static NAT on Juniper firewall

Posted on 2012-09-19
Last Modified: 2012-09-23
Can someone tell me what is the best way to verify that my static NAT is working on a Juniper firewall?  SRX 3400 to be exact.
Question by: FREDARCE

    Accepted Solution

    "show security flow session" and then look for the particular session in question that you would expect to see NAT occurring.

    For example this session below:

    Session ID: 14703, Policy name: trust-to-untrust/4, Timeout: 1784, Valid
      In: --> 198.107.xx.xx/5223;tcp, If: vlan.0, Pkts: 488, Bytes: 29956
      Out: 198.107.xx.xx/5223 --> 88.97.xx.xx/63595;tcp, If: at-1/0/0.0, Pkts: 487, Bytes: 43294

    This shows a session from talking to 198.107.xx.xx.  The outbound flow is normal but the reply packet is NATed so that 198.107.xx.xx talks back to the external address on the firewall of 88.97.xx.xx.

    We can narrow down the flow search using some filters like:

    xxx@xxx> show security flow session ?
    Possible completions:
      <[Enter]>            Execute this command
      application          Application protocol name
      application-firewall  Show application-firewall sessions
      application-firewall-rule-set  Show application-firewall session by rule-set
      brief                Show brief output (default)
      destination-port     Destination port (1..65535)
      destination-prefix   Destination IP prefix or address
      dynamic-application  Dynamic application name
      dynamic-application-group  Dynamic application group name
      extensive            Show detailed output
      family               Protocol family
      idp                  IDP sessions
      interface            Name of incoming or outgoing interface
      nat                  Sessions with network address translation
      protocol             IP protocol number
      resource-manager     Sessions with resource manager
      session-identifier   Show session with specified session identifier
      source-port          Source port (1..65535)
      source-prefix        Source IP prefix or address
      summary              Show output summary
      tunnel               Tunnel sessions

    So we can narrow down by source port/prefix, destination port/prefix and protocol number.
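The check the accepted answer describes, comparing the In wing of a session with its Out wing, can be automated when you have many sessions to look through. The script below is an added example and is not part of the original question or answer; the session output it parses is a constructed sample written in the same layout as the answer's "show security flow session" excerpt, with RFC 5737 documentation addresses standing in for the masked ones. Without NAT the Out (reply) flow is the exact mirror of the In (initiating) flow; a rewritten server side means destination translation, a rewritten client side means source translation. Static NAT on the SRX is bidirectional, so verify_static_nat() accepts a match in either direction. Output format details beyond what the answer shows (field order, interface names) are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the shape of "show security flow session" output,
# modelled on the excerpt in the accepted answer. Addresses are RFC 5737
# documentation ranges, not real hosts.
SAMPLE_OUTPUT = """\
Session ID: 14703, Policy name: trust-to-untrust/4, Timeout: 1784, Valid
  In: 192.168.10.25/63595 --> 198.51.100.7/5223;tcp, If: vlan.0, Pkts: 488, Bytes: 29956
  Out: 198.51.100.7/5223 --> 203.0.113.5/63595;tcp, If: at-1/0/0.0, Pkts: 487, Bytes: 43294

Session ID: 14810, Policy name: untrust-to-dmz/7, Timeout: 1796, Valid
  In: 198.51.100.20/51022 --> 203.0.113.10/443;tcp, If: at-1/0/0.0, Pkts: 12, Bytes: 1540
  Out: 192.168.20.10/443 --> 198.51.100.20/51022;tcp, If: vlan.20, Pkts: 10, Bytes: 6218

Session ID: 14811, Policy name: trust-to-dmz/2, Timeout: 1800, Valid
  In: 192.168.10.25/50000 --> 192.168.20.10/22;tcp, If: vlan.0, Pkts: 30, Bytes: 4000
  Out: 192.168.20.10/22 --> 192.168.10.25/50000;tcp, If: vlan.20, Pkts: 28, Bytes: 5100
Total sessions: 3
"""

SESSION_RE = re.compile(
    r"^Session ID: (?P<sid>\d+), Policy name: (?P<policy>\S+), "
    r"Timeout: (?P<timeout>\d+), (?P<state>\w+)"
)
FLOW_RE = re.compile(
    r"^\s*(?P<dir>In|Out): (?P<src>\S+)/(?P<sport>\d+) --> "
    r"(?P<dst>\S+)/(?P<dport>\d+);(?P<proto>\w+), If: (?P<iface>\S+), "
    r"Pkts: (?P<pkts>\d+), Bytes: (?P<bytes>\d+)"
)


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    iface: str


@dataclass
class Session:
    sid: int
    policy: str
    flows: Dict[str, Flow] = field(default_factory=dict)  # "In" / "Out" wings


def parse_sessions(text: str) -> List[Session]:
    """Parse session headers and their In/Out wings; drop sessions missing a wing."""
    sessions: List[Session] = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append(Session(int(m["sid"]), m["policy"]))
            continue
        m = FLOW_RE.match(line)
        if m and sessions:
            sessions[-1].flows[m["dir"]] = Flow(
                m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                m["proto"], m["iface"],
            )
    return [s for s in sessions if "In" in s.flows and "Out" in s.flows]


def classify(session: Session) -> str:
    """Name the translation by comparing the reply wing with the mirrored initiating wing."""
    i, o = session.flows["In"], session.flows["Out"]
    dst_nat = (o.src, o.sport) != (i.dst, i.dport)  # server side was rewritten
    src_nat = (o.dst, o.dport) != (i.src, i.sport)  # client side was rewritten
    if src_nat and dst_nat:
        return "source+destination"
    if dst_nat:
        return "destination"
    if src_nat:
        return "source"
    return "none"


def verify_static_nat(sessions: List[Session], public_ip: str, private_ip: str) -> Optional[Session]:
    """Return the first session proving public_ip <-> private_ip is translated, in either direction."""
    for s in sessions:
        i, o = s.flows["In"], s.flows["Out"]
        inbound = i.dst == public_ip and o.src == private_ip    # internet -> public, replied from private
        outbound = i.src == private_ip and o.dst == public_ip   # private -> out, replies come to public
        if inbound or outbound:
            return s
    return None


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_OUTPUT)
    for s in sessions:
        print(f"Session {s.sid} ({s.policy}): NAT = {classify(s)}")
    hit = verify_static_nat(sessions, "203.0.113.10", "192.168.20.10")
    print("static NAT verified in session", hit.sid if hit else "NOT FOUND")
```

On a live box, feed the script the text of `show security flow session nat` (or the narrowed variants the answer lists, such as `show security flow session destination-prefix 203.0.113.10`) instead of SAMPLE_OUTPUT; a session with both wings present and the expected public/private pair is the proof that the static NAT rule is being hit.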
