
Port Nat

‎07-21-2016 08:53 AM

I know this must be simple but it is eluding me.

My remote users need to access a terminal server inside our network, I really prefer not to have 3389 open. I would rather have them connect to <public ip address>:4001 and have the SRX translate that to <server internal ip address>:3389

 

 

I tried using the following:
set security nat destination pool test address 192.168.1.1/32
set security nat destination pool test address port 4000
set security nat destination rule-set test rule 1 match destination-address <public-Ip-of-web-server>
set security nat destination rule-set test rule 1 match destination-port 3389
set security nat destination rule-set test rule 1 then destination-nat pool test

 

commit check
[edit security nat destination]

 'rule-set test'

  missing mandatory statement: 'from'

error: configuration check-out failed: (missing mandetory statements)

 

I have tried several different examples/setups and none have worked.

Getting the answer in the form of CLI would be great.


Re: Port Nat

[ Edited ]
‎07-21-2016 09:12 AM

Hello,

 

Please use the configuration below to achieve your requirement.

 

set security nat destination pool test address <internal-ip-address>
set security nat destination pool test address port <internal-port-no.>

set security nat destination rule-set test from zone <external-zone-name>
set security nat destination rule-set test rule 1 match destination-address <public-Ip-of-web-server>
set security nat destination rule-set test rule 1 match destination-port <external/public-port-no.>
set security nat destination rule-set test rule 1 then destination-nat pool test

 

You also need to configure proxy ARP if the public IP address being translated is different from the IP address of the external interface.

 

set security nat proxy-arp interface <external-interface>

 

Please let me know if the above configuration helps to achieve your requirement.

 

Thanks,
Pulkit Bhandari
Please mark my response as Solution Accepted if it Helps, Kudos are Appreciated too. 🙂


Re: Port Nat

‎07-21-2016 11:44 AM

Did not work.

 

At this point I have to believe it is somewhere else in the configuration. This is a new device and not in production.

 



root@xxxxx# show security nat destination | display set
set security nat destination pool test address 192.168.1.21/32
set security nat destination pool test address port 3389
set security nat destination rule-set test from zone untrust
set security nat destination rule-set test rule 1 match destination-address <piblic ip address>/29
set security nat destination rule-set test rule 1 match destination-port 4000
set security nat destination rule-set test rule 1 then destination-nat pool test

 

}
/* Local administrative account with the super-user class (full configuration rights). */
login {
user srxadmin {
uid 2000;
class super-user;
authentication {
/* NOTE(review): this password hash ($5$ = SHA-256 crypt) was published together with the rest of the
   configuration; treat the srxadmin credential as disclosed and rotate it. */
encrypted-password "$5$YWGvMpY2$CjPkJ6TeNknFFUCTikaiFF/2x80cDnMDuhXPq2TnOE/"; ## SECRET-DATA
}
}
}
/* Management services enabled on the device. ssh and https are the encrypted options; telnet,
   xnm-clear-text and http carry credentials in the clear. */
services {
ssh;
/* Cleartext login protocol; consider removing once ssh access is confirmed to work. */
telnet;
/* Cleartext JUNOScript (XML RPC) session; xnm-ssl is the encrypted variant. */
xnm-clear-text;
web-management {
/* Plain-HTTP J-Web, bound to the inside interface only. */
http {
interface ge-0/0/1.0;
}
/* HTTPS J-Web with a self-generated certificate, also inside-only. */
https {
system-generated-certificate;
interface ge-0/0/1.0;
}
}
/* DHCP server for the 192.168.1.0/24 LAN; the gateway handed out is the SRX's own ge-0/0/1.0 address. */
dhcp {
pool 192.168.1.0/24 {
address-range low 192.168.1.2 high 192.168.1.254;
router {
192.168.1.1;
}
/* Settings learned by the DHCP client on ge-0/0/0.0 (the untrust-facing interface) are passed on to pool clients. */
propagate-settings ge-0/0/0.0;
}
}
}
/* Local logging: emergencies to all logged-in users, critical events and authorization info to
   "messages", failed interactive commands to their own file. Three archived copies of 100k each. */
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
/* Login/authorization events at info level; this is where failed management logins land. */
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
/* Keep five configuration copies on flash and allow five rollback generations. */
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
/* Automatic license retrieval from Juniper over HTTPS. */
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
/* Single NTP source; no authentication key is configured for it. */
ntp {
server 131.107.13.100;
}
}
/* Security stanza: screen profile, source/destination NAT, inter-zone policies and zone membership
   for the RDP port-forward discussed in this thread. */
security {
/* Screen (IDS option) profile; it is applied to the untrust zone below. */
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
/* SYN-flood protection thresholds and the LAND-attack check. */
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
/* Outbound hide-NAT: traffic from 192.168.0.0/16 leaving trust toward untrust is translated
   to the egress interface address. */
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule trust-to-untrust {
match {
source-address 192.168.0.0/16;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
/* Inbound port-forward: TCP/4000 arriving from the untrust zone is translated to 192.168.1.21:3389. */
destination {
pool test {
address 192.168.1.21/32 port 3389;
}
rule-set test {
from zone untrust;
rule 1 {
match {
/* The /29 matches port 4000 on all eight addresses of the public block, not just one host;
   a /32 would scope the forward to a single public address. */
destination-address 173.161.47.145/29;
destination-port {
4000;
}
}
then {
destination-nat {
pool {
test;
}
}
}
}
}
}
}
policies {
/* Intra-zone traffic inside trust is permitted unconditionally. */
from-zone trust to-zone trust {
policy trust-to-trust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
/* Outbound traffic from trust to the Internet is permitted unconditionally. */
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
/* Inbound allow for the port-forward: any IPv4 source may reach the translated host on the
   custom application "rdp". NOTE(review): policy lookup happens after destination NAT, so
   "rdp" must describe the post-NAT port (3389) for this policy to match; see the applications stanza. */
policy laptop {
match {
source-address any-ipv4;
destination-address any-ipv4;
application rdp;
}
then {
permit;
}
}
/* Explicit catch-all deny. Policies are evaluated top-down, so this one must stay last. */
policy Untrust-to-Trust {
description "deny all inbound traffic except that which is specifically allowed by security policies";
match {
source-address any;
destination-address any;
application any;
source-identity any;
}
then {
deny;
}
}
}
}
zones {
/* Inside zone: every system service and routing protocol is accepted from hosts on the listed LAN interfaces. */
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/1.0;
ge-0/0/2.0;
ge-0/0/3.0;
ge-0/0/4.0;
ge-0/0/5.0;
}
}
/* Outside zone with the screen profile attached. Only tftp is accepted by the SRX itself on ge-0/0/0.0.
   NOTE(review): tftp is an unauthenticated service exposed on the public-facing interface; confirm it is still required. */
security-zone untrust {
screen untrust-screen;
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
tftp;
}
}
}
}
}
}
}
/* Interface addressing: ge-0/0/0 carries the public /29, ge-0/0/1 through ge-0/0/5 are the
   internal LAN segments (one /24 each, two on ge-0/0/1), ge-0/0/6 and ge-0/0/7 are unaddressed. */
interfaces {
/* Untrust-facing interface holding the public block used by the destination NAT rule. */
ge-0/0/0 {
unit 0 {
family inet {
address <public ip address>/29;
}
}
}
/* Primary LAN and management interface (J-Web, DHCP server and the RDP host live here). */
ge-0/0/1 {
unit 0 {
family inet {
address 192.168.1.1/24;
address 192.168.17.1/24;
}
}
}
ge-0/0/2 {
unit 0 {
family inet {
address 192.168.2.1/24;
}
}
}
ge-0/0/3 {
unit 0 {
family inet {
address 192.168.3.1/24;
}
}
}
ge-0/0/4 {
unit 0 {
family inet {
address 192.168.4.1/24;
}
}
}
ge-0/0/5 {
unit 0 {
family inet {
address 192.168.5.1/24;
}
}
}
ge-0/0/6 {
unit 0;
}
ge-0/0/7 {
unit 0;
}
/* NOTE(review): a /29 mask on 127.0.0.1 is unusual for a loopback address; /32 is conventional — confirm intent. */
lo0 {
unit 0 {
family inet {
address 127.0.0.1/29;
}
}
}
}
/* Single static default route toward the ISP; no dynamic routing is configured. */
routing-options {
static {
route 0.0.0.0/0 next-hop <ISP Gateway Address>;
}
}
applications {
/* Custom service object referenced by policy "laptop" (from-zone untrust to-zone trust).
   NOTE(review): destination NAT is applied before the policy lookup, so the policy sees the
   translated destination port 3389 rather than the public port 4000, and a fixed source-port of
   3389 will not match clients' ephemeral source ports. "protocol tcp; destination-port 3389;"
   (or the predefined junos-ms-rdp) is the usual definition — confirm against the configuration
   that eventually worked. */
application rdp {
protocol tcp;
source-port 3389;
destination-port 4000;
}
}


Re: Port Nat

‎07-21-2016 01:28 PM

I moved back to a base install of the configuration and started over. I don't know what the problem was, but it works now.

I used the instructions from https://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf

 

Specifically Page 8
