SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  how to read a session information on SRX 1400

    Posted 02-06-2015 00:53

    Here is session information on an SRX 1400:


    Session ID: 20285605, Policy name: VPN-ACF-CCT-to-Remote/101, State: Active, Timeout: 2, Valid
    In: 10.1.138.32/3 --> 172.29.0.44/21;icmp, If: reth1.803, Pkts: 1, Bytes: 100
    Out: 172.29.0.44/21 --> 10.1.138.32/3;icmp, If: st0.14, Pkts: 1, Bytes: 100

     

    I want to ask about the third line. Does it mean that the FW receives a packet whose source is 172.29.0.44 and destination 10.1.138.32? Or does it just mean that the FW sends a packet whose source is 10.1.138.32 and destination 172.29.0.44 out of st0.14?

    Or something else?



  • 2.  RE: how to read a session information on SRX 1400
    Best Answer

     
    Posted 02-06-2015 01:46

    Out: 172.29.0.44/21 --> 10.1.138.32/3;icmp, If: st0.14, Pkts: 1, Bytes: 100

     

    This means the SRX received the packet from 172.29.0.44/21 destined to 10.1.138.32/3 on st0.14. It was an ICMP packet with 100 bytes.

    When Pkts: is 0, it means the SRX expects the reply on the st0.14 interface with source 172.29.0.44/21 and destination 10.1.138.32/3.

    The URL below gives some more details on the SRX session table.

    http://www.juniper.net/documentation/en_US/junos12.1x44/topics/reference/command-summary/show-security-flow-session.html

     

    Thanks,

    Suraj

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too



  • 3.  RE: how to read a session information on SRX 1400

    Posted 02-07-2015 02:07

    thank you so much



  • 4.  RE: how to read a session information on SRX 1400

     
    Posted 02-07-2015 18:11

    Hi caulfiedd@live.cn,

    Thanks, can we mark the post as an "Accepted Solution" so others can benefit?

    Thanks,

    Suraj

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too



  • 5.  RE: how to read a session information on SRX 1400

    Posted 02-23-2015 05:08

    Good feedback, but not very clear for me.

    Does this example then mean there was source NAT?

    Suraj, the link provided is nice, but it does not show how to read the output.

    I'd love to see an example of In/Out where we have NAT and where we don't have NAT. Anyone, please?



  • 6.  RE: how to read a session information on SRX 1400

     
    Posted 02-24-2015 03:26

    Hello Willys,

     

    Using the session info from the OP:

    Session ID: 20285605, Policy name: VPN-ACF-CCT-to-Remote/101, State: Active, Timeout: 2, Valid
    In: 10.1.138.32/3 --> 172.29.0.44/21;icmp, If: reth1.803, Pkts: 1, Bytes: 100
    Out: 172.29.0.44/21 --> 10.1.138.32/3;icmp, If: st0.14, Pkts: 1, Bytes: 100

     

     

    Say there was PAT being done to IP address 192.1.1.1/32. Then the session would look like:

    Session ID: 20285605, Policy name: VPN-ACF-CCT-to-Remote/101, State: Active, Timeout: 2, Valid
    In: 10.1.138.32/3 --> 172.29.0.44/21;icmp, If: reth1.803, Pkts: 1, Bytes: 100
    Out: 172.29.0.44/21 --> 192.1.1.1/3;icmp, If: st0.14, Pkts: 1, Bytes: 100

     

     

    I would interpret the session entries like this:

    * The source of the traffic is 10.1.138.32 -> 172.29.0.44 (this is how the packet is put on the wire, i.e. how the FW initially sees the packet).

    * The incoming interface of the original packet is the reth1.803 interface.

    * The firewall is expecting traffic in the reverse direction to come in on the st0.14 interface.

    * There is NAT involved, since the return traffic's destination IP refers to 192.1.1.1 instead of 10.1.138.32. This makes sense, as this is how the packet would be seen by the firewall.

     

     

    Hope this helps,

     

    Regards,

    Sam



  • 7.  RE: how to read a session information on SRX 1400

    Posted 02-24-2015 22:18

    Hi samc,

    Much clearer and makes sense. I will take an example.

    Session ID: 200000001, Policy name: default-policy/2, Timeout: 1794, Valid
      In: 40.0.0.111/32852 --> 30.0.0.100/21;tcp, If: ge-0/0/2.0, Pkts: 25, Bytes: 1138
      Out: 30.0.0.100/21 --> 40.0.0.111/32852;tcp, If: ge-0/0/1.0, Pkts: 20, Bytes: 1152
    Total sessions: 1

     

    Traffic comes into the SRX via ge-0/0/2.0 from source 40.0.0.111 to destination 30.0.0.100.

    Traffic is expected in the reverse direction, via ge-0/0/1.0, from source 30.0.0.100 to destination 40.0.0.111.

    And in this case, no NAT has been applied.
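The reading rule that Sam gave in reply 6 (the Out wing is the reply the SRX expects, so a reply destination that differs from the original source means source NAT/PAT) and the no-NAT check in reply 7 can be applied mechanically. The following is an added example, not code from the thread or from Juniper: a small parser for `show security flow session` output that extracts both wings of each session and flags source or destination translation. The sample text is constructed from the three session dumps quoted in this thread, joined as one output.

```python
import re
# Constructed sample: the three session dumps quoted in this thread (the
# original ICMP session, Sam's PAT variant, Willy's TCP session) as one output.
SAMPLE = """\
Session ID: 20285605, Policy name: VPN-ACF-CCT-to-Remote/101, State: Active, Timeout: 2, Valid
In: 10.1.138.32/3 --> 172.29.0.44/21;icmp, If: reth1.803, Pkts: 1, Bytes: 100
Out: 172.29.0.44/21 --> 10.1.138.32/3;icmp, If: st0.14, Pkts: 1, Bytes: 100
Session ID: 20285605, Policy name: VPN-ACF-CCT-to-Remote/101, State: Active, Timeout: 2, Valid
In: 10.1.138.32/3 --> 172.29.0.44/21;icmp, If: reth1.803, Pkts: 1, Bytes: 100
Out: 172.29.0.44/21 --> 192.1.1.1/3;icmp, If: st0.14, Pkts: 1, Bytes: 100
Session ID: 200000001, Policy name: default-policy/2, Timeout: 1794, Valid
  In: 40.0.0.111/32852 --> 30.0.0.100/21;tcp, If: ge-0/0/2.0, Pkts: 25, Bytes: 1138
  Out: 30.0.0.100/21 --> 40.0.0.111/32852;tcp, If: ge-0/0/1.0, Pkts: 20, Bytes: 1152
Total sessions: 3
"""

HEADER = re.compile(r"^\s*Session ID:\s*(\d+),\s*Policy name:\s*(\S+),")
WING = re.compile(r"^\s*(In|Out):\s*([^/\s]+)/(\d+)\s*-->\s*([^/\s]+)/(\d+);(\w+),"
                  r"\s*If:\s*(\S+),\s*Pkts:\s*(\d+),\s*Bytes:\s*(\d+)")

def parse_sessions(text):
    """Parse 'show security flow session' output into dicts with In/Out wings."""
    sessions = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            sessions.append({"id": int(m.group(1)), "policy": m.group(2)})
            continue
        m = WING.match(line)
        if m and sessions:
            d, src, sp, dst, dp, proto, ifn, pk, by = m.groups()
            sessions[-1][d] = {"src": src, "sport": int(sp), "dst": dst, "dport": int(dp),
                               "proto": proto, "if": ifn, "pkts": int(pk), "bytes": int(by)}
    # Only entries with both wings can be interpreted; drop partial ones.
    return [s for s in sessions if "In" in s and "Out" in s]

def describe(s):
    """Read one session the way the thread does: In = first packet as the SRX
    saw it, Out = the reply it expects. Sam's rule: if the reply's destination
    is not the original source, source NAT/PAT rewrote it on egress."""
    i, o = s["In"], s["Out"]
    return {
        "id": s["id"],
        "ingress_if": i["if"],                 # where the original packet arrived
        "reply_if": o["if"],                   # where the reply is expected
        "source_nat": (o["dst"], o["dport"]) != (i["src"], i["sport"]),
        "destination_nat": (o["src"], o["sport"]) != (i["dst"], i["dport"]),
        "reply_seen": o["pkts"] > 0,           # Pkts: 0 on Out = no reply yet
    }
```

Running `describe` over `parse_sessions(SAMPLE)` reports no translation for the first and third sessions and source NAT for Sam's PAT variant, matching the readings given in replies 6 and 7.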