[j-nsp] Destination NAT

Per Westerlund p1 at westerlund.se
Thu Nov 28 05:57:54 EST 2013

Try to add this to your configuration:

[edit security flow]
perw at srx1# show
traceoptions {
    file dnat-telnet-debug;
    flag basic-datapath;
    packet-filter dnat-telnet-in {
        protocol tcp;
        destination-port 3333;
    }
    packet-filter dnat-telnet-out {
        protocol tcp;
        source-port 23;
    }
}

This is a packet filter that is supposed to track inbound packets to and outbound packets from For each such packet, it will log LOTS OF INFORMATION in the file /var/log/dnat-telnet-debug. The idea is this:

- Commit the configuration above.

- Try the connection towards once

It is not good if it is under constant "attack", then you have to add a source prefix to the inbound filter as well.

- Look in the log file with "show log dnat-telnet-debug"

If there is nothing in the log, the packets don't reach the SRX, you have another problem.
If there is something in the log, it will give a hint why there is no session set up.

As soon as you have an answer, at least temporarily disable the debug with:

per at srx1> configure
Entering configuration mode

per at srx1# deactivate security flow traceoptions

per at srx1# commit and-quit

per at srx1>


On 28 Nov 2013 at 11:26, Mohammad Khalil <eng.mssk at gmail.com> wrote:

> No the session is not up, and I have changed the port to be 23 on both sides (junos-telnet) and still not working?
