SRX Services Gateway

SRX SNAT FLOW SESSION

‎04-30-2020 08:53 PM

I am struggling to understand SNAT.

 

Below is the flow session:

 

Session ID: 443, Policy name: OK/6, Timeout: 2, Valid
In: 192.168.111.2/51744 --> 91.201.212.238/80;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 6, Bytes: 430,
Out: 91.201.212.238/80 --> 172.30.124.59/16613;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 4, Bytes: 467,
 
We can say there is SNAT applied, as the source is changed from 192.168.111.2 to 172.30.124.59.
 
Now, when we look at the SRX packet handling diagram:
 
[Image: SRXpacketFlow.gif (SRX packet flow diagram)]
 
 
The route lookup actually happens before SNAT. So, my confusion is:
 
- If route lookup is done before SNAT, then how can the SRX know where to forward the packet after doing SNAT, as I mentioned in the above flow session example?
 
- If the SNAT configuration has all the routing-related information, such as zone and which interface to go to, then it still applies to the policy check; however, the policy check is also done before SNAT.
 
Please share your thoughts so that it makes sense how actually SRX behaves in this scenario.
 
Thank you.
 
Solution
Accepted by topic author CP1
‎05-08-2020 07:12 PM

Re: SRX SNAT FLOW SESSION

‎04-30-2020 09:03 PM

Hi,

 

The route lookup happens on the destination IP, and hence the Dst-NAT, if any, is always done before the route lookup, as you can see in the flow diagram.

 

Source NAT does not have any impact on the route lookup. Hope this helps.

 

Thanks and Regards,

Pradeep Kumar M

 



Re: SRX SNAT FLOW SESSION

‎05-08-2020 07:17 PM

Thanks, Pradkm. This sentence removes the confusion - "Source NAT does not have any impact on the route lookup".

 

Regards.