This article walks through troubleshooting Static NAT (Network Address Translation) step by step.
For assistance with troubleshooting Source NAT or Destination NAT, refer to
KB21922 - Resolution Guides and Articles - SRX - NAT.
Perform the following steps:
Step 1: Confirm the configuration by running the edit mode command: show security nat static
Refer to
KB15758 - SRX Getting Started - Configure NAT (Network Address Translation) for NAT configuration examples.
Does the NAT configuration appear correct?
Yes - Continue to Step 2
No - Correct the configuration. Then run traffic again to retest. If it still fails, continue to Step 4.
Step 2: Is the Destination IP (the Static NAT address) in the same subnet as the SRX external interface?
(For example, if the Static NAT address is 1.1.1.2, and the SRX external IP address is 1.1.1.1/24, then the Static NAT address is on the same subnet as the SRX external IP address.)
Yes - Continue to Step 3
No - Jump to Step 4
Step 3: Run the configuration command: show security nat proxy-arp
Is Proxy ARP configured for the Static NAT address? For more information on Proxy ARP and how to configure it, go to KB21785 - [SRX] When and how to configure Proxy ARP.
Yes - Continue to Step 4
No - Configure Proxy ARP and recheck. If the traffic still does not pass, go to Step 4.
Step 4: Check if the NAT rule is being hit by viewing the Translation Hits for a particular rule. For an example, go to KB21918 - Verify Static NAT Rules are being used.
Run the command show security nat static rule all (or show security nat static rule <rulename>)
Do you see the Translation hits increase?
Yes - Jump to Step 6
No - Continue to Step 5
Step 5: Using Firewall Filters, check if the traffic from the client to the Static NAT address is reaching the SRX (external interface).
For more information on how to set up firewall filters to count the ingress packets, go to KB21872 - [SRX] Example firewall filter used to count the number of incoming packets.
Do you see the filter packet counters increase?
Yes - Continue to Step 6
No - Troubleshoot with the network administrator or ISP to see if the packet is being dropped and determine why it is not reaching the SRX. If the ISP does not agree that they are dropping the packets, continue with Step 6 to show them that the packet is not reaching the SRX.
Step 6: Set up Traceoptions and configure Packet Filters for the Source IP address (the client) and Destination IP address (the Static NAT address).
For more information on how to set up traceoptions, refer to KB16108 - SRX Getting Started -- Configuring Traceoptions for Debugging and Trimming Output.
Did you find where the packet is being dropped? For more on how to analyze the traceoptions for packet drops, refer to KB21757 - How to interpret Flow Traceoptions (for NAT troubleshooting).
Yes - Correct the issue and check again
No - Collect the information in KB21781 - SRX Data Collection Checklist - Logs/data to collect for troubleshooting, and open a case with your Technical Support Representative
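The subnet and Proxy ARP checks in Steps 2 and 3 can be run across every static NAT rule at once. The script below is an added example, not part of the original article or Juniper tooling; it assumes IPv4 configuration in "display set" format, and the function name audit_proxy_arp and the sample configuration (built around the article's 1.1.1.1/24 and 1.1.1.2 example) are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in "display set" format (assumption; not taken from a real device).
SAMPLE_CONFIG = """\
set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.1/24
set security nat static rule-set rs1 from zone untrust
set security nat static rule-set rs1 rule r1 match destination-address 1.1.1.2/32
set security nat static rule-set rs1 rule r1 then static-nat prefix 192.168.1.2/32
set security nat static rule-set rs1 rule r2 match destination-address 1.1.1.3/32
set security nat static rule-set rs1 rule r2 then static-nat prefix 192.168.1.3/32
set security nat static rule-set rs1 rule r3 match destination-address 2.2.2.2/32
set security nat static rule-set rs1 rule r3 then static-nat prefix 192.168.1.4/32
set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.2/32
"""

IFACE_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+)")
NAT_RE = re.compile(r"^set security nat static rule-set (\S+) rule (\S+) match destination-address (\S+)")
ARP_RE = re.compile(r"^set security nat proxy-arp interface (\S+) address (\S+)(?: to (\S+))?")

def audit_proxy_arp(config):
    """Map each static NAT rule to 'routed', 'proxy-arp ok' or 'proxy-arp missing on <ifl>'."""
    ifaces, rules, arp = {}, {}, []
    for line in map(str.strip, config.splitlines()):
        if m := IFACE_RE.match(line):
            ifaces[f"{m[1]}.{m[2]}"] = ipaddress.ip_interface(m[3])
        elif m := NAT_RE.match(line):
            rules[f"{m[1]}/{m[2]}"] = ipaddress.ip_network(m[3], strict=False)
        elif m := ARP_RE.match(line):
            # A proxy-arp entry is a single prefix or a "low to high" range.
            lo = ipaddress.ip_network(m[2], strict=False).network_address
            hi = ipaddress.ip_network(m[3] or m[2], strict=False).broadcast_address
            arp.append((m[1], lo, hi))
    verdicts = {}
    for name, nat in rules.items():
        # Step 2: is the static NAT address inside a directly connected subnet?
        ifl = next((n for n, i in ifaces.items()
                    if i.version == nat.version and nat.subnet_of(i.network)), None)
        if ifl is None:
            verdicts[name] = "routed"  # not on an SRX subnet: skip Step 3, go to Step 4
        # Step 3: a proxy-arp entry on that interface must cover the whole NAT prefix.
        elif any(a == ifl and lo <= nat.network_address and nat.broadcast_address <= hi
                 for a, lo, hi in arp):
            verdicts[name] = "proxy-arp ok"
        else:
            verdicts[name] = f"proxy-arp missing on {ifl}"
    return verdicts

if __name__ == "__main__":
    for rule, verdict in audit_proxy_arp(SAMPLE_CONFIG).items():
        print(f"{rule}: {verdict}")
```

A "proxy-arp missing" verdict corresponds to the "No" branch of Step 3; a "routed" verdict corresponds to the "No" branch of Step 2.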