SRX for beginners #2

After my srx for beginners post has become the most popular article of this blog, I have decided to improve it a little bit as it is missing some vital information. Without talking too much let’s summarize what we will do in this post

  • What is a flow session?
  • How can we interpret a flow session entry?
  • How can we open a standard port/application on SRX and do destination NAT?
  • How can we open a non-standard port and do destination NAT?
  • How can we do proxy-arp?

In this post, we will use the same topology like previous post but I have added three new devices in this new topology so that I can show source/destination nat and proxy arp.

SRX for beginners topology

SRX for beginners topology

Let’s get started:

What is a flow session?

Juniper SRX is a stateful firewall hence box doesn’t forward an IP packet and forgets it. It has to remember which IP packets it has received and which packets it is expecting. It isn’t exactly like this but for the sake of simplicity let’s assume like this now. So what does a session look like on an SRX firewall. In order to show this from PC1 device, I telnet to TCP port 80 of host which is outside my test network and see how the flow session looks like on our SRX firewall.

TCP 80 connection is established towards the host

Now let’s see how this session looks like on our firewall

As you can see, we can display sessions by “show security flow session” command and by giving more options e.g destination-port you can filter session table.

How can we interpret a flow session entry?

Now let’s drill down this single flow session entry line by line.

Line 1

  • 109 : Each session is given a session identifier by the firewall, here 109
  • allow-internal-clients/4 : Security which exactly matches this specific traffic and number 4 is the policy index.
  • 294 : When a session is created it starts with default timeout and counts down to zero as long as no packet is seen. If it reaches 0 session is removed

Line 2

  • : Source IP address/Port of the source host which created the session
  •;tcp : Destination IP address/Port of the destination host and the transport layer protocol which is tcp here
  • ge-0/0/1.0 : The ingress interface of the packet
  • Pkts: 2, Bytes: 112 Number of packets and Bytes received on this direction
  • Line 3
    A flow session has two wings and this one is the wing on the reverse direction.

    • : This is the same as our destination address
    • : This is the address to which replies back but it is different than our source IP address since we are doing source NAT and port translation
    • ge-0/0/0.0 : Ingress interface of the return packets
    • Pkts: 1, Bytes: 60 : IP packet and Bytes received from the destination

    How can we open a default/standard port/application on SRX and do destination NAT?

    In the topology, we have a Web server and we would like to allow public HTTP service i.e anyone who types on their browser from Internet will be redirected to our internal web server i.e we will create a destination NAT rule and a security policy allowing this HTTP traffic.

    First thing we should go to configuration mode

    Then we can paste the following commands to configure destination NAT

    Destination NAT

    Note: In order to forward traffic to the internal server, a pool is required

    Security Policy
    If you don’t permit the HTTP traffic in a security policy, destination NAT has no use.
    On this setup I am moving from zone specific address groups to global addresses for which I am moving my old address book to global level and I am adding new address entry for webserver.

    Now we can create the security policy.

    Note: On SRX, default applications are prefixed by junos- as you can see for junos-http application.

    Finally commit your changes. Now we telnet to the IP from outside network ( and check the session table.

    As you can see request for is translated to by SRX.

    How can we open a non-standard port and do destination NAT?

    Now we have a different requirement. There is an SMTP server which is listening on port default port 25 but we somehow want everyone to access this host on port 2025 instead of the default port. Now we will configure this scenario.

    First Address book entry

    Note: Pay attention that pool we created is for port 25 but actual port match is for 2025

    Now security policy

    Note: You may be asking why do we use junos-smtp application which has port 25 instead of an application which has destination port 2025. The reason is that security policy processing is done after destination is processed hence when security policy does the match, port is already translated to 25 from 2025.

    For example, if you were to redirect(port nat) 2025 port to another non-standard port e.g 2000 on this smtp server then you would have to create an application e.g named custom-smtp and permit this application on this policy.

    But this isn’t what we are configuring now. We just redirect outside 2025 port to internal 25 port.

    Now we telnet from our Internet host

    Heyyy, we have got the smtp response on non-standard port 2025. Let’s check the flow session.

    Yes, port 2025 is translated to 25 as it can be seen in the flow session too.

    You can also check the translation hits by the following command to see if the NAT rule is really being hit or not.

    How can we do proxy-arp?

    According to our topology, we have only one WAN IP assigned to the external interface which is but our ISP has given us a /24 block from which now we also would like to use IP address for some services. However we don’t want to assign this IP address to the external interface. The problem is that if you don’t assign an IP to an interface, you don’t respond to ARP requests for that IP. In order to solve this problem we need to configure proxy arp. To demonstrate this, we have a scenario. We have an application server IP of which is in the internal network and application is running on TCP port 8080. We would like everyone on Internet to access this application via TCP port 80 i.e we will redirect TCP80 requests coming to to the internal TCP8080.

    Now we do connect to TCP80 port of from Internet host and see the session table

    Yes it works! we redirect port 80 to internal 8080 port.

