SRX

last person joined: 12 hours ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

  • 1.  SRX port forwarding clarification

    Posted 12-16-2018 17:33

    Hi,

     

    I am migrating from SSG to SRX: allow SSH on a non-standard port from the WAN and forwarding it to a machine on the standard port.

     

    WAN:nnnn -> 192.168.3.100:22

     

    Trying to understand why I need to do something that was posted in 2011 from https://forums.juniper.net/t5/SRX-Services-Gateway/SRX-port-forwarding-translation/m-p/100942. Specifically the untrust-to-trust policy needs to match the junos-ssh application in addition to my custom one that refers to the non-standard port. Isn't the destination pool host definition enough?

     

    Thanks

     

    version 12.1X46-D71;

security {
        destination {
            pool DNAT-host-SSH-test {
                address 192.168.3.100/32 port 22;
            }
            rule-set DST-NAT {
                from zone untrust;
                rule Rule1 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                        destination-port nnnn;
                    }
                    then {
                        destination-nat {
                            pool {
                                DNAT-host-SSH-test;
                            }
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone untrust to-zone trust {
            policy UNTRUST-to-TRUST-test {
                match {
                    source-address any;
                    destination-address any;
                    application [ SSH-DNAT junos-ssh ];
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
    }
}

applications {
    application SSH-DNAT {
        protocol tcp;
        source-port 1024-65535;
        destination-port nnnn;
    }
}

     



  • 2.  RE: SRX port forwarding clarification
    Best Answer

     
    Posted 12-16-2018 17:54
    Since destination nat translation occurs before security policies are applied, you need to specify the post-translation port in your policy. I would not expect you need to reference the pre-translated port.

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB16110


  • 3.  RE: SRX port forwarding clarification

    Posted 12-17-2018 21:16

    Thanks for your reply.

     

    "I would not expect you need to reference the pre-translated port. "

     

    You're right! Removing the SSH-DNAT application from my DST-NAT still works. By looking at the diagram referenced in KB16110 I think I understand it. I have:

    • screen
    • nat - source
    • nat - destination (listed in OP rule w/ pre translated port nnnn)
    • policies - trust to untrust
    • policies - untrust to trust (listed in OP policy w/ post translated port)
    • zones - trust
    • zones - untrust

    JunOS looks at Screens, Static NAT, Dest NAT, Route, (Forwarding Lookup), Zones, Policy, .... I gather at Dest NAT it's evaluating the pre translated port? And then when it evaluates Policy, it looks at at the post translated port (which in my case since I want the standard port, it would be junos-ssh)? If I wanted to use the same port as pre-translated, only then would I reference my SSH-DNAT application.

     

    Is my thinking correct?

     

    If so could I also remove the standard port from my pool DNAT host? Instead of

                pool DNAT-host-SSH-test {
                address 192.168.3.100/32 port 22;
            }

    I define the host to

                pool DNAT-host-SSH-test {
                address 192.168.3.100/32;
            }

    and that way I can forward multiple ports to the same host.

     

     

    Thanks



  • 4.  RE: SRX port forwarding clarification

     
    Posted 12-18-2018 11:41

    Correct--if you don't specify a port in your nat translation all inbound traffic ports will remain the same. You can then rely on your security policy to allow or block actual traffic.



  • 5.  RE: SRX port forwarding clarification

    Posted 12-19-2018 00:00

    FYI, I just tried removing port 22 from

                pool DNAT-host-SSH-test {
                address 192.168.3.100/32 port 22;
            }

    but that prevented the port forwarding from working.



  • 6.  RE: SRX port forwarding clarification

     
    Posted 12-19-2018 08:15

    Can you post your current security nat and security policies config?



  • 7.  RE: SRX port forwarding clarification

    Posted 12-19-2018 11:55
    @smicker wrote:

    > Can you post your current security nat and security policies config?

     

    I've posted the config over at the beginning of thread https://forums.juniper.net/t5/SRX-Services-Gateway/Dynamic-VPN-client-can-t-ping-some-remote-protected-resources/m-p/419775#M51761.

     

    Thanks!