SRX


  • 1.  Port Forward configuration check

    Posted 10-23-2016 00:44

    Helping with this thread

    http://forums.juniper.net/t5/SRX-Services-Gateway/Port-Forward-and-DMZ-Help/td-p/298917

     

    I've made this configuration on my Juniper SRX210BE:

     

    ## Last changed: 2016-10-23 15:44:44 CEST
    version 12.1X46-D55.3;
    /* System-level settings: management services, LAN DHCP server, DDNS client and logging. */
    system {
        host-name JuniperSRX210;
        time-zone Europe/Rome;
        root-authentication {
            /* Placeholder as posted; the real hash should never be pasted into a public thread. */
            encrypted-password "password";
        }
        name-server {
            8.8.8.8;
            8.8.4.4;
            208.67.222.222;
            208.67.220.220;
        }
        services {
            /* ssh, telnet and xnm-clear-text are not interface-restricted here (unlike
               web-management below); their reachability is decided by zone
               host-inbound-traffic, and the untrust zone in this configuration allows
               system-services all, so all three answer on the WAN side (pp0.0, at-1/0/0.0).
               telnet and xnm-clear-text carry credentials in clear text: keep ssh only and
               narrow host-inbound-traffic on the untrust zone. */
            ssh;
            telnet;
            xnm-clear-text;
            web-management {
                /* Web UI reachable on the LAN L3 interface only. */
                http {
                    interface vlan.0;
                }
                https {
                    system-generated-certificate;
                    interface vlan.0;
                }
            }
            /* LAN DHCP server. The dynamic range starts at .180, so the forwarded host
               192.168.5.160 lies outside it (static address presumed). */
            dhcp {
                router {
                    192.168.5.1;
                }
                pool 192.168.5.1/24 {
                    address-range low 192.168.5.180 high 192.168.5.254;
                }
                propagate-settings ge-0/0/0.0;
            }
            /* DDNS client is bound to ge-0/0/0.0 (the DHCP uplink) while the default route
               points at pp0.0, so the address it publishes is presumably not the PPPoE
               address -- confirm. Credentials are placeholders as posted. */
            dynamic-dns {
                client address.dyndns.com {
                    server dyndns;
                    agent dyndns;
                    username username;
                    password "password";
                    interface ge-0/0/0.0;
                }
            }
        }
        /* Local logging only: emergencies to all users, critical events and
           authorization (login) events at info to "messages". */
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    /* Interfaces: ge-0/0/0 DHCP uplink, ge-0/0/1 and fe-0/0/2..7 LAN switch ports in
       vlan-trust, at-1/0/0 ADSL PVC 8/35 carrying the PPPoE client pp0, and vlan.0 as
       the LAN gateway. */
    interfaces {
        /* DHCP client uplink. Note that ge-0/0/0.0 is not a member of any security zone
           in this configuration, unlike at-1/0/0.0 and pp0.0. */
        ge-0/0/0 {
            unit 0 {
                family inet {
                    dhcp;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        /* ADSL line: ATM PVC 8/35, PPPoE over ATM LLC, modem mode auto-negotiated. */
        at-1/0/0 {
            encapsulation ethernet-over-atm;
            atm-options {
                vpi 8;
            }
            dsl-options {
                operating-mode auto;
            }
            unit 0 {
                encapsulation ppp-over-ether-over-atm-llc;
                vci 8.35;
            }
        }
        /* PPPoE client session; this is the WAN interface used by the default route. */
        pp0 {
            /* flag all traces every PPP event on the interface that carries the PAP
               credentials below; the trace file may record the authentication exchange
               and keeps growing on flash -- disable once the link is stable. */
            traceoptions {
                flag all;
            }
            unit 0 {
                point-to-point;
                ppp-options {
                    /* PAP sends the password unencrypted over the PPP link (protocol
                       property, not a configuration choice). Values are placeholders as posted. */
                    pap {
                        default-password "text";
                        local-name Ispname;
                        local-password "password";
                        passive;
                    }
                }
                pppoe-options {
                    underlying-interface at-1/0/0.0;
                    client;
                }
                no-keepalives;
                family inet {
                    negotiate-address;
                }
            }
        }
        /* LAN gateway address; also the DHCP router address and the only interface in zone trust. */
        vlan {
            unit 0 {
                family inet {
                    address 192.168.5.1/24;
                }
            }
        }
    }
    /* Default route via the PPPoE session, so outbound traffic leaves through pp0.0. */
    routing-options {
        static {
            route 0.0.0.0/0 {
                next-hop pp0.0;
                metric 0;
            }
        }
    }
    /* Custom applications for the three ports to forward. Nothing in this configuration
