
Resolution Guide - SRX - Troubleshoot Source NAT


Article ID: KB21611   KB Last Updated: 04 Mar 2017   Version: 4.0
Summary:

This article walks through troubleshooting Source NAT (Network Address Translation) step by step.

For assistance with troubleshooting Destination NAT or Static NAT, refer to KB21922 - Resolution Guides and Articles - SRX - NAT.

Symptoms:
  • Clients on the private network cannot reach the Internet because there is an issue with Source NAT
  • Source NAT is not working

Cause:

Solution:

Perform the following steps:


Step 1. Confirm the configuration by running the edit mode command:  show security nat source
Refer to KB15758 - SRX Getting Started - Configure NAT (Network Address Translation) for NAT configuration examples.

Does the NAT configuration appear correct?

  • Yes - Continue to Step 2
  • No - Correct the configuration. Then run traffic again to retest. If it still fails, continue to Step 5.

Step 2.  Is the Source NAT configuration using interface NAT (Egress Interface Translation) or a Source NAT Pool?

  • Interface NAT - Jump to Step 5
  • Source NAT Pool - Continue to Step 3



Step 3.  Is the NAT pool from the same subnet as the SRX external interface? 
(For example, if the NAT pool is 1.1.1.2 through 1.1.1.4, and the SRX external IP address is 1.1.1.1/24, then the NAT pool is on the same subnet as the SRX external IP address.)

  • Yes - Continue with Step 4
  • No - Continue with Step 5



Step 4.  Run the configuration command: 
show security nat proxy-arp

Is Proxy ARP configured for the NAT pool IP addresses? For more information on Proxy ARP and how to configure it, go to KB21785 - [SRX] When and how to configure Proxy ARP.

  • Yes - Continue with Step 5
  • No - Configure Proxy ARP, and run the traffic to retest. If it still fails, continue to Step 5.



Step 5.  Run the command: 
show security nat source rule <name>   or   show security nat source rule all

Is the Security Source Rule getting 'Translation Hits'?  To check,   For more information on these commands, refer to KB21709 - Verify Source NAT rules are in order and working correctly.

  • Yes - Translation Hits are there, but the traffic does not seem to flow correctly - Continue with Step 6
  • No - Jump to Step 8



Step 6.  Is there a flow session for the particular Source IP and Destination IP in question? 
For information on how to check the sessions, go to KB21719 - How to check and interpret the Flow Sessions installed in the SRX when troubleshooting NAT.

  • Yes - The sessions are there, but the traffic is not working correctly - Continue with Step 7
  • No - Continue with Traceoptions Step 9



Step 7.  Do the session wings show the correct NAT'd IPs?
  For examples of how to tell, refer to KB21719 - How to check and interpret the Flow Sessions installed in the SRX when troubleshooting NAT.



Step 8.  A common source NAT configuration error is the configuration order of the Security NAT rules.
The configuration order is important.
For more information on how to confirm the order, refer to KB21709 - Verify Source NAT rules are in order and working correctly.

Is the order correct per the requirement?

  • Yes - The order is found to be correct but still the traffic is not working. Continue with Traceoptions Step 9
  • No - Correct the order of the Security NAT rules (see KB21783 - SRX Example - Checking and reordering NAT rules for a reorder example), and re-run the traffic. If traffic is still failing, continue with Step 9.



Step 9.  Set up Traceoptions and configure packet filters for the source IP and destination IP.
For more information on how to set up traceoptions, refer to KB16108 - SRX Getting Started -- Configuring Traceoptions for Debugging and Trimming Output.

Did you find where the packet is being dropped? For more on how to analyze the traceoptions for packet drops, refer to KB21757 - [SRX] How to interpret Flow TraceOptions output for NAT troubleshooting.
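
A check for Steps 3 and 4, as an added example that is not part of the Juniper article: this Python script reads configuration lines in "display set" form and reports Source NAT pool addresses that sit on the egress interface's subnet but are not covered by any proxy-arp entry on that interface. The sample configuration, the pool name src-pool, the interface ge-0/0/0.0 and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in "display set" form; names and addresses are illustrative.
SAMPLE_CONFIG = """\
set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.1/24
set security nat source pool src-pool address 1.1.1.2/32 to 1.1.1.4/32
set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.2/32 to 1.1.1.3/32
"""

INTF = re.compile(r"set interfaces (\S+) unit (\d+) family inet address (\S+)")
POOL = re.compile(r"set security nat source pool (\S+) address (\S+)(?: to (\S+))?")
PARP = re.compile(r"set security nat proxy-arp interface (\S+) address (\S+)(?: to (\S+))?")


def expand(first, last=None):
    """Return the set of addresses for 'a/len' or for the range 'a/32 to b/32'."""
    if last is None:
        return set(ipaddress.ip_network(first, strict=False))
    lo = ipaddress.ip_interface(first).ip
    hi = ipaddress.ip_interface(last).ip
    return {ipaddress.ip_address(n) for n in range(int(lo), int(hi) + 1)}


def missing_proxy_arp(config, egress):
    """Map pool name -> on-subnet pool addresses with no proxy-arp entry on egress."""
    subnet, pools, covered = None, {}, set()
    for line in config.splitlines():
        if m := INTF.match(line):
            if f"{m[1]}.{m[2]}" == egress:
                subnet = ipaddress.ip_interface(m[3]).network
        elif m := POOL.match(line):
            pools.setdefault(m[1], set()).update(expand(m[2], m[3]))
        elif m := PARP.match(line):
            if m[1] == egress:
                covered |= expand(m[2], m[3])
    if subnet is None:
        raise ValueError(f"no inet address found for {egress}")
    result = {}
    for name, addrs in pools.items():
        on_link = {a for a in addrs if a in subnet}  # Step 3: same subnet as egress?
        gaps = sorted(on_link - covered)             # Step 4: proxy ARP configured?
        if gaps:
            result[name] = [str(a) for a in gaps]
    return result


if __name__ == "__main__":
    print(missing_proxy_arp(SAMPLE_CONFIG, "ge-0/0/0.0"))
```

An empty result means either every on-subnet pool address has proxy ARP or the pool is on a different subnet, which corresponds to moving on to Step 5.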


