I’m trying to replicate a soon-to-be-retired ScreenOS device with a Junos SRX unit.
In ScreenOS we were able to open a port on the untrust and point it to another port on our trust using a VIP,
i.e. public 1.1.1.2 port 8080 was pointed to private 192.168.1.100 port 80.
ScreenOS example:
set service "http-8080" protocol tcp src-port 1024-65535 dst-port 8080-8080
set service "http-8081" protocol tcp src-port 1024-65535 dst-port 8081-8081
set interface ethernet0/1 vip 1.1.1.2 8080 "HTTP" 192.168.1.100
set interface ethernet0/1 vip 1.1.1.2 8081 "HTTP" 192.168.1.101
set policy from untrust to dmz any vip(1.1.1.2) "http-8080" permit
set policy from untrust to dmz any vip(1.1.1.2) "http-8081" permit
I’ve figured out how to do a straight port mapping (thanks to the document: Junos for the ScreenOS user):
set security nat destination pool dnat-pool-1 address 10.1.1.100/32
set security nat destination rule-set dst-nat from zone untrust
set security nat destination rule-set dst-nat rule rule1 match destination-address 1.1.1.100/32
set security nat destination rule-set dst-nat rule rule1 match destination-port 80
set security nat destination rule-set dst-nat rule rule1 then destination-nat pool dnat-pool-1
set security zones security-zone trust address-book address webserver 10.1.1.100
set security zones security-zone trust address-book address-set servergroup address webserver
set security policies from-zone untrust to-zone trust policy static-nat match source-address any destination-address servergroup application junos-http
set security policies from-zone untrust to-zone trust policy static-nat then permit
But how do I do the port redirection?
Thanks
Paul
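
One way to express the port redirection asked about above in Junos, as an added example that is not part of the original post: the destination NAT pool carries the translated port, and the rule matches the public port. The interface name ge-0/0/0.0, the pool, rule, address-book and policy names, and the placement of both servers in the trust zone are assumptions, as is the need for proxy ARP (only required when 1.1.1.2 is not the interface's own address).

```junos
# Pools: private server address plus the real (translated) port
set security nat destination pool web-100 address 192.168.1.100/32 port 80
set security nat destination pool web-101 address 192.168.1.101/32 port 80

# Rules: match the public address and public port, then hand off to the pool
set security nat destination rule-set dst-nat from zone untrust
set security nat destination rule-set dst-nat rule vip-8080 match destination-address 1.1.1.2/32
set security nat destination rule-set dst-nat rule vip-8080 match destination-port 8080
set security nat destination rule-set dst-nat rule vip-8080 then destination-nat pool web-100
set security nat destination rule-set dst-nat rule vip-8081 match destination-address 1.1.1.2/32
set security nat destination rule-set dst-nat rule vip-8081 match destination-port 8081
set security nat destination rule-set dst-nat rule vip-8081 then destination-nat pool web-101

# Assumption: 1.1.1.2 is a secondary public address, so the SRX must answer ARP for it
set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.2/32

# Policy lookup happens after destination NAT, so the policy matches the
# translated address and port (192.168.1.x, TCP 80), not 1.1.1.2:8080/8081
set security zones security-zone trust address-book address web-100 192.168.1.100/32
set security zones security-zone trust address-book address web-101 192.168.1.101/32
set security zones security-zone trust address-book address-set web-servers address web-100
set security zones security-zone trust address-book address-set web-servers address web-101
set security policies from-zone untrust to-zone trust policy allow-vip-web match source-address any destination-address web-servers application junos-http
set security policies from-zone untrust to-zone trust policy allow-vip-web then permit
```

Because the policy is written against the post-NAT values, it permits only TCP 80 to the two listed servers, and traffic to 1.1.1.2 on any port without a NAT rule is not translated.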