Hi everyone
I am trying to set up tcpdump to capture traffic involving 199.199.199.10
PC1 199.199.199.10--199.199.199.1 fe0/0/1-TRUST-SRX-UNTRUST-fe-0/0/2-200.200.200.1---200.200.200.2 PC2
SET UP:
SRX has vlan 199, vlan.199, 199.199.199.1, zone TRUST
SRX has vlan 200, vlan.200, 200.200.200.1, zone UNTRUST
SRX performs STATIC NAT (DEST) and changes the destination IP 100.100.100.10 to 200.200.200.20
Below we can see the SRX successfully NATs and routes the traffic to 200.200.200.2
The whole config is under additional info at the bottom of this post.
root> show security nat static rule all
Total static-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0
Static NAT rule: RULE1 Rule-set: ZEE1
Rule-Id : 1
Rule position : 1
From zone : TRUST
Destination addresses : 100.100.100.10
Host addresses : 200.200.200.20
Netmask : 32
Host routing-instance : N/A
Translation hits : 186
root> show security flow session
Session ID: 2232, Policy name: A/4, Timeout: 2, Valid
In: 199.199.199.10/33662 --> 100.100.100.10/1;icmp, If: vlan.199, Pkts: 1, Bytes: 60
Out: 200.200.200.20/1 --> 199.199.199.10/33662;icmp, If: vlan.200, Pkts: 1, Bytes: 60
Below I have set up tcpdump to capture all routed traffic received on vlan.199:
root@% tcpdump -i vlan.199
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on vlan.199, capture size 96 bytes
Reverse lookup for 199.199.199.1 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.
01:53:00.832297 In arp who-has 199.199.199.1 (54:e0:32:d3:b8:08) tell 199.199.199.10
01:53:00.832401 Out arp reply 199.199.199.1 is-at 54:e0:32:d3:b8:08
PC1 can reach 200.200.200.20, using the NATted IP 100.100.100.10, as can be seen in the flow session, but tcpdump on the SRX is only capturing ARP traffic, not transit traffic (I did not specify any filter, so all traffic that traverses vlan.199 should be captured).
This is my first time doing tcpdump on SRX, so I am not sure if I am missing anything.
Thanks
Additional info:
root> show configuration | display set
set version 11.4R7.5
set system root-authentication encrypted-password "$1$K8pkQCB3$PMhEh2V68NzABTnuUWOiv0"
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management http interface vlan.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces fe-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/0 unit 0 family ethernet-switching vlan members all
set interfaces fe-0/0/1 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan199
set interfaces fe-0/0/2 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan200
set interfaces fe-0/0/3 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan199
set interfaces fe-0/0/4 unit 0
set interfaces fe-0/0/5 unit 0
set interfaces fe-0/0/6 unit 0
set interfaces fe-0/0/7 unit 0
set interfaces vlan unit 199 family inet address 199.199.199.1/24
set interfaces vlan unit 200 family inet address 200.200.200.1/24
set security address-book global address ZEE 200.200.200.20/32
set security address-book global address GIGI 100.100.100.10/32
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat static rule-set ZEE1 from zone TRUST
set security nat static rule-set ZEE1 rule RULE1 match destination-address 100.100.100.10/32
set security nat static rule-set ZEE1 rule RULE1 then static-nat prefix 200.200.200.20/32
set security policies from-zone TRUST to-zone UNTRUST policy A match source-address any
set security policies from-zone TRUST to-zone UNTRUST policy A match destination-address ZEE
set security policies from-zone TRUST to-zone UNTRUST policy A match application any
set security policies from-zone TRUST to-zone UNTRUST policy A then permit
set security policies from-zone UNTRUST to-zone TRUST policy A match source-address GIGI
set security policies from-zone UNTRUST to-zone TRUST policy A match destination-address any
set security policies from-zone UNTRUST to-zone TRUST policy A match application any
set security policies from-zone UNTRUST to-zone TRUST policy A then permit
set security zones security-zone TRUST host-inbound-traffic system-services all
set security zones security-zone TRUST interfaces vlan.199
set security zones security-zone UNTRUST host-inbound-traffic system-services all
set security zones security-zone UNTRUST interfaces vlan.200
set vlans vlan199 vlan-id 199
set vlans vlan199 l3-interface vlan.199
set vlans vlan200 vlan-id 200
set vlans vlan200 l3-interface vlan.200
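As an added example (not part of the original post), the snippet below models the static NAT rule-set ZEE1, the connected routes and the zone bindings from the SET UP and configuration above, and derives the In and Out wings that "show security flow session" printed for the ICMP session. The zone-independent reverse translation is a simplification assumed here, as is the restriction to connected routes.

```python
# Added example, not from the original post: replay the static destination NAT
# rule and zone/route setup from the post and derive the session wings shown
# by "show security flow session".
import ipaddress

# Values taken from the post's configuration
ZONE_OF_INTERFACE = {"vlan.199": "TRUST", "vlan.200": "UNTRUST"}
ROUTES = {  # connected routes derived from the vlan.199 / vlan.200 addresses
    ipaddress.ip_network("199.199.199.0/24"): "vlan.199",
    ipaddress.ip_network("200.200.200.0/24"): "vlan.200",
}
STATIC_NAT_RULES = [  # rule-set ZEE1, rule RULE1, from zone TRUST
    {"from_zone": "TRUST",
     "match": ipaddress.ip_network("100.100.100.10/32"),
     "prefix": ipaddress.ip_network("200.200.200.20/32")},
]

def egress_interface(dst):
    """Longest-prefix lookup over the connected routes (assumption: no other routes)."""
    matches = [n for n in ROUTES if ipaddress.ip_address(dst) in n]
    if not matches:
        raise ValueError(f"no route to {dst}")
    return ROUTES[max(matches, key=lambda n: n.prefixlen)]

def static_nat(src, dst, in_if):
    """Static NAT is bidirectional. Forward: a destination matching the rule,
    arriving from the rule's from-zone, is rewritten to the prefix. Reverse: a
    source inside the prefix is rewritten back to the matched address
    (modelled here as zone-independent, a simplification)."""
    zone = ZONE_OF_INTERFACE[in_if]
    for r in STATIC_NAT_RULES:
        if zone == r["from_zone"] and ipaddress.ip_address(dst) in r["match"]:
            return src, str(r["prefix"].network_address)
        if ipaddress.ip_address(src) in r["prefix"]:
            return str(r["match"].network_address), dst
    return src, dst

def build_session(src, sport, dst, dport, proto, in_if):
    """Return the In and Out wings the way the SRX session table prints them:
    the In wing is pre-NAT, the Out wing is the reverse direction post-NAT."""
    nat_src, nat_dst = static_nat(src, dst, in_if)
    out_if = egress_interface(nat_dst)
    in_wing = f"In: {src}/{sport} --> {dst}/{dport};{proto}, If: {in_if}"
    out_wing = f"Out: {nat_dst}/{dport} --> {nat_src}/{sport};{proto}, If: {out_if}"
    return in_wing, out_wing

if __name__ == "__main__":
    # The ping from PC1 recorded in the post's session output
    for wing in build_session("199.199.199.10", 33662, "100.100.100.10", 1, "icmp", "vlan.199"):
        print(wing)
```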