Troubleshooting With Security Flow Traceoptions and options


Hi,

Many people either turn a blind eye to the debug approach, and others may not know about the SRX feature described below, but in my opinion it has huge advantages, mainly when your policies are not defined for the traffic and you do not see a flow entry in your session table.

Topology

[Figure: topology]

Running a ping from the other router

[Figure: ping not in session table]

Now configure the traceoptions

[Figure: configuration of flow traceoptions]

Analyzing the traceoptions output

[Figure: packet drop in log]

I found this method very handy, and it is also used in live environments. How you write your packet filter is the key criterion: the narrower the filter, the fewer packets the device has to match and log.
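As an added example (not the configuration from the original post's screenshots), the Junos set commands below configure a flow trace for a single ping conversation and then read the result. The addresses are assumptions: the pinging host is 192.0.2.10 and the far-end router is 198.51.100.1; substitute your own topology.

```junos
# Added example; addresses below are assumed, not taken from the post.
# Log file: name, rotation size and number of files to keep.
set security flow traceoptions file flow-trace.log
set security flow traceoptions file size 10m
set security flow traceoptions file files 3

# basic-datapath logs the first-packet decisions (zone, route and policy
# lookup) without the volume of "all"; prefer it on a production box.
set security flow traceoptions flag basic-datapath

# Only packets matching a packet-filter are traced. One filter per
# direction so the reply is captured as well as the request.
set security flow traceoptions packet-filter pf-fwd source-prefix 192.0.2.10/32
set security flow traceoptions packet-filter pf-fwd destination-prefix 198.51.100.1/32
set security flow traceoptions packet-filter pf-fwd protocol icmp
set security flow traceoptions packet-filter pf-rev source-prefix 198.51.100.1/32
set security flow traceoptions packet-filter pf-rev destination-prefix 192.0.2.10/32
set security flow traceoptions packet-filter pf-rev protocol icmp
commit

# Reproduce the ping from the remote router, then look for the drop
# reason; a policy deny names the zone pair that was searched.
run show log flow-trace.log
run show log flow-trace.log | match "denied|drop|policy"

# Tracing costs CPU: switch it off once the cause is found.
deactivate security flow traceoptions
commit
```

The two packet filters are ORed, so traffic matching either direction is written to the file; everything else is untouched. Keep `file size` small and `files` low so a forgotten trace cannot fill /var/log.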

Regards

Rakesh M

Quick Series 7 – SOURCE-NAT – INTERFACE-BASED NAT


Hi,

This is the 7th post in the Quick Series, and it covers SRX source NAT using the interface address.

Requirement

All LAN traffic (172.20.101.0/24) trying to reach the other-end router 172.18.2.2 should be NATed to the 172.18.1.2 address.

Topology

[Figure: topology]

The first step is to verify our SRX interface and zone definitions.

[Figure: zones]

Verify that the proper policies are in place; note that you must write a policy for traffic from the trust zone to the untrust zone in order for this traffic to flow at all.

[Figure: SRX NAT configuration]

Final verification

As we can see, 172.20.101.10 is being translated to 172.18.1.2.

[Figure: SRX verification]
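As an added example (not the configuration in the post's screenshots), the Junos set commands below build the requirement end to end: zones, the trust-to-untrust policy, and an interface-based source NAT rule. The addresses 172.20.101.0/24, 172.18.2.2 and 172.18.1.2 are from the post; the interface names, the SRX LAN-side address 172.20.101.1, the /24 masks, the next hop 172.18.1.1 and the object names are assumptions.

```junos
# Added example; interface names, LAN-side address, masks and next hop are assumed.
# Interfaces and zones
set interfaces ge-0/0/0 unit 0 family inet address 172.20.101.1/24
set interfaces ge-0/0/1 unit 0 family inet address 172.18.1.2/24
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/1.0

# Route to the far-end router (assumed next hop)
set routing-options static route 172.18.2.0/24 next-hop 172.18.1.1

# Security policy: NAT is only applied to sessions a policy permits,
# so without a trust-to-untrust permit nothing is translated.
set security address-book global address lan-net 172.20.101.0/24
set security policies from-zone trust to-zone untrust policy lan-out match source-address lan-net
set security policies from-zone trust to-zone untrust policy lan-out match destination-address any
set security policies from-zone trust to-zone untrust policy lan-out match application any
set security policies from-zone trust to-zone untrust policy lan-out then permit

# Interface-based source NAT: LAN sources going to 172.18.2.2 are
# rewritten to the egress interface address, 172.18.1.2.
set security nat source rule-set lan-to-untrust from zone trust
set security nat source rule-set lan-to-untrust to zone untrust
set security nat source rule-set lan-to-untrust rule lan-out-nat match source-address 172.20.101.0/24
set security nat source rule-set lan-to-untrust rule lan-out-nat match destination-address 172.18.2.2/32
set security nat source rule-set lan-to-untrust rule lan-out-nat then source-nat interface
commit

# Verification: rule hit counters, and the Out wing of the session
# should carry 172.18.1.2 as its source.
run show security nat source rule all
run show security flow session destination-prefix 172.18.2.2
```

The destination-address match keeps the rule narrow, so LAN hosts talking to anything other than 172.18.2.2 keep their real addresses and show up untranslated in the session table; widen it deliberately rather than by default.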

Regards

Rakesh M
