SRX Services Gateway
Highlighted
SRX Services Gateway

How to log NAT traffic or see NAT "failed" reason?

[ Edited ]
‎02-19-2019 10:16 AM

I'm trying to set up network address translation on my Juniper to redirect all incoming traffic to a proxy server on the LAN.  I think I have it set up properly, but I'm obviously missing something.  On the monitoring screen, I see the following:

 

Name Action Sessions (Succ/Failed/Current)
ProxyRule ProxyPool (0/675/0)

 

Obviously something is wrong.  So how do I view information about those failures?

 

I tried setting up some logging using the following command, but when I view the "traffic-log" file in the viewer I don't see anything related to NAT:

set system syslog file traffic-log any any

 

And this is my policy:

 

        from-zone Internet to-zone Internal {
            policy AllowProxy {
                match {
                    source-address any;
                    destination-address any;
                    application Proxy;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }

Any tips?

2 REPLIES 2
SRX Services Gateway

Re: How to log NAT traffic or see NAT "failed" reason?

‎02-19-2019 12:24 PM

Hi Scott,

 

I am assuming that we are talking about a Destination NAT rule but please let us know. Also please check the following:

 

  • Look for any errors related to NAT:
> show log messages
  • Confirm how many sessions exist that were permitted by the security-policy AllowProxy in order to tell how many NAT translations exist:
> show security flow sessions destination-prefix [proxy_server_address] | match AllowProxy | count
  • Lets check further info about the NAT rule and pool:
> show security nat destination rule ProxyRule
> show security nat destination pool ProxyPool
  • Also let us know the device model and junos version:
> show version
> show chassis hardware

 

Pura Vida from Costa Rica - Kudos are appreciated!
Mark as Resolved if it applies.
SRX Services Gateway

Re: How to log NAT traffic or see NAT "failed" reason?

‎02-19-2019 03:37 PM

Confirm the proxy pool address is associated with the zone Internal.

Do a show route for this address

Get the interface of egress for the active route

Confirm that interface is assigned to zone Internal

 

Confirm the zone assignments in the nat rule are correct

from the Internet zone and to the Internal zone

 

Confirm the custom application Proxy matches protocol and port for any restrictions in the nat rule.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home