SRX

Expand all | Collapse all

SRX SNAT FLOW SESSION

Jump to Best Answer
  • 1.  SRX SNAT FLOW SESSION

    Posted 04-30-2020 20:53

    I am struggling in uderstanding the SNAT. 

     

    Below is the flow session:

     

    Session ID: 443, Policy name: OK/6, Timeout: 2, Valid
    In: 192.168.111.2/51744 --> 91.201.212.238/80;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 6, Bytes: 430,
    Out: 91.201.212.238/80 --> 172.30.124.59/16613;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 4, Bytes: 467,
     
    We can say, there is a SNAT applied as the source is changed from 192.168.111.2 to 172.30.124.59. 
     
    Now, when we look at the SRX packet handing diagram:
     
    SRXpacketFlow.gif
     
     
    The route lookup actually happened before SNAT. So, my confusion is:
     
    - If route lookup is done before SNAT, then how can SRX know to where forward the packet after doing SNAT as I mentioned in the above flow session example?
     
    - If SNAT configuration has all the routing-related information such as zone, which interface to go then it still applies to policy check, however, the policy check also done before SNAT.
     
    Please share your thoughts so that it makes sense how actually SRX behaves in this scenario.
     
    Thank you.
     


  • 2.  RE: SRX SNAT FLOW SESSION
    Best Answer

     
    Posted 04-30-2020 21:03

    Hi,

     

    The route lookup happens on the destination IP and hence the Dst-NAT if any is always done before the route lookup as you can see in the flow diagram.

     

    Source NAT does not have any impact on the route lookup. Hope this helps.

     

    Thanks and Regards,

    Pradeep Kumar M

     

    || If this solves your problem, please mark this post as "Accepted Solution" so we can help others too ||



  • 3.  RE: SRX SNAT FLOW SESSION

    Posted 05-08-2020 19:17

    Thanks, Pradkm. This sentence removes the confusion - "Source NAT does not have any impact on the route lookup".

     

    Regards.