10-20-2011 01:32 AM
Destination NAT does not work for my FTP server. The connection to the Internet goes through an ADSL modem that connects to the SRX. The FTP server's IP address is 172.30.0.20/32.
/* Physical/logical interfaces. Zone membership is assigned under security zones below. */
interfaces {
    /* LAN side. The FTP server (172.30.0.20, see question text) sits in this /24. */
    ge-0/0/0 {
        description "To LAN(Cisco 2960)";
        vlan-tagging;
        unit 4 {
            description "To LAN";
            vlan-id 4;
            family inet {
                address 172.30.0.230/24;
            }
        }
    }
    /* WAN side. 62.118.2.205 is the public address the destination-NAT rules match on.
     * NOTE(review): no "filter input external" is attached here, so the firewall filter
     * "external" defined further down is not in effect on this interface as shown. */
    fe-0/0/7 {
        description "To WAN(ADSL Modem)";
        unit 0 {
            family inet {
                address 62.118.2.205/26;
            }
        }
    }
    /* Internal VLAN interface, member of zone trust. */
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
routing-options {
    static {
        /* Default route towards the ADSL side; 62.118.2.193 is in the same /26 as fe-0/0/7. */
        route 0.0.0.0/0 next-hop 62.118.2.193;
        /* Second LAN subnet reachable through a router on the ge-0/0/0.4 segment. */
        route 172.30.1.0/24 next-hop 172.30.0.1;
    }
}
security {
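/* NAT configuration.
 * Fix: within a rule-set, NAT rules are evaluated top-down and the first match wins.
 * The original order had r1 (0.0.0.0/0 -> interface NAT) before r2 (172.30.0.111/32 -> off),
 * so r2 could never match and 172.30.0.111 was always translated. The exempt rule now
 * comes first; rule names and contents are unchanged. */
nat {
    source {
        rule-set rs1 {
            from zone trust;
            to zone untrust;
            /* Specific exemption first: this host leaves with its own address. */
            rule r2 {
                match {
                    source-address 172.30.0.111/32;
                }
                then {
                    source-nat {
                        off;
                    }
                }
            }
            /* Catch-all: everything else is translated to the egress interface address. */
            rule r1 {
                match {
                    source-address 0.0.0.0/0;
                    destination-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
        }
    }
    destination {
        /* Pools map the public address to the internal FTP server, same port numbers. */
        pool FTP {
            address 172.30.0.20/32 port 20;
        }
        pool FTP-command {
            address 172.30.0.20/32 port 21;
        }
        rule-set FTP {
            from zone untrust;
            /* NOTE(review): FTP data connections are either opened by the server from
             * port 20 (active) or by the client to a port announced in PASV (passive);
             * inbound connections *to* TCP/20 are not how the data channel is set up,
             * so this rule is unlikely to match real FTP traffic. The FTP ALG handles
             * the data channel once the control channel (port 21) is translated — confirm
             * before removing. */
            rule ftp-data {
                match {
                    destination-address 62.118.2.205/32;
                    destination-port 20;
                }
                then {
                    destination-nat pool FTP;
                }
            }
            /* Control channel. The matched address is the fe-0/0/7 interface address
             * itself, so no proxy-ARP entry should be required for it. */
            rule ftp-command {
                match {
                    destination-address 62.118.2.205/32;
                    destination-port 21;
                }
                then {
                    destination-nat pool FTP-command;
                }
            }
        }
    }
}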
/* Screen (IDS option) profile; bound to zone untrust below. */
screen {
    ids-option untrust-screen {
        icmp {
            ping-death;
        }
        ip {
            source-route-option;
            tear-drop;
        }
        tcp {
            /* SYN-flood protection thresholds and timeout. */
            syn-flood {
                alarm-threshold 1024;
                attack-threshold 200;
                source-threshold 1024;
                destination-threshold 2048;
                timeout 20;
            }
            land;
        }
    }
}
zones {
    /* Internal zone: both LAN-facing logical interfaces.
     * host-inbound-traffic all/all lets every management service and routing protocol
     * reach the SRX itself from these interfaces — broad, but only from the inside. */
    security-zone trust {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            vlan.0;
            ge-0/0/0.4;
        }
    }
    /* Internet-facing zone with the screen profile attached.
     * NOTE(review): the intent of "all { except; }" appears to be "allow nothing to the
     * device itself from untrust" — confirm this form commits and behaves as intended;
     * "except" is normally used on an individual service under an enabling "all". */
    security-zone untrust {
        screen untrust-screen;
        host-inbound-traffic {
            system-services {
                all {
                    except;
                }
            }
            protocols {
                all {
                    except;
                }
            }
        }
        interfaces {
            fe-0/0/7.0;
        }
    }
}
policies {
    /* Outbound: everything from the LAN to the Internet is permitted. */
    from-zone trust to-zone untrust {
        policy trust-to-untrust {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    /* Inbound: any/any/any permit. Destination NAT only rewrites the address; this policy
     * is what actually admits the traffic, and as written it admits anything from untrust
     * that is routed into trust, not just the FTP server.
     * NOTE(review): restricting destination-address to the FTP server and the application
     * to FTP would limit exposure to what the NAT rules are meant to publish. */
    from-zone untrust to-zone trust {
        policy untrust-to-trust {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
}
}
/* Stateless firewall filter. Not referenced by any interface in the configuration shown.
 * NOTE(review): "port 22" matches either source or destination port 22, and a filter ends
 * with an implicit discard of everything not matched by a term — as written, with a single
 * discard term and no accept term, applying this filter to an interface would drop all
 * traffic on it, including the FTP traffic this configuration is trying to publish. */
firewall {
    family inet {
        filter external {
            term ssh_from_outside {
                from {
                    port 22;
                }
                then {
                    discard;
                }
            }
        }
    }
}
/* Custom application definitions; none of these is referenced by the policies above,
 * which all use "application any". */
applications {
    application RDP {
        protocol tcp;
        destination-port 3389;
    }
    /* NOTE(review): "source-port smtp" requires the client to connect from port 25;
     * clients normally use an ephemeral source port, so this may not match real
     * SMTP sessions — confirm the intent. */
    application SMTP {
        protocol tcp;
        source-port smtp;
        destination-port 25;
    }
    /* ALG-only definitions with no protocol/port match of their own. */
    application DNS application-protocol dns;
    application FTP application-protocol ftp;
}
10-20-2011 07:41 AM
My guess is that you need proxy-ARP for 172.30.0.20 on interface ge-0/0/0; you configure this under security nat proxy-arp. Also, one NAT rule should be enough: the FTP ALG should take care of translating the data stream when you only configure the command (control) stream.