SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Destination NAT port range

    Posted 05-13-2011 23:33

    Is it really not possible to use a port range when doing destination NAT?  Currently using 10.4.R3.4 on a pair of SRX650s, and I really need to set up a port range for a destination NAT of a couple hundred ports.  Not something I want to do individually.



  • 2.  RE: Destination NAT port range
    Best Answer

    Posted 05-14-2011 03:22

    Hi

    No, that's not possible currently. Another strange constraint that was discussed here recently: you can match on port, but not on protocol (tcp/udp).

    By the way, if you don't need port translation, you can use static NAT (1-to-1 mapping of IP addresses with no change of ports).



  • 3.  RE: Destination NAT port range

    Posted 05-14-2011 05:48

    We typically do a static NAT, but in this case we have two servers sharing the same IP; their services just use different ranges.



  • 4.  RE: Destination NAT port range

    Posted 07-30-2012 12:32

    Greetings,

     

    I have been researching this lately and I am rather amazed you can't specify a range; however, I did find a nifty trick to accomplish this task with minimal effort.

     

    First, write a bash shell script like this:

    #!/usr/bin/env bash
    # Emit one destination-NAT pool and one rule-set rule per port in the range,
    # each translating the external address to 10.10.10.10 on the same port.
    for i in {15100..15200}
    do
    echo "
    set security nat destination pool VOIP_$i address 10.10.10.10/32
    set security nat destination pool VOIP_$i address port $i
    set security nat destination rule-set SET_1 rule VOIP_$i match source-address 0.0.0.0/0
    set security nat destination rule-set SET_1 rule VOIP_$i match destination-address 74.125.225.179/32
    set security nat destination rule-set SET_1 rule VOIP_$i match destination-port $i
    set security nat destination rule-set SET_1 rule VOIP_$i then destination-nat pool VOIP_$i
    "
    done

     

    then, execute it like so:

     

    $ bash script1.sh

    set security nat destination pool VOIP_15100 address 10.10.10.10/32
    set security nat destination pool VOIP_15100 address port 15100
    set security nat destination rule-set SET_1 rule VOIP_15100 match source-address 0.0.0.0/0
    set security nat destination rule-set SET_1 rule VOIP_15100 match destination-address 74.125.225.179/32
    set security nat destination rule-set SET_1 rule VOIP_15100 match destination-port 15100
    set security nat destination rule-set SET_1 rule VOIP_15100 then destination-nat pool VOIP_15100


    set security nat destination pool VOIP_15101 address 10.10.10.10/32
    set security nat destination pool VOIP_15101 address port 15101
    set security nat destination rule-set SET_1 rule VOIP_15101 match source-address 0.0.0.0/0
    set security nat destination rule-set SET_1 rule VOIP_15101 match destination-address 74.125.225.179/32
    set security nat destination rule-set SET_1 rule VOIP_15101 match destination-port 15101
    set security nat destination rule-set SET_1 rule VOIP_15101 then destination-nat pool VOIP_15101


    set security nat destination pool VOIP_15102 address 10.10.10.10/32
    set security nat destination pool VOIP_15102 address port 15102
    set security nat destination rule-set SET_1 rule VOIP_15102 match source-address 0.0.0.0/0
    set security nat destination rule-set SET_1 rule VOIP_15102 match destination-address 74.125.225.179/32
    set security nat destination rule-set SET_1 rule VOIP_15102 match destination-port 15102
    set security nat destination rule-set SET_1 rule VOIP_15102 then destination-nat pool VOIP_15102


    set security nat destination pool VOIP_15103 address 10.10.10.10/32
    set security nat destination pool VOIP_15103 address port 15103
    set security nat destination rule-set SET_1 rule VOIP_15103 match source-address 0.0.0.0/0
    set security nat destination rule-set SET_1 rule VOIP_15103 match destination-address 74.125.225.179/32
    set security nat destination rule-set SET_1 rule VOIP_15103 match destination-port 15103
    set security nat destination rule-set SET_1 rule VOIP_15103 then destination-nat pool VOIP_15103


    set security nat destination pool VOIP_15104 address 10.10.10.10/32
    set security nat destination pool VOIP_15104 address port 15104
    set security nat destination rule-set SET_1 rule VOIP_15104 match source-address 0.0.0.0/0
    set security nat destination rule-set SET_1 rule VOIP_15104 match destination-address 74.125.225.179/32
    set security nat destination rule-set SET_1 rule VOIP_15104 match destination-port 15104
    set security nat destination rule-set SET_1 rule VOIP_15104 then destination-nat pool VOIP_15104


    set security nat destination pool VOIP_15105 address 10.10.10.10/32
    set security nat destination pool VOIP_15105 address port 15105
    set security nat destination rule-set SET_1 rule VOIP_15105 match source-address 0.0.0.0/0
    set security nat destination rule-set SET_1 rule VOIP_15105 match destination-address 74.125.225.179/32
    set security nat destination rule-set SET_1 rule VOIP_15105 match destination-port 15105
    set security nat destination rule-set SET_1 rule VOIP_15105 then destination-nat pool VOIP_15105

     

     

    You get the idea.  Another handy trick to get this into the configuration of the SRX: after you save this output to a text file and either scp it to your SRX or open the vi editor directly in the SRX bash shell (run "start shell" from the CLI mode > prompt on the SRX and paste it in), you can then go into configure mode of the JUNOS CLI and run "load set filename.txt".  I had to append this set file with the "display set" output of the existing configuration, otherwise it looked like it was going to remove everything else, but after I did that it worked quite nicely.

     

    Hope that helps everyone, take care.
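    As an added example (not part of the post above), the same generator written as a reusable shell function that takes the name prefix, rule-set, external and internal addresses and the port range as arguments, and validates the range before emitting anything, so a mistyped bound cannot silently produce hundreds of bogus rules. All addresses and names in the usage are constructed sample values.

```bash
#!/usr/bin/env bash
# Added example, not from the original post or from Juniper.
# gen_dnat_rules PREFIX RULESET EXTERNAL_IP INTERNAL_IP FIRST_PORT LAST_PORT
# Prints Junos "set" commands: one destination-NAT pool and one rule per port,
# mirroring the per-port layout used in the post above.
gen_dnat_rules() {
    prefix=$1 ruleset=$2 ext=$3 int=$4 first=$5 last=$6
    # Reject empty or non-numeric bounds before any arithmetic is attempted.
    for v in "$first" "$last"; do
        case "$v" in ''|*[!0-9]*) echo "port bounds must be numeric" >&2; return 1;; esac
    done
    # Reject out-of-range or reversed ranges.
    if [ "$first" -lt 1 ] || [ "$last" -gt 65535 ] || [ "$first" -gt "$last" ]; then
        echo "invalid port range $first-$last" >&2
        return 1
    fi
    p=$first
    while [ "$p" -le "$last" ]; do
        name="${prefix}_${p}"
        printf 'set security nat destination pool %s address %s/32\n' "$name" "$int"
        printf 'set security nat destination pool %s address port %s\n' "$name" "$p"
        # source-address 0.0.0.0/0 matches any client, as in the post; narrow it
        # to known peer networks if the service is not meant to be public.
        printf 'set security nat destination rule-set %s rule %s match source-address 0.0.0.0/0\n' "$ruleset" "$name"
        printf 'set security nat destination rule-set %s rule %s match destination-address %s/32\n' "$ruleset" "$name" "$ext"
        printf 'set security nat destination rule-set %s rule %s match destination-port %s\n' "$ruleset" "$name" "$p"
        printf 'set security nat destination rule-set %s rule %s then destination-nat pool %s\n' "$ruleset" "$name" "$name"
        p=$((p + 1))
    done
}

# Number of set lines a given range would produce; useful to sanity-check
# before loading the file into the candidate configuration.
count_dnat_rules() {
    gen_dnat_rules "$@" | wc -l | tr -d ' '
}

# Constructed sample usage: three ports, written to a file for "load set".
gen_dnat_rules VOIP SET_1 203.0.113.10 10.10.10.10 15100 15102 > dnat-voip.set
```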



  • 5.  RE: Destination NAT port range

    Posted 07-30-2012 23:37
    Also notable - since this post is already bumped - 10.4R9 and up now allows specifying a port range in static-nat, still not for destination nat however.