ScreenOS Firewalls (NOT SRX)
Visitor
Mytos

port forwarding with dhcp isp

I have tried the standard way of using a VIP for port forwarding, and I can't use a VIP with my ISP because of a dynamic IP.

Is there any workaround where I can forward ports from a server in Trust to Untrust for outside communication?

I have attached my cfg as a text file.

 

Super Contributor
lanman

Re: port forwarding with dhcp isp

Hi,

 

You can use VIPs with a dynamic IP. But I don't see any VIPs defined in your current config.

I noticed a couple of things:

You have the minecraft and seccams services defined with only one source port. Connecting clients will pick a random port in the range 0-65535. So you should define the services as:

set service "seccams" protocol tcp src-port 0-65535 dst-port 8085-8085

 

You defined the addresses of your servers with a netmask of /24 (255.255.255.0). That way your policies allow incoming traffic not only to your server, but to the whole internal LAN. Addresses should be defined as:

set address "Trust" "192.168.11.245" 192.168.11.245 255.255.255.255

 

Steve
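
The over-broad netmask described in the reply above can be checked for mechanically in an exported config. The following is an added example, not part of the original thread or the poster's attachment: a Python script that flags Untrust-to-Trust permit policies whose destination address object covers more than one host. The sample config, the "cam-host" entry and the policy IDs are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed sample config (not the poster's attachment). Policy lines use the
# ScreenOS form: set policy [id N] from <zone> to <zone> <src> <dst> <svc> <action>
SAMPLE_CONFIG = '''
set address "Trust" "192.168.11.245" 192.168.11.245 255.255.255.0
set address "Trust" "cam-host" 192.168.11.246 255.255.255.255
set service "seccams" protocol tcp src-port 0-65535 dst-port 8085-8085
set policy id 1 from "Untrust" to "Trust" "Any" "192.168.11.245" "seccams" permit
set policy id 2 from "Untrust" to "Trust" "Any" "cam-host" "seccams" permit
set policy id 3 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
'''

def parse_addresses(config):
    """Map (zone, name) -> ip_network for every 'set address' line."""
    book = {}
    for line in config.splitlines():
        tok = shlex.split(line)
        if len(tok) == 6 and tok[:2] == ["set", "address"]:
            zone, name, ip, mask = tok[2:]
            # strict=False: the object name is a host IP, the mask decides the scope
            book[(zone, name)] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return book

def broad_inbound_policies(config, src_zone="Untrust", dst_zone="Trust"):
    """Return (policy_id, dst_name, network) for permit policies into dst_zone
    whose destination address object covers more than one host."""
    book = parse_addresses(config)
    findings = []
    for line in config.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["set", "policy"] or "from" not in tok:
            continue
        i = tok.index("from")
        # tok[i:] = from <src_zone> to <dst_zone> <src> <dst> <service> <action>
        if len(tok) < i + 8 or tok[i + 2] != "to":
            continue
        pid = tok[tok.index("id") + 1] if "id" in tok[:i] else "?"
        fz, tz, dst, action = tok[i + 1], tok[i + 3], tok[i + 5], tok[i + 7]
        net = book.get((tz, dst))
        if (fz, tz, action) == (src_zone, dst_zone, "permit") \
                and net is not None and net.num_addresses > 1:
            findings.append((pid, dst, str(net)))
    return findings

if __name__ == "__main__":
    for pid, dst, net in broad_inbound_policies(SAMPLE_CONFIG):
        print(f"policy {pid}: destination {dst!r} matches {net}, not a single host")
```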

 

Visitor
Mytos

Re: port forwarding with dhcp isp

How would I define a VIP? Can I just use any IP, or do I have to use one in a certain range?

Super Contributor
lanman

Re: port forwarding with dhcp isp

You add the VIP to your untrust interface (ethernet3). Because you only have the one public IP address, you add the VIP to that address:

 

- Network>Interfaces>List>Edit ethernet3>VIP

- Select "Same as the interface IP address" and click Add.

- Click New VIP service, select your public IP as Virtual IP

- Select the service in Map to service

- Enter the internal IP address of your server in "Map to IP"

 

Now create the policy to allow the traffic:

- Policy>Policies Untrust to Trust

- Source address: Any

- Destination address: VIP (ethernet3)

- Service: select service

- Action permit

 

 

Steve

 
