SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Static NAT single port translating

    Posted 03-15-2010 06:57

    Hello!

    I have an SRX100. It has an external IP (x.x.x.x) on the fe0/0/7 interface, and a computer 192.168.16.200 is connected to it via a VLAN in the trust zone of the internal network. I want to make static NAT for only one port, x.x.x.x:2099 -> 192.168.16.200:22, to allow remote SSH from an external IP to this device. Everywhere I found only how to translate IP pools... but what should I do to translate just one port? On a Cisco PIX I did it like this:

    access-list 101 permit tcp any host 192.168.16.200 eq 22

    static (inside,outside) tcp x.x.x.x 2099 192.168.16.200 22 netmask 255.255.255.255 0 0

    Thanks!



  • 2.  RE: Static NAT single port translating

    Posted 03-16-2010 11:47

    I think I am missing something with the configuration below, but it might be a good starting point for you:

     

    set security nat static rule-set test from zone untrust
    set security nat static rule-set test rule test1 match destination-address x.x.x.x/32
    set security nat static rule-set test rule test1 then static-nat prefix 192.168.16.200/32

     

    set applications application test term term0 protocol tcp
    set applications application test term term0 source-port 2099
    set applications application test term term0 destination-port 22

     

    set security policies from-zone untrust to-zone trust policy 766733 match source-address any
    set security policies from-zone untrust to-zone trust policy 766733 match destination-address x.x.x.x/32
    set security policies from-zone untrust to-zone trust policy 766733 match application test
    set security policies from-zone untrust to-zone trust policy 766733 then permit



  • 3.  RE: Static NAT single port translating
    Best Answer

    Posted 03-16-2010 12:18

    I'm pretty sure you can accomplish this with destination NAT with PAT:

     

    I think this will work -- a modified version of what we are using to forward SMTP to our email server

     

    [edit security nat destination]

    pool IronPort {
        address 10.10.10.20/32;
    }
    pool emailServer {
        address 10.x.x.20/32 port XYZ;   ## Internal IP and port
    }
    rule-set dst-nat {
        from zone untrust;
        rule mail-dst-nat-SMTP {
            match {
                destination-address x.x.x.x/32;    ## public interface IP here
                destination-port 25;     ## whatever port you want to forward
            }
            then {
                destination-nat pool emailServer;
            }
        }
    }
    If this works, please flag it as solved to help anyone else who might need similar help.
    EDIT - forgot to add: if the public IP is NOT the same as your public interface IP, then make sure to include the proxy-arp entry under [edit security nat proxy-arp].
    good luck!
    Will
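
A complete worked configuration for the original poster's case, added here as an example; it is not code from the thread. It combines the destination-NAT approach of the reply above with the security policy that the reply does not show. The static-NAT attempt in reply 2 maps the whole address one-to-one and cannot change the port, and its application term matches source-port 2099, which an SSH client will almost never use; destination NAT with a port in the pool is what actually rewrites x.x.x.x:2099 to 192.168.16.200:22. Assumptions: the untrust zone contains fe-0/0/7.0 with x.x.x.x configured on it, the trust zone contains the VLAN holding 192.168.16.200, and the administrator connects from 203.0.113.0/24 (a documentation prefix standing in for the real management network). The names ssh-host, admin-net, dnat-untrust, ssh-fwd and allow-ssh-fwd are invented for the example.

```junos
## Added example, not from the thread. Assumes untrust = fe-0/0/7.0 (x.x.x.x),
## trust = VLAN with 192.168.16.200, admin network 203.0.113.0/24 (placeholder).

## Destination NAT: x.x.x.x:2099 -> 192.168.16.200:22 (port rewritten by the pool)
set security nat destination pool ssh-host address 192.168.16.200/32 port 22
set security nat destination rule-set dnat-untrust from zone untrust
set security nat destination rule-set dnat-untrust rule ssh-fwd match destination-address x.x.x.x/32
set security nat destination rule-set dnat-untrust rule ssh-fwd match destination-port 2099
set security nat destination rule-set dnat-untrust rule ssh-fwd then destination-nat pool ssh-host

## Address-book entries (zone-based, works on the Junos releases of this SRX100 era)
set security zones security-zone trust address-book address ssh-host 192.168.16.200/32
set security zones security-zone untrust address-book address admin-net 203.0.113.0/24

## Policy lookup happens AFTER destination NAT, so match the internal host and
## port 22 (junos-ssh), not x.x.x.x:2099. Source is restricted, not "any".
set security policies from-zone untrust to-zone trust policy allow-ssh-fwd match source-address admin-net
set security policies from-zone untrust to-zone trust policy allow-ssh-fwd match destination-address ssh-host
set security policies from-zone untrust to-zone trust policy allow-ssh-fwd match application junos-ssh
set security policies from-zone untrust to-zone trust policy allow-ssh-fwd then permit
set security policies from-zone untrust to-zone trust policy allow-ssh-fwd then log session-init
set security policies from-zone untrust to-zone trust policy allow-ssh-fwd then log session-close

## Only required when x.x.x.x is NOT the address configured on fe-0/0/7.0:
## set security nat proxy-arp interface fe-0/0/7.0 address x.x.x.x/32

## Verification (operational mode):
## show security nat destination rule all        <- rule hit counters increment
## show security flow session destination-port 22 <- session shows x.x.x.x:2099 -> 192.168.16.200:22
```

Two points a practitioner should keep in mind: the security policy must be written against the translated address and port because the SRX performs destination NAT before policy lookup, so a policy matching x.x.x.x on port 2099 never fires; and publishing SSH on port 2099 hides nothing from a port scan, so keep the source-address restricted to known management networks, use key-based authentication on the host, and leave the log statements on so session-init and session-close events reach syslog. Newer Junos releases also allow port mapping directly in a static NAT rule (mapped-port), but destination NAT as shown is what this thread uses and works on the older release the SRX100 ran at the time.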

     



  • 4.  RE: Static NAT single port translating

    Posted 03-16-2010 12:38

    Thank you, it works!