Verifying NAT Configuration

Purpose

The NAT trace options hierarchy configures the trace file and trace flags used for verification. J Series and SRX Series devices have two main components: the Routing Engine (RE) and the Packet Forwarding Engine (PFE). The PFE is further divided into a ukernel portion and a real-time portion. For verification, you can turn on flags individually to debug NAT functionality on the RE, the ukernel PFE, or the real-time PFE. The trace data is written to /var/log/security-trace by default.

Note: If session logging has been enabled in the policy configurations on the device, the session logs will include specific NAT details for each session. See Monitoring Policy Statistics for information on how to enable session logging and Information Provided in Session Log Entries for SRX Series Services Gateways for a description of information provided in session logs.

Use the security nat traceoptions command to verify that the NAT configuration is correctly pushed to the device upon commit. To verify that NAT translations are being applied to the traffic, and to view the processing of individual traffic flows with their NAT translations, use the security flow traceoptions command.

Action

user@host# set security nat traceoptions flag all
user@host# set security nat traceoptions flag destination-nat-pfe
user@host# set security nat traceoptions flag destination-nat-re
user@host# set security nat traceoptions flag destination-nat-rt
user@host# set security nat traceoptions flag source-nat-pfe
user@host# set security nat traceoptions flag source-nat-re
user@host# set security nat traceoptions flag source-nat-rt
user@host# set security nat traceoptions flag static-nat-pfe
user@host# set security nat traceoptions flag static-nat-re
user@host# set security nat traceoptions flag static-nat-rt

To trace a specific flow only, define a packet filter and attach it to the flow traceoptions (packet-filter is followed by a filter name of your choosing; the options below are then set per filter):

root@host# set security flow traceoptions packet-filter packet-filter
root@host# set security flow traceoptions packet-filter packet-filter apply-groups
root@host# set security flow traceoptions packet-filter packet-filter apply-groups-except
root@host# set security flow traceoptions packet-filter packet-filter destination-port
root@host# set security flow traceoptions packet-filter packet-filter destination-prefix
root@host# set security flow traceoptions packet-filter packet-filter interface
root@host# set security flow traceoptions packet-filter packet-filter protocol
root@host# set security flow traceoptions packet-filter packet-filter source-port
root@host# set security flow traceoptions packet-filter packet-filter source-prefix

To verify NAT on live traffic and enable tracing of all packet processing in the data plane, use the set security flow traceoptions flag basic-datapath command. Without a packet filter this flag logs every session the PFE handles, so combine it with a packet filter on a production device.
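The following is an added, end-to-end example of the verification procedure described above; it is not taken from the original page or from Juniper's documentation. The file names (nat-trace, flow-trace), the packet-filter name (web-out), and the prefixes, protocol and port are constructed placeholders; replace them with the addresses of the flow you actually want to verify.

```junos
# Added example, not from the original page. Placeholders: nat-trace, flow-trace,
# web-out, 10.0.0.0/24, 192.0.2.10/32 and port 443 are all constructed values.

# 1. NAT-side trace: confirm the source NAT rule set reaches the RE and PFE on commit.
set security nat traceoptions file nat-trace size 1m files 3
set security nat traceoptions flag source-nat-re
set security nat traceoptions flag source-nat-pfe

# 2. Flow-side trace, narrowed by a packet filter so basic-datapath logs only
#    the session of interest instead of every session on the data plane.
set security flow traceoptions file flow-trace size 1m files 3
set security flow traceoptions packet-filter web-out source-prefix 10.0.0.0/24
set security flow traceoptions packet-filter web-out destination-prefix 192.0.2.10/32
set security flow traceoptions packet-filter web-out protocol tcp
set security flow traceoptions packet-filter web-out destination-port 443
set security flow traceoptions flag basic-datapath
commit

# 3. Send the test traffic, then read both trace files (/var/log/nat-trace and
#    /var/log/flow-trace because a file name was given; the default would be
#    /var/log/security-trace).
run show log nat-trace
run show log flow-trace

# 4. Tracing consumes RE and PFE resources; remove it once the translation is verified.
deactivate security nat traceoptions
deactivate security flow traceoptions
commit
```

The lines beginning with # are annotations, not commands. The NAT trace shows whether the rule set was installed; the flow trace shows, for the single matched session, which NAT rule was hit and the translated addresses, which is the evidence you need to confirm that the policy behaves as intended before opening the device to production traffic.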
