Since this thread seems to be the top google hit on this issue:
* There is a way to hack this a bit and get inbound port ranges working with 'nat destination'
* Yes, it sucks that dest pools STILL (2018) do not support port ranges.
* Yes, it sucks that you cannot use 'nat static' if your ISP provides you with a dynamic IP address for the SRX.
* Yes, ScreenOS was a lot easier to configure for this.
Here's what I did (similar to what obi-lan said):
In my case, mosh (which is really awesome, so I don't use classic ssh anymore) defaults to udp 60000-61000.
I get a dynamic IP from my ISP.
In the nat destination rule-set, add a rule that matches on the port range:
```
rule RIG-MOSH {
    match {
        destination-address 0.0.0.0/0;
        destination-port {
            60000 to 61000;
        }
    }
    then {
        destination-nat {
            pool {
                RIG-MOSH-INT;
            }
        }
    }
}
```
Create the nat destination pool, use dest server's IP only (no port #'s):
```
pool RIG-MOSH-INT {
    address 192.168.1.77/32;
}
```
Create the policy that limits access to 60000-61000:
```
from-zone untrust to-zone trust {
    policy allow-rig-mosh {
        match {
            source-address any;
            destination-address RIG;
            application MOSH;
        }
        then {
            permit {
                destination-address {
                    drop-untranslated;
                }
            }
        }
    }
}
```
Where application is:
```
applications {
    application MOSH {
        protocol udp;
        destination-port 60000-61000;
    }
}
```
Donn
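The three fragments above only work together if the NAT rule's port match, the pool (host only, no port), the address-book entry and the policy's application all line up. The following is the same configuration collected into set-form commands; it is an added example, not part of Donn's post, and the rule-set name INBOUND, the `from zone untrust` binding, and the global address-book entry RIG (referenced by the policy but not shown in the post) are assumptions.

```junos
# Added example, not from the original post.
# Assumed names: rule-set INBOUND, global address-book entry RIG.
# All IPs, ports and object names otherwise mirror the post.

# Destination NAT pool: host address only, no port. Because the pool carries
# no port, the original destination port is preserved, which is what lets a
# whole range pass through a single rule.
set security nat destination pool RIG-MOSH-INT address 192.168.1.77/32

# Destination NAT rule-set bound to the untrust zone; the rule matches the
# mosh UDP range and sends it to the pool.
set security nat destination rule-set INBOUND from zone untrust
set security nat destination rule-set INBOUND rule RIG-MOSH match destination-address 0.0.0.0/0
set security nat destination rule-set INBOUND rule RIG-MOSH match destination-port 60000 to 61000
set security nat destination rule-set INBOUND rule RIG-MOSH then destination-nat pool RIG-MOSH-INT

# Address-book entry the policy refers to (assumed to live in the global book).
set security address-book global address RIG 192.168.1.77/32

# Custom application bounding the policy to the mosh UDP range.
set applications application MOSH protocol udp
set applications application MOSH destination-port 60000-61000

# Security policy is evaluated on the post-NAT destination, so it matches the
# internal host; the application keeps the exposed surface to 60000-61000/udp.
# drop-untranslated discards packets the NAT rule did not rewrite.
set security policies from-zone untrust to-zone trust policy allow-rig-mosh match source-address any
set security policies from-zone untrust to-zone trust policy allow-rig-mosh match destination-address RIG
set security policies from-zone untrust to-zone trust policy allow-rig-mosh match application MOSH
set security policies from-zone untrust to-zone trust policy allow-rig-mosh then permit destination-address drop-untranslated
```

Since the pool no longer constrains the port, the only things bounding what reaches 192.168.1.77 are the `destination-port` match in the NAT rule and the MOSH application in the policy; keep those two ranges identical, otherwise a port NATed by the rule but outside the application is silently dropped (or, if the application is wider than the rule, the policy permits more than the NAT ever delivers). After committing, `show security nat destination rule all` shows hit counts per rule, which is the quickest way to confirm traffic in the range is actually matching RIG-MOSH.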