SRX Destination NAT

last person joined: 15 hours ago

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

Back to discussions

Expand all | Collapse all

SRX Destination NAT

Jump to Best Answer

Erdem12-23-2014 08:05

Hoping someone can help me with this config question that I can't figure out. I am looking to setup a ...

p.k12-28-2014 08:15Best Answer

Hi The config like this should work lab@jlab# show nat { destination { ...

1. SRX Destination NAT

0 Recommend
Erdem
Posted 12-23-2014 08:05

Reply Reply Privately
Hoping someone can help me with this config question that I can't figure out. I am looking to setup a VoIP phone server on a network I support. They need various services forwarded to their servers from the public IP addres for managment and functionality. Everything was good when they had one device, but now they added another for expansion, and I can't figure out how to forward based on the port. Here is what I need:

TCP 22 (SSH) to 192.168.10.17 UDP 69 (TFTP) to 192.168.10.17 UDP 123 (NTP) to 192.168.10.17 UDP 33000-33070 (RTP/RTCP Softphone) to 192.168.10.17 UDP 5060-5061 (SIP) to 192.168.10.17 UDP 21000–21239 (SBC) to 192.168.10.17 TCP 7100-7505 (UI /MXIE) to 192.168.10.17 UDP 20000-20999 (RTP) to 192.168.10.18 UDP 75 (MX Cluster) to 192.168.10.17

and here is the relavant config

nat { } destination { pool dest-nat-zultys-main { address 192.168.10.17/32; } pool dest-nat-zultys-rtp { address 192.168.10.18/32; } } rule-set ruleset-inbound { from interface ge-0/0/0.0; rule r5 { match { destination-address A.Public.IP.Addr/32; } then { destination-nat { pool { dest-nat-zultys-main; } } } } } } policies { } from-zone untrust to-zone trust { policy server-zultys { match { source-address any; destination-address zultys-main; application any; } then { permit; } } } zones { security-zone trust { address-book { address zultys-main 192.168.10.17/32; address zultys-rtp 192.168.10.18/32; }

So, any thoughts. Some of the research I am seeing says this can't be done, but none of what I have seen has gotten this to work.
2. RE: SRX Destination NAT
Best Answer

0 Recommend
p.k
Posted 12-28-2014 08:15

Reply Reply Privately
Hi

The config like this should work

lab@jlab# show nat { destination { pool dest-nat-zultys-main { address 192.168.10.17/32; } pool dest-nat-zultys-rtp { address 192.168.10.18/32; } rule-set ruleset-inbound { from interface ge-0/0/0.0; rule r1 { match { destination-address 1.1.1.1/32; destination-port { 20000 to 20999; } } then { destination-nat { pool { dest-nat-zultys-rtp; } } } } rule r5 { match { destination-address 1.1.1.1/32; } then { destination-nat { pool { dest-nat-zultys-main; } } } } } } } policies { from-zone untrust to-zone trust { policy server-zultys { match { source-address any; destination-address [ zultys-main zultys-rtp ]; application any; } then { permit; } } } } zones { security-zone trust { address-book { address zultys-main 192.168.10.17/32; address zultys-rtp 192.168.10.18/32; } } }

However note that matching on port range is only supported in latest version to date, 12.1X47, which may be not as stable as the recommended one.

Also the policies should be more granular and permit only the allowed ports, not "any" application as in my example.

SRX

SRX Destination NAT

Erdem12-23-2014 08:05

p.k12-28-2014 08:15Best Answer

1. SRX Destination NAT

2. RE: SRX Destination NAT Best Answer

2. RE: SRX Destination NAT
Best Answer