SRX

  • 1.  Junos equivalent to ScreenOS VIP port redirection

    Posted 03-15-2012 15:33

     

    I'm trying to replicate a soon-to-be-retired ScreenOS device with a Junos SRX unit.

    In ScreenOS we were able to open a port on the untrust and point it to another port on our trust using a VIP,

    i.e. public 1.1.1.2 port 8080 was pointed to private 192.168.1.100 port 80.

     

    ScreenOS example:

    set service "http-8080" protocol tcp src-port 1024-65535 dst-port 8080-8080
    set service "http-8081" protocol tcp src-port 1024-65535 dst-port 8081-8081
    set interface ethernet0/1 vip 1.1.1.2 8080 "HTTP" 192.168.1.100
    set interface ethernet0/1 vip 1.1.1.2 8081 "HTTP" 192.168.1.101
    set policy from untrust to dmz any vip(1.1.1.2) "http-8080" permit
    set policy from untrust to dmz any vip(1.1.1.2) "http-8081" permit

    I've figured out how to do a straight port mapping (thanks to the document "Junos for the ScreenOS user"):

    set security nat destination pool dnat-pool-1 address 10.1.1.100/32
    set security nat destination rule-set dst-nat from zone untrust
    set security nat destination rule-set dst-nat rule rule1 match destination-address 1.1.1.100/32
    set security nat destination rule-set dst-nat rule rule1 match destination-port 80
    set security nat destination rule-set dst-nat rule rule1 then destination-nat pool dnat-pool-1
    set security zones security-zone trust address-book address webserver 10.1.1.100
    set security zones security-zone trust address-book address-set servergroup address webserver
    set security policies from-zone untrust to-zone trust policy static-nat match source-address any destination-address servergroup application junos-http
    set security policies from-zone untrust to-zone trust policy static-nat then permit

     

    But how do I do the port redirection?

    Thanks

    Paul



  • 2.  RE: Junos equivalent to ScreenOS VIP port redirection
    Best Answer

    Posted 03-15-2012 17:22

    @pgartner wrote:

    but how do I do the port redirection?


    In the destination NAT pool config. You will want to create a 1-address "pool" (I know, not the best choice of terminology) that defines the internal address and port number.

    Your "match" clause of your destination NAT rule should match the public IP and public port number, with the "then" clause pointing to the pool.

    So, for example, your ScreenOS VIP looks like this:

    set interface ethernet0/1 vip 1.1.1.2 8080 "HTTP" 192.168.1.100

    That, as you mentioned, takes public IP 1.1.1.2 port 8080 and translates it to 192.168.1.100 port 80.

    On the SRX, it would look like this:

    security {
      nat {
        destination {
          pool web-1 {
            address 192.168.1.100/32 port 80;
          }
          rule-set incoming-web {
            from zone untrust;
            rule web1 {
              match {
                destination-address 1.1.1.2/32;
                destination-port 8080;
              }
              then {
                destination-nat pool web-1;
              }
            }
          }
        }
      }
    }


    Or... in "set" form to configure those lines:

    set security nat destination pool web-1 address 192.168.1.100/32
    set security nat destination pool web-1 address port 80
    set security nat destination rule-set incoming-web from zone untrust
    set security nat destination rule-set incoming-web rule web1 match destination-address 1.1.1.2/32
    set security nat destination rule-set incoming-web rule web1 match destination-port 8080
    set security nat destination rule-set incoming-web rule web1 then destination-nat pool web-1
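
    A scripted version of the mapping in this answer, as an added example that is not code from the thread or from Juniper: it reads ScreenOS "set service" and "vip" lines (the ones from the question, embedded as a constructed sample), and emits the Junos destination-NAT pool and rule shown above plus the address-book entry and security policy the answer leaves out. The zone names, the pool/rule/policy naming scheme and the two small service/application tables are assumptions chosen for the example. The part worth checking against your own config is the policy: the SRX does the destination-NAT lookup before the policy lookup, so the policy has to match the translated private address and the real server port (junos-http for port 80), not the public port 8080.

```python
"""Translate ScreenOS VIP port-redirection lines into Junos SRX set commands.

Added example (not code from the thread). Assumptions: zone names, the pool /
rule / address-book naming scheme, and the two service tables are chosen here.
"""
import re

# ScreenOS predefined services that may appear on the private side of a VIP
# (assumed subset; the real table is much larger).
SCREENOS_SERVICES = {
    "HTTP": ("tcp", 80), "HTTPS": ("tcp", 443), "SSH": ("tcp", 22),
    "FTP": ("tcp", 21), "SMTP": ("tcp", 25), "DNS": ("udp", 53),
}
# Junos predefined applications for the same ports (assumed subset).
JUNOS_APPS = {
    ("tcp", 80): "junos-http", ("tcp", 443): "junos-https", ("tcp", 22): "junos-ssh",
    ("tcp", 21): "junos-ftp", ("tcp", 25): "junos-smtp", ("udp", 53): "junos-dns-udp",
}

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
VIP_RE = re.compile(rf'^set interface (\S+) vip {IP} (\d+) "([^"]+)" {IP}$')
SERVICE_RE = re.compile(r'^set service "([^"]+)" protocol (tcp|udp) src-port \S+ dst-port (\d+)-(\d+)$')


def parse_screenos(lines):
    """Return (services, vips); custom 'set service' lines extend the predefined table."""
    services = dict(SCREENOS_SERVICES)
    vips = []
    for raw in lines:
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            name, proto, lo, hi = m.groups()
            if lo != hi:
                raise ValueError(f"service {name}: a VIP needs a single destination port, got {lo}-{hi}")
            services[name] = (proto, int(lo))
            continue
        m = VIP_RE.match(line)
        if m:
            _ifname, public_ip, public_port, service, private_ip = m.groups()
            vips.append((public_ip, int(public_port), service, private_ip))
    return services, vips


def _tag(ip):
    return ip.replace(".", "-")


def vip_to_junos(public_ip, public_port, proto, private_ip, private_port,
                 from_zone="untrust", to_zone="trust"):
    """Set commands for one VIP: destination NAT pool + rule, and the matching policy."""
    pool = f"dnat-{_tag(private_ip)}-{proto}-{private_port}"
    rule_set = f"dnat-from-{from_zone}"
    rule = f"{_tag(public_ip)}-{proto}-{public_port}"
    host = f"host-{_tag(private_ip)}"
    policy = f"allow-{rule}"
    cmds = []
    app = JUNOS_APPS.get((proto, private_port))
    if app is None:  # no predefined application: define one for the real server port
        app = f"{proto}-{private_port}"
        cmds.append(f"set applications application {app} protocol {proto} destination-port {private_port}")
    cmds += [
        f"set security nat destination pool {pool} address {private_ip}/32",
        f"set security nat destination pool {pool} address port {private_port}",
        f"set security nat destination rule-set {rule_set} from zone {from_zone}",
        f"set security nat destination rule-set {rule_set} rule {rule} match destination-address {public_ip}/32",
        f"set security nat destination rule-set {rule_set} rule {rule} match destination-port {public_port}",
        f"set security nat destination rule-set {rule_set} rule {rule} then destination-nat pool {pool}",
        # Policy lookup happens after destination NAT, so the policy must match
        # the translated (private) address and the real server port, not the public one.
        f"set security zones security-zone {to_zone} address-book address {host} {private_ip}/32",
        f"set security policies from-zone {from_zone} to-zone {to_zone} policy {policy} "
        f"match source-address any destination-address {host} application {app}",
        f"set security policies from-zone {from_zone} to-zone {to_zone} policy {policy} then permit",
    ]
    return cmds


def screenos_to_junos(lines, from_zone="untrust", to_zone="trust"):
    """Convert a whole ScreenOS snippet; shared lines (rule-set zone) are emitted once."""
    services, vips = parse_screenos(lines)
    out = []
    for public_ip, public_port, service, private_ip in vips:
        if service not in services:
            raise KeyError(f"unknown ScreenOS service {service!r} in VIP {public_ip}:{public_port}")
        proto, private_port = services[service]
        for cmd in vip_to_junos(public_ip, public_port, proto, private_ip, private_port, from_zone, to_zone):
            if cmd not in out:
                out.append(cmd)
    return out


# Constructed sample: the ScreenOS lines from the question.
SAMPLE = """
set service "http-8080" protocol tcp src-port 1024-65535 dst-port 8080-8080
set service "http-8081" protocol tcp src-port 1024-65535 dst-port 8081-8081
set interface ethernet0/1 vip 1.1.1.2 8080 "HTTP" 192.168.1.100
set interface ethernet0/1 vip 1.1.1.2 8081 "HTTP" 192.168.1.101
set policy from untrust to dmz any vip(1.1.1.2) "http-8080" permit
set policy from untrust to dmz any vip(1.1.1.2) "http-8081" permit
""".strip().splitlines()

if __name__ == "__main__":
    print("\n".join(screenos_to_junos(SAMPLE)))
```

    Running it prints one rule per VIP under a single rule-set, and the ScreenOS "set policy ... vip(1.1.1.2)" lines are ignored on purpose: in Junos the policy references the private host address, so it is derived from the VIP line rather than from the ScreenOS policy.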

     



  • 3.  RE: Junos equivalent to ScreenOS VIP port redirection

    Posted 03-19-2012 04:18

    Perfect. Worked like a charm.

    Thanks

    Paul