That rule-session-count-alarm is just an artifact from using J-Web. I've removed it.
root@GATEWAY> show security flow session destination-prefix 172.22.1.27/32
Total sessions: 0

root@GATEWAY> show security flow session destination-prefix 172.22.1.0/24
Session ID: 77309438102, Policy name: self-traffic-policy/1, Timeout: 6, Session State: Valid
  In: 172.22.1.38/62655 --> 172.22.1.1/161;udp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 122,
  Out: 172.22.1.1/161 --> 172.22.1.38/62655;udp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 140,

Session ID: 55834603762, Policy name: self-traffic-policy/1, Timeout: 60, Session State: Valid
  In: 172.22.1.1/514 --> 172.22.1.17/514;udp, Conn Tag: 0x0, If: .local..0, Pkts: 2039, Bytes: 343961,
  Out: 172.22.1.17/514 --> 172.22.1.1/514;udp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 0, Bytes: 0,

Session ID: 77309442367, Policy name: self-traffic-policy/1, Timeout: 1800, Session State: Valid
  In: 172.22.1.17/51469 --> 172.22.1.1/22;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 309, Bytes: 22036,
  Out: 172.22.1.1/22 --> 172.22.1.17/51469;tcp, Conn Tag: 0x0, If: .local..0, Pkts: 312, Bytes: 38401,

Session ID: 77309447908, Policy name: self-traffic-policy/1, Timeout: 2, Session State: Valid
  In: 172.22.25.164/16748 --> 172.22.1.1/43915;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 46,
  Out: 172.22.1.1/43915 --> 172.22.25.164/16748;icmp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 46,
Total sessions: 4

root@GATEWAY>
Is this warning relevant? I don't use fxp0.
[edit]
root@GATEWAY# show routing-options
static {
    route 0.0.0.0/0 next-hop pp0.0;
}
[edit]
root@GATEWAY# commit and-quit
[edit security]
'nat'
warning: Configuring NAT rule with match address 0.0.0.0/0 and source-nat/destination-nat off
adds default reject route, causing fxp0's IP not accessible from outside subnets.
commit complete
Exiting configuration mode
root@GATEWAY>
------------------------------
Cole Tarbet
------------------------------
Original Message:
Sent: 11-06-2022 06:39
From: STEVE PULUKA
Subject: SRX320 - Destination NAT not working
All of the elements appear to be configured
- Nat rule and pool
- proxy arp
- security policy
The only unusual thing I see is this parameter on the 443 nat rule that is not on the other ports for this address. What is this for? I'm not familiar with the command.
rule-session-count-alarm raise-threshold 4294967295 clear-threshold 1;
Also during the test can you look at the active session table using the destination nat address
show security flow session destination-address 172.22.1.27/32
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
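The three elements listed above (NAT rule and pool, proxy ARP, security policy), written out as one Junos configuration in hierarchical format. This is an added example, not part of this thread or of the poster's pasted config: the rule-set rs1, rule r2, pool name dst-nat-pool-powerschool and the internal host 172.22.1.27 are taken from the thread, while the public address 203.0.113.52, the untrust interface ge-0/0/0.0 and the address-book and policy names are placeholders I chose. Two points the config is meant to make visible: the security policy matches the translated (internal) address, because the SRX performs destination NAT before the policy lookup, so a policy written against the public address never matches; and the proxy-arp stanza is only needed when the NAT address is a second address on an Ethernet untrust interface, not for a point-to-point PPPoE interface such as pp0.0, which has no ARP at all.

```junos
security {
    nat {
        destination {
            /* pool: the real server behind the public address */
            pool dst-nat-pool-powerschool {
                address 172.22.1.27/32 port 443;
            }
            rule-set rs1 {
                from zone untrust;
                rule r2 {
                    match {
                        /* placeholder public address; on the SRX this is the untrust-side IP */
                        destination-address 203.0.113.52/32;
                        destination-port {
                            443;
                        }
                    }
                    then {
                        destination-nat {
                            pool {
                                dst-nat-pool-powerschool;
                            }
                        }
                    }
                }
            }
        }
        /* only for an Ethernet untrust interface whose own IP differs from the NAT address;
           omit for a PPPoE (pp0.0) uplink, which carries no ARP */
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    203.0.113.52/32;
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                /* post-NAT address: this is what the policy must match */
                address powerschool-server 172.22.1.27/32;
            }
        }
    }
    policies {
        from-zone untrust to-zone trust {
            policy permit-powerschool-https {
                match {
                    source-address any;
                    destination-address powerschool-server;
                    application junos-https;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

After committing, "show security nat destination rule all" shows whether the rule is being hit, and "show security flow session destination-address 172.22.1.27/32" (the check suggested above) shows whether sessions are actually being built to the translated address. A rule that counts translation hits but zero successful sessions has matched the NAT rule and then failed one of the steps that follow translation, typically the untrust-to-trust policy lookup against the internal address or the route lookup toward it, so those two are the places to look next.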
Original Message:
Sent: 11-05-2022 19:12
From: COLE TARBET
Subject: SRX320 - Destination NAT not working
Hi everyone, I am moving this production config from an SRX300 (failed) to an SRX320.
My Destination NAT setup is not working - I can't access the internal web servers.
Since everything is so similar and worked before, I'm really not sure what's going on.
juniper-srx320-config-2022-11-05 - Pastebin.com
I can see that the translations are being hit, but no sessions are being created.
show security nat destination rule
Destination NAT rule: r2          Rule set : rs1
  Description          : PowerSchool 443
  Rule Id              : 2
  Rule position        : 2
  From zone            : untrust
    Destination addresses : 555.555.555.52 - 555.555.555.52
    Destination port      : 443 - 443
  Action               : dst-nat-pool-powerschool
  Translation hits     : 239
    Successful sessions  : 0
    Number of sessions   : 0

root@GATEWAY> show route

inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:22:12
                    > via pp0.0
333.333.333.47/32  *[Local/0] 00:22:12
                      Local via pp0.0
172.22.0.0/16      *[Direct/0] 00:27:25
                    > via ge-0/0/1.0
555.555.555.14/32  *[Direct/0] 00:22:12
                    > via pp0.0
------------------------------
COLE TARBET
------------------------------