SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX port forwarding/translation

    Posted 07-27-2011 10:19

    I've got a host in my DMZ (private IP addressing) that I need external access to. However, I don't want the service exposed on the default port.  Due to other restrictions on the server, I can't change this port.

     

    How can I reconfigure the SRX to translate this to another port? The O'Reilly JUNOS Security book doesn't appear to address this scenario.

     

    e.g. host in untrust zone makes request to n.n.n.n:2345. SRX translates that to DMZ host y.y.y.y:22

     

    Many thanks,

    Ken



  • 2.  RE: SRX port forwarding/translation

    Posted 07-27-2011 10:52

    This is just normal destination-based NAT, but you will add the destination-port to the pool.  When you leave the destination-port out of the pool configuration it simply does NAT. By adding the destination-port you are telling it to perform a PAT operation as well.

     

    Simply add 'set security nat destination pool <pool-name> port <translated-port>'

     

    HTHs!



  • 3.  RE: SRX port forwarding/translation

    Posted 08-01-2011 14:42

    Hmm.  Maybe I'm not completely understanding, because what I've tried isn't working:

     

    root@tdsfw01> show configuration security zones security-zone trust
    address-book {
        address mercury 192.168.168.202/32;
    }
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        vlan.0;
        vlan.100;
        vlan.69;
    }
    
    root@tdsfw01> show configuration security nat destination
    pool mercury {
        address 192.168.168.202/32 port 22;
    }
    
    root@tdsfw01> show configuration security policies from-zone untrust to-zone trust
    policy untrust-to-trust {
        match {
            source-address any;
            destination-address mercury;
            application ssh-2468;
        }
        then {
            permit;
            log {
                session-init;
            }
            count;
        }
    }

     Then looking at the counters I see no activity after external testing:

     

    root@tdsfw01> show security policies from-zone untrust to-zone trust detail
    Policy: untrust-to-trust, action-type: permit, State: enabled, Index: 6, Scope Policy: 0
      Policy Type: Configured
      Sequence number: 1
      From zone: untrust, To zone: trust
      Source addresses:
        any-ipv4: 0.0.0.0/0
        any-ipv6: ::/0
      Destination addresses:
        mercury: 192.168.168.202/32
      Application: ssh-2468
        IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
          Source port range: [0-0]
          Destination port range: [2468-2468]
      Session log: at-create
      Policy statistics:
        Input  bytes     :                    0                    0 bps
        Output bytes     :                    0                    0 bps
        Input  packets   :                    0                    0 pps
        Output packets   :                    0                    0 pps
        Session rate     :                    0                    0 sps
        Active sessions  :                    0
        Session deletions:                    0
        Policy lookups   :                    0

     

    Thanks,

    Ken



  • 4.  RE: SRX port forwarding/translation

    Posted 08-01-2011 16:27

    Your destination NAT configuration is missing a rule-set, to actually match the correct traffic and apply the NAT to it.

     

    In your case, it might look something like this:

     

    rule-set ssh-to-mercury {
      from zone untrust;
      rule 1 {
        match {
          destination-address 100.99.98.1/32;
          destination-port 2468;
        }
        then {
          destination-nat pool mercury;
        }
      }
    }

    Naturally you would replace the destination address with the real public IP.



  • 5.  RE: SRX port forwarding/translation

    Posted 08-01-2011 16:55

    Thanks. Gave it a try, but no dice.  (Sorry if this is simple. I'm new to SRX).

     

    root@tdsfw01> show configuration security nat destination
    pool mercury {
        address 192.168.168.202/32 port 22;
    }
    rule-set ssh-to-mercury {
        from zone untrust;
        rule ssh-xlate {
            match {
                destination-address n.n.n.n/32;
                destination-port 2468;
            }
            then {
                destination-nat pool mercury;
            }
        }
    }
    
    root@tdsfw01>

    (n.n.n.n is the public internet-accessible IP of the firewall, and the IP all internal hosts are NAT'd behind).

     

    I've confirmed the NAT rule is being hit and the counter is increasing:

     

    root@tdsfw01> show security nat destination rule all
    Total destination-nat rules: 1
    
    Destination NAT rule: ssh-xlate            Rule-set: ssh-to-mercury
      Rule-Id                    : 1
      Rule position              : 1
      From zone                  : untrust
        Destination addresses    : n.n.n.n  - n.n.n.n
      Action                     : mercury
      Destination port           : 2468
      Translation hits           : 10

     



  • 6.  RE: SRX port forwarding/translation
    Best Answer

    Posted 08-01-2011 17:12

    Oops, forgot to mention that the destination NAT happens before the security policies are checked.

     

    You can reference the packet flow diagram here:

     

    http://docs.google.com/viewer?a=v&q=cache:xaUPg9YadB0J:jnpr.net/us/en/local/pdf/app-notes/3500151-en.pdf+srx+packet+flow+diagram&hl=en&gl=us&pid=bl&srcid=ADGEEShZajbbnGb8NqKP71wh_DNFkh-xJGZryQeN5u3vM0Xk1Gj68th3E1m1g2abj4L1NWY4PMJ9MdrkHDLWBh3eVQJNR8YRMG7hmJIj5dtqPfewUXrXG_nVQ6XxbWT-Vcw6iYovCb1b&sig=AHIEtbTF3BOveu7ZPJAMzO2adtQs7t_Qmw

     

    On page 5.

     

    So, you will need to set your security policy to allow port 22, rather than port 2468.



  • 7.  RE: SRX port forwarding/translation

    Posted 08-02-2011 11:03

    Solved! Adding 'junos-ssh' to the security policy made it happen. I can now reach my internal server via ssh using a different port externally.

     

    Thanks!

     



  • 8.  RE: SRX port forwarding/translation

    Posted 08-02-2011 15:02

    @kenspi wrote:

    Solved! Adding 'junos-ssh' to the security policy made it happen. I can now reach my internal server via ssh using a different port externally.


    Glad you got it working.  Just a quick note -- the only application you need in the security policy is port 22 (junos-ssh); you don't need the port 2468 application allowed there.  The destination NAT translates it to port 22 before it ever hits the security policy.
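    The ordering described in the two replies above, as an added Python model (not Junos code, and not from anyone in this thread): destination NAT runs before the policy lookup, so a policy matching the public port 2468 never sees a session, while one matching junos-ssh (port 22) permits it. The addresses and ports are taken from Ken's posts; "n.n.n.n" stands in for the public IP exactly as it does there, and the matching logic is a deliberate simplification of the SRX first path.

```python
from dataclasses import dataclass

# Constructed model of the SRX first-path order discussed in the thread: destination
# NAT is applied before the security-policy lookup, so the policy sees port 22.

@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

# Destination NAT rule-set modelled on the thread's ssh-to-mercury rule-set.
# "n.n.n.n" stands in for the firewall's public IP, as in the original post.
DNAT_RULES = [
    {"from_zone": "untrust", "dst_ip": "n.n.n.n", "dst_port": 2468,
     "pool": ("192.168.168.202", 22)},
]

# Security policies untrust -> trust; the application is (proto, dst_port).
POLICY_BEFORE = [{"dst_addr": "192.168.168.202", "app": ("tcp", 2468)}]  # ssh-2468
POLICY_AFTER = [{"dst_addr": "192.168.168.202", "app": ("tcp", 22)}]      # junos-ssh


def destination_nat(pkt: Packet) -> Packet:
    """Apply the first matching destination NAT rule (address plus port PAT)."""
    for rule in DNAT_RULES:
        if (pkt.src_zone == rule["from_zone"] and pkt.dst_ip == rule["dst_ip"]
                and pkt.dst_port == rule["dst_port"]):
            ip, port = rule["pool"]
            return Packet(pkt.src_zone, ip, port, pkt.proto)
    return pkt


def policy_lookup(pkt: Packet, policies: list[dict]) -> str:
    """Match the already-translated packet; no match is the default deny."""
    for pol in policies:
        if pkt.dst_ip == pol["dst_addr"] and (pkt.proto, pkt.dst_port) == pol["app"]:
            return "permit"
    return "deny"


def first_path(pkt: Packet, policies: list[dict]) -> tuple[Packet, str]:
    """Destination NAT first, then the policy lookup, in that order."""
    translated = destination_nat(pkt)
    return translated, policy_lookup(translated, policies)


if __name__ == "__main__":
    inbound = Packet("untrust", "n.n.n.n", 2468)   # what the outside client sends
    print(first_path(inbound, POLICY_BEFORE)[1])    # deny: policy wants port 2468
    print(first_path(inbound, POLICY_AFTER)[1])     # permit: policy matches port 22
```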



  • 9.  RE: SRX port forwarding/translation

    Posted 01-26-2012 06:04

    Destination NAT happens BEFORE the policies are checked did it for me! 🙂

     

    Thanks!



  • 10.  RE: SRX port forwarding/translation

    Posted 11-16-2015 08:28

    I have tried using some of the techniques here but they are not working for me.

    This is the input I have applied:

    I'm trying to forward traffic from 208.82.15.42 to 192.168.40.40 using ports 80, 443, 8080


    static {
        rule-set web-enroll {
            from zone untrust;
            rule 10 {
                match {
                    destination-address 208.82.15.42/32;
                    destination-port 80;
                }
                then {
                    static-nat {
                        prefix {
                            192.168.40.40/32;
                            mapped-port 80;
                        }
                    }
                }
            }
            rule 20 {
                match {
                    destination-address 208.82.15.42/32;
                    destination-port 443;
                }
                then {
                    static-nat {
                        prefix {
                            192.168.40.40/32;
                            mapped-port 443;
                        }
                    }
                }
            }
            rule 30 {
                match {
                    destination-address 208.82.15.42/32;
                    destination-port 8080;
                }
                then {
                    static-nat {
                        prefix {
                            192.168.40.40/32;
                            mapped-port 8080;
                        }
                    }
                }
            }
        }
    }




  • 11.  RE: SRX port forwarding/translation

    Posted 03-11-2016 09:09

    I also have a problem with dst NAT to 443. Did you fix it?

    destination {
        pool dst-nat-site-ssl {
            address 10.1.1.241/32 port 443;
        }
    }

    zones {
        security-zone trust {
            address-book {
                address site-ssl 10.1.1.241/32;
            }
        }
    }

    rule r6 {
        match {
            destination-address pub_ip_addr/32;
            destination-port 443;
        }
        then {
            destination-nat {
                pool {
                    dst-nat-site-ssl;
                }
            }
        }
    }

    from-zone untrust to-zone trust {
        policy server-access {
            match {
                source-address any;
                destination-address [site-ssl ];
                application any;
            }
            then {
                permit;
            }
        }
    }