The order is: screen options -> D-NAT -> route lookup -> policy -> S-NAT -> others.
/chris --- -----Original Message----- From: Ge Moua <moua0...@umn.edu> Sender: juniper-nsp-boun...@puck.nether.net Date: Fri, 06 Jul 2012 08:41:10 To: <juniper-nsp@puck.nether.net> Subject: [j-nsp] order of operations for NAT & zone policy enforcement / SRX j-nsp: I am running into an issue on Juniper SRX where I am seeing zone policy deny for destination-based NAT traffic (ie, untrusted to trusted zone). My assumption for SRX order of operation is as follow: * perform zone policy enforcement (to dest NAT ip_addr / ARIN public) * perform NAT translation for dest_ip It would appear the order of operation here is reversed for flow that requires destination based NAT& zone policy enforcement: * peform NAT translation for dest_ip * perform zone policy enforcement (to real ip_addr / RFC-1918) Comments or feedback would greatly be appreciated. -- -- Regards, Ge Moua Univ of Minn Alumnus -- _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp