Thanks for your reply.
"I would not expect you need to reference the pre-translated port. "
You're right! Removing the SSH-DNAT application from my DST-NAT still works. By looking at the diagram referenced in KB16110 I think I understand it. I have:
- screen
- nat - source
- nat - destination (listed in OP rule w/ pre-translated port nnnn)
- policies - trust to untrust
- policies - untrust to trust (listed in OP policy w/ post-translated port)
- zones - trust
- zones - untrust
Junos looks at Screens, Static NAT, Dest NAT, Route (Forwarding Lookup), Zones, Policy, .... I gather that at Dest NAT it's evaluating the pre-translated port? And then, when it evaluates Policy, it looks at the post-translated port (which in my case, since I want the standard port, would be junos-ssh)? Only if I wanted to use the same port as the pre-translated one would I reference my SSH-DNAT application.
Is my thinking correct?
If so, could I also remove the standard port from my pool DNAT host? Instead of
pool DNAT-host-SSH-test {
    address 192.168.3.100/32 port 22;
}
I would define the host as
pool DNAT-host-SSH-test {
    address 192.168.3.100/32;
}
and that way I can forward multiple ports to the same host.
Thanks
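Added example (not the poster's configuration and not from KB16110): a set-style Junos configuration showing the two pool forms side by side, so the difference the post is asking about is visible in what the untrust-to-trust policy actually matches. Assumed, because the post does not give them: 203.0.113.10/32 as the untrust-side address (documentation range), 2222 in place of the post's "nnnn", the rule-set, rule, policy and address-book names, and the SSH-DNAT application being a custom TCP application on port 2222. The pool name, host address 192.168.3.100 and zone names are taken from the post.

```junos
## Added example, not the original poster's configuration.
## Assumed: 203.0.113.10/32 (untrust-side address), port 2222 for the post's "nnnn",
## and the rule-set / rule / policy / address-book names below.

## Custom application for the pre-translated port (the post's SSH-DNAT).
set applications application SSH-DNAT protocol tcp destination-port 2222

## Variant A: the pool translates address AND port.
## 203.0.113.10:2222 arrives, destination NAT rewrites it to 192.168.3.100:22,
## so the policy (evaluated after NAT) matches the post-translated service junos-ssh.
set security nat destination pool DNAT-host-SSH-test address 192.168.3.100/32 port 22
set security nat destination rule-set DNAT-untrust from zone untrust
set security nat destination rule-set DNAT-untrust rule SSH-to-host match destination-address 203.0.113.10/32
set security nat destination rule-set DNAT-untrust rule SSH-to-host match destination-port 2222
set security nat destination rule-set DNAT-untrust rule SSH-to-host then destination-nat pool DNAT-host-SSH-test
set security zones security-zone trust address-book address host-192-168-3-100 192.168.3.100/32
set security policies from-zone untrust to-zone trust policy allow-ssh-to-host match source-address any
set security policies from-zone untrust to-zone trust policy allow-ssh-to-host match destination-address host-192-168-3-100
set security policies from-zone untrust to-zone trust policy allow-ssh-to-host match application junos-ssh
set security policies from-zone untrust to-zone trust policy allow-ssh-to-host then permit

## Variant B: the pool translates the address only; the destination port is left as received.
## 203.0.113.10:2222 becomes 192.168.3.100:2222. The host must therefore listen on 2222,
## and the policy must match the custom application (port 2222), not junos-ssh (port 22).
## A port-less pool can serve several rules (2222, 8443, ...), each keeping its own port.
delete security nat destination pool DNAT-host-SSH-test
set security nat destination pool DNAT-host-SSH-test address 192.168.3.100/32
delete security policies from-zone untrust to-zone trust policy allow-ssh-to-host match application junos-ssh
set security policies from-zone untrust to-zone trust policy allow-ssh-to-host match application SSH-DNAT

## Verify which port the policy saw (post-translation) and that the NAT rule is hit:
## run show security flow session destination-prefix 192.168.3.100
## run show security nat destination rule all
```

The point of showing both variants: the policy lookup happens after destination NAT, so the policy always matches the translated port. With the port in the pool (variant A) that is 22 and junos-ssh is the right application; without a port in the pool (variant B) nothing rewrites the port, so a connection to 2222 reaches the host on 2222 and the policy has to match the pre-translated port application instead. Using the same port-less pool for several rules works, but each forwarded port then arrives at the host unchanged.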