SRX Services Gateway

Ideas on Destination-nat'ing a large number of ports

09-15-2010 02:28 PM

So we have a game that uses a number of ports. Some of the ports are contiguous, some are not. As far as I can tell (in 10.3 on my SRXs), in the rule-sets for destination NATs you have to create a rule for every single port. There aren't any ranges or terms. Am I missing something? If I have ports to dnat like 7000, 7100, 7200-7350, does that mean I have to create 151 rules? That seems grossly stupid to me, so I am hoping I am missing something in this.

*snip*
    rule rule-game1-7000 {
        match {
            destination-address 66.x.y.15/32;
            destination-port 7000;
        }
        then {
            destination-nat pool dst-nat-game1-srv1;
        }
    }
    rule rule-game1-7100 {
        match {
            destination-address 66.x.x.15/32;
            destination-port 7100;
        }
        then {
            destination-nat pool dst-nat-game1-srv1;
        }
    }
    rule rule-game1-7200 {
        match {
            destination-address 66.x.x.15/32;
            destination-port 7200;
        }
        then {
            destination-nat pool dst-nat-game1-srv2;
        }
    }
    rule rule-game1-7201 {
        match {
            destination-address 66.x.x.15/32;
            destination-port 7201;
        }
        then {
            destination-nat pool dst-nat-game1-srv2;
        }
    }
}


Re: Ideas on Destination-nat'ing a large number of ports

09-16-2010 10:24 AM

Hi,

I don't think we have a range for destination port.

But you can remove the destination port, so allowing all ports to get translated into destination-nat pool dst-nat-game1-srv1.

Then you can block the uninteresting ports through policy and allow the interesting ports through policy.

    rule rule-game1-7100 {
        match {
            destination-address 66.x.x.15/32;
            destination-port 7100;    <<<<<<<<REMOVE this<<<<<<<<<<
        }
        then {
            destination-nat pool dst-nat-game1-srv1;


Re: Ideas on Destination-nat'ing a large number of ports

09-16-2010 02:00 PM

I don't think you looked at my example very carefully. For each IP there are multiple destination ports, not all of which go to the same private server. That is the challenge here.


Re: Ideas on Destination-nat'ing a large number of ports

09-27-2010 08:15 AM

I've yet to come across a way to do this as you want. I had exactly the same problem recently migrating 130 Equiinet Cachepilots to the SRX210: a single external address with NATs going to different hosts on different ports. Thankfully there were only a few sites that had only modest port ranges and nothing like what you are trying to do, otherwise I'd have broken down in tears.

If there's a clever way to achieve this relatively simple task (I'd go as far as to say basic firewalling task) I've yet to find anyone with an explanation or a working example (or even a not working one!). If you happen to find one please share it around as this is a question I see popping up often.
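Since the thread concludes that Junos 10.3 needs one destination-NAT rule per port, the practical defensive move is to generate those rules rather than hand-type them (hand-typed per-port rules are where a wrong pool or a forgotten port creeps in). The following is an added example, not code from any poster: it expands a port spec like "7000, 7100, 7200-7350" into per-port `set` commands, refuses overlapping port-to-pool mappings, and uses the address and pool names from the original post. The rule-set name `rs-game1` is an assumption, and the rule-set's `from` clause (zone or interface, not given in the thread) is not emitted.

```python
# Added example (not from the thread): expand port specs into one Junos
# destination-NAT rule per port, as the thread says 10.3 requires.
# Assumptions: rule-set "rs-game1" (not on the page); the rule-set's
# "from" clause must already exist and is not generated here.

def parse_ports(spec):
    """'7000, 7100, 7200-7350' -> sorted, de-duplicated list of ints."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:                      # tolerate "7350-7200"
                lo, hi = hi, lo
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    bad = [p for p in ports if not 1 <= p <= 65535]
    if bad:
        raise ValueError(f"port(s) out of range: {bad}")
    return sorted(ports)

def dnat_rules(rule_set, dst_addr, mapping, prefix="rule-game1"):
    """mapping: list of (port_spec, pool). Returns Junos 'set' lines,
    one rule per port. A port mapped to two pools is a config error."""
    lines, seen = [], {}
    for spec, pool in mapping:
        for port in parse_ports(spec):
            if port in seen and seen[port] != pool:
                raise ValueError(f"port {port}: {seen[port]} vs {pool}")
            seen[port] = pool
            base = (f"set security nat destination rule-set {rule_set} "
                    f"rule {prefix}-{port}")
            lines.append(f"{base} match destination-address {dst_addr}")
            lines.append(f"{base} match destination-port {port}")
            lines.append(f"{base} then destination-nat pool {pool}")
    return lines

# Port-to-server split from the original post (address is as redacted there).
MAPPING = [("7000, 7100", "dst-nat-game1-srv1"),
           ("7200-7350", "dst-nat-game1-srv2")]

if __name__ == "__main__":
    for line in dnat_rules("rs-game1", "66.x.x.15/32", MAPPING):
        print(line)
```

Paste the output into `configure` mode and `commit check` it; with the post's ports that is 153 rules (7000, 7100 and the 151 ports 7200-7350), which is why a generator beats typing.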