       references them: the only policy (trust to untrust) matches application any and
       there is no untrust-to-trust policy at all. */
    applications {
        application appl1 {
            protocol tcp;
            destination-port 51413;
        }
        application appl2 {
            protocol tcp;
            destination-port 9101;
        }
        application appl3 {
            protocol tcp;
            destination-port 57532;
        }
    }
    /* Security: ALGs, screens, NAT, policies and zones. As posted, inbound port forwarding
       cannot work for two independent reasons, annotated at the NAT rule-set and at the
       policies below. */
    security {
        alg {
            ftp ftps-extension;
            mgcp disable;
            /* rsh ALG enabled. */
            rsh;
            sccp disable;
            sip {
                disable;
                application-screen {
                    unknown-message {
                        permit-nat-applied;
                    }
                }
                /* Trace flag all left configured on a disabled ALG. */
                traceoptions {
                    flag all;
                }
            }
        }
        flow {
            /* Clamp TCP MSS on every session, presumably to fit the PPPoE path MTU. */
            tcp-mss {
                all-tcp {
                    mss 1350;
                }
            }
        }
        /* IDS screen profile; applied to zone untrust below. */
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            /* Hide-NAT of every LAN source behind the egress interface address. */
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
            destination {
                /* All three pools map to the same host with no port, so each rule only
                   rewrites the destination address and keeps the original port. */
                pool pool1 {
                    address 192.168.5.160/32;
                }
                pool pool2 {
                    address 192.168.5.160/32;
                }
                pool pool3 {
                    address 192.168.5.160/32;
                }
                /* DEFECT: "from interface vlan.0" matches traffic entering on the LAN L3
                   interface (zone trust), so packets arriving from the internet on pp0.0
                   never hit these rules. The rule-set has to be keyed on the WAN side
                   (from zone untrust, or the external interface). */
                rule-set nasports {
                    from interface vlan.0;
                    rule rule1 {
                        match {
                            destination-address 0.0.0.0/0;
                            destination-port 51413;
                        }
                        then {
                            destination-nat {
                                pool {
                                    pool1;
                                }
                            }
                        }
                    }
                    rule rule2 {
                        match {
                            destination-address 0.0.0.0/0;
                            destination-port 9101;
                        }
                        then {
                            destination-nat {
                                pool {
                                    pool2;
                                }
                            }
                        }
                    }
                    rule rule3 {
                        match {
                            destination-address 0.0.0.0/0;
                            destination-port 57532;
                        }
                        then {
                            destination-nat {
                                pool {
                                    pool3;
                                }
                            }
                        }
                    }
                }
            }
        }    
        /* DEFECT: only trust-to-untrust is permitted. With no from-zone untrust to-zone
           trust policy, even a correctly NATed inbound session is dropped by the default
           deny; the applications defined above are never referenced. */
        policies {
            from-zone trust to-zone untrust {
                policy any {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        /* world-readable lets any login on the device read the flow trace, which can
           contain addresses and ports of live sessions. */
        traceoptions {
            file flowtrace size 10m world-readable;
        }
        zones {
            /* LAN zone: the router accepts every service and protocol from vlan.0. */
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0;
                }
            }
            /* Internet-facing zone. system-services all / protocols all accept every
               management and routing service configured on the box (ssh, telnet,
               xnm-clear-text, ...) from the WAN; restrict host-inbound-traffic here to
               what is actually required. The same "all" is repeated per interface below. */
            security-zone untrust {
                screen untrust-screen;
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    at-1/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                    pp0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
        }
    }
    /* LAN VLAN for the switch ports; vlan.0 is its routed (L3) interface. */
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
    }

