SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Destination NAT match on ip, protocol and port

    Posted 05-06-2011 12:49

    Is there a way to define a destination match condition with a protocol as well as IP address and port?

    I need to duplicate the following iptables rules:
    -A PREROUTING -d 172.19.8.40 -i eth0 -p tcp -m multiport --dports 1022,13891 -j DNAT --to-destination 10.10.11.34
    -A PREROUTING -d 172.19.8.40 -i eth0 -p udp -j DNAT --to-destination 10.17.6.76
    -A PREROUTING -d 172.19.8.40 -i eth0 -p icmp -j DNAT --to-destination 10.10.11.34
    We are trying to replace an old Linux firewall with a clustered SRX210H pair running Junos 10.4R3.4.




  • 2.  RE: Destination NAT match on ip, protocol and port

    Posted 05-06-2011 13:25

    NAT rules match only IP and port. You might be able to combine NAT with your policy in some way.



  • 3.  RE: Destination NAT match on ip, protocol and port

    Posted 05-09-2011 06:51

    So does it apply the rule to all protocols that match IP and port?



  • 4.  RE: Destination NAT match on ip, protocol and port

    Posted 05-09-2011 08:24

    Destination NAT works PRIOR to application of security policy. So you would have to create your destination NAT rule based only on IP and port. You could then create your security policy based on the NAT'd IP / Port / Protocol combination.



  • 5.  RE: Destination NAT match on ip, protocol and port

    Posted 05-09-2011 09:11

    I think I understand the new Junos NAT flow versus the ScreenOS NAT flow. The problem I am trying to address is NATing inbound ICMP and TCP traffic on certain ports to one IP and inbound UDP traffic to a different IP, all without being able to use protocols in the destination NAT definition. Based on this discussion it looks like I am out of luck on how to do destination NAT with a UDP port?


    Thanks



  • 6.  RE: Destination NAT match on ip, protocol and port
    Best Answer

    Posted 05-09-2011 11:02

    I believe that you are. Off the top of my head I think that you could accomplish what you wanted through some manipulations based on filter-based forwarding.

    You could create a FW filter that matched on Port/IP/Protocol, pipe it into a routing-instance and then apply the Dest-NAT just on that routing instance.

    Would get a bit complex (meaning I haven't thought this all the way through 🙂). But I think it would work.



  • 7.  RE: Destination NAT match on ip, protocol and port

    Posted 05-18-2011 06:32

    Good call, JTAC came back with the same solution. However we decided to return the SRX devices and get SSG appliances which can accomplish the same thing in a single simple policy statement.

    We have been monitoring the progress of the SRX platform thinking that now would be a good time to move in that direction and away from ScreenOS, but I think there are still some rough patches in the SRX line that still need some refinement.

    Attached is the solution using a firewall filter and a routing instance that JTAC provided.

    Thanks

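The filter-based-forwarding approach from reply 6, written out as an added example against the original iptables rules. This is constructed here and is not the JTAC attachment from reply 7; the ingress interface ge-0/0/0.0 is an assumption, and the security policies that must still permit the translated flows are omitted.

```junos
## Constructed example (not the JTAC attachment). A firewall filter supplies the
## protocol/port match that destination NAT rules lack, steering each class of
## traffic into its own forwarding instance; the NAT rule-sets then key on the
## routing instance instead of the protocol. ge-0/0/0.0 is an assumed interface.

## 1. Forwarding instances; anything routed inside them falls back to inet.0
set routing-instances RI-TCP-ICMP instance-type forwarding
set routing-instances RI-TCP-ICMP routing-options static route 0.0.0.0/0 next-table inet.0
set routing-instances RI-UDP instance-type forwarding
set routing-instances RI-UDP routing-options static route 0.0.0.0/0 next-table inet.0

## 2. Filter: tcp/1022,13891 and icmp -> RI-TCP-ICMP, udp -> RI-UDP, rest untouched
set firewall family inet filter FBF-DNAT term TCP-PORTS from destination-address 172.19.8.40/32
set firewall family inet filter FBF-DNAT term TCP-PORTS from protocol tcp
set firewall family inet filter FBF-DNAT term TCP-PORTS from destination-port [ 1022 13891 ]
set firewall family inet filter FBF-DNAT term TCP-PORTS then routing-instance RI-TCP-ICMP
set firewall family inet filter FBF-DNAT term ICMP from destination-address 172.19.8.40/32
set firewall family inet filter FBF-DNAT term ICMP from protocol icmp
set firewall family inet filter FBF-DNAT term ICMP then routing-instance RI-TCP-ICMP
set firewall family inet filter FBF-DNAT term UDP from destination-address 172.19.8.40/32
set firewall family inet filter FBF-DNAT term UDP from protocol udp
set firewall family inet filter FBF-DNAT term UDP then routing-instance RI-UDP
## Other TCP ports stay in inet.0 with no NAT, matching the iptables behaviour
set firewall family inet filter FBF-DNAT term DEFAULT then accept

## 3. Apply the filter inbound on the equivalent of eth0 (assumed interface)
set interfaces ge-0/0/0 unit 0 family inet filter input FBF-DNAT

## 4. Destination NAT: one rule-set per routing instance, still IP-only matches
set security nat destination pool DNAT-HOST-A address 10.10.11.34/32
set security nat destination pool DNAT-HOST-B address 10.17.6.76/32
set security nat destination rule-set DNAT-TCP-ICMP from routing-instance RI-TCP-ICMP
set security nat destination rule-set DNAT-TCP-ICMP rule TO-HOST-A match destination-address 172.19.8.40/32
set security nat destination rule-set DNAT-TCP-ICMP rule TO-HOST-A then destination-nat pool DNAT-HOST-A
set security nat destination rule-set DNAT-UDP from routing-instance RI-UDP
set security nat destination rule-set DNAT-UDP rule TO-HOST-B match destination-address 172.19.8.40/32
set security nat destination rule-set DNAT-UDP rule TO-HOST-B then destination-nat pool DNAT-HOST-B
```

After committing, `show security flow session` on a test connection should show the translated destination, and `show firewall filter FBF-DNAT` term counters confirm which term steered it.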