SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Persistent NAT fail

    Posted 03-12-2017 06:47

    Would someone please explain why this lab is not working?

    When I ping, I find persistent NAT is not working.

    [edit security policies]
    root# show
    from-zone public to-zone local {
        policy 1 {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone local to-zone public {
        policy 2 {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    policy-rematch;


    source {
        pool Ahmed {
            address {
                80.80.80.1/24;
            }
        }
        rule-set Ahmed {
            from zone local;
            to zone public;
            rule 1 {
                match {
                    source-address 10.10.10.2/32;
                    destination-address 7.7.7.2/32;
                }
                then {
                    source-nat {
                        pool {
                            Ahmed;
                            persistent-nat {
                                permit any-remote-host;
                            }
                        }
                    }
                }
            }
        }
    }


    [edit security nat]
    root# run show security flow session
    Session ID: 10108, Policy name: self-traffic-policy/1, Timeout: 918, Valid
    In: 3.3.3.10/54231 --> 3.3.3.1/22;tcp, If: ge-0/0/3.0, Pkts: 124, Bytes: 6740
    Out: 3.3.3.1/22 --> 3.3.3.10/54231;tcp, If: .local..0, Pkts: 205, Bytes: 21297

    Session ID: 10351, Policy name: self-traffic-policy/1, Timeout: 1800, Valid
    In: 3.3.3.10/55850 --> 3.3.3.1/22;tcp, If: ge-0/0/3.0, Pkts: 258, Bytes: 15480
    Out: 3.3.3.1/22 --> 3.3.3.10/55850;tcp, If: .local..0, Pkts: 284, Bytes: 29853

    Session ID: 10459, Policy name: 2/8, Timeout: 2, Valid
    In: 10.10.10.2/5107 --> 7.7.7.2/1;icmp, If: ge-0/0/2.0, Pkts: 1, Bytes: 60
    Out: 7.7.7.2/1 --> 80.80.80.135/16252;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60

    Session ID: 10460, Policy name: 2/8, Timeout: 2, Valid
    In: 10.10.10.2/5108 --> 7.7.7.2/1;icmp, If: ge-0/0/2.0, Pkts: 1, Bytes: 60
    Out: 7.7.7.2/1 --> 80.80.80.136/14942;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60

    Session ID: 10461, Policy name: 2/8, Timeout: 4, Valid
    In: 10.10.10.2/5109 --> 7.7.7.2/1;icmp, If: ge-0/0/2.0, Pkts: 1, Bytes: 60
    Out: 7.7.7.2/1 --> 80.80.80.137/12065;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60

    Session ID: 10462, Policy name: 2/8, Timeout: 4, Valid
    In: 10.10.10.2/5110 --> 7.7.7.2/1;icmp, If: ge-0/0/2.0, Pkts: 1, Bytes: 60
    Out: 7.7.7.2/1 --> 80.80.80.138/12265;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60



  • 2.  RE: Persistent NAT fail
    Best Answer

    Posted 03-13-2017 00:59

    Hello,

    Are you expecting that whenever 10.10.10.2 speaks with 7.7.7.2, it should get source-NATed to the same IP address from the pool?

    If that is the case, you will require the address persistent configuration.

    Persistent NAT with any-remote-host only opens a bidirectional connection for any traffic coming from 7.7.7.2 to the NATed IP for a short duration of time.

    It does not ensure that the SRX will give the same IP address from the pool each time an IP goes out.

    I believe your configuration is working correctly.

    Regards,

    Rushi
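To make the point about pool allocation concrete, here is an added Python check (written for this thread; it is not from the original post, from Juniper, or from the KB article) that parses the `show security flow session` output quoted in the question and reports, per inside host, every translated address it was given. The Out wing of each session is the reverse direction, so its destination is the inside host's post-NAT (reflexive) address; the four ICMP sessions from 10.10.10.2 resolve to four different pool addresses, which is exactly the behaviour the reply describes as normal for a pool without `address-persistent` under `[edit security nat source]`. The sample text is the session listing from the post, embedded so the script runs offline.

```python
"""Check whether an SRX inside host kept one translated (reflexive) address
across sessions, using the text of 'show security flow session'."""
import re
from collections import defaultdict

# Session listing copied from the original post: two self-traffic SSH sessions
# (not source-NATed, so they are skipped) and the four ICMP sessions from
# 10.10.10.2 to 7.7.7.2 that each received a different pool address.
SAMPLE_OUTPUT = """\
Session ID: 10108, Policy name: self-traffic-policy/1, Timeout: 918, Valid
In: 3.3.3.10/54231 --> 3.3.3.1/22;tcp, If: ge-0/0/3.0, Pkts: 124, Bytes: 6740
Out: 3.3.3.1/22 --> 3.3.3.10/54231;tcp, If: .local..0, Pkts: 205, Bytes: 21297

Session ID: 10351, Policy name: self-traffic-policy/1, Timeout: 1800, Valid
In: 3.3.3.10/55850 --> 3.3.3.1/22;tcp, If: ge-0/0/3.0, Pkts: 258, Bytes: 15480
Out: 3.3.3.1/22 --> 3.3.3.10/55850;tcp, If: .local..0, Pkts: 284, Bytes: 29853

Session ID: 10459, Policy name: 2/8, Timeout: 2, Valid
In: 10.10.10.2/5107 --> 7.7.7.2/1;icmp, If: ge-0/0/2.0, Pkts: 1, Bytes: 60
Out: 7.7.7.2/1 --> 80.80.80.135/16252;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60

Session ID: 10460, Policy name: 2/8, Timeout: 2, Valid
In: 10.10.10.2/5108 --> 7.7.7.2/1;icmp, If: ge-0/0/2.0, Pkts: 1, Bytes: 60
Out: 7.7.7.2/1 --> 80.80.80.136/14942;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60

Session ID: 10461, Policy name: 2/8, Timeout: 4, Valid
In: 10.10.10.2/5109 --> 7.7.7.2/1;icmp, If: ge-0/0/2.0, Pkts: 1, Bytes: 60
Out: 7.7.7.2/1 --> 80.80.80.137/12065;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60

Session ID: 10462, Policy name: 2/8, Timeout: 4, Valid
In: 10.10.10.2/5110 --> 7.7.7.2/1;icmp, If: ge-0/0/2.0, Pkts: 1, Bytes: 60
Out: 7.7.7.2/1 --> 80.80.80.138/12265;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60
"""

# "Session ID: 10459, Policy name: 2/8, ..."
SESSION_RE = re.compile(r"^Session ID: (\d+), Policy name: (\S+),")
# "In: 10.10.10.2/5107 --> 7.7.7.2/1;icmp, ..."  (address/port pairs and protocol)
WING_RE = re.compile(r"^(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+)")


def parse_sessions(text):
    """Return one dict per session holding its policy and both wings."""
    sessions = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SESSION_RE.match(line)
        if m:
            current = {"id": int(m.group(1)), "policy": m.group(2)}
            sessions.append(current)
            continue
        m = WING_RE.match(line)
        if m and current is not None:
            wing = m.group(1).lower()            # "in" or "out"
            current[wing + "_src"] = m.group(2)  # address before the "-->"
            current[wing + "_dst"] = m.group(4)  # address after the "-->"
            current["proto"] = m.group(6)
    return sessions


def reflexive_addresses(sessions):
    """Map each inside source address to the set of translated addresses it
    received. The Out wing runs in the reverse direction, so its destination
    is the inside host's reflexive address; when it equals the In source the
    session was not source-NATed (for example self traffic) and is skipped."""
    seen = defaultdict(set)
    for s in sessions:
        inside, reflexive = s.get("in_src"), s.get("out_dst")
        if inside and reflexive and inside != reflexive:
            seen[inside].add(reflexive)
    return dict(seen)


def hosts_without_address_persistence(sessions):
    """Inside hosts whose reflexive address changed between sessions."""
    return sorted(host for host, addrs in reflexive_addresses(sessions).items()
                  if len(addrs) > 1)


if __name__ == "__main__":
    sess = parse_sessions(SAMPLE_OUTPUT)
    for host, addrs in reflexive_addresses(sess).items():
        print(f"{host} -> {sorted(addrs)}")
    print("hosts whose reflexive address changed:",
          hosts_without_address_persistence(sess))
```

Run against the quoted output it lists 10.10.10.2 with four pool addresses, so the lab is doing what a plain pool does; `persistent-nat permit any-remote-host` only controls who may initiate back to whichever address a session happens to hold, as the reply explains. Paste the output of a later `show security flow session` into `SAMPLE_OUTPUT` after enabling address persistence and the same check should report an empty list.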



  • 3.  RE: Persistent NAT fail

    Posted 03-13-2017 01:00

    Hello,

    Just to add, you can use the link below for further details.

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB20711&actp=METADATA

    Regards,

    Rushi



  • 4.  RE: Persistent NAT fail

    Posted 03-13-2017 02:17

    Eng/Rushi

    Thanks for your time and your help.

    And yes, I thought that the persistent NAT function ensures that the internal host will use the same reflexive address for all sessions, and allows hosts on the post-NAT side to initiate traffic towards its reflexive address.

    So I thought that the internal host has to initiate traffic first, so that persistent NAT will reserve an IP address from the source pool and allow hosts from the public side to initiate traffic toward that address....