Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

Resolution Guide – SRX - Troubleshoot Destination NAT

0

0

Article ID: KB21839 KB Last Updated: 14 Aug 2020Version: 3.0
Summary:

This article will assist you in Destination NAT (Network Address Translation) troubleshooting in a step-by-step approach.

For assistance with troubleshooting Source NAT or Static NAT, refer to KB21922 - Resolution Guides and Articles - SRX - NAT.

Symptoms:

Symptoms:

  • Users in the Internet cannot access the Web servers hosted behind the SRX because there is an issue with Destination NAT
  • Destination NAT is not working
Solution:

Perform the following steps:

Note: For the flowchart version of these steps, click the flowchart icon:

 

  1. Confirm the configuration by running the edit mode command:  show security nat destination

    Refer to KB15758 - SRX Getting Started - Configure NAT (Network Address Translation) for NAT configuration examples.

    Does the NAT configuration appear correct?

    • Yes - Continue to Step 2
    • No - Correct the configuration. Then run traffic again to retest. If it still fails continue to Step 5.
  2. Is the Destination NAT configuration using the external interface IP address?

    • Yes - Jump to Step 5
    • No - Continue to Step 3
  3. Is the destination IP address (configured for Destination NAT) in the same subnet as the external interface IP address?  (For example, if the Destination NAT address is 1.1.1.2, and the SRX external IP address is 1.1.1.1/24, then the Destination NAT IP adddress is on the same subnet ast the SRX external IP address.)

    • Yes - Continue to Step 4
    • No - Jump to Step 5
  4. Run the configuration command:  show security nat proxy-arp

    Is Proxy ARP configured for the Destination NAT IP address?  For more information on Proxy ARP and how to configure it, go to KB21785 - [SRX] When and how to configure Proxy ARP.

    • Yes - Continue to Step 5
    • No - Configure Proxy ARP, and run the traffic to retest. If still the traffic does not pass, continue to Step 5
  5. Check if the NAT rule is being hit by viewing the Translation Hits for a particular rule. 
    Run the command: 
    show security nat destination rule <rulename>/all     (For more information, refer to KB21886 - Verify Destination NAT rules are in order and working correctly.)

    Does the Translation hits increase?

    • Yes - Jump to Step 7
    • No - Continue to Step 6
  6. Using Firewall Filters, check if the traffic from the client to the Destination NAT IP address is reaching the SRX (external interface).  For an example of how to setup Firewall Filters to count the ingress packets, go to KB21872 - [SRX] Example Firewall Filter used to count the number of incoming packets.

    Do you see the filter packet counters increase?

    • Yes - Continue to Step 7
    • No - Troubleshoot with the network administrator or ISP to see if the packet is being dropped and determine why it is not reaching the SRX. If the ISP does not agree that they are dropping the packets, continue with Step 7 to show them that the packet is not reaching the SRX.
  7. Setup Traceoptions and configure Packet Filters for the Source IP address (the client) and Destination IP address (the Destination NAT IP address).  For more information on how to setup traceoptions, refer KB16108 - SRX Getting Started -- Configuring Traceoptions for Debugging and Trimming Output.

    Did you find where the packet is being dropped? For more on how to analyze the traceoptions for packet drops, refer KB21757 - How to interpret Flow Traceoptions (For NAT troubleshooting).
Modification History:
2020-08-14: Fixed broken link.
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search