[j-nsp] Destination NAT

Asad Raza asadgardezi at gmail.com
Thu Nov 28 03:08:49 EST 2013


Hi,

DNAT is done before the policy match/route lookup. You need to allow x.x.x.x in the policy instead of y.y.y.y

Regards,

Asad
On Nov 28, 2013, at 11:00 AM, Mohammad Khalil <eng.mssk at gmail.com> wrote:

> Hi All
> I have srx210h
> I have a server with an IP address x.x.x.x and want to allow telnet access
> to it on a different port (I chose 3333), and assigned it the public IP
> address y.y.y.y
> But it seems not to be working
> set security zones security-zone trust address-book address SERVER y.y.y.y/32
> 
> set applications application TELNET_DNAT protocol tcp
> set applications application TELNET_DNAT destination-port 3333
> 
> set security nat destination pool DNAT_POOL address y.y.y.y/32
> set security nat destination pool DNAT_POOL address port 23
> 
> set security nat destination rule-set DNAT_RULE from zone untrust
> 
> set security nat destination rule-set DNAT_RULE rule rule1 match destination-address x.x.x.x/32
> set security nat destination rule-set DNAT_RULE rule rule1 match destination-port 3333
> set security nat destination rule-set DNAT_RULE rule rule1 then destination-nat pool DNAT_POOL
> 
> set security policies from-zone untrust to-zone trust policy DNAT_POLICY match source-address any
> set security policies from-zone untrust to-zone trust policy DNAT_POLICY match destination-address SERVER
> set security policies from-zone untrust to-zone trust policy DNAT_POLICY match application TELNET_DNAT
> set security policies from-zone untrust to-zone trust policy DNAT_POLICY then permit
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
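Added illustration, not code from the thread or from Juniper: a small Python model of the SRX first-packet order the reply refers to, destination NAT applied first and the security policy looked up afterwards on the translated destination. The posted rule set and policy are entered as data. The documentation addresses 203.0.113.10 and 192.0.2.10 are constructed stand-ins for the x.x.x.x the NAT rule matches and the y.y.y.y pool address (the example follows the posted config, in which x.x.x.x is the matched address and y.y.y.y the pool); the dataclass and function names are invented for the example.

```python
"""Toy model of the Junos SRX first-path order for destination NAT.

Added example, not Juniper code. It models only the ordering that matters in
the thread: destination NAT is applied before the policy lookup, so the policy
is evaluated against the translated (pool) address and port. Addresses are
constructed RFC 5737 documentation addresses standing in for the thread's
x.x.x.x (matched by the NAT rule) and y.y.y.y (the pool address).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# constructed stand-ins for the thread's placeholders
MATCHED_ADDR = "203.0.113.10"   # x.x.x.x: destination the NAT rule matches
POOL_ADDR = "192.0.2.10"        # y.y.y.y: DNAT_POOL address (the real server)


@dataclass(frozen=True)
class Packet:
    from_zone: str
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class DnatRule:
    from_zone: str      # rule-set "from zone"
    match_dst: str      # match destination-address (prefix)
    match_dport: int    # match destination-port
    pool_addr: str      # pool address
    pool_port: int      # pool address port


@dataclass(frozen=True)
class Policy:
    from_zone: str
    to_zone: str
    dst_net: str        # address-book entry, as a prefix
    app_dport: int      # application destination-port
    action: str = "permit"


def apply_dnat(pkt: Packet, rules: list) -> Packet:
    """Destination NAT runs before the route and policy lookups."""
    for r in rules:
        if (r.from_zone == pkt.from_zone
                and ip_address(pkt.dst) in ip_network(r.match_dst)
                and pkt.dport == r.match_dport):
            return Packet(pkt.from_zone, pkt.src, r.pool_addr, r.pool_port, pkt.proto)
    return pkt


def policy_lookup(pkt: Packet, to_zone: str, policies: list) -> str:
    """Policy match is evaluated on the post-NAT destination address and port."""
    for p in policies:
        if (p.from_zone == pkt.from_zone and p.to_zone == to_zone
                and ip_address(pkt.dst) in ip_network(p.dst_net)
                and pkt.dport == p.app_dport):
            return p.action
    return "deny"   # implicit default-deny


def first_path(pkt: Packet, rules: list, policies: list, to_zone: str = "trust"):
    """Return (translated packet, policy action) in SRX processing order."""
    translated = apply_dnat(pkt, rules)
    return translated, policy_lookup(translated, to_zone, policies)


# the thread's configuration as data
DNAT_RULES = [DnatRule("untrust", MATCHED_ADDR + "/32", 3333, POOL_ADDR, 23)]
# as posted: SERVER = pool address, application TELNET_DNAT = tcp/3333
POSTED_POLICY = [Policy("untrust", "trust", POOL_ADDR + "/32", 3333)]
# same policy, but the application matches the translated port (tcp/23)
TRANSLATED_PORT_POLICY = [Policy("untrust", "trust", POOL_ADDR + "/32", 23)]
# a policy written against the pre-NAT address never sees that address
PRE_NAT_ADDR_POLICY = [Policy("untrust", "trust", MATCHED_ADDR + "/32", 3333)]


def demo() -> dict:
    """Evaluate one inbound telnet attempt against each policy variant."""
    # constructed client address, arriving from the untrust zone
    pkt = Packet("untrust", "198.51.100.7", MATCHED_ADDR, 3333)
    translated, posted = first_path(pkt, DNAT_RULES, POSTED_POLICY)
    return {
        "post_nat_dst": translated.dst,
        "post_nat_dport": translated.dport,
        "posted_policy": posted,
        "translated_port_policy": first_path(pkt, DNAT_RULES, TRANSLATED_PORT_POLICY)[1],
        "pre_nat_addr_policy": first_path(pkt, DNAT_RULES, PRE_NAT_ADDR_POLICY)[1],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` shows the policy is matched on the pool address and port 23 after translation, so a policy whose application is the pre-NAT port 3333 falls through to the default deny even though its destination address is right, and a policy written against the pre-NAT destination address is never consulted for this traffic at all.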