SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Port Forwarding assistance

    Posted 05-30-2015 10:46

    We have just configured NAT to hide the 10.1.1.0/24 network behind one public IP and now need assistance with the policy commands to allow inbound traffic and open port 80 to the web server 10.1.1.2, which is part of the same network:

    ge-0/0/0.0 = 2.3.4.5 (public IP) = untrust
    ge-0/0/15.0 = 10.1.1.1 (private IP, default gateway) = trust
    10.1.1.2 = Web Server (http, https) = PAT inbound
    10.1.1.3 = Mail Server (smtp) = PAT inbound
    Outbound NAT = any any

    What are the line-by-line commands required to forward port 80 to the web server 10.1.1.2?

    Thanks in advance...



  • 2.  RE: Port Forwarding assistance
    Best Answer

    Posted 06-02-2015 04:10

    Hello,

    Here is the sample configuration:

    root# show security nat destination | display set
    set security nat destination pool web-server address 10.1.1.2/32
    set security nat destination pool web-server address port 80
    set security nat destination rule-set test rule 1 match destination-address <public-Ip-of-web-server>
    set security nat destination rule-set test rule 1 match destination-port 80
    set security nat destination rule-set test rule 1 then destination-nat pool web-server



  • 3.  RE: Port Forwarding assistance

    Posted 06-04-2015 20:48

    Can someone explain the word pool in front of web-server?

    Does it mean that you can have multiple servers listed in the pool?



  • 4.  RE: Port Forwarding assistance

     
    Posted 06-04-2015 21:06

    Hello ,

     

    The "pool"  term is the NAT pool that we are creating with the Web server IP . We can specify a range of Pool IPs / Web server IP s also in the pool configuration instead of single IP adddress or port .



  • 5.  RE: Port Forwarding assistance

    Posted 06-05-2015 10:40

    Thank you for your clarification, so can I do the following:

    set security nat destination pool web-server address 10.1.1.2/32
    set security nat destination pool web-server address port 80

    set security nat destination pool web-server address 10.1.1.3/32
    set security nat destination pool web-server address port 80

    set security nat destination pool web-server address 10.1.1.4/32
    set security nat destination pool web-server address port 80

    etc..

    Should the name for each 'WEB-SERVER' be different for each address?



  • 6.  RE: Port Forwarding assistance

    Posted 07-10-2015 03:33

    You may find this tech note listing all the common NAT scenarios helpful as well.

    http://kb.juniper.net/InfoCenter/index?page=content&id=TN81



  • 7.  RE: Port Forwarding assistance

    Posted 07-09-2015 18:05

    What to do when the port you want to port forward is not one of the default ports in Junos like junos-http/s or junos-smtp etc.? For example, I want to port forward 5070 or 32400 etc...

    DEFAULT EXAMPLE:

    set security policies from-zone UNTRUST to-zone TRUST policy PUBLIC-TO-PRIVATE-WEB match source-address any
    set security policies from-zone UNTRUST to-zone TRUST policy PUBLIC-TO-PRIVATE-WEB match destination-address WEB
    set security policies from-zone UNTRUST to-zone TRUST policy PUBLIC-TO-PRIVATE-WEB match application junos-http

    If junos-http is a default port, what to do for ports that are not? What should it say after "application"? Please kindly advise.

    Thanks in advance...



  • 8.  RE: Port Forwarding assistance

     
    Posted 07-09-2015 20:00

    Hello ,

     

    You can create customer Application under [ edit application application ]  with non default ports and call them i the security application part .

     

    Check this out : http://kb.juniper.net/InfoCenter/index?page=content&id=KB13365&smlogin=true
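To tie the thread together, here is an added end-to-end configuration (my own example, not from any of the posters or from the Juniper KB) that combines the destination NAT from post 2 with the policy from post 7 and a custom application as suggested in post 8. It assumes the addresses and zone names from post 1 (public 2.3.4.5 on untrust, web server 10.1.1.2 on trust), a non-default port of 32400 from post 7, and hypothetical object names (rule-set "inbound", application "custom-tcp-32400", address-book entry "WEB"); the point to notice is that destination NAT runs before the policy lookup, so the policy must match the translated private address, not the public one.

```junos
# --- Destination NAT: 2.3.4.5:80 -> 10.1.1.2:80 and 2.3.4.5:32400 -> 10.1.1.2:32400 ---
# One pool per (address, port) pair; the pool name is just a label.
set security nat destination pool web-server address 10.1.1.2/32
set security nat destination pool web-server address port 80
set security nat destination pool web-server-32400 address 10.1.1.2/32
set security nat destination pool web-server-32400 address port 32400

# Rule-set scoped to traffic arriving from the untrust zone; one rule per port.
set security nat destination rule-set inbound from zone untrust
set security nat destination rule-set inbound rule web-80 match destination-address 2.3.4.5/32
set security nat destination rule-set inbound rule web-80 match destination-port 80
set security nat destination rule-set inbound rule web-80 then destination-nat pool web-server
set security nat destination rule-set inbound rule web-32400 match destination-address 2.3.4.5/32
set security nat destination rule-set inbound rule web-32400 match destination-port 32400
set security nat destination rule-set inbound rule web-32400 then destination-nat pool web-server-32400

# --- Custom application for the non-default port (post 7/8) ---
# Keeps the policy narrow instead of permitting application "any".
set applications application custom-tcp-32400 protocol tcp
set applications application custom-tcp-32400 destination-port 32400

# --- Address-book entry for the REAL (post-NAT) server address in the trust zone ---
set security zones security-zone trust address-book address WEB 10.1.1.2/32

# --- Policy: matches the translated address, only the two needed applications ---
set security policies from-zone untrust to-zone trust policy PUBLIC-TO-PRIVATE-WEB match source-address any
set security policies from-zone untrust to-zone trust policy PUBLIC-TO-PRIVATE-WEB match destination-address WEB
set security policies from-zone untrust to-zone trust policy PUBLIC-TO-PRIVATE-WEB match application junos-http
set security policies from-zone untrust to-zone trust policy PUBLIC-TO-PRIVATE-WEB match application custom-tcp-32400
set security policies from-zone untrust to-zone trust policy PUBLIC-TO-PRIVATE-WEB then permit
# Log both ends of each session so inbound hits on the published ports are visible.
set security policies from-zone untrust to-zone trust policy PUBLIC-TO-PRIVATE-WEB then log session-init
set security policies from-zone untrust to-zone trust policy PUBLIC-TO-PRIVATE-WEB then log session-close
```

After `commit`, verify the NAT rules are being hit with `show security nat destination rule all` and confirm a translated session with `show security flow session destination-port 32400`; if the policy counters stay at zero while the NAT counters climb, the policy is most likely still matching the public address instead of WEB.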