Here comes my 50 cent.
This is the dst-NAT rule; the destination is any:
[edit security nat destination]
lab@srx# show
pool trust-192_168_100_2 {
    address 192.168.100.2/32;
}
rule-set on_pp0 {
    from interface pp0.0;
    rule 1 {
        match {
            destination-address 0.0.0.0/0;
            destination-port 80;
        }
        then {
            destination-nat pool trust-192_168_100_2;
        }
    }
}
This is the policy; it includes the "drop-untranslated" statement, which prevents you from forwarding unwanted ports and addresses:
[edit security policies from-zone untrust to-zone trust]
lab@srx# show
policy on_pp0 {
    match {
        source-address any;
        destination-address 192.168.100.0-24;
        application any;
    }
    then {
        permit {
            destination-address {
                drop-untranslated;
            }
        }
    }
}
The address-book entry:
[edit security zones security-zone trust address-book]
lab@srx# show
address 192.168.100.0-24 192.168.100.0/24;
That works on my 210 testing device. Thanks for the challenge 🙂
Regards,
Klaus
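For readers who want to paste the three fragments from the post above into a lab box in one go, here is the same configuration collapsed into set-statement form, followed by the operational commands used to verify it. This is an added example assembled from the fragments in the post, not text from Klaus; the pool, rule-set, policy and address names are the ones he used, and the interface pp0.0 and the 192.168.100.0/24 trust network are assumed to match his lab.

```junos
## Destination NAT: anything arriving on pp0.0 for TCP/80 is rewritten to 192.168.100.2.
## The pool carries no port, so the original destination port (80) is preserved.
set security nat destination pool trust-192_168_100_2 address 192.168.100.2/32
set security nat destination rule-set on_pp0 from interface pp0.0
set security nat destination rule-set on_pp0 rule 1 match destination-address 0.0.0.0/0
set security nat destination rule-set on_pp0 rule 1 match destination-port 80
set security nat destination rule-set on_pp0 rule 1 then destination-nat pool trust-192_168_100_2

## Address-book entry in the trust zone for the post-NAT destination range.
set security zones security-zone trust address-book address 192.168.100.0-24 192.168.100.0/24

## Policy evaluated after NAT. Without drop-untranslated, a packet for a port other
## than 80 would miss the NAT rule but could still match this policy if its untranslated
## destination happened to fall inside 192.168.100.0/24; drop-untranslated discards any
## session whose destination address was not rewritten by a destination-NAT rule.
set security policies from-zone untrust to-zone trust policy on_pp0 match source-address any
set security policies from-zone untrust to-zone trust policy on_pp0 match destination-address 192.168.100.0-24
set security policies from-zone untrust to-zone trust policy on_pp0 match application any
set security policies from-zone untrust to-zone trust policy on_pp0 then permit destination-address drop-untranslated

## Verification (operational mode) after commit:
##   show security nat destination rule all          -> hit counters on rule 1
##   show security flow session destination-port 80  -> Out: entries showing 192.168.100.2/80
##   show security policies policy-name on_pp0 detail -> policy hit counters
```

The order of evaluation is the point: the SRX applies destination NAT first and then looks up the policy with the translated address, so the policy match on 192.168.100.0-24 is against the post-NAT destination. drop-untranslated closes the remaining gap by refusing anything that reached the policy without having been translated.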