[j-nsp] Destination NAT
Per Westerlund
p1 at westerlund.se
Thu Nov 28 05:57:54 EST 2013
Try to add this to your configuration:
[edit security flow]
perw at srx1# show
traceoptions {
    file dnat-telnet-debug;
    flag basic-datapath;
    packet-filter dnat-telnet-in {
        protocol tcp;
        destination-prefix 24.173.164.162/32;
        destination-port 3333;
    }
    packet-filter dnat-telnet-out {
        protocol tcp;
        source-prefix 132.147.160.3/32;
        source-port 23;
    }
}
This is a packet filter that is supposed to track inbound packets to 24.173.164.162:3333 and outbound packets from 132.147.160.3:23. For each such packet, it will log LOTS OF INFORMATION in the file /var/log/dnat-telnet-debug. The idea is this:
- Commit the configuration above.
- Try the connection towards 24.173.164.162:3333 once.
  It is not good if it is under constant "attack"; then you have to add a source prefix to the inbound filter as well.
- Look in the log file with "show log dnat-telnet-debug".
  If there is nothing in the log, the packets don't reach the SRX and you have another problem.
  If there is something in the log, it will give a hint why there is no session set up.
As soon as you have an answer, at least temporarily disable the debug with:
per at srx1> configure
Entering configuration mode
[edit]
per at srx1# deactivate security flow traceoptions
[edit]
per at srx1# commit and-quit
per at srx1>
/Per
On 28 Nov 2013 at 11:26, Mohammad Khalil <eng.mssk at gmail.com> wrote:
> No, the session is not up, and I have changed the port to be 23 on both sides (junos-telnet) and still not working?
>
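As an added illustration of the "look in the log file" step, not part of Per's message or any Juniper tool: a small Python helper that scans basic-datapath trace output for the first-path markers the procedure relies on (first path started, DST NAT translation, route lookup, policy lookup, session created) and reports how far the inbound packet got and why it was dropped. The trace lines are constructed and only loosely modelled on SRX output, the remote address 1.2.3.4 is made up, and the marker strings are an assumption to adjust for the Junos release in use.

```python
import re

# Constructed sample trace, loosely modelled on SRX basic-datapath output.
# Assumption: real line layout and wording vary by Junos release.
SAMPLE_TRACE = """\
Nov 28 11:30:00 11:30:00.101:CID-0:RT:<1.2.3.4/51234->24.173.164.162/3333;6> matched filter dnat-telnet-in:
Nov 28 11:30:00 11:30:00.101:CID-0:RT: ge-0/0/0.0:1.2.3.4/51234->24.173.164.162/3333, tcp, flag 2 syn
Nov 28 11:30:00 11:30:00.101:CID-0:RT: no session found, start first path. in_tunnel - 0, from_cp_flag - 0
Nov 28 11:30:00 11:30:00.101:CID-0:RT:flow_first_rule_dst_xlate: DST xlate: 24.173.164.162(3333) to 132.147.160.3(23), rule/pool id 1/2.
Nov 28 11:30:00 11:30:00.101:CID-0:RT: routed (x_dst_ip 132.147.160.3) from untrust (ge-0/0/0.0 in 0) to ge-0/0/1.0, Next-hop: 132.147.160.3
Nov 28 11:30:00 11:30:00.101:CID-0:RT: policy search from zone untrust-> zone trust (0x0,0xc8820017,0x17)
Nov 28 11:30:00 11:30:00.101:CID-0:RT: denied by policy default-policy-00(2), dropping pkt
Nov 28 11:30:00 11:30:00.101:CID-0:RT: packet dropped, policy deny.
"""

# First-path stages in the order the flow module works through them.
# Each entry maps a marker substring (assumed wording) to a short label.
STAGES = [
    ("no session found, start first path", "first-path"),
    ("DST xlate:", "dnat"),
    ("routed (", "route"),
    ("policy search from zone", "policy-lookup"),
    ("session created", "session"),
]
DROP_RE = re.compile(r"(denied by policy [^,]+|packet dropped,\s*[^\n]+)")
XLATE_RE = re.compile(r"DST xlate: (\S+)\((\d+)\) to (\S+)\((\d+)\)")

def triage_first_path(trace):
    """Return which stages were reached, the DNAT translation seen,
    the first drop reason, and whether a session actually came up."""
    reached, xlate, drop = [], None, None
    for line in trace.splitlines():
        for marker, label in STAGES:
            if marker in line and label not in reached:
                reached.append(label)
        m = XLATE_RE.search(line)
        if m:  # original dst:port -> translated dst:port
            xlate = (f"{m.group(1)}:{m.group(2)}", f"{m.group(3)}:{m.group(4)}")
        d = DROP_RE.search(line)
        if d and drop is None:  # keep the first (root-cause) drop message
            drop = d.group(1).strip()
    return {"stages": reached, "dnat": xlate, "drop": drop,
            "session_up": "session" in reached}

if __name__ == "__main__":
    print(triage_first_path(SAMPLE_TRACE))
```

In the constructed sample the DNAT rule fires and the route is found, so the missing session is a policy problem rather than a NAT or routing one; with a real trace the last stage reached tells you where to look.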