SRX Services Gateway
Contributor
vovochka
Posts: 15
Registered: ‎04-11-2011
0
Accepted Solution

SRX240 for port forwarding to multiple servers

Hi All,

 

I need help creating NAT for one public IP address with different ports mapped to multiple servers. For example, access to public IP address 1.1.1.1 port 80 will map to internal LAN 10.10.10.10 port 80, 1.1.1.1 port 21 to internal LAN 20.20.20.20 port 21, and 1.1.1.1 port 53 to internal LAN 10.10.10.10 port 53. Can we achieve this via destination NAT? If yes, how?

 

Thanks

Distinguished Expert
pk
Posts: 797
Registered: ‎10-09-2008
0

Re: SRX240 for port forwarding to multiple servers

Hi

 

That should be straightforward - something like:

 

# show security nat destination
pool pool_10_10_10_10 {
    address 10.10.10.10/32 port 80;
}
pool pool_20_20_20_20 {
    address 20.20.20.20/32 port 21;
}
pool pool_10_10_10_10_p53 {
    address 10.10.10.10/32 port 53;
}
rule-set rs1 {
    from zone untrust;
    rule 10 {
        match {
            destination-address 1.1.1.1/32;
            destination-port 80;
        }
        then {
            destination-nat pool pool_10_10_10_10;
        }
    }
    rule 20 {
        match {
            destination-address 1.1.1.1/32;
            destination-port 21;
        }
        then {
            destination-nat pool pool_20_20_20_20;
        }
    }
    rule 30 {
        match {
            destination-address 1.1.1.1/32;
            destination-port 53;
        }
        then {
            destination-nat pool pool_10_10_10_10_p53;
        }
    }
}

Best Regards,
Petr (PK)

Juniper Ambassador, Juniper Networks Certified Instructor,
JNCIE-SEC #98, JNCIE-ENT #393, JNCIE-SP #2253
[Juniper Authorized Education & Support in Russia]
Contributor
vovochka
Posts: 15
Registered: ‎04-11-2011
0

Re: SRX240 for port forwarding to multiple servers

When I try to set the destination port on static NAT, there is no destination port option, as shown below:

 

SRX@root# set security nat static rule-set abc rule aaa match ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> destination-address  Destination address


 

Is it related to the Junos version? Currently I'm running 10.0R3.10. Should I upgrade to 10.4 so that the destination port command becomes available?

 

 

Distinguished Expert
pk
Posts: 797
Registered: ‎10-09-2008
0

Re: SRX240 for port forwarding to multiple servers

Hi

 

Static NAT does not translate ports - this is by design. So you cannot match on port, because all ports will be passed untranslated; only the IP is translated, in both directions, for static NAT.

This does not depend on the version.

 

But in the corresponding security policies, you can filter on ports to allow only some of them to pass to your internal network. Still, use destination NAT if you need to translate ports.

Best Regards,
Petr (PK)

Juniper Ambassador, Juniper Networks Certified Instructor,
JNCIE-SEC #98, JNCIE-ENT #393, JNCIE-SP #2253
[Juniper Authorized Education & Support in Russia]
Contributor
vovochka
Posts: 15
Registered: ‎04-11-2011
0

Re: SRX240 for port forwarding to multiple servers

So, to put it simply, how and where should I configure the above port translation, since static NAT couldn't do it?

Visitor
fbrice
Posts: 6
Registered: ‎04-03-2011
0

Re: SRX240 for port forwarding to multiple servers

Hello,

As pk explained, you should use set security nat destination instead of set security nat static.

It is better suited to your case than doing static NAT with port filtering at the security policy level.

Regards

Contributor
vovochka
Posts: 15
Registered: ‎04-11-2011
0

Re: SRX240 for port forwarding to multiple servers

I have created a dmz zone that contains my public IP 1.1.1.1/32, then set the above destination NAT, and set a policy to allow untrust to dmz, but I still failed to connect to my FTP server from the Internet. Is there anything that I missed?

Distinguished Expert
pk
Posts: 797
Registered: ‎10-09-2008
0

Re: SRX240 for port forwarding to multiple servers

I can think of 2 common errors:

1) Proxy-arp. Is 1.1.1.1 in the subnet of the incoming interface? If yes, you need proxy-arp (if it is the same as the interface address, then not).

2) Policy. Can you post it here? The destination address in your policy must be the post-translation address (not 1.1.1.1).

Best Regards,
Petr (PK)

Juniper Ambassador, Juniper Networks Certified Instructor,
JNCIE-SEC #98, JNCIE-ENT #393, JNCIE-SP #2253
[Juniper Authorized Education & Support in Russia]
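The two points pk makes in this thread (static NAT translates only the address and never the port, and the policy lookup happens after destination NAT, so the policy must name the post-translation address) can be checked against a small model of the SRX flow order. The script below is an added illustration written for this thread, not Junos code and not taken from any of the posts; it encodes pk's three-rule destination-NAT rule-set as data and assumes a simplified policy match on zone pair, address-book value and port (the junos-ftp application is treated as TCP/21). The addresses are the ones used in the thread.

```python
"""Model of the SRX flow order discussed in the thread: NAT (static or
destination) is applied before the security-policy lookup, so a policy
written against the pre-translation address 1.1.1.1 never matches.
Added example, not Junos code; assumes a simplified policy match."""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DestNatRule:
    match_addr: str
    match_port: Optional[int]   # None = any destination port
    pool_addr: str
    pool_port: Optional[int]    # None = keep the original port


# pk's destination-NAT rule-set expressed as data (rules 10, 20, 30).
DEST_NAT_RULESET = [
    DestNatRule("1.1.1.1", 80, "10.10.10.10", 80),
    DestNatRule("1.1.1.1", 21, "20.20.20.20", 21),
    DestNatRule("1.1.1.1", 53, "10.10.10.10", 53),
]

# Static NAT: one-to-one address mapping; ports are never touched.
STATIC_NAT = {"1.1.1.1": "10.10.10.10"}


def apply_destination_nat(dst_ip: str, dst_port: int,
                          rules=DEST_NAT_RULESET) -> Tuple[str, int]:
    """Return the post-translation (ip, port); first matching rule wins.
    A packet that matches no rule is left untranslated."""
    for r in rules:
        if r.match_addr == dst_ip and (r.match_port is None or r.match_port == dst_port):
            return r.pool_addr, (dst_port if r.pool_port is None else r.pool_port)
    return dst_ip, dst_port


def apply_static_nat(dst_ip: str, dst_port: int, table=STATIC_NAT) -> Tuple[str, int]:
    """Static NAT rewrites only the address; every port passes through."""
    return table.get(dst_ip, dst_ip), dst_port


@dataclass(frozen=True)
class Policy:
    from_zone: str
    to_zone: str
    dst_addr: str   # address-book value named in the policy
    port: int       # the application, e.g. junos-ftp -> TCP/21
    action: str     # "permit" or "deny"


def policy_lookup(policies: List[Policy], from_zone: str, to_zone: str,
                  dst_ip: str, dst_port: int) -> str:
    """Policies are evaluated in order; no match means the implicit deny."""
    for p in policies:
        if ((p.from_zone, p.to_zone) == (from_zone, to_zone)
                and p.dst_addr == dst_ip and p.port == dst_port):
            return p.action
    return "deny"


def process_packet(dst_ip: str, dst_port: int, policies: List[Policy],
                   nat: str = "destination") -> Tuple[str, int, str]:
    """Apply NAT first, then the untrust->dmz policy lookup on the
    translated tuple. Returns (translated_ip, translated_port, action)."""
    if nat == "destination":
        t_ip, t_port = apply_destination_nat(dst_ip, dst_port)
    else:
        t_ip, t_port = apply_static_nat(dst_ip, dst_port)
    return t_ip, t_port, policy_lookup(policies, "untrust", "dmz", t_ip, t_port)


if __name__ == "__main__":
    # Constructed scenarios: a policy on the public address vs. the pool address.
    wrong = [Policy("untrust", "dmz", "1.1.1.1", 21, "permit")]
    right = [Policy("untrust", "dmz", "20.20.20.20", 21, "permit")]
    print("policy on 1.1.1.1:     ", process_packet("1.1.1.1", 21, wrong))
    print("policy on 20.20.20.20: ", process_packet("1.1.1.1", 21, right))
    print("no NAT rule for 22:    ", process_packet("1.1.1.1", 22, right))
    print("static NAT, port 8080: ", process_packet("1.1.1.1", 8080, right, nat="static"))
```

Running the script shows the FTP packet reaching the policy lookup as 20.20.20.20:21 in both cases, so only the policy naming the pool address permits it; under static NAT, port 8080 arrives at 10.10.10.10 untranslated and it is the policy, not NAT, that has to drop it.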
Contributor
vovochka
Posts: 15
Registered: ‎04-11-2011
0

Re: SRX240 for port forwarding to multiple servers

I already set the proxy-arp, but it still fails:

 

destination {
    pool ftp {
        address 192.168.0.33/32 port 21;
    }
    rule-set ftp {
        from zone untrust;
        rule ftp1 {
            match {
                destination-address 1.1.1.1/32;
                destination-port 21;
            }
            then {
                destination-nat pool ftp;
            }
        }
    }
}

security-zone dmz {
    address-book {
        address ftp1 192.168.0.33/32;
    }
    host-inbound-traffic {
        system-services {
            ftp;
        }
        protocols {
            all;
        }
    }
}

from-zone untrust to-zone dmz {
    policy ftp11 {
        match {
            source-address any;
            destination-address ftp1;
            application junos-ftp;
        }
        then {
            permit {
                destination-address {
                    drop-untranslated;
                }
            }
        }
    }
}

Distinguished Expert
pk
Posts: 797
Registered: ‎10-09-2008
0

Re: SRX240 for port forwarding to multiple servers

This part of the config seems correct. Can you post the whole config here (without public addresses and logins, of course)?

 

You can also try enabling policy logging, or view "sh sec flow session application ftp" at the time you try to initialize the FTP session. Flow traceoptions are also a troubleshooting option.

Best Regards,
Petr (PK)

Juniper Ambassador, Juniper Networks Certified Instructor,
JNCIE-SEC #98, JNCIE-ENT #393, JNCIE-SP #2253
[Juniper Authorized Education & Support in Russia]
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.