
[SRX] How to verify Source NAT Rules are in order and working correctly


Article ID: KB21709 KB Last Updated: 12 Jun 2020Version: 3.0
Summary:

This article helps you verify the Source NAT Rule order using two important operational commands:

user@srx> show security nat source rule all/<rulename>
user@srx> show security nat source pool all/<poolname>

The Resolution Guides for SRX NAT refer to this article.

Symptoms:

A common Source NAT configuration error is the order of the Security NAT Rules. Rules in a rule-set are evaluated from the top and the first rule that matches is applied, so the configuration order is important.

  • How do you know if you have a problem with the configuration order?
  • How do you verify a Source NAT rule is getting hit?

Let us assume a sample Source NAT configuration as follows:

  • Rule 1:  Matches 2 source subnets, and does not perform NAT
  • Rule 2:  Matches any source IP, and performs interface NAT
  • Rule 3:  Matches a single IP, and performs NAT with an IP pool

Below are the corresponding configuration commands:

# show security nat source

pool POOL-A { ##one pool defined with one address
    address {
        25.46.250.37/32;
    }
}

rule-set RULE-SET1 { ##one ruleset defined with 3 rules in it
    from zone trust;
    to zone untrust;
    rule 1 { ##first rule matches 2 source subnets
        match {
            source-address [ 192.168.1.0/24 10.16.2.0/24 ]; 
        }
        then {
            source-nat {
                off; ##action of the NAT rule is to NOT do a NAT
            }
        }
    }
    rule 2 { ##second rule matches any source IP and does an interface source NAT
        match {
            source-address 0.0.0.0/0;
        }
        then {
            source-nat {
                interface;
            }
        }
    }
    rule 3 { ##third rule matches a single host and uses pool to do source NAT
        match {
            source-address 192.168.5.6/32;
        }
        then {
            source-nat {                
                pool {
                    POOL-A;
                }
            }
        }
    }
}

Solution:

In order to determine if the Security NAT Rules are in the correct order, the following two operational commands are used:

user@srx> show security nat source rule all/<rulename>
user@srx> show security nat source pool all/<poolname>

The output of these commands and how to interpret the running state of the Security NAT Rules are explained below:

  • NAT Source Rule output
    (Explanation of the command:  show security nat source rule all)

  • Source NAT Pool output
    (Explanation of the command:  show security nat source pool all)

  • Results after swapping order of the NAT Source Rules


NAT Source Rule output

The section below shows the running state of the Source NAT rules for the configuration in the 'Symptoms' section.

In the output below, Rule 1 is working correctly and Rule 3 is not. That is because Rules 2 and 3 are in the wrong order: Rule 2 matches any source address, so traffic from 192.168.5.6 is translated by Rule 2 (interface NAT) before Rule 3 is ever evaluated, and Rule 3's Translation hits stay at 0.

user@srx> show security nat source rule all ##This command will list all the source NAT rules with all details possible

Total rules: 3
 
source NAT rule: 1           Rule-set: RULE-SET1 ##The rule set to which the rule belongs
  Rule-Id                    : 5
  Rule position              : 1 ##This is the relative order of rule among other rules
  From zone                  : trust ##Calculated on basis of the ingress interface
  To zone                    : untrust ##Calculated on basis of the route lookup
  Match
    Source addresses         : 192.168.1.0 - 192.168.1.255 ##Complete IP ranges matched
                               10.16.2.0   - 10.16.2.255 ##Complete IP ranges matched
    Destination port         : 0           - 0 ##Matching all destination ports
  Action                        : off ##Action is to NOT do Source NAT
    Persistent NAT type         : N/A
    Persistent NAT mapping type : address-port-mapping 
    Inactivity timeout          : 0
    Max session number          : 0 
  Translation hits           : 100 ##This should increase if the NAT rule is being hit
 
source NAT rule: 2           Rule-set: RULE-SET1 
  Rule-Id                    : 6  
  Rule position              : 2
  From zone                  : trust
  To zone                    : untrust
  Match
    Source addresses         : Any             - 255.255.255.255 ##Matching any IP
    Destination port         : 0               - 0
  Action                     : interface ##Action is to NAT with the Interface IP
    Persistent NAT type      : N/A              
    Persistent NAT mapping type : address-port-mapping
    Inactivity timeout          : 0
    Max session number          : 0 
    Translation hits            : 11 

source NAT rule: 3           Rule-set: RULE-SET1 ##The Rule is deliberately misplaced to make it fail, so the number of hits = 0
  Rule-Id                    : 7
  Rule position              : 3
  From zone                  : trust
  To zone                    : untrust
  Match                                 
    Source addresses         : 192.168.5.6     - 192.168.5.6 ##Just one host is matched here
    Destination port         : 0               - 0
  Action                        : POOL-A ##Action is: to do a source NAT to the host in POOL-A
    Persistent NAT type         : N/A 
    Persistent NAT mapping type : address-port-mapping
    Inactivity timeout          : 0
    Max session number          : 0 
  Translation hits              : 0


Source NAT Pool output

The section below shows the running state of the Source NAT pools for the configuration in the 'Symptoms' section.

user@srx> show security nat source pool all ##This command will list all the source NAT pools with all details possible

Total pools: 1

Pool name          : POOL-A
Pool id            : 4
Routing instance   : default ##Routing instance to which pool is bound
Host address base  : 0.0.0.0
Port               : [1024, 63487] ##The range of ports that can be PAT’d
Total addresses    : 1 ##Number of configured addresses
Translation hits   : 0 ##How many times the pool is used. If it is 0, the Rule for this Pool has not been hit
Address range                        Single Ports   Twin Ports ##Content of Pool
       25.46.250.37 - 25.46.250.37       0              0    
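The two outputs above are what an operator reads by eye; the check can also be automated. The following is an added example, not part of the original article and not Juniper code: it parses the shape of the 'show security nat source rule all' and 'show security nat source pool all' output shown in this article (constructed, trimmed samples are embedded), flags rules whose source ranges are fully covered by an earlier rule in the same rule-set (which can therefore never be hit under first-match evaluation), lists rules with zero Translation hits, and maps pools with zero hits to the rules that reference them. Field labels and spacing are assumed to follow the output printed in this article; only source addresses are compared, because that is all the rules here match on.

```python
import ipaddress
import re

# Constructed samples in the shape of 'show security nat source rule all' and
# 'show security nat source pool all' as printed in this article, trimmed to the
# fields the checks use (not captured from a real device).
RULE_OUTPUT = """\
source NAT rule: 1           Rule-set: RULE-SET1
  Rule position              : 1
    Source addresses         : 192.168.1.0 - 192.168.1.255
                               10.16.2.0   - 10.16.2.255
  Action                        : off
  Translation hits           : 100

source NAT rule: 2           Rule-set: RULE-SET1
  Rule position              : 2
    Source addresses         : Any             - 255.255.255.255
  Action                     : interface
    Translation hits            : 11

source NAT rule: 3           Rule-set: RULE-SET1
  Rule position              : 3
    Source addresses         : 192.168.5.6     - 192.168.5.6
  Action                        : POOL-A
  Translation hits              : 0
"""
POOL_OUTPUT = """\
Pool name          : POOL-A
Pool id            : 4
Translation hits   : 0
"""
FIELDS = {"Rule position": "position", "Action": "action", "Translation hits": "hits"}

def _to_int(addr):
    # The SRX prints 'Any' for the low end of the 0.0.0.0 - 255.255.255.255 range.
    return 0 if addr.lower() == "any" else int(ipaddress.IPv4Address(addr))

def parse_source_nat_rules(text):
    """One dict per rule: name, rule_set, position, source ranges (int pairs), action, hits."""
    rules, in_sources = [], False
    for line in text.splitlines():
        m = re.match(r"source NAT rule:\s*(\S+)\s+Rule-set:\s*(\S+)", line)
        if m:
            rules.append({"name": m.group(1), "rule_set": m.group(2), "ranges": []})
            continue
        if not rules:
            continue
        cur = rules[-1]
        m = re.match(r"\s*Source addresses\s*:\s*(\S+)\s*-\s*(\S+)", line)
        if m:
            cur["ranges"].append((_to_int(m.group(1)), _to_int(m.group(2))))
            in_sources = True
            continue
        # Further ranges continue on unlabelled 'a - b' lines under 'Source addresses'.
        m = re.match(r"\s+(\S+)\s*-\s*(\S+)\s*$", line)
        if in_sources and m and ":" not in line:
            cur["ranges"].append((_to_int(m.group(1)), _to_int(m.group(2))))
            continue
        in_sources = False
        m = re.match(r"\s*(%s)\s*:\s*(\S+)" % "|".join(FIELDS), line)
        if m:
            key = FIELDS[m.group(1)]
            cur[key] = int(m.group(2)) if key in ("position", "hits") else m.group(2)
    return rules

def parse_source_nat_pools(text):
    """{pool name: translation hits} from 'show security nat source pool all'."""
    pools, name = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Pool name\s*:\s*(\S+)", line)
        if m:
            name = m.group(1)
        m = re.match(r"\s*Translation hits\s*:\s*(\d+)", line)
        if m and name:
            pools[name] = int(m.group(1))
    return pools

def find_shadowed_rules(rules):
    """Rules whose every source range is fully covered by an earlier rule of the same
    rule-set, mapped to those earlier rules. Rules are evaluated first-match in position
    order, so such a rule can never be hit. Only source addresses are compared."""
    ordered = sorted(rules, key=lambda r: (r["rule_set"], r["position"]))
    shadowed = {}
    for i, later in enumerate(ordered):
        blockers = [e["name"] for e in ordered[:i] if e["rule_set"] == later["rule_set"]
                    and all(any(a <= lo and hi <= b for a, b in e["ranges"])
                            for lo, hi in later["ranges"])]
        if blockers:
            shadowed[later["name"]] = blockers
    return shadowed

def unused_rules(rules):
    return [r["name"] for r in rules if r["hits"] == 0]

def unused_pools(rules, pools):
    """Pools with zero hits, each with the rules that reference it: none of those rules has fired."""
    return {p: [r["name"] for r in rules if r["action"] == p] for p, h in pools.items() if h == 0}
```

Run against the samples, find_shadowed_rules reports that rule 3 is shadowed by rule 2, unused_rules returns rule 3, and unused_pools shows POOL-A unused because only rule 3 references it. On a live device the same functions can be fed the captured output of the two commands; after the rule swap described in the next section, the shadowed set is empty.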
 

Results after swapping order of NAT Source Rules

The outputs above show that Rule 2 and Rule 3 are in the wrong order, which is why Rule 3 is never hit.
To correct this, Rules 2 and 3 need to be swapped.  For an example of how to do this, refer to KB21783 - Checking and reordering NAT Rules.

After swapping the rules, re-run the following command.  Notice that the Translation hits counter for Rule 3 is no longer 0.

user@srx> show security nat source rule all

Total rules: 3
 
source NAT rule: 1           Rule-set: RULE-SET1
  Rule-Id                    : 5
  Rule position              : 1
  From zone                  : trust
  To zone                    : untrust
  Match
    Source addresses         : 192.168.1.0 - 192.168.1.255
                               10.16.2.0   - 10.16.2.255
    Destination port         : 0           - 0
    Persistent NAT type         : N/A
    Persistent NAT mapping type : address-port-mapping 
    Inactivity timeout          : 0
    Max session number          : 0 
  Translation hits           : 100
 
source NAT rule: 3           Rule-set: RULE-SET1 ##The Rule is now corrected and the number of hits = 1
  Rule-Id                    : 7
  Rule position              : 2
  From zone                  : trust
  To zone                    : untrust
  Match                                 
    Source addresses         : 192.168.5.6     - 192.168.5.6
    Destination port         : 0               - 0
  Action                        : POOL-A
    Persistent NAT type         : N/A 
    Persistent NAT mapping type : address-port-mapping
    Inactivity timeout          : 0
    Max session number          : 0 
  Translation hits              : 1

source NAT rule: 2           Rule-set: RULE-SET1 
  Rule-Id                    : 6  
  Rule position              : 3
  From zone                  : trust
  To zone                    : untrust
  Match
    Source addresses         : Any             - 255.255.255.255
    Destination port         : 0               - 0
  Action                     : interface
    Persistent NAT type      : N/A              
    Persistent NAT mapping type : address-port-mapping
    Inactivity timeout          : 0
    Max session number          : 0 
    Translation hits            : 10


user@srx> show security nat source pool all
Total pools: 1

Pool name          : POOL-A
Pool id            : 4
Routing instance   : default 
Host address base  : 0.0.0.0
Port               : [1024, 63487] 
Total addresses    : 1 
Translation hits   : 1 ##Pool usage is now 1 because the Rule for this Pool is hit once
Address range                        Single Ports   Twin Ports 
       25.46.250.37 - 25.46.250.37       0              0    

Modification History:
2020-06-12: Article reviewed for accuracy; no changes required