SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Destination and Remote management

    Posted 02-07-2014 04:30

    Hello;

    I have configured destination NAT for a port range. It works fine, but I cannot remotely manage my SRX.

    If I delete the destination NAT rule, it works fine. I must manage the SRX and have destination NAT (multiple ports) for IP 10.80.36.2.

    Here is my config:

    root# show system services
    ssh;
    xnm-clear-text;
    web-management {
        https {
            system-generated-certificate;
        }
    }

    [edit]
    root# show security nat destination
    pool dnat-pool-1 {
        address 10.80.36.2/32;
    }
    rule-set dst-nat {
        from zone untrust;
        rule r1 {
            match {
                destination-address 88.xxx.xxx.xx/32;
            }
            then {
                destination-nat pool dnat-pool-1;
            }
        }
    }
    [edit]
    root# show security policies from-zone untrust to-zone trust
    policy dst-nat {
        match {
            source-address any;
            destination-address any;
            application [ junos-telnet CCTV ];
        }
        then {
            permit;
        }
    }

    [edit]
    root# show security zones security-zone untrust
    screen untrust-screen;
    host-inbound-traffic {
        system-services {
            ssh;
            https;
        }
    }
    interfaces {
        pp0.0 {
            host-inbound-traffic {
                system-services {
                    https;
                    ssh;
                }
            }
        }
        at-1/0/0.0 {
            host-inbound-traffic {
                system-services {
                    ssh;
                    https;
                }
            }
        }
    }

    [edit]



  • 2.  RE: Destination and Remote management

    Posted 02-07-2014 20:58

    Under system services https web-management you need to add the external interface on which you will connect; I think it is your at-1/0/0.0.



  • 3.  RE: Destination and Remote management

    Posted 02-09-2014 22:43

    Hello;

    That configuration is correct. It is all interfaces. Before, it was only my WAN interface, which is pp0.0, and it is still not working.

    The NAT rule is forwarding all traffic to the internal IP address, even the management ports.

    Thanks



  • 4.  RE: Destination and Remote management

    Posted 02-09-2014 23:22

    @Novartis

    I assume you are trying to remotely manage your SRX via the 88.xxx.xxx.xx/32 IP address.

    When you try to telnet to this IP, it is getting translated to the address that you specify for your destination NAT pool.  This is because flows occur before traffic that is destined to the RE, and once the translation occurs the traffic doesn't go to the right place.

    You could try to edit your destination NAT policy to NOT translate if there is a match for 88.xxx.xxx.xxx/32 AND port 23 (telnet) or port 22 (ssh) or port 443 (https, the web management interface).



  • 5.  RE: Destination and Remote management

    Posted 02-09-2014 23:36

    Hello;

    You mean this?

    root# show security nat destination
    pool srx-pool {
        /* SRX IP */
        address 10.80.36.254/32 port 22;
    }
    pool dnat-pool-1 {
        address 10.80.36.253/32;
    }
    rule-set dst-nat {
        from zone untrust;
        rule r1 {
            match {
                destination-address 88.xxx.xxx.xx/32;
            }
            then {
                destination-nat pool dnat-pool-1;
            }
        }
    }

    Still I cannot reach the device on port 22.

    I need to forward a port range (RTP ports) to host 10.80.36.253.



  • 6.  RE: Destination and Remote management
    Best Answer

    Posted 02-10-2014 00:06

    Hi, @Novartis.

    First, please confirm that you are indeed attempting to manage the box via the 88.xxx.xxx.xxx/32 IP address.

    Second, if you are, what I actually meant was something more akin to the following:

    root# show | compare
    [edit security]
    +   nat {
    +       destination {
    +           pool dnat-pool-1 {
    +               address 10.80.36.253/32;
    +           }
    +           rule-set dst-nat {
    +               from zone untrust;
    +               rule remote-mgmt {
    +                   match {
    +                       destination-address 88.88.88.88/32;
    +                       destination-port 23;
    +                   }
    +                   then {
    +                       destination-nat {
    +                           off;
    +                       }
    +                   }
    +               }
    +               rule else-dst-nat {
    +                   match {
    +                       destination-address 88.88.88.88/32;
    +                   }
    +                   then {
    +                       destination-nat {
    +                           pool {
    +                               dnat-pool-1;
    +                           }
    +                       }
    +                   }
    +               }
    +           }
    +       }
    +   }
    
    [edit]
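    Review bot: the remote-mgmt rule exempts only destination-port 23, but the untrust zone in the first post admits ssh and https as host-inbound services, so an SSH (22) or HTTPS (443) connection to 88.88.88.88 still falls through to else-dst-nat and is translated to 10.80.36.253. Add one `destination-nat off` rule per management port (for example `rule mgmt-ssh match destination-port 22`, `rule mgmt-https match destination-port 443`) ahead of else-dst-nat; rules in a rule-set are evaluated top to bottom and the first match wins, so the exemptions must precede the catch-all rule.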

    I'm not able to test the above, but that _should_ let you telnet to port 23. Change the destination-port to 22 for SSH access. Also, this depends on you correctly setting the appropriate zone to allow the appropriate inbound host traffic (SSH, telnet, etc. as necessary).
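
    A fuller version of the exemption approach from this answer, written as an added example and not the original poster's or the answerer's configuration: it exempts the ssh and https ports that the untrust zone in the first post allows as host-inbound services, forwards only an RTP port range to the internal host instead of every port on the public address, and limits the matching security policy to the translated host. The public address 88.88.88.88/32 is the placeholder used above; the RTP range 10000 to 20000, the rule, application and address-book names, and the internal host 10.80.36.253 from the later posts are assumptions.

    ```junos
    ## Added example; not the configuration posted in this thread. Assumed values:
    ## public address 88.88.88.88/32, internal RTP host 10.80.36.253, UDP range
    ## 10000-20000. Destination NAT rules in a rule-set are evaluated top to bottom
    ## and the first match wins, so the management exemptions come first.

    set security nat destination pool dnat-pool-1 address 10.80.36.253/32

    ## Management ports are left untranslated so they terminate on the SRX itself.
    set security nat destination rule-set dst-nat from zone untrust
    set security nat destination rule-set dst-nat rule mgmt-ssh match destination-address 88.88.88.88/32
    set security nat destination rule-set dst-nat rule mgmt-ssh match destination-port 22
    set security nat destination rule-set dst-nat rule mgmt-ssh then destination-nat off
    set security nat destination rule-set dst-nat rule mgmt-https match destination-address 88.88.88.88/32
    set security nat destination rule-set dst-nat rule mgmt-https match destination-port 443
    set security nat destination rule-set dst-nat rule mgmt-https then destination-nat off

    ## Only the RTP range is forwarded; anything else to 88.88.88.88 is not translated.
    set security nat destination rule-set dst-nat rule rtp-dnat match destination-address 88.88.88.88/32
    set security nat destination rule-set dst-nat rule rtp-dnat match destination-port 10000 to 20000
    set security nat destination rule-set dst-nat rule rtp-dnat then destination-nat pool dnat-pool-1

    ## Destination NAT runs before the policy lookup, so the policy matches the
    ## translated (internal) address, not the public one.
    set applications application RTP-range protocol udp destination-port 10000-20000
    set security zones security-zone trust address-book address CCTV-host 10.80.36.253/32
    set security policies from-zone untrust to-zone trust policy rtp-dnat match source-address any
    set security policies from-zone untrust to-zone trust policy rtp-dnat match destination-address CCTV-host
    set security policies from-zone untrust to-zone trust policy rtp-dnat match application RTP-range
    set security policies from-zone untrust to-zone trust policy rtp-dnat then permit
    ```

    After committing, `show security nat destination rule all` shows a hit counter per rule, so an SSH login from outside should increment mgmt-ssh rather than rtp-dnat, and `show security flow session destination-port 22` should show the session terminating on the SRX instead of on 10.80.36.253. Leaving ssh and https (let alone telnet, which is cleartext) reachable from any untrust source is a separate exposure from the NAT problem; restrict the management sources, for instance with a firewall filter on lo0, rather than relying on the NAT exemption alone.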



  • 7.  RE: Destination and Remote management

    Posted 02-10-2014 00:17

    Awesome.

    It works. Thank you very much.



  • 8.  RE: Destination and Remote management

    Posted 02-10-2014 00:23

    You're welcome!

    Just remember that if you need to translate to your internal IP for the ports specified, it won't work.  There isn't really a way around this for your setup and your requirements.