SRX


One of the servers not using interface source NAT?

  • 1.  One of the servers not using interface source NAT?

    Posted 10-14-2020 09:00

    Hi all,

    I have something weird on an SRX5800 cluster and I'm not sure whether it is normal or not. I have one server that has "destination NAT" configured to it. The IP segment for the destination NAT is not the same as the IP of the source NAT interface.

    When I ping from the server itself to a destination in a different zone, it uses the "destination NAT" IP instead of the "source NAT" interface IP that it supposedly must use. I can see it when I execute the command "show security flow session source-prefix". Is it normal due to having destination NAT, or is it not normal?

    Thanks and appreciate any feedback.



  • 2.  Re: One of the servers not using interface source NAT?

    Posted 10-20-2020 03:01

    Is the NAT rule under security nat destination or security nat static?

    This would be the expected behavior for static but not destination.

    If it is under destination, the other possibility is that the ICMP traffic had an existing session from the inbound direction prior to your outbound ping. Then the match would occur without creating a new session. This you could verify with your view of the session table.
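The distinction drawn in the reply above (static NAT is bidirectional, destination NAT only rewrites inbound sessions, and a pre-existing inbound session can be matched by a later outbound ping) is easier to see next to the configuration. The following is an added Junos set-style example, not configuration from the original thread or from the poster's SRX5800; the zone names, rule-set and rule names, pool name and addresses (10.1.1.0/24 and 203.0.113.10 are constructed RFC 1918 / RFC 5737 values) are assumptions.

```junos
## Added example, not from the thread. All names and addresses are constructed.
## Internal server 10.1.1.10 sits in zone "trust" and is reachable from "untrust" as 203.0.113.10.

## (a) Source NAT to the egress interface address for everything leaving trust.
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule snat-interface match source-address 10.1.1.0/24
set security nat source rule-set trust-to-untrust rule snat-interface then source-nat interface

## (b) Destination NAT is one-directional: only inbound sessions to 203.0.113.10 are rewritten.
##     A new outbound session from 10.1.1.10 is still translated by rule-set (a).
set security nat destination pool srv-10-1-1-10 address 10.1.1.10/32
set security nat destination rule-set from-untrust from zone untrust
set security nat destination rule-set from-untrust rule dnat-srv match destination-address 203.0.113.10/32
set security nat destination rule-set from-untrust rule dnat-srv then destination-nat pool srv-10-1-1-10

## (c) Static NAT is bidirectional: same inbound effect as (b), but outbound sessions from
##     10.1.1.10 are sourced from 203.0.113.10, because static NAT is evaluated before
##     destination and source NAT. Configure (b) or (c) for an address, not both.
set security nat static rule-set static-srv from zone untrust
set security nat static rule-set static-srv rule static-srv match destination-address 203.0.113.10/32
set security nat static rule-set static-srv rule static-srv then static-nat prefix 10.1.1.10/32

## Operational-mode checks. Clear the server's sessions first so the test ping creates a new
## session instead of matching a stale inbound one, then read the "Out" wing of the new session.
clear security flow session source-prefix 10.1.1.10
show security flow session source-prefix 10.1.1.10
show security nat static rule all
show security nat destination rule all
show security nat source rule all
```

In the session output, the In wing shows 10.1.1.10 toward the destination and the Out wing shows the translated source. With (a) plus (b) the Out wing carries the egress interface address; with (c) it carries 203.0.113.10. If the Out wing still shows 203.0.113.10 with only (a) and (b) configured, check whether `show security nat static rule all` lists a rule you did not expect, and whether the session you are looking at was created from the inbound direction (its In wing would then be the remote host, not 10.1.1.10).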

     



  • 3.  Re: One of the servers not using interface source NAT?

    Posted 10-20-2020 04:04

    Hi Spuluka,

    The rule is under destination NAT. I tried stopping the session, for example by stopping a continuous ping and pinging again, and it still uses the IP under destination NAT, not the IP of the source NAT interface. Supposedly it should use the source NAT interface IP for outgoing traffic, right?

    Thanks and appreciate your feedback