    But the three TCP ports, 51413, 9101 and 57532, are always closed on local IP 192.168.5.160.

    My ISP uses a dynamic IP.

    I'd really appreciate any more help. Thanks.



  • 2.  RE: Port Forward configuration check

    Posted 10-23-2016 02:16

    Hi,

     

    I assume that you want to do port forwarding to the internet; the configuration is incorrect:

     

    • from interface vlan.0 - The from interface should be your external interface.
    • destination-address 0.0.0.0/0 - This should be the IP address of your external interface.
    • The pools should also contain a port, to be translated to internally.

    Please go through the following example, which explains this and provides the correct configuration as well:

    https://www.juniper.net/techpubs/en_US/junos12.1/topics/example/nat-security-destination-address-port-translation-configuring.html

     

    Regards,

    Sahil Sharma

    ---------------------------------------------------

    Please mark my solution as accepted if it helped, Kudos are appreciated as well.



  • 3.  RE: Port Forward configuration check
    Best Answer

    Posted 10-23-2016 06:37

    Thanks for your reply.

    Here is the working configuration.

     

    ## Last changed: 2016-10-24 21:58:12 CEST
    version 12.1X46-D55.3;
    /* System-level settings: management services, LAN DHCP server, DDNS client and logging. */
    system {
        host-name JuniperSRX210;
        time-zone Europe/Rome;
        root-authentication {
            /* Placeholder as posted; the real hash should never be pasted into a public thread. */
            encrypted-password "password";
        }
        name-server {
            8.8.8.8;
            8.8.4.4;
            208.67.222.222;
            208.67.220.220;
        }
        services {
            /* ssh, telnet and xnm-clear-text are not interface-restricted here (unlike
               web-management below); their reachability is decided by zone
               host-inbound-traffic, and the untrust zone in this configuration allows
               system-services all, so all three answer on the WAN side (pp0.0, at-1/0/0.0).
               telnet and xnm-clear-text carry credentials in clear text: keep ssh only and
               narrow host-inbound-traffic on the untrust zone. */
            ssh;
            telnet;
            xnm-clear-text;
            web-management {
                /* Web UI reachable on the LAN L3 interface only. */
                http {
                    interface vlan.0;
                }
                https {
                    system-generated-certificate;
                    interface vlan.0;
                }
            }
            /* LAN DHCP server. The dynamic range starts at .180, so both forwarded hosts
               (192.168.5.160 and 192.168.5.100) lie outside it (static addresses presumed). */
            dhcp {
                router {
                    192.168.5.1;
                }
                pool 192.168.5.1/24 {
                    address-range low 192.168.5.180 high 192.168.5.254;
                }
                propagate-settings ge-0/0/0.0;
            }
            /* DDNS client now bound to pp0.0, the interface the default route uses, so the
               published address is the PPPoE (public) one. Credentials are placeholders as posted. */
            dynamic-dns {
                client address.dyndns.com {
                    server dyndns;
                    agent dyndns;
                    username username;
                    password "password";
                    interface pp0.0;
                }
            }
        }
        /* Local logging only: emergencies to all users, critical events and
           authorization (login) events at info to "messages". */
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    /* Interfaces: ge-0/0/0 DHCP uplink, ge-0/0/1 and fe-0/0/2..7 LAN switch ports in
       vlan-trust, at-1/0/0 ADSL PVC 8/35 carrying the PPPoE client pp0, and vlan.0 as
       the LAN gateway. */
    interfaces {
        /* DHCP client uplink. Note that ge-0/0/0.0 is not a member of any security zone
           in this configuration, unlike at-1/0/0.0 and pp0.0. */
        ge-0/0/0 {
            unit 0 {
                family inet {
                    dhcp;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        /* ADSL line: ATM PVC 8/35, PPPoE over ATM LLC, modem mode auto-negotiated. */
        at-1/0/0 {
            encapsulation ethernet-over-atm;
            atm-options {
                vpi 8;
            }
            dsl-options {
                operating-mode auto;
            }
            unit 0 {
                encapsulation ppp-over-ether-over-atm-llc;
                vci 8.35;
            }
        }
        /* PPPoE client session; this is the WAN interface used by the default route,
           the DDNS client and the untrust zone. */
        pp0 {
            /* flag all traces every PPP event on the interface that carries the PAP
               credentials below; the trace file may record the authentication exchange
               and keeps growing on flash -- disable once the link is stable. */
            traceoptions {
                flag all;
            }
            unit 0 {
                point-to-point;
                ppp-options {
                    /* PAP sends the password unencrypted over the PPP link (protocol
                       property, not a configuration choice). Values are placeholders as posted. */
                    pap {
                        default-password "password";
                        local-name Ispname;
                        local-password "password";
                        passive;
                    }
                }
                pppoe-options {
                    underlying-interface at-1/0/0.0;
                    client;
                }
                no-keepalives;
                family inet {
                    negotiate-address;
                }
            }
        }
        /* LAN gateway address; also the DHCP router address and the only interface in zone trust. */
