Current Junos Flow Module
Below is diagram of the Junos Flow Module. It depicts the series of events that take place in the flowd module. Burn this into memory now!
Below is a diagram of the Junos Flow Module in Junos 9.1 and earlier.
- NAT and Security policies are configured together (a policy must match traffic and NAT actions specificed within the policy)
- Routing/Policy evaluation is done before Destination NAT.
Example#1 [Destination NAT where the destination IP address within the incoming packet is not an IP address the SRX has a route to] In this example let's assume the public network is in a zone called "untrusted" and the private network is a zone called "trusted". Our ISP has given us 100.100.100.1 to use for our FTP server and has routed this address to our SRX. We have leveraged this address to configure destination NAT for users on the internet to access the FTP server. In this case the SRX will not have a route directing 100.100.100.1 to the internal zone. This means zone lookup/polcy match will fail and ultimately drop the packet. Placing a route on the SRX for the 100.100.100.1/32 address can be done as a workaround but this is inefficient and goofy.
Example#2 [NAT Configuration that requires multiple security policies (due to the fact that NAT and Security Poilcy are configured together)] In the example below the alternate private network of 192.168.2.0/24 has the exact same security requirements as the 220.127.116.11/30 network and they reside in the same zone. Let's also say that no destination NAT is needed between 192.168.1.0/24 and 192.168.2.0/24 networks. We can simply just route between these networks. It would be ideal in this case to create a single rule in the security policy. This cannot be done as NAT parameters are configured within the security policy. To accomplish this tasks multiple policies would need to be configured.
Next-Generation NAT (used in Junos 9.2 or later)
In Junos 9.2 the flow module was changed so that Destination NAT happens prior to route and policy lookup and the NAT and Security Policy configuration was decoupled. At the time this was called "Next Generation NAT" It was a good move as it makes configuration cleaner (in my opinion) and eliminated the issues explained above.
Wrap Up & Comments
Junos version older than 9.2 are very OLD. A lot of what was discussed in the post (issues examples, etc.) will not be a concern in any modern day deployment (or lab test for that matter). However you may run into specific configuration/topologies where understanding the order of events in the flow module will help troubleshoot and issues or allow you to drive out the correct NAT configuration in a complex topology.
Just a note to anyone who is reading the Junos 11.1 Documentation. If you browse to the section called "SRX Series Services Gateway Processing Overview" you will find the flow diagram depicted is actually the old flow diagram. This is incorrect as Junos 11.1 uses "Next Generation NAT"