This article will assist you in Source NAT (Network Address Translation) troubleshooting in a step-by-step approach.
For assistance with troubleshooting Destination NAT or Static NAT, refer to KB21922 - Resolution Guides and Articles - SRX - NAT.
Perform the following steps:
Step 1: Confirm the configuration by running the edit mode command: show security nat source
Refer to KB15758 - SRX Getting Started - Configure NAT (Network Address Translation) for NAT configuration examples.
Does the NAT configuration appear correct?
- Yes - Continue to Step 2
- No - Correct the configuration. Then run traffic again to retest. If it still fails, continue to Step 5.
Step 2: Is the Source NAT configuration using interface NAT (Egress Interface Translation) or a Source NAT Pool?
- Interface NAT - Jump to Step 5
- Source NAT Pool - Continue to Step 3
Step 3: Is the NAT pool from the same subnet as the SRX external interface? (For example, if the NAT pool is 1.1.1.2 through 1.1.1.4, and the SRX external IP address is 1.1.1.1/24, then the NAT pool is on the same subnet as the SRX external IP address.)
- Yes - Continue with Step 4
- No - Continue with Step 5
Step 4: Run the configuration command: show security nat proxy-arp
Is Proxy ARP configured for the NAT pool IP addresses? For more information on Proxy ARP and how to configure it, go to KB21785 - [SRX] When and how to configure Proxy ARP.
- Yes - Continue with Step 5
- No - Configure Proxy ARP, and run the traffic to retest. If it still fails, continue to Step 5.
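The pool-subnet and Proxy ARP checks above can be scripted when a pool is large. The following Python is an added example, not Juniper code: the function names and the (low, high) tuple format are assumptions, IPv4 is assumed, and the Proxy ARP ranges are expected to be copied by hand from the show security nat proxy-arp output.

```python
import ipaddress

def _bounds(low, high):
    """Parse an inclusive IPv4 range and reject a reversed one."""
    lo, hi = ipaddress.ip_address(low), ipaddress.ip_address(high)
    if lo > hi:
        raise ValueError(f"range {low} to {high} is reversed")
    return lo, hi

def pool_on_interface_subnet(interface_cidr, pool):
    """Step 3: does any pool address fall inside the external interface subnet?"""
    net = ipaddress.ip_interface(interface_cidr).network
    lo, hi = _bounds(*pool)
    # Two inclusive ranges overlap when each starts before the other ends.
    return lo <= net.broadcast_address and hi >= net.network_address

def proxy_arp_gaps(interface_cidr, pool, proxy_arp_ranges):
    """Step 4: pool addresses on the interface subnet with no Proxy ARP entry."""
    iface = ipaddress.ip_interface(interface_cidr)
    covered = [_bounds(*r) for r in proxy_arp_ranges]
    lo, hi = _bounds(*pool)
    gaps = []
    for n in range(int(lo), int(hi) + 1):
        addr = ipaddress.ip_address(n)
        if addr not in iface.network or addr == iface.ip:
            continue  # off-subnet: no Proxy ARP on this interface; own IP: already answered
        if not any(a <= addr <= b for a, b in covered):
            gaps.append(str(addr))
    return gaps

if __name__ == "__main__":
    # Interface and pool come from the article's example; the Proxy ARP range is constructed.
    iface, pool = "1.1.1.1/24", ("1.1.1.2", "1.1.1.4")
    configured = [("1.1.1.2", "1.1.1.3")]
    if pool_on_interface_subnet(iface, pool):
        print("Step 4, missing Proxy ARP for:", proxy_arp_gaps(iface, pool, configured))
    else:
        print("Pool is off-subnet: continue with Step 5")
```

An empty result means every on-subnet pool address is covered, which corresponds to the "Yes" branch of Step 4.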
Step 5: Run the command: show security nat source rule <name> or show security nat source rule all
Is the Security Source Rule getting 'Translation Hits'? For more information on these commands, refer to KB21709 - Verify Source NAT rules are in order and working correctly.
- Yes - Translation Hits are there, but the traffic does not seem to flow correctly - Continue with Step 6
- No - Jump to Step 8
Step 6: Is there a flow session for the particular Source IP and Destination IP in question? For information on how to check the sessions, go to KB21719 - How to check and interpret the Flow Sessions installed in the SRX when troubleshooting NAT.
- Yes - The sessions are there, but the traffic is not working correctly - Continue with Step 7
- No - Continue with Traceoptions Step 9
Step 7: Do the session wings show the correct NAT'd IPs? For examples of how to tell, refer to KB21719 - How to check and interpret the Flow Sessions installed in the SRX when troubleshooting NAT.
Step 8: A common source NAT configuration error is the order in which the Security NAT rules are configured. For more information on how to confirm the order, refer to KB21709 - Verify Source NAT rules are in order and working correctly.
Is the order correct per the requirement?
- Yes - The order is correct, but the traffic is still not working. Continue with Traceoptions Step 9
- No - Correct the order of the Security NAT rules (see KB21783 - SRX Example - Checking and reordering NAT rules for a reorder example), and re-run the traffic. If traffic is still failing, continue with Step 9
Step 9: Set up traceoptions and configure packet filters for the source IP and destination IP. For more information on how to set up traceoptions, refer to KB16108 - SRX Getting Started -- Configuring Traceoptions for Debugging and Trimming Output.
Did you find where the packet is being dropped? For more on how to analyze the traceoptions for packet drops, refer to KB21757 - [SRX] How to interpret Flow TraceOptions output for NAT troubleshooting.