flow search using some filters like:

xxx@xxx> show security flow session ?
Possible completions:
  <[Enter]>            Execute this command
  application          Application protocol name
  application-firewall  Show application-firewall sessions
  application-firewall-rule-set  Show application-firewall session by rule-set
  brief                Show brief output (default)
  destination-port     Destination port (1..65535)
  destination-prefix   Destination IP prefix or address
  dynamic-application  Dynamic application name
  dynamic-application-group  Dynamic application group name
  extensive            Show detailed output
  family               Protocol family
  idp                  IDP sessions
  interface            Name of incoming or outgoing interface
  nat                  Sessions with network address translation
  protocol             IP protocol number
  resource-manager     Sessions with resource manager
  session-identifier   Show session with specified session identifier
  source-port          Source port (1..65535)
  source-prefix        Source IP prefix or address
  summary              Show output summary
  tunnel               Tunnel sessions

So we can narrow down by source port/prefix, destination port/prefix and protocol number.
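Added example, not part of the original answer: once the session table has been narrowed down (the `nat` filter in the completion list above is the quickest first cut), the actual check is to compare the In wing with the Out wing of each session. Without translation the reply tuple is just the forward tuple mirrored; a reply whose destination differs from the original source means source NAT happened, and a reply whose source differs from the original destination means destination NAT happened, which is what an inbound static NAT session looks like. Static NAT is one-to-one and preserves ports, so a hit for a given public/private pair is only counted when the port survives as well. The script parses the session format shown in the answer; the session text is constructed for the example and uses RFC 5737 documentation addresses, not addresses from any real device.

```python
"""Parse Junos SRX 'show security flow session' output and report which
sessions show address translation, and which of them prove a given
static NAT mapping.  Constructed sample below mirrors the layout of the
answer's output; addresses are RFC 5737 documentation ranges."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE = """\
Session ID: 14703, Policy name: trust-to-untrust/4, Timeout: 1784, Valid
  In: 10.10.10.25/51234 --> 198.51.100.77/5223;tcp, If: vlan.0, Pkts: 488, Bytes: 29956
  Out: 198.51.100.77/5223 --> 203.0.113.9/63595;tcp, If: at-1/0/0.0, Pkts: 487, Bytes: 43294

Session ID: 14800, Policy name: untrust-to-trust/2, Timeout: 1800, Valid
  In: 198.51.100.50/40011 --> 203.0.113.20/443;tcp, If: at-1/0/0.0, Pkts: 12, Bytes: 1320
  Out: 10.10.10.40/443 --> 198.51.100.50/40011;tcp, If: vlan.0, Pkts: 10, Bytes: 4410

Session ID: 14900, Policy name: trust-to-trust/1, Timeout: 60, Valid
  In: 10.10.10.25/33000 --> 10.10.20.5/22;tcp, If: vlan.0, Pkts: 5, Bytes: 400
  Out: 10.10.20.5/22 --> 10.10.10.25/33000;tcp, If: vlan.1, Pkts: 4, Bytes: 500

Session ID: 14950, Policy name: trust-to-untrust/4, Timeout: 1790, Valid
  In: 10.10.10.40/5000 --> 198.51.100.50/80;tcp, If: vlan.0, Pkts: 7, Bytes: 600
  Out: 198.51.100.50/80 --> 203.0.113.20/5000;tcp, If: at-1/0/0.0, Pkts: 6, Bytes: 900

Total sessions: 4
"""

SESSION_RE = re.compile(
    r"^Session ID: (?P<sid>\d+), Policy name: (?P<policy>\S+), "
    r"Timeout: (?P<timeout>\d+), (?P<state>\w+)"
)
FLOW_RE = re.compile(
    r"^\s*(?P<wing>In|Out): (?P<src>\S+)/(?P<sport>\d+) --> "
    r"(?P<dst>\S+)/(?P<dport>\d+);(?P<proto>\w+), If: (?P<ifc>\S+), "
    r"Pkts: (?P<pkts>\d+), Bytes: (?P<bytes>\d+)"
)


@dataclass
class Wing:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    interface: str


@dataclass
class Session:
    sid: int
    policy: str
    wings: Dict[str, Wing] = field(default_factory=dict)


def parse_sessions(text: str) -> List[Session]:
    """Return every session that has both an In and an Out wing."""
    sessions: List[Session] = []
    current: Optional[Session] = None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            current = Session(int(m["sid"]), m["policy"])
            sessions.append(current)
            continue
        m = FLOW_RE.match(line)
        if m and current is not None:
            current.wings[m["wing"]] = Wing(
                m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                m["proto"], m["ifc"])
    return [s for s in sessions if "In" in s.wings and "Out" in s.wings]


def nat_kind(s: Session) -> str:
    """In = initiator -> responder as it arrived; Out = the reply direction.
    A reply destination that differs from the original source means the
    source was translated; a reply source that differs from the original
    destination means the destination was translated."""
    fwd, rev = s.wings["In"], s.wings["Out"]
    src_nat = (rev.dst, rev.dport) != (fwd.src, fwd.sport)
    dst_nat = (rev.src, rev.sport) != (fwd.dst, fwd.dport)
    if src_nat and dst_nat:
        return "source+destination"
    return "source" if src_nat else "destination" if dst_nat else "none"


def static_nat_sessions(sessions: List[Session], public_ip: str,
                        private_ip: str) -> List[int]:
    """Session IDs showing the public<->private mapping in effect, inbound
    (public hit, private answers) or outbound (private initiates, seen as
    public).  Ports must be unchanged: a changed port is PAT, not static NAT."""
    hits = []
    for s in sessions:
        fwd, rev = s.wings["In"], s.wings["Out"]
        inbound = (fwd.dst == public_ip and rev.src == private_ip
                   and fwd.dport == rev.sport)
        outbound = (fwd.src == private_ip and rev.dst == public_ip
                    and fwd.sport == rev.dport)
        if inbound or outbound:
            hits.append(s.sid)
    return hits


if __name__ == "__main__":
    parsed = parse_sessions(SAMPLE)
    for sess in parsed:
        print(sess.sid, sess.policy, nat_kind(sess))
    print("static 203.0.113.20 <-> 10.10.10.40:",
          static_nat_sessions(parsed, "203.0.113.20", "10.10.10.40"))
```

Feed it the output of `show security flow session nat` (or a destination-prefix/source-prefix filtered variant) saved from the SRX. Session 14703 in the sample is ordinary source NAT with a port change, so it is reported as translated but does not count as evidence for a static mapping; 14800 and 14950 show the same one-to-one mapping in both directions, which is the outcome the original question is asking how to confirm.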
