Flow SRX juniper - Destination Nat

figurello Registered Users Posts: 1
Hi guys,

Our customer has a SRX240 firewall and I have implemented two internet links (from different ISPs).

The default gateway is link 1, but on link 2 I have destination NAT pointing to a specific server. When the packet comes back, it doesn't respect the DNAT table and goes out through link 1 (the default gateway).
Please, I need to know if this is the correct behavior, or if it should go back out the link it came in on (link 2).

Could you explain what is the correct packet data flow inside the appliance?

Anyone experienced this before?

Regards,

Comments

    Aldur Member Posts: 1,460
    What you're seeing is the correct behavior.

    What occurs, as far as the flow module is concerned, is that when the packet comes in, destination NAT is applied to the destination address in the packet. Then a route lookup occurs, which tells the router/firewall which interface to use, and then security policies are applied. The same process occurs to calculate the return path, minus the destination NAT, on the source address. This information is stored in the SRX's session table. In your case the traffic is receiving the correct destination NAT, and the source address that the traffic has is telling the SRX to use link 1 for the return traffic, even though the traffic is originally coming in on link 2.

    The easiest way to overcome this problem would be to place a static route that points out link 2 for the traffic that is coming into that link. However, I'm guessing that the source address is unknown, hence why it's using the default route and traversing link 1. Another option, albeit more of an advanced topic, would be to use filter-based forwarding that would cause traffic sourced from the server to use link 2.

    HTH
    "Bribe is such an ugly word. I prefer extortion. The X makes it sound cool."

    -Bender
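Both fixes from the answer above, written out as Junos set commands. This is an added example, not configuration from either poster, and the topology is assumed: ge-0/0/0.0 is link 1 (ISP1, 198.51.100.2/24, gateway 198.51.100.1, carries the default route), ge-0/0/1.0 is link 2 (ISP2, 203.0.113.2/24, gateway 203.0.113.1), ge-0/0/2.0 is the trust side with the server at 192.168.10.10, and 192.0.2.0/24 stands in for a client network whose address is known. The zone and security-policy configuration that permits the traffic is assumed to exist already; the names `web-server`, `from-isp2`, `isp2`, `fbf-rg` and `fbf-server` are made up for the example, and the `#` lines are annotations rather than commands.

```junos
# Added example (not from the thread). Assumed topology:
#   ge-0/0/0.0  link 1 / ISP1  198.51.100.2/24, gateway 198.51.100.1, default route
#   ge-0/0/1.0  link 2 / ISP2  203.0.113.2/24,  gateway 203.0.113.1
#   ge-0/0/2.0  trust          192.168.10.1/24, server 192.168.10.10
# Zones and the security policies permitting the traffic are assumed to exist.

# --- Starting point: default route via link 1, destination NAT on link 2 ---
set routing-options static route 0.0.0.0/0 next-hop 198.51.100.1
set security nat destination pool web-server address 192.168.10.10/32
set security nat destination rule-set from-isp2 from interface ge-0/0/1.0
set security nat destination rule-set from-isp2 rule dnat-web match destination-address 203.0.113.2/32
set security nat destination rule-set from-isp2 rule dnat-web match destination-port 443
set security nat destination rule-set from-isp2 rule dnat-web then destination-nat pool web-server
# With only the above, the reverse route lookup on the client's source address
# hits the default route, so replies leave via link 1.

# --- Option 1: static route, usable when the client source is known ---
# The reverse lookup on 192.0.2.0/24 now selects link 2 instead of the default.
set routing-options static route 192.0.2.0/24 next-hop 203.0.113.1

# --- Option 2: filter-based forwarding, for unknown client sources ---
# A forwarding instance whose only route is a default via ISP2 ...
set routing-instances isp2 instance-type forwarding
set routing-instances isp2 routing-options static route 0.0.0.0/0 next-hop 203.0.113.1
# ... plus the directly connected routes, shared into it through a rib-group,
# so the instance can still resolve the local subnets.
set routing-options rib-groups fbf-rg import-rib [ inet.0 isp2.inet.0 ]
set routing-options interface-routes rib-group inet fbf-rg
# Input filter on the trust interface: anything sourced by the server is routed
# in the isp2 instance; everything else follows inet.0 as before.
set firewall family inet filter fbf-server term server-to-isp2 from source-address 192.168.10.10/32
set firewall family inet filter fbf-server term server-to-isp2 then routing-instance isp2
set firewall family inet filter fbf-server term everything-else then accept
set interfaces ge-0/0/2 unit 0 family inet filter input fbf-server
```

Two things to check after committing. First, as the answer says, the return path is computed when the session is created and stored in the session table, so sessions that already exist keep their old return path: clear them (`clear security flow session destination-prefix 192.168.10.10`) and then compare `show security flow session destination-prefix 192.168.10.10 extensive` before and after, where the next hop used for the reply side of the session should change from 198.51.100.1 to 203.0.113.1; if it does not change for a freshly created session, the filter is not influencing the cached return route and a different design is needed. Second, the `server-to-isp2` term matches everything the server sends, including replies to connections that arrived over link 1, so if the server is also reachable through link 1 the term has to be narrowed (for example by destination or port) rather than matching on source address alone.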