Static or destination NAT is not working in filter based forwarding or source-based routing scenario

The user has two ISPs, ISP-1 and ISP-2, connected to the SRX on ge-0/0/0 and ge-0/0/1 respectively. Both ISP interfaces are in the same security zone, untrust. A server (192.168.1.69) is connected on ge-0/0/2, and a static (or destination) NAT is configured on the device for all packets arriving from zone untrust. The user wants all traffic from the server to leave via ISP-1. The topology is as follows:

[Topology diagram: ISP-1 on ge-0/0/0 and ISP-2 on ge-0/0/1, both in zone untrust; server 192.168.1.69 on ge-0/0/2, reachable from the Internet as 192.168.3.69 via static NAT]
The configuration is as follows:

If we ping from the server 192.168.1.69 to the Internet (say 192.168.5.1), the ping succeeds, but a ping from the Internet (192.168.5.1) to 192.168.3.69 (the public IP of 192.168.1.69) fails. We want pings from the Internet to the server to succeed as well.
Enabling flow traceoptions on the device shows why the packet is being dropped:

The fix is to change the routing instance from type "forwarding" to type "virtual-router" and place interface ge-0/0/0 in that virtual router. A forwarding instance is only consulted for packets that a firewall filter steers into it, and that filter sits on the server-facing interface, so Internet-originated packets arriving on ge-0/0/0 are still looked up in the master table, inet.0, whose default route points to ISP-2 via ge-0/0/1. Once ge-0/0/0 belongs to a virtual router, every packet arriving on it is looked up in that instance's table, where the default route goes out via ISP-1, i.e. ge-0/0/0. Because all interfaces in a security zone must belong to the same routing instance, ISP-1 and ISP-2 now also need separate zones. The new configuration is as follows:
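
The article's own configuration listings did not survive on this page. What follows is an added reconstruction, not the article's configuration, of the two states it describes: the broken filter-based-forwarding setup with an instance of type forwarding, and the delta that converts it to a virtual-router with its own zone. Only 192.168.1.69, 192.168.3.69 and 192.168.5.1 come from the article; the interface and gateway addresses (192.168.3.2/24 and gateway 192.168.3.1 for ISP-1, 192.168.4.2/24 and gateway 192.168.4.1 for ISP-2, 192.168.1.1/24 for the server LAN), the server LAN prefix 192.168.1.0/24, and the names ISP-1, FBF-RG, TO-ISP1, SERVER, untrust-isp1, TO-SRV and FROM-SRV are assumptions. The next-table route that gives the virtual router a path back to the server LAN is also an assumption; the article does not say how that was solved.

```junos
## ---- BEFORE: FBF with an instance of type "forwarding" (Internet -> server fails) ----
## Addresses, prefixes and object names below are assumptions, not from the article.
set interfaces ge-0/0/0 unit 0 family inet address 192.168.3.2/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.4.2/24
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.1/24
set interfaces ge-0/0/2 unit 0 family inet filter input TO-ISP1
## inet.0 default route goes to ISP-2 (assumed gateway 192.168.4.1)
set routing-options static route 0.0.0.0/0 next-hop 192.168.4.1
## Forwarding instance with its own default route to ISP-1 (assumed gateway 192.168.3.1),
## populated with the interface routes of inet.0 through a rib-group
set routing-instances ISP-1 instance-type forwarding
set routing-instances ISP-1 routing-options static route 0.0.0.0/0 next-hop 192.168.3.1
set routing-options rib-groups FBF-RG import-rib [ inet.0 ISP-1.inet.0 ]
set routing-options interface-routes rib-group inet FBF-RG
## Only packets entering ge-0/0/2 hit this filter, so only server-originated traffic is
## looked up in ISP-1.inet.0; packets from the Internet arriving on ge-0/0/0 are still
## looked up in inet.0, whose default route points out ge-0/0/1 (ISP-2)
set firewall family inet filter TO-ISP1 term FROM-SERVER from source-address 192.168.1.0/24
set firewall family inet filter TO-ISP1 term FROM-SERVER then routing-instance ISP-1
set firewall family inet filter TO-ISP1 term REST then accept
## Both ISP interfaces share one zone; static NAT answers for 192.168.3.69 on ge-0/0/0
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone trust interfaces ge-0/0/2.0
set security nat static rule-set SERVER from zone untrust
set security nat static rule-set SERVER rule SRV match destination-address 192.168.3.69/32
set security nat static rule-set SERVER rule SRV then static-nat prefix 192.168.1.69/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.3.69/32
set security policies from-zone untrust to-zone trust policy TO-SRV match source-address any
set security policies from-zone untrust to-zone trust policy TO-SRV match destination-address any
set security policies from-zone untrust to-zone trust policy TO-SRV match application junos-icmp-ping
set security policies from-zone untrust to-zone trust policy TO-SRV then permit

## ---- AFTER: delta that turns ISP-1 into a virtual-router owning ge-0/0/0 ----
delete routing-instances ISP-1
delete routing-options rib-groups FBF-RG
delete routing-options interface-routes rib-group inet
set routing-instances ISP-1 instance-type virtual-router
set routing-instances ISP-1 interface ge-0/0/0.0
set routing-instances ISP-1 routing-options static route 0.0.0.0/0 next-hop 192.168.3.1
## Packets arriving on ge-0/0/0 are now looked up in ISP-1.inet.0, so the reverse route to
## 192.168.5.1 resolves out ge-0/0/0 as well. ISP-1.inet.0 still needs a path to the server
## LAN, which lives in inet.0 (assumption: a next-table route; a rib-group would also do)
set routing-instances ISP-1 routing-options static route 192.168.1.0/24 next-table inet.0
## The TO-ISP1 filter is unchanged: "then routing-instance ISP-1" works for a VR too.
## A zone cannot span routing instances, so ge-0/0/0 moves to its own zone
delete security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust-isp1 interfaces ge-0/0/0.0
## Re-point the NAT rule-set and the policies at the new zone
delete security nat static rule-set SERVER from zone untrust
set security nat static rule-set SERVER from zone untrust-isp1
delete security policies from-zone untrust to-zone trust policy TO-SRV
set security policies from-zone untrust-isp1 to-zone trust policy TO-SRV match source-address any
set security policies from-zone untrust-isp1 to-zone trust policy TO-SRV match destination-address any
set security policies from-zone untrust-isp1 to-zone trust policy TO-SRV match application junos-icmp-ping
set security policies from-zone untrust-isp1 to-zone trust policy TO-SRV then permit
set security policies from-zone trust to-zone untrust-isp1 policy FROM-SRV match source-address any
set security policies from-zone trust to-zone untrust-isp1 policy FROM-SRV match destination-address any
set security policies from-zone trust to-zone untrust-isp1 policy FROM-SRV match application any
set security policies from-zone trust to-zone untrust-isp1 policy FROM-SRV then permit
```

After committing, `show route table ISP-1.inet.0` should list the default route via ge-0/0/0.0 and 192.168.1.0/24 pointing at inet.0, and `show security flow session destination-prefix 192.168.3.69` should show the session's In interface as ge-0/0/0.0. The inbound policy is deliberately limited to junos-icmp-ping to match the article's test; add the real server applications explicitly rather than opening the zone with a permit-all default policy.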

With the new configuration the same traceoptions entry now reads:
Apr 23 23:44:41 23:44:41.609788:CID-0:RT: route lookup: dest-ip 192.168.5.1 orig ifp ge-0/0/0.0 output_ifp ge-0/0/0.0 orig-zone 10 out-zone 10 vsd 0
Both the original and the output interface are now the same, ge-0/0/0.0.

The session table confirms it:
xroot@220# run show security flow session protocol icmp
Session ID: 12067, Policy name: default-policy-00/2, Timeout: 2, Valid
In: 192.168.5.1/0 --> 192.168.3.69/3454;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 84
Out: 192.168.1.69/3454 --> 192.168.5.1/0;icmp, If: ge-0/0/2.0, Pkts: 1, Bytes: 84
Total sessions: 1
The session now shows ge-0/0/0.0 where ge-0/0/1.0 appeared earlier, and the Out wing shows the translated address 192.168.1.69, so the static NAT is being applied. Note that the policy name default-policy-00/2 means the session was permitted by the device's default policy rather than an explicit rule; in production, keep the default policy at deny-all and permit the server with an explicit policy from the ISP-1 zone to the server's zone.

About the author

James Palmer
