SRX Services Gateway

Junos equivalent to ScreenOS VIP port redirection

‎03-15-2012 03:32 PM

 

I'm trying to replicate a soon-to-be-retired ScreenOS device with a Junos SRX unit.

In ScreenOS we were able to open a port on the untrust and point it to another port on our trust using a VIP,

i.e. public 1.1.1.2 port 8080 was pointed to private 192.168.1.100 port 80.

 

ScreenOS example:

set service "http-8080" protocol tcp src-port 1024-65535 dst-port 8080-8080
set service "http-8081" protocol tcp src-port 1024-65535 dst-port 8081-8081
set interface ethernet0/1 vip 1.1.1.2 8080 "HTTP" 192.168.1.100
set interface ethernet0/1 vip 1.1.1.2 8081 "HTTP" 192.168.1.101
set policy from untrust to dmz any vip(1.1.1.2) "http-8080" permit
set policy from untrust to dmz any vip(1.1.1.2) "http-8081" permit

I've figured out how to do a straight port mapping (thanks to the document "Junos for the ScreenOS User"):

set security nat destination pool dnat-pool-1 address 10.1.1.100/32
set security nat destination rule-set dst-nat from zone untrust
set security nat destination rule-set dst-nat rule rule1 match destination-address 1.1.1.100/32
set security nat destination rule-set dst-nat rule rule1 match destination-port 80
set security nat destination rule-set dst-nat rule rule1 then destination-nat pool dnat-pool-1
set security zones security-zone trust address-book address webserver 10.1.1.100
set security zones security-zone trust address-book address-set servergroup address webserver
set security policies from-zone untrust to-zone trust policy static-nat match source-address any destination-address servergroup application junos-http
set security policies from-zone untrust to-zone trust policy static-nat then permit

 

but how do I do the port redirection?

 

Thanks

 

Paul

 

Solution
Accepted by topic author pgartner
‎08-26-2015 01:27 AM

Re: Junos equivalent to ScreenOS VIP port redirection

‎03-15-2012 05:22 PM

@pgartner wrote:

but how do I do the port redirection?


In the destination NAT pool config. You will want to create a 1-address "pool" (I know, not the best choice of terminology) that defines the internal address and port number.

Your "match" clause of your destination NAT rule should match the public IP and public port number, with the "then" clause pointing to the pool.
 
So, for example, your ScreenOS VIP looks like this:

set interface ethernet0/1 vip 1.1.1.2 8080 "HTTP" 192.168.1.100
 
That, as you mentioned, takes public IP 1.1.1.2 port 8080 and translates it to 192.168.1.100 port 80.
 
On the SRX, it would look like this:

security {
  nat {
    destination {
      pool web-1 {
        address 192.168.1.100/32 port 80;
      }
      rule-set incoming-web {
        from zone untrust;
        rule web1 {
          match {
            destination-address 1.1.1.2/32;
            destination-port 8080;
          }
          then {
            destination-nat pool web-1;
          }
        }
      }
    }
  }
}

 
Or... in "set" form to configure those lines:

set security nat destination pool web-1 address 192.168.1.100/32 port 80
set security nat destination rule-set incoming-web from zone untrust
set security nat destination rule-set incoming-web rule web1 match destination-address 1.1.1.2/32
set security nat destination rule-set incoming-web rule web1 match destination-port 8080
set security nat destination rule-set incoming-web rule web1 then destination-nat pool web-1

 

-kr


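As an added example (not code from the thread, the poster, or Juniper), the following Python script applies the mapping the question and the accepted answer describe: it parses the ScreenOS `set service` and `set interface ... vip` lines from the question, resolves the service named on each VIP line to the server-side port (the predefined ScreenOS service "HTTP" is port 80; custom services take their `dst-port`), and emits one Junos destination-NAT pool and rule per VIP in the form the answer gives. It also emits the security policy that an SRX still needs and that the answer leaves out: policy lookup happens after destination NAT, so the policy matches the translated private address and port, as the questioner's own `static-nat` policy does. The zone names `untrust`/`trust`, the rule-set name `vip-redirect`, the generated object names and the predefined-service table are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Predefined ScreenOS services this translator knows (assumption: the thread only
# uses "HTTP"; the other entries are ScreenOS defaults, all TCP, listed for convenience).
PREDEFINED_SERVICES = {"HTTP": (80, "tcp"), "HTTPS": (443, "tcp"),
                       "SSH": (22, "tcp"), "TELNET": (23, "tcp"), "SMTP": (25, "tcp")}

# Custom service line:  set service "NAME" protocol tcp|udp src-port A-B dst-port C-D
SERVICE_RE = re.compile(
    r'^set service "(?P<name>[^"]+)" protocol (?P<proto>tcp|udp) '
    r'src-port \d+-\d+ dst-port (?P<lo>\d+)-(?P<hi>\d+)$')
# VIP line:  set interface IFACE vip PUBLIC-IP PUBLIC-PORT "SERVICE" PRIVATE-IP
VIP_RE = re.compile(
    r'^set interface \S+ vip (?P<pub_ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<pub_port>\d+) '
    r'"(?P<svc>[^"]+)" (?P<priv_ip>\d{1,3}(?:\.\d{1,3}){3})$')


@dataclass(frozen=True)
class Vip:
    public_ip: str
    public_port: int
    private_ip: str
    private_port: int   # the port of the service named on the VIP line
    proto: str


def parse_screenos(lines):
    """Collect custom services, then resolve each VIP line to a Vip record.
    Services must be defined before the VIP lines that use them (as in the thread)."""
    services = dict(PREDEFINED_SERVICES)
    vips = []
    for raw in lines:
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            if m["lo"] != m["hi"]:
                raise ValueError(f"{m['name']}: a VIP needs a single destination port")
            services[m["name"]] = (int(m["lo"]), m["proto"])
            continue
        m = VIP_RE.match(line)
        if m:
            if m["svc"] not in services:
                raise ValueError(f"unknown ScreenOS service {m['svc']!r}")
            port, proto = services[m["svc"]]
            vips.append(Vip(m["pub_ip"], int(m["pub_port"]), m["priv_ip"], port, proto))
        # Other lines (e.g. the ScreenOS "set policy" lines) are ignored; the SRX
        # policy is generated below from the VIP itself.
    return vips


def junos_set_commands(vips, from_zone="untrust", to_zone="trust", rule_set="vip-redirect"):
    """Emit Junos 'set' commands: one dNAT pool and rule per VIP, plus the security
    policy the SRX still needs, matched on the post-NAT (private) address and port."""
    cmds = [f"set security nat destination rule-set {rule_set} from zone {from_zone}"]
    for v in vips:
        tag = f"vip-{v.public_ip.replace('.', '-')}-{v.public_port}"   # assumed naming scheme
        pool, app, host = f"{tag}-pool", f"{tag}-app", f"{tag}-host"
        nat = f"set security nat destination rule-set {rule_set} rule {tag}"
        pol = f"set security policies from-zone {from_zone} to-zone {to_zone} policy {tag}"
        cmds += [
            # Pool carries the private address AND port: this is the port redirection.
            f"set security nat destination pool {pool} address {v.private_ip}/32 port {v.private_port}",
            # Rule matches the public address and public port, as the answer describes.
            f"{nat} match destination-address {v.public_ip}/32",
            f"{nat} match destination-port {v.public_port}",
            f"{nat} then destination-nat pool {pool}",
            # Policy objects: translated address and server-side port, not the public ones.
            f"set applications application {app} protocol {v.proto} destination-port {v.private_port}",
            f"set security zones security-zone {to_zone} address-book address {host} {v.private_ip}/32",
            f"{pol} match source-address any destination-address {host} application {app}",
            f"{pol} then permit",
        ]
    return cmds


# Constructed sample input: the ScreenOS lines from the question.
SCREENOS_SAMPLE = """
set service "http-8080" protocol tcp src-port 1024-65535 dst-port 8080-8080
set service "http-8081" protocol tcp src-port 1024-65535 dst-port 8081-8081
set interface ethernet0/1 vip 1.1.1.2 8080 "HTTP" 192.168.1.100
set interface ethernet0/1 vip 1.1.1.2 8081 "HTTP" 192.168.1.101
""".strip().splitlines()

if __name__ == "__main__":
    for cmd in junos_set_commands(parse_screenos(SCREENOS_SAMPLE)):
        print(cmd)
```

The script prints the commands for both VIPs; each one maps public port 8080 or 8081 on 1.1.1.2 to port 80 on its private host, exactly as the ScreenOS VIPs did. One further check before committing: if the public address (1.1.1.2 here) is not an address configured on the untrust interface itself, the SRX will not answer ARP for it unless proxy ARP is enabled for that address (`set security nat proxy-arp interface <untrust-ifl> address 1.1.1.2/32`, with the interface name as a placeholder to fill in), so a missing proxy-arp entry is the usual reason a freshly converted VIP shows no hits on its NAT rule.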

Re: Junos equivalent to ScreenOS VIP port redirection

‎03-19-2012 04:18 AM

Perfect. Worked like a charm.

 

Thanks

 

Paul