SRX

Hi All,

Need help to create nat for one public ip address, different ports on multiple servers. For example, access public ip address 1.1.1.1 port 80 will map to internal LAN 10.10.10.10 port 80, 1.1.1.1 port 21 to internal LAN 20.20.20.20 port 21 and 1.1.1.1 port 53 to  internal LAN 10.10.10.10 port 53. Can we achieve this via destination nat? if yes how?

Thanks

Hi

That should be straightforward - something like

# show security nat destination
pool pool_10_10_10_10 {
    address 10.10.10.10/32 port 80;
}
pool pool_20_20_20_20 {
    address 20.20.20.20/32 port 21;
}
pool pool_10_10_10_10_p53 {
    address 10.10.10.10/32 port 53;
}
rule-set rs1 {
    from zone untrust;
    rule 10 {
        match {
            destination-address 1.1.1.1/32;
            destination-port 80;
        }
        then {
            destination-nat pool pool_10_10_10_10;
        }
    }
    rule 20 {
        match {
            destination-address 1.1.1.1/32;
            destination-port 21;
        }
        then {
            destination-nat pool pool_20_20_20_20;
        }
    }
    rule 30 {
        match {
            destination-address 1.1.1.1/32;
            destination-port 53;
        }
        then {
            destination-nat pool pool_10_10_10_10_p53;
        }
    }
}

when try to set the destination port on static nat, there is not destination port as below:

SRX@root# set security nat static rule-set abc rule aaa match ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> destination-address  Destination address

It is related to the Junos version? Currently i'm running on 10.0R3.10. Should i upgrade to 10.4 then the destination port command will only be available?

Hi

Static NAT does not translate ports - this is by desing. So you can not match on port because

all ports will be passed untranslated, only ip is translated in both directions for static nat.

This does not depend on version.

But in corresponding security policies, you can filter on ports to allow only some of them

to pass to your internal network. Still, use destination nat if you need to translate ports.

So, put it as simple, how and where should i configure above port translating since static nat couldn't do it?

Hello,

As pk explained you should use set security nat destination instead of set security nat static.

It's more adapted in your case than doing static nat with port filtering at the security policy level.

Regards

i have created a dmz zone that contains my public ip 1.1.1.1/32, then set above nat destination, and set a policy to allow untrust to dmz, but still failed to connect my ftp server from Internet. Is there anything that i miss?

I can think of 2 common errors

1) Proxy-arp. Is 1.1.1.1 in the subnet of the incoming interface? If yes, you need proxy-arp (If it is the same as interface address - then not).

2) Policy. Can you post it here? Your destination address in a policy must be a post-translation address (not 1.1.1.1).

already set the proxy-arp, but the still failed:

destination {
            pool ftp {
                address 192.168.0.33/32 port 21;
            }
            rule-set ftp {
                from zone untrust;
                rule ftp1 {
                    match {
                        destination-address 1.1.1.1/32;
                        destination-port 21;
                    }
                    then {
                        destination-nat pool ftp;
                    }
                }

security-zone dmz {
            address-book {
                address ftp1 192.168.0.33/32;
            }
            host-inbound-traffic {
                system-services {
                    ftp;
                }
                protocols {
                    all;
                }
            }
        }
    }

from-zone untrust to-zone dmz {
            policy ftp11 {
                match {
                    source-address any;
                    destination-address ftp1;
                    application junos-ftp;
                }
                then {
                    permit {
                        destination-address {
                            drop-untranslated;
                        }
                    }

This part of the config seems correct. Can you put the whole config here (without public addresses and logins, of course)?

You can also try to enable policy logging, or view "sh sec flow session application ftp" at the time you try to initialize the ftp session. Flow traceoptions are also a troubleshooting option.

i find out the root cause is that previous has configured 1 static nat with the same public ip address, after remove that static nat, nat destination is finally working. Thanks for your help.