SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Port forward / Destination NAT

    Posted 06-06-2015 11:17

    Hello.

    I am having trouble understanding how to set up a port forward on my Juniper SRX100. I know that I must use destination NAT, but I find it very advanced to set up. What I am looking to do is have incoming data for port 5111 forwarded to a specific IP on my subnet (e.g. 192.168.10.70). Can anyone help me with this? I will post my current configuration below in case it is necessary:

    ## Last changed: 2015-06-02 13:46:33 CEST
    version 11.2R4.3;
    system {
        host-name srx100b;
        time-zone Europe/Copenhagen;
        root-authentication {
            encrypted-password "$1$EGzp.PqP$zgzLGDehNwe0M6yXLGfo71"; ## SECRET-DATA
        }
        name-server {
            8.8.8.8;
            208.67.222.222;
            208.67.220.220;
        }
        services {
            ssh;
            telnet;
            xnm-clear-text;
            web-management {
                http {
                    interface vlan.0;
                }
                https {
                    system-generated-certificate;
                    interface vlan.0;
                }
            }
            dhcp {
                router {
                    192.168.10.1;
                }
                pool 192.168.10.0/24 {
                    address-range low 192.168.10.2 high 192.168.10.9;
                }
                propagate-settings fe-0/0/0.0;
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    interfaces {
        fe-0/0/0 {
            unit 0 {
                family inet {
                    dhcp;
                }
            }
        }
        fe-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 192.168.10.1/24;
                }
            }
        }
    }
    protocols {
        stp;
    }
    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0;
                }
            }
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    fe-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                            }
                        }
                    }
                }
            }
        }
    }
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
    }

    Thanks in advance!



  • 2.  RE: Port forward / Destination NAT

    Posted 06-06-2015 15:14
    I've found this guide:
    http://www.juniper.net/documentation/en_US/junos12.1/topics/example/nat-security-destination-address-port-translation-configuring.html

    But in that guide they say that the uplink interface is 1.1.1.200. My question is, how do I know what to use for my network? If the router receives its IP via DHCP, it might change every time?


  • 3.  RE: Port forward / Destination NAT

    Posted 06-06-2015 17:36

    Since you won't know the IP address, just drop that line from the match criteria, and add a line for protocol tcp to make the port match as specific as possible. Since your rule will specify inbound traffic from the untrust zone to TCP 5111, only the desired traffic will hit the rule and have the destination NAT performed.

    You can also specify interface instead of zone if you had more traffic in the untrust zone than this single interface.



  • 4.  RE: Port forward / Destination NAT

    Posted 06-07-2015 01:22

    Thanks for the answer. Will it be something like this?

    security {
        nat {
            destination {
                pool dst-nat-pool-1 {
                    address 192.168.10.70/32 port 5111;
                }
                rule-set rs1 {
                    from zone untrust;
                    rule r1 {
                        match {
                            destination-port 5111;
                        }
                        then {
                            destination-nat pool dst-nat-pool-1;
                        }
                    }
                }
            }
        }
        address-book {
            global {
                address server-1 192.168.10.70/32;
            }
        }
        policies {
            from-zone untrust to-zone trust {
                policy server-access {
                    match {
                        source-address any;
                        destination-address [ server-1 ];
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
    }

    I don't quite understand what you mean by "add a line for protocol tcp to make the port match the most specific possible"?

    Thanks in advance.



  • 5.  RE: Port forward / Destination NAT

    Posted 06-07-2015 05:16

    I've now tried it and have found out that it is not possible to simply "drop the destination address from the match criteria": I can't leave the destination address blank, it forces me to type an IP. I have tried typing in "any" and using wildcards (*) but nothing works. Any suggestions?



  • 6.  RE: Port forward / Destination NAT

    Posted 06-07-2015 05:33

    I have found out that you could input "0.0.0.0/0" as destination address - would this get the correct behaviour?



  • 7.  RE: Port forward / Destination NAT

    Posted 06-07-2015 11:29

    Jonas,

    For destination NAT to work for port forwarding, match the destination address as the public address and the destination port as the public-facing port which needs to be accessible from the internet.

    The "then" statement should consist of a destination NAT pool which would redirect or un-NAT the requests to the internal (original) IP of the server along with the port.

    Here is an example:

    Public-facing IP is 172.16.1.2/32 listening on port 2222
    Internal IP is 192.168.1.5/32 listening on port 22
    
    set security nat destination pool dnat-192_168 address 192.168.1.5/32
    set security nat destination pool dnat-192_168 address port 22
    
    set security nat destination rule-set dst-nat from zone untrust
    
    set security nat destination rule-set dst-nat rule rule1 match destination-address 172.16.1.2/32
    set security nat destination rule-set dst-nat rule rule1 match destination-port 2222
    set security nat destination rule-set dst-nat rule rule1 then destination-nat pool dnat-192_168

    Hope this helps.

    Please mark as solution if this resolves your issue.

    Regards,

    Sahil
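
The flow that posts 3, 6 and 7 describe, modelled as an added example (written for this page, not code from the thread or from Juniper): destination NAT is matched first, on the pre-NAT public address and port (0.0.0.0/0 standing in for a DHCP-assigned untrust address, plus protocol tcp as post 3 suggests), and the untrust-to-trust policy is then evaluated against the translated address, which is why the policy in post 4 names the internal host server-1 rather than the public IP. The zone, pool, rule and address-book names are the thread's; the packet structure, the trust-subnet zone lookup and the sample public address 203.0.113.7 are constructed for the example, and the set-command renderer is my own rendering of the same statements. It also goes one step past the thread by allowing a custom application in the policy instead of application any.

```python
"""Added example (not from the thread or Juniper): SRX applies destination NAT
before the policy lookup. Scenario: TCP 5111 on a DHCP-addressed untrust
interface forwarded to 192.168.10.70. Names come from the thread; the packet
type, zone lookup and public address 203.0.113.7 are constructed here.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

TRUST_NET = ip_network("192.168.10.0/24")   # the thread's vlan.0 subnet


@dataclass(frozen=True)
class Packet:
    from_zone: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class DnatRule:
    name: str
    from_zone: str
    dst_net: str              # Junos requires destination-address; 0.0.0.0/0 covers a DHCP-assigned public IP
    dport: int
    proto: Optional[str]      # "tcp" narrows the match (post 3); None matches any protocol
    pool: str
    pool_addr: str
    pool_port: int


@dataclass(frozen=True)
class Policy:
    name: str
    from_zone: str
    to_zone: str
    dst_book: str             # address-book entry name (server-1)
    dst_net: str              # its value; the policy matches the post-NAT address
    app: Optional[Tuple[str, int]]   # (proto, port) for a custom application, None = application any


def apply_dnat(pkt: Packet, rules):
    """Stage 1 of the flow: destination NAT is matched on the untranslated packet."""
    for r in rules:
        if (pkt.from_zone == r.from_zone
                and ip_address(pkt.dst) in ip_network(r.dst_net)
                and pkt.dport == r.dport
                and r.proto in (None, pkt.proto)):
            return replace(pkt, dst=r.pool_addr, dport=r.pool_port), r.name
    return pkt, None


def zone_of(addr: str) -> str:
    """Stand-in for the route lookup that selects the egress zone (constructed)."""
    return "trust" if ip_address(addr) in TRUST_NET else "untrust"


def evaluate(pkt: Packet, rules, policies):
    """Stage 2: policy lookup on the translated packet. Returns (verdict, rule hit, dst, dport)."""
    translated, hit = apply_dnat(pkt, rules)
    to_zone = zone_of(translated.dst)
    for p in policies:
        if (p.from_zone == translated.from_zone and p.to_zone == to_zone
                and ip_address(translated.dst) in ip_network(p.dst_net)
                and (p.app is None or p.app == (translated.proto, translated.dport))):
            return "permit", hit, translated.dst, translated.dport
    return "deny", hit, translated.dst, translated.dport   # no policy matched: SRX default deny


def set_commands(r: DnatRule, p: Policy, rule_set: str = "rs1"):
    """Render the model as Junos set commands (the same statements post 7 uses, with the thread's values)."""
    nat = "set security nat destination"
    rule = f"{nat} rule-set {rule_set} rule {r.name}"
    cmds = [
        f"{nat} pool {r.pool} address {r.pool_addr}/32 port {r.pool_port}",
        f"{nat} rule-set {rule_set} from zone {r.from_zone}",
        f"{rule} match destination-address {r.dst_net}",
        f"{rule} match destination-port {r.dport}",
    ]
    if r.proto:
        cmds.append(f"{rule} match protocol {r.proto}")
    cmds.append(f"{rule} then destination-nat pool {r.pool}")
    app_name = "any"
    if p.app:   # tighter than the thread's "application any": one custom application for the forwarded port
        app_name = f"{p.app[0]}-{p.app[1]}"
        cmds.append(f"set applications application {app_name} protocol {p.app[0]} destination-port {p.app[1]}")
    pol = f"set security policies from-zone {p.from_zone} to-zone {p.to_zone} policy {p.name}"
    cmds += [
        f"set security address-book global address {p.dst_book} {p.dst_net}",
        f"{pol} match source-address any",
        f"{pol} match destination-address {p.dst_book}",
        f"{pol} match application {app_name}",
        f"{pol} then permit",
    ]
    return cmds


R1 = DnatRule("r1", "untrust", "0.0.0.0/0", 5111, "tcp", "dst-nat-pool-1", "192.168.10.70", 5111)
SERVER_ACCESS = Policy("server-access", "untrust", "trust", "server-1", "192.168.10.70/32", None)

if __name__ == "__main__":
    print("\n".join(set_commands(R1, SERVER_ACCESS)))
    for probe in (Packet("untrust", "203.0.113.7", "tcp", 5111),
                  Packet("untrust", "203.0.113.7", "udp", 5111),
                  Packet("untrust", "203.0.113.7", "tcp", 5112)):
        print(probe.proto, probe.dport, "->", evaluate(probe, [R1], [SERVER_ACCESS]))
```

Running it prints the set commands and three verdicts: only TCP 5111 is translated and permitted, while UDP 5111 and TCP 5112 never match the NAT rule, are never routed to the trust zone, and fall through to the default deny. Setting `app` to `("tcp", 5111)` on the policy keeps the same verdicts but replaces `application any` with a single custom application, so the permit covers only the forwarded port on the server.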