        vlan {
            unit 0 {
                family inet {
                    address 192.168.5.1/24;
                }
            }
        }
    }
    /* Default route via the PPPoE session, so outbound traffic leaves through pp0.0. */
    routing-options {
        static {
            route 0.0.0.0/0 {
                next-hop pp0.0;
                metric 0;
            }
        }
    }
    /* Security: address book, ALGs, screens, NAT, policies and zones. Compared with the
       first listing, inbound forwarding now works because the destination-NAT rule-set is
       keyed on zone untrust and an untrust-to-trust policy permits the translated sessions. */
    security {
        /* Global address book entries for the two internal servers referenced by the
           untrust-to-trust policy. */
        address-book {
            global {
                address server-1 192.168.5.160/32;
                address server-2 192.168.5.100/32;
            }
        }
        alg {
            ftp ftps-extension;
            mgcp disable;
            /* rsh ALG enabled. */
            rsh;
            sccp disable;
            sip {
                disable;
                application-screen {
                    unknown-message {
                        permit-nat-applied;
                    }
                }
                /* Trace flag all left configured on a disabled ALG. */
                traceoptions {
                    flag all;
                }
            }
        }
        flow {
            /* Clamp TCP MSS on every session, presumably to fit the PPPoE path MTU. */
            tcp-mss {
                all-tcp {
                    mss 1350;
                }
            }
        }
        /* IDS screen profile; applied to zone untrust below. */
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            /* Hide-NAT of every LAN source behind the egress interface address. */
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
            destination {
                /* Address-only pools: the destination port is kept, so each external port
                   maps to the same port on the internal host. */
                pool dst-nat-pool-1 {
                    address 192.168.5.160/32;
                }
                pool dst-nat-pool-2 {
                    address 192.168.5.100/32;
                }
                /* Keyed on the WAN zone, which is what makes inbound traffic match.
                   destination-address 0.0.0.0/0 is used because the WAN address is
                   dynamic; it therefore matches any destination that arrives in zone
                   untrust, not only packets addressed to this router.
                   Note the ports differ from the question: 51413 goes to server-1 and
                   47313 to server-2; 9101 and 57532 are not forwarded in this listing. */
                rule-set rs1 {
                    from zone untrust;
                    rule r1 {
                        match {
                            destination-address 0.0.0.0/0;
                            destination-port 51413;
                        }
                        then {
                            destination-nat {
                                pool {
                                    dst-nat-pool-1;
                                }
                            }
                        }
                    }
                    rule r2 {
                        match {
                            destination-address 0.0.0.0/0;
                            destination-port 47313;
                        }
                        then {
                            destination-nat {
                                pool {
                                    dst-nat-pool-2;
                                }
                            }
                        }
                    }
                }
            }
        }
        policies {
            /* Outbound: everything from the LAN is permitted. */
            from-zone trust to-zone untrust {
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            /* Inbound: any source, any application, to server-1 and server-2. In practice
               only sessions already rewritten by rs1 carry these private destinations, so
               today this exposes the two NATed ports -- but every destination-NAT rule added
               later is permitted automatically. Restrict application to the forwarded ports
               to keep the policy, not the NAT table, as the control point. */
            from-zone untrust to-zone trust {
                policy server-access {
                    match {
                        source-address any;
                        destination-address [ server-1 server-2 ];
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        /* world-readable lets any login on the device read the flow trace, which can
           contain addresses and ports of live sessions. */
        traceoptions {
            file flowtrace size 10m world-readable;
        }
        zones {
            /* LAN zone: the router accepts every service and protocol from vlan.0. */
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0;
                }
            }
            /* Internet-facing zone. system-services all / protocols all accept every
               management and routing service configured on the box (ssh, telnet,
               xnm-clear-text, ...) from the WAN; restrict host-inbound-traffic here to
               what is actually required. The same "all" is repeated per interface below. */
            security-zone untrust {
                screen untrust-screen;
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    at-1/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                    pp0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
        }
    }
    /* LAN VLAN for the switch ports; vlan.0 is its routed (L3) interface. */
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
    }

    Thanks