SRX Services Gateway
Contributor
Gorf
Posts: 43
Registered: ‎08-04-2010
Ideas on Destination-nat'ing a large number of ports

So we have a game that uses a number of ports. Some of the ports are contiguous, some are not. As far as I can tell (in 10.3 on my SRXs), in the rule-sets for destination NATs you have to create a rule for every single port. There aren't any ranges or terms. Am I missing something? If I have ports to DNAT like 7000, 7100, 7200-7350, does that mean I have to create 151 rules? That seems grossly stupid to me, so I am hoping I am missing something in this.

*snip*
    rule rule-game1-7000 {
        match {
            destination-address 66.x.y.15/32;
            destination-port 7000;
        }
        then {
            destination-nat pool dst-nat-game1-srv1;
        }
    }
    rule rule-game1-7100 {
        match {
            destination-address 66.x.x.15/32;
            destination-port 7100;
        }
        then {
            destination-nat pool dst-nat-game1-srv1;
        }
    }
    rule rule-game1-7200 {
        match {
            destination-address 66.x.x.15/32;
            destination-port 7200;
        }
        then {
            destination-nat pool dst-nat-game1-srv2;
        }
    }
    rule rule-game1-7201 {
        match {
            destination-address 66.x.x.15/32;
            destination-port 7201;
        }
        then {
            destination-nat pool dst-nat-game1-srv2;
        }
    }
}
Super Contributor
arizvi
Posts: 287
Registered: ‎10-21-2008
Re: Ideas on Destination-nat'ing a large number of ports

Hi,

I don't think we have a range for destination port.

But you can remove the destination port, so allowing all ports to get translated into destination-nat pool dst-nat-game1-srv1.

Then you can block the uninteresting ports through policy and allow the interesting ports through policy.

    rule rule-game1-7100 {
        match {
            destination-address 66.x.x.15/32;
            destination-port 7100;    <<<<<<<<REMOVE this<<<<<<<<<<
        }
        then {
            destination-nat pool dst-nat-game1-srv1;
        }
    }

Contributor
Gorf
Posts: 43
Registered: ‎08-04-2010
Re: Ideas on Destination-nat'ing a large number of ports

I don't think you looked at my example very carefully. For each IP there are multiple destination ports, not all of which go to the same private server. That is the challenge here.
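
The two approaches in this thread, one DNAT rule per port (Gorf's expansion, with different pools for different ports) and port filtering pushed into the security policy (arizvi's suggestion), written out as an added worked example. This is not code from the thread or from Juniper: it is a small Python generator that emits Junos `set` commands, assuming the Junos 10.3 behaviour the thread describes (exactly one destination-port per destination-NAT rule, while application definitions used by policies do accept port ranges). The rule-set name, pool names, zone names, addresses and the choice of UDP are all hypothetical. The generator also refuses a port spec that maps one port to two pools, since on the box the first matching rule would silently win.

```python
"""Added example: generate Junos 'set' commands for per-port SRX destination NAT.

Junos 10.3, as stated in the thread, takes one destination-port per dNAT rule, so
every port in the spec becomes its own rule. Security-policy applications do take
ranges, so the policy side is compressed into contiguous runs.  All names are
hypothetical; the input below is constructed to mirror the thread's example.
"""
import re
from typing import Dict, List, Tuple

PUBLIC_IP = "203.0.113.15/32"            # documentation address, stands in for 66.x.x.15
PORT_MAP = {                              # pool name -> port spec in the thread's notation
    "dst-nat-game1-srv1": "7000, 7100",
    "dst-nat-game1-srv2": "7200-7350",
}
POOL_ADDR = {                             # pool name -> private server address (assumed)
    "dst-nat-game1-srv1": "10.0.0.11/32",
    "dst-nat-game1-srv2": "10.0.0.12/32",
}
PROTO = "udp"                             # assumption; the thread never says TCP or UDP


def expand_ports(spec: str) -> List[int]:
    """'7000, 7100, 7200-7350' -> sorted unique ports; rejects inverted/out-of-range values."""
    ports = set()
    for tok in filter(None, re.split(r"[,\s]+", spec.strip())):
        lo, _, hi = tok.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if lo_i > hi_i:
            raise ValueError(f"inverted range {tok!r}")
        if not 1 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"port out of range in {tok!r}")
        ports.update(range(lo_i, hi_i + 1))
    return sorted(ports)


def contiguous_runs(ports: List[int]) -> List[Tuple[int, int]]:
    """[7000, 7100, 7200, 7201] -> [(7000, 7000), (7100, 7100), (7200, 7201)]."""
    runs: List[Tuple[int, int]] = []
    for p in sorted(set(ports)):
        if runs and p == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], p)
        else:
            runs.append((p, p))
    return runs


def port_owners(port_map: Dict[str, str]) -> Dict[int, str]:
    """Port -> pool. Fail loudly if two pools claim one port (rule order would otherwise decide)."""
    owners: Dict[int, str] = {}
    for pool, spec in port_map.items():
        for p in expand_ports(spec):
            if owners.get(p, pool) != pool:
                raise ValueError(f"port {p} mapped to both {owners[p]} and {pool}")
            owners[p] = pool
    return owners


def dnat_rules(port_map: Dict[str, str], public_ip: str, rule_set: str = "rs-game1",
               rule_prefix: str = "rule-game1", from_zone: str = "untrust") -> List[str]:
    """One three-line rule per port: the expansion the thread complains about, generated not typed."""
    base = f"set security nat destination rule-set {rule_set}"
    lines = [f"{base} from zone {from_zone}"]
    for port, pool in sorted(port_owners(port_map).items()):
        rule = f"{base} rule {rule_prefix}-{port}"
        lines += [f"{rule} match destination-address {public_ip}",
                  f"{rule} match destination-port {port}",
                  f"{rule} then destination-nat pool {pool}"]
    return lines


def policy_lines(port_map: Dict[str, str], pool_addr: Dict[str, str], proto: str,
                 from_zone: str = "untrust", to_zone: str = "trust") -> List[str]:
    """Pools, zone address book, one application per pool (ranges allowed here) and one permit
    policy per pool. Policies match the post-NAT (private) address, so the address book holds it."""
    lines: List[str] = []
    for pool, spec in port_map.items():
        addr, name = pool_addr[pool], pool.replace("dst-nat-", "")
        lines.append(f"set security nat destination pool {pool} address {addr}")
        lines.append(f"set security zones security-zone {to_zone} address-book address {name} {addr}")
        for i, (lo, hi) in enumerate(contiguous_runs(expand_ports(spec)), 1):
            rng = str(lo) if lo == hi else f"{lo}-{hi}"
            lines.append(f"set applications application app-{name} term t{i} "
                         f"protocol {proto} destination-port {rng}")
        pol = f"set security policies from-zone {from_zone} to-zone {to_zone} policy allow-{name}"
        lines += [f"{pol} match source-address any", f"{pol} match destination-address {name}",
                  f"{pol} match application app-{name}", f"{pol} then permit"]
    return lines


def rule_count(port_map: Dict[str, str]) -> int:
    """Number of dNAT rules the expansion produces (7000, 7100, 7200-7350 -> 153, not 151)."""
    return len(port_owners(port_map))


if __name__ == "__main__":
    print("\n".join(policy_lines(PORT_MAP, POOL_ADDR, PROTO) + dnat_rules(PORT_MAP, PUBLIC_IP)))
```

Run it and paste the output into `edit` mode with `load set terminal`, then `show | compare` before `commit`. Two caveats a practitioner would want: the example in the question actually expands to 153 ports (7000, 7100 and the 151 ports 7200-7350), and every SRX model and release enforces a maximum number of rules per NAT rule-set, so check that limit for your platform before committing an expansion of this size.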

Visitor
Tim_Evans
Posts: 6
Registered: ‎04-27-2010
Re: Ideas on Destination-nat'ing a large number of ports

I've yet to come across a way to do this as you want. I had exactly the same problem recently migrating 130 Equiinet Cachepilots to the SRX210: a single external address with NATs going to different hosts on different ports. Thankfully there were only a few sites that had only modest port ranges and nothing like what you are trying to do, otherwise I'd have broken down in tears.

If there's a clever way to achieve this relatively simple task (I'd go as far as to say basic firewalling task), I've yet to find anyone with an explanation or a working example (or even a not-working one!). If you happen to find one, please share it around, as this is a question I see popping up often.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.