    Now I am hoping that I have completed SRX for beginners posts!

10 thoughts on “SRX for beginners #2

  1. IB

    If you have an public IP subnet and are going to use destination or static NAT don’t forget to set security > nat > proxy-arp for your addresses on the respective outgoing interface as long as you do not use the address of the SRX itself.

    1. rtoodtoo Post author

      Thanks for the feedback. Very good point actually. Hence, I have updated the post and added the proxy-arp scenario.



    I am completely new with juniper product and I got an opportunity to get knowledge of srx220 due to my Cisco pix is malfunctioning since last 2 weeks, and it is going to be replaced by srx220. Will you please help me to configure that box. I am sending you the network diagram and config file of my pix-525. I think here is no any option to upload any jpg file so I am elaborating my network.

    We are using 7 to 8 vlans in our network created in cisco 4510r catalyst switch which is connected with cisco pix through vlan 500 and default route configured in 4510r is the ip of pix inside ip which is The pix is in between the 4510r and cisco router and i have no access of that router. That router is under ISP so I can’t change in that router. The outside ip of pix is is directly connected to the router. Config of pix-525 are follows:

    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 auto
    interface gb-ethernet0 1000auto shutdown
    interface gb-ethernet1 1000auto shutdown
    interface ethernet2 100full
    interface ethernet3 100full
    interface ethernet4 auto shutdown
    interface ethernet5 auto shutdown
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif gb-ethernet0 inside1 security99
    nameif gb-ethernet1 inside2 security90
    nameif ethernet2 intf4 security8
    nameif ethernet3 radio-phy security10
    nameif ethernet4 intf6 security12
    nameif ethernet5 intf7 security14
    enable password ################# encrypted
    passwd ################ encrypted
    hostname cupix
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    access-list acl_out permit icmp any any
    access-list acl_out permit udp any any eq domain
    access-list acl_out permit ip any any
    access-list acl_out permit tcp any any
    access-list acl_in permit icmp any any
    access-list acl_in permit udp any any eq domain
    access-list acl_in permit tcp any any
    access-list RADIO-PHY permit ip host any
    access-list RADIO-PHY permit ip host any
    access-list RADIO-PHY permit tcp any
    access-list RJABZR_CASH permit ip host any
    access-list RJABZR_CASH permit ip host any
    access-list RJABZR_CASH permit ip host any
    access-list RJABZR_CASH permit ip host any
    access-list RJABZR_CASH permit ip host any
    access-list RJABZR_CASH permit ip host any
    access-list RJABZR_CASH permit ip host any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu inside1 1500
    mtu inside2 1500
    mtu intf4 1500
    mtu radio-phy 1500
    mtu intf6 1500
    mtu intf7 1500
    ip address outside
    ip address inside
    no ip address inside1
    no ip address inside2
    no ip address intf4
    ip address radio-phy
    no ip address intf6
    no ip address intf7
    ip audit info action alarm
    ip audit attack action alarm
    no failover
    failover timeout 0:00:00
    failover poll 15
    no failover ip address outside
    no failover ip address inside
    no failover ip address inside1
    no failover ip address inside2
    no failover ip address intf4
    no failover ip address radio-phy
    no failover ip address intf6
    no failover ip address intf7
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list RJABZR_CASH
    nat (inside) 1 0 0
    nat (inside) 1 0
    nat (inside) 1 0 0
    nat (inside) 1 0 0
    nat (inside) 1 0 0
    nat (inside) 1 0 0
    nat (inside) 1 0 0
    nat (inside) 1 0 0
    nat (inside) 1 0 0
    nat (inside) 1 0 0
    nat (inside) 1 0 0
    nat (inside) 1 0 0
    access-group acl_out in interface outside
    access-group acl_in i
    route outside 1
    route inside 1
    route inside 1
    route inside 1
    route inside 1
    route inside 1
    route inside 1
    route inside 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0

    So will you please send me the configuration of that box which will be installed here. and I requests to you for make of post of this problem like your others posts which are very clearly understandable.


    Anand Chourasia

  3. Amol

    Hi ,

    This artical is really helpful for me .Can you please involve vpn configuration also .



  4. Nils


    Just read it for accessing web server from outside case. Have one query how private IP address can be telnet or accessible from outside, Only Public IP address are rout able and accessible over internet, i thing something wrong in typing or i missed something. Please clarify me. Thanks

  5. Arbe


    I need to open some ports from to the ports are UDP 5060 and 4000 to 4012. Network map:

    Can you help me?

    SRX is in flow mode:

    admin@SRX210> show security flow status
    Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: flow based (reboot needed to change to drop)
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
    Advanced services data-plane memory mode: Default
    Flow trace status
    Flow tracing status: off
    Flow session distribution
    Distribution mode: RR-based



  6. Gregory Wendel

    Thanks for the great pages. Your reminder to add the dhcp to the host allowed services seems so obvious now, but during troubleshooting was kicking my butt. Very good information. Drinks are on me if you are ever in the Washington DC area.


You have a feedback?