SRX Services Gateway

Port Forwarding assistance

‎05-30-2015 10:45 AM

We have just configured the NAT to hide 10.1.1.0/24 network behind one public IP and now need assistance with policy commands to allow inbound traffic and open port 80 to the web server 10.1.1.2 which is part of the same network:

 

 

ge-0/0/0.0 = 2.3.4.5 (public IP) = untrust

ge-0/0/15.0 = 10.1.1.1 (private IP, default gateway) = trust

10.1.1.2 = Web Server (http, https) = PAT inbound

10.1.1.3 = Mail Server (smtp) = PAT inbound

Outbound NAT = any any

 

 

What are the line by line commands required to forward port 80 to web server 10.1.1.2?

Thanks in advance...

Solution
Accepted by topic author clubber
‎08-26-2015 01:27 AM

Re: Port Forwarding assistance

‎06-02-2015 04:09 AM

Hello,

Here is the sample configuration:

root# show security nat destination | display set
set security nat destination pool web-server address 10.1.1.2/32
set security nat destination pool web-server address port 80
set security nat destination rule-set test rule 1 match destination-address <public-Ip-of-web-server>
set security nat destination rule-set test rule 1 match destination-port 80
set security nat destination rule-set test rule 1 then destination-nat pool web-server


Thanks,
Sam

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too .....

Re: Port Forwarding assistance

‎06-04-2015 08:47 PM

Can someone explain the word pool in front of web-server?

Does it mean that you can have multiple servers listed in the pool?


Re: Port Forwarding assistance

‎06-04-2015 09:05 PM

Hello,

The "pool" term is the NAT pool that we are creating with the Web server IP. We can also specify a range of pool IPs / Web server IPs in the pool configuration instead of a single IP address or port.


Thanks,
Sam

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too .....

Re: Port Forwarding assistance

‎06-05-2015 10:40 AM

Thank you for your clarification. So can I do the following:

set security nat destination pool web-server address 10.1.1.2/32
set security nat destination pool web-server address port 80

set security nat destination pool web-server address 10.1.1.3/32
set security nat destination pool web-server address port 80

set security nat destination pool web-server address 10.1.1.4/32
set security nat destination pool web-server address port 80

etc..

 

Should the name for each 'WEB-SERVER' be different for each address?


Re: Port Forwarding assistance

‎07-09-2015 06:04 PM

What to do when the port you want to port forward is not one of the default ports in Junos like junos-http/s or junos-smtp etc.? For example, I want to port forward 5070 or 32400 etc...

 

DEFAULT EXAMPLE:

set security policies from-zone UNTRUST to-zone TRUST policy PUBLIC-TO-PRIVATE-WEB match source-address any
set security policies from-zone UNTRUST to-zone TRUST policy PUBLIC-TO-PRIVATE-WEB match destination-address WEB
set security policies from-zone UNTRUST to-zone TRUST policy PUBLIC-TO-PRIVATE-WEB match application junos-http

 

If junos-http is a default port, what to do for ports that are not? What should I say after "application"? Please kindly advise.

Thanks in advance...


Re: Port Forwarding assistance

‎07-09-2015 08:00 PM

Hello,

You can create a custom application under [ edit application application ] with non-default ports and call them in the security application part.

 

Check this out : http://kb.juniper.net/InfoCenter/index?page=content&id=KB13365&smlogin=true


Thanks,
Sam

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too .....
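
The pieces discussed in this thread (destination NAT, the matching security policy, and a custom application for a non-default port) put together as one configuration. This is an added example, not configuration from any poster or from Juniper. Assumptions: the zone names `untrust` and `trust` are lowercase, the rule-set, rule, pool and address-book names are made up for illustration, port 5070 is assumed to be TCP, and `<internal-host-ip>` is a placeholder for whichever host serves it.

```junos
# --- Port 80 to the web server ---------------------------------------------
# Destination NAT: 2.3.4.5:80 arriving from untrust is rewritten to 10.1.1.2:80.
# 2.3.4.5 is the address of ge-0/0/0.0 itself, so no proxy-arp entry is needed.
set security nat destination pool web-server address 10.1.1.2/32
set security nat destination pool web-server address port 80
set security nat destination rule-set inbound from zone untrust
set security nat destination rule-set inbound rule web-http match destination-address 2.3.4.5/32
set security nat destination rule-set inbound rule web-http match destination-port 80
set security nat destination rule-set inbound rule web-http then destination-nat pool web-server

# Destination NAT runs before the policy lookup, so the policy matches the
# translated (private) address, not 2.3.4.5.
set security zones security-zone trust address-book address WEB 10.1.1.2/32
set security policies from-zone untrust to-zone trust policy PUBLIC-TO-PRIVATE-WEB match source-address any
set security policies from-zone untrust to-zone trust policy PUBLIC-TO-PRIVATE-WEB match destination-address WEB
set security policies from-zone untrust to-zone trust policy PUBLIC-TO-PRIVATE-WEB match application junos-http
set security policies from-zone untrust to-zone trust policy PUBLIC-TO-PRIVATE-WEB then permit
# Log new sessions so inbound connections to the exposed port can be reviewed.
set security policies from-zone untrust to-zone trust policy PUBLIC-TO-PRIVATE-WEB then log session-init

# --- Non-default port (5070) -------------------------------------------------
# No predefined junos-* application exists for this port, so define one and
# reference it in the policy. Protocol tcp is an assumption.
set applications application tcp-5070 protocol tcp
set applications application tcp-5070 destination-port 5070

set security nat destination pool app-5070 address <internal-host-ip>/32
set security nat destination pool app-5070 address port 5070
set security nat destination rule-set inbound rule app-5070 match destination-address 2.3.4.5/32
set security nat destination rule-set inbound rule app-5070 match destination-port 5070
set security nat destination rule-set inbound rule app-5070 then destination-nat pool app-5070

set security zones security-zone trust address-book address APP-HOST <internal-host-ip>/32
set security policies from-zone untrust to-zone trust policy PUBLIC-TO-PRIVATE-5070 match source-address any
set security policies from-zone untrust to-zone trust policy PUBLIC-TO-PRIVATE-5070 match destination-address APP-HOST
set security policies from-zone untrust to-zone trust policy PUBLIC-TO-PRIVATE-5070 match application tcp-5070
set security policies from-zone untrust to-zone trust policy PUBLIC-TO-PRIVATE-5070 then permit
set security policies from-zone untrust to-zone trust policy PUBLIC-TO-PRIVATE-5070 then log session-init
```

Each policy permits one application to one host, so only the forwarded port is reachable from untrust. `show security nat destination rule all` and `show security flow session destination-port 80` confirm whether the rule is being hit and what the session was translated to.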

Re: Port Forwarding assistance

‎07-10-2015 03:33 AM

You may find this tech note listing all the common nat scenarios helpful as well.

 

http://kb.juniper.net/InfoCenter/index?page=content&id=TN81

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home