Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

Resolution Guide – SRX - Troubleshoot Static NAT



Article ID: KB21892 KB Last Updated: 25 Nov 2013Version: 5.0

This article will assist you in Static NAT (Network Address Translation) troubleshooting in a step-by-step approach.

For assistance with troubleshooting Source NAT or Destination NAT, refer to KB21922 - Resolution Guides and Articles - SRX - NAT.



  • Internet users cannot access the Web servers hosted behind SRX because there is an issue with Static NAT
  • Static NAT is not working


Perform the following steps:

Note: For the flowchart version of these steps, click the flowchart icon:

Step 1. Confirm the configuration by running the edit mode command:  show security nat static

Refer to KB15758 - SRX Getting Started - Configure NAT (Network Address Translation) for NAT configuration examples.

Does the NAT configuration appear correct?

Yes - Continue to Step 2
No - Correct the configuration. Then run traffic again to retest. If it still fails continue to Step 4.

Step 2. Is the Destination IP (the Static NAT address) in the same subnet as the SRX external interface? 
(For example, if the Static NAT address is, and the SRX external IP address is, then the Static NAT address is on the same subnet as the SRX external IP address.)

Yes - Continue to Step 3
No - Jump to Step 4

Step 3.  Run the configuration command:  show security nat proxy-arp

Is Proxy ARP configured for the Static NAT address?   For more information on Proxy ARP and how to configure it, go to KB21785 - [SRX] When and how to configure Proxy ARP.

Yes - Continue to Step 4
No - Configure Proxy ARP and recheck. If still the traffic does not pass, go to Step 4

Step 4. Check if the NAT rule is being hit, by viewing the Translation Hits for a particular rule. For an example, go to KB21918 - Verify Static NAT Rules are being used.
Run the command show security nat static all/<rulename>

Do you see the Translation hits increase?

Yes - Jump to Step 6
No - Continue to Step 5

Step 5. Using Firewall Filters, check if the traffic from the client to the Static NAT address is reaching the SRX (external interface).
For more info on how to setup firewall filters to count the ingress packets, go to KB21872 - [SRX] Example firewall filter used to count the number of incoming packets.

Do you see the filter packet counters increase?

Yes - Continue to Step 6
No - Troubleshoot with the network administrator or ISP to see if the packet is being dropped and determine why it is not reaching the SRX. If the ISP does not agree that they are dropping the packets, continue with Step 6 to show them that the packet is not reaching the SRX.

Step 6. Setup Traceoptions and configure Packet Filters for the Source IP address (the client) and Destination IP address (the Static NAT address).
For more info on how to setup traceoptions, refer KB16108 - SRX Getting Started -- Configuring Traceoptions for Debugging and Trimming Output .

Did you find where the packet is being dropped? For more on how to analyze the traceoptions for packet drops, refer KB21757 - How to interpret Flow Traceoptions (for NAT troubleshooting).

Yes - Correct the issue and check again
No - Collect the information in KB21781 - SRX Data Collection Checklist - Logs/data to collect for troubleshooting, and open a case with your Technical Support Representative

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search