SRX Services Gateway

Destination NAT (Port Forwarding) Passthrough for VPN

11-16-2014 11:58 PM

I have a VPN server located at 192.168.1.10.

The Juniper SRX has a private IP of 192.168.1.1 on fe-0/0/1.0 and a public IP of 222.222.222.222 on fe-0/0/0.0.

I want to forward ports used for VPN PPTP, L2TP, and IPSec from the Juniper box to the VPN server.

These are ports 500, 1701, 1723, 4500 on UDP and TCP.

What configuration should I use for this destination nat? I have tried for hours and been having trouble getting this working.


Re: Destination NAT (Port Forwarding) Passthrough for VPN

11-17-2014 12:17 AM

Here you go.

root@SRX# show security nat destination                 
pool Pool1 {
    address 192.168.1.10/32 port 500;
}
pool Pool2 {
    address 192.168.1.10/32 port 1701;
}
pool Pool3 {
    address 192.168.1.10/32 port 1723;
}
pool Pool4 {
    address 192.168.1.10/32 port 4500;
}
rule-set 1 {
    from interface fe-0/0/0.0;
    rule 1 {
        match {
            destination-address 222.222.222.222/32;
            destination-port 500;
        }
        then {
            destination-nat pool Pool1;
        }
    }
    rule 2 {
        match {
            destination-address 222.222.222.222/32;
            destination-port 1701;
        }
        then {
            destination-nat pool Pool2;
        }
    }
    rule 3 {
        match {
            destination-address 222.222.222.222/32;
            destination-port 1723;
        }
        then {
            destination-nat pool Pool3;
        }
    }
    rule 4 {
        match {
            destination-address 222.222.222.222/32;
            destination-port 4500;
        }
        then {
            destination-nat pool Pool4;
        }
    }
}
SET COMMANDS:

root@SRX# show security nat destination | display set
set security nat destination pool Pool1 address 192.168.1.10/32
set security nat destination pool Pool1 address port 500
set security nat destination pool Pool2 address 192.168.1.10/32
set security nat destination pool Pool2 address port 1701
set security nat destination pool Pool3 address 192.168.1.10/32
set security nat destination pool Pool3 address port 1723
set security nat destination pool Pool4 address 192.168.1.10/32
set security nat destination pool Pool4 address port 4500
set security nat destination rule-set 1 from interface fe-0/0/0.0
set security nat destination rule-set 1 rule 1 match destination-address 222.222.222.222/32
set security nat destination rule-set 1 rule 1 match destination-port 500
set security nat destination rule-set 1 rule 1 then destination-nat pool Pool1
set security nat destination rule-set 1 rule 2 match destination-address 222.222.222.222/32
set security nat destination rule-set 1 rule 2 match destination-port 1701
set security nat destination rule-set 1 rule 2 then destination-nat pool Pool2
set security nat destination rule-set 1 rule 3 match destination-address 222.222.222.222/32
set security nat destination rule-set 1 rule 3 match destination-port 1723
set security nat destination rule-set 1 rule 3 then destination-nat pool Pool3
set security nat destination rule-set 1 rule 4 match destination-address 222.222.222.222/32
set security nat destination rule-set 1 rule 4 match destination-port 4500
set security nat destination rule-set 1 rule 4 then destination-nat pool Pool4

Thanks,

Suraj

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too


Re: Destination NAT (Port Forwarding) Passthrough for VPN

11-17-2014 07:44 PM (edited)

I'm still having an issue.

The packets seem to hit the SRX box and then are dropped.

1. How can I troubleshoot this? Is there a way I can see why the SRX box is dropping the packets?

2. Do I need to define a from-zone to-zone security policy to permit the ports for traffic to flow from the Internet zone to the Internal zone?

3. Do I need to define a "host-inbound-traffic" section within the Internet zone to allow the traffic in?

4. What is Proxy ARP, and do I need it for this NAT?


Re: Destination NAT (Port Forwarding) Passthrough for VPN

11-17-2014 07:46 PM

Yes, you need a security policy.

Thanks,

Suraj

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too


Re: Destination NAT (Port Forwarding) Passthrough for VPN

11-17-2014 07:59 PM

Is there anything missing/is this correct?

from-zone Internet to-zone Internal {
    policy allowVPNaccess {
        match {
            source-address any;
            destination-address 192.168.1.10;
        }
        then {
            permit;
        }
    }
}

Solution accepted by topic author JacobAU, 08-26-2015 01:27 AM

Re: Destination NAT (Port Forwarding) Passthrough for VPN

11-17-2014 08:16 PM

"match application" is missing.

You can use "match application any".

 

Thanks,

Suraj

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
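Pulling the accepted answer together with the earlier questions (security policy, host-inbound-traffic, proxy ARP, and how to see why packets are dropped), the following is a complete zone policy in Junos set syntax. It is an added example, not configuration posted in this thread or Juniper's own reference material. It assumes the zone names Internet and Internal, the server 192.168.1.10 and the public address 222.222.222.222 from the posts above; the address-book name vpn-server and the application-set name vpn-ports are constructed here. The tighter variant uses the Junos predefined applications junos-ike, junos-ike-nat, junos-l2tp and junos-pptp; confirm they exist on your release with `show configuration groups junos-defaults applications`.

```junos
## Added example (not from the thread). Assumes zones "Internet"/"Internal",
## the server 192.168.1.10 and fe-0/0/0.0 = 222.222.222.222 as given above.

## 1. A policy's destination-address is an address-book name, not a bare IP.
##    "vpn-server" is a constructed name.
set security zones security-zone Internal address-book address vpn-server 192.168.1.10/32

## 2. Minimal working policy, as the accepted answer describes.
##    Destination NAT runs before policy lookup, so the policy matches the
##    translated (private) address, and "match application" is mandatory.
set security policies from-zone Internet to-zone Internal policy allowVPNaccess match source-address any
set security policies from-zone Internet to-zone Internal policy allowVPNaccess match destination-address vpn-server
set security policies from-zone Internet to-zone Internal policy allowVPNaccess match application any
set security policies from-zone Internet to-zone Internal policy allowVPNaccess then permit
## Log session setup so dropped/permitted VPN flows are visible in syslog.
set security policies from-zone Internet to-zone Internal policy allowVPNaccess then log session-init

## 3. Tighter alternative: permit only the VPN ports instead of "any".
##    "vpn-ports" is a constructed application-set name; its members are
##    Junos predefined applications (UDP 500, UDP 4500, UDP 1701, TCP 1723).
set applications application-set vpn-ports application junos-ike
set applications application-set vpn-ports application junos-ike-nat
set applications application-set vpn-ports application junos-l2tp
set applications application-set vpn-ports application junos-pptp
delete security policies from-zone Internet to-zone Internal policy allowVPNaccess match application any
set security policies from-zone Internet to-zone Internal policy allowVPNaccess match application vpn-ports

## 4. Nothing else is required for the two remaining questions:
##    - host-inbound-traffic only governs traffic terminating on the SRX
##      itself (ssh, ping, IKE to the SRX); forwarded flows ignore it.
##    - proxy-arp is only needed when the NAT address is in the interface's
##      subnet but is not the interface's own address. 222.222.222.222 is
##      the address of fe-0/0/0.0, so the SRX already answers ARP for it.
```

To see whether the NAT rule or the policy is the stage that drops the traffic, `show security nat destination rule all` reports translation hits per rule, and `show security flow session destination-port 1723` (or 500, 1701, 4500) shows whether a session was ever created; a NAT hit with no session means the policy is the problem. One caveat outside the port list in the question: PPTP also carries GRE (IP protocol 47), which is not port-based, so the four port-based NAT rules in the first reply do not translate it on their own; check whether the PPTP ALG on your release handles the GRE leg before relying on PPTP through this setup.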