Hello Everybody,
I've been breaking my head on how to change management to different ports and limit it to the correct source IPs. When I was in bed last night, an idea popped into my head, which I just tested. All seems to work fine and I want to share it with you, for a few kudos 😉
This example is based on ssh/port 22, which I want available from port 1022 on the public IP. I don't see any limitation in doing this with other services like http/https or ftp, but did not yet test this.
Step 1
Create a loopback interface with a dummy ip address:
[edit interfaces lo0]
root@core-router# show
unit 0 {
    family inet {
        address 1.1.1.1/32;
    }
}
Step 2
Enable management services on the loopback interface:
[edit system services]
root@core-router# show
ftp;
ssh;
web-management {
    http {
        interface lo0.0;
    }
    https {
        system-generated-certificate;
        interface lo0.0;
    }
}
Step 3
Create a new zone with a logical name, like mgmt, put the loopback interface in the zone and create an address-book entry for the loopback address. Also enable all host-inbound-traffic on lo0.0:
[edit security zones security-zone mgmt]
root@core-router# show
address-book {
    address mgmt-int 1.1.1.1/32;
}
interfaces {
    lo0.0 {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
    }
}
Step 4
(not sure if this is mandatory) Set source NAT for traffic initiated from the new zone:
(This rule enables source NAT from zone trust and zone mgmt, from any address to any address, to the egress interface IP address)
[edit security nat source]
root@core-router# show
rule-set snat-to-inet {
    from zone [ mgmt trust ];
    to zone untrust;
    rule snat-to-inet {
        match {
            source-address 0.0.0.0/0;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat {
                interface;
            }
        }
    }
}
Step 5
Create a pool with the address of the loopback interface and the destination port of the service (in this case SSH):
[edit security nat destination pool mgmt-22]
root@core-router# show
address 1.1.1.1/32 port 22;
Step 6
Create a destination NAT rule whose destination address is the public interface IP address.
Use the destination port on which you want management to listen (in this case 1022), and the destination-nat pool we created in step 5:
[edit security nat destination rule-set dnat-untrust rule mgmt-22]
root@core-router# show
match {
    source-address 0.0.0.0/0;
    /* x.x.x.x = public ip address!! */
    destination-address x.x.x.x/32;
    destination-port 1022;
}
then {
    destination-nat pool mgmt-22;
}
Step 7
Create a policy from zone untrust to zone mgmt to allow the management traffic:
I chose source any and application any for this test, but you can limit this of course!!!
[edit security policies from-zone untrust to-zone mgmt]
root@core-router# show
policy mgmt {
    match {
        source-address any;
        destination-address mgmt-int;
        application any;
    }
    then {
        permit;
        log {
            session-init;
            session-close;
        }
    }
}
Now you can use port 22 to NAT to a server behind the firewall (yes, I tested it). Do keep in mind that you have to remove ssh (and the other management services) from host-inbound-traffic system-services on the physical untrust interface, so that only dhcp and ping are left:
[edit security zones security-zone untrust interfaces fe-0/0/7.0]
root@core-router# show
host-inbound-traffic {
    system-services {
        dhcp;
        ping;
    }
}
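The same port-1022 management forwarding in set form, as an added example that is not from the original post, with the source restricted to a single admin prefix instead of any (the post says this can be limited but leaves it open). The prefix 203.0.113.0/24, the address name admin-net, the rule-set's "from zone untrust" clause and the narrowing of host-inbound-traffic to ssh only are assumptions; x.x.x.x stays the public IP placeholder.

```junos
# Added example, not from the original post. Loopback + SSH on lo0 as in steps 1-3,
# but host-inbound-traffic narrowed to ssh only (assumption) instead of "all".
set interfaces lo0 unit 0 family inet address 1.1.1.1/32
set system services ssh
set security zones security-zone mgmt address-book address mgmt-int 1.1.1.1/32
set security zones security-zone mgmt interfaces lo0.0 host-inbound-traffic system-services ssh
# Constructed admin prefix; replace with the real management source range.
set security zones security-zone untrust address-book address admin-net 203.0.113.0/24
# Destination NAT (steps 5-6): only admin-net may reach x.x.x.x:1022 -> 1.1.1.1:22.
# The "from zone untrust" clause is assumed; the post does not show it.
set security nat destination pool mgmt-22 address 1.1.1.1/32 port 22
set security nat destination rule-set dnat-untrust from zone untrust
set security nat destination rule-set dnat-untrust rule mgmt-22 match source-address 203.0.113.0/24
set security nat destination rule-set dnat-untrust rule mgmt-22 match destination-address x.x.x.x/32
set security nat destination rule-set dnat-untrust rule mgmt-22 match destination-port 1022
set security nat destination rule-set dnat-untrust rule mgmt-22 then destination-nat pool mgmt-22
# Policy (step 7): source limited to admin-net, application limited to junos-ssh, logged.
set security policies from-zone untrust to-zone mgmt policy mgmt match source-address admin-net
set security policies from-zone untrust to-zone mgmt policy mgmt match destination-address mgmt-int
set security policies from-zone untrust to-zone mgmt policy mgmt match application junos-ssh
set security policies from-zone untrust to-zone mgmt policy mgmt then permit
set security policies from-zone untrust to-zone mgmt policy mgmt then log session-init
set security policies from-zone untrust to-zone mgmt policy mgmt then log session-close
# Keep SSH off the public interface itself, so port 22 on x.x.x.x stays free for the server NAT.
delete security zones security-zone untrust interfaces fe-0/0/7.0 host-inbound-traffic system-services ssh
# Check the rule and the policy after commit.
run show security nat destination rule all
run show security policies policy-name mgmt detail
```

Any source outside admin-net now fails at the destination NAT match before a policy is evaluated, and a logged session-init for policy mgmt can only come from that prefix.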
Example config for NATing port 22 to a server with IP 10.50.2.50:
Step 1
Create a nat pool for the server:
[edit security nat destination pool server-22]
root@core-router# show
address 10.50.2.50/32 port 22;
Step 2
Create a destination-nat rule:
[edit security nat destination rule-set dnat-untrust rule server-22]
root@core-router# show
match {
    source-address 0.0.0.0/0;
    /* x.x.x.x = public ip address!! */
    destination-address x.x.x.x/32;
    destination-port 22;
}
then {
    destination-nat pool server-22;
}
Step 3
Create an address object:
[edit security zones security-zone trust address-book]
root@core-router# show
address server 10.50.2.50/32;
Step 4
Create a security policy to allow traffic to the server:
(Of course you can limit the traffic again to a certain source)
[edit security policies from-zone untrust to-zone trust policy permit-ssh-server]
root@core-router# show
match {
    source-address any;
    destination-address server;
    application junos-ssh;
}
then {
    permit;
    log {
        session-init;
        session-close;
    }
}