[j-nsp] Destination NAT

Asad Raza asadgardezi at gmail.com
Thu Nov 28 03:40:51 EST 2013


Again,

Your config says that x.x.x.x is the physical IP address of the server and y.y.y.y is the NAT pool IP.

So, in the security policy, you will allow the physical IP address (x.x.x.x) in the destination address INSTEAD of y.y.y.y.

It should be like the following:

> set security zones security-zone trust address-book address SERVER x.x.x.x/32


Regards,

Asad
On Nov 28, 2013, at 11:33 AM, Mohammad Khalil <eng.mssk at gmail.com> wrote:

> But I already configured set security zones security-zone trust address-book address SERVER y.y.y.y/32
> Which will contain the real IP address right ?
> I followed the link below
> http://www.fir3net.com/Juniper-SRX-Series-Gateway/juniper-srx-destination-nat-port-forwarding.html
> 
> 
> On Thu, Nov 28, 2013 at 11:08 AM, Asad Raza <asadgardezi at gmail.com> wrote:
> Hi,
> 
> DNAT is done before the policy match/route lookup. You need to allow x.x.x.x in the policy instead of y.y.y.y
> 
> Regards,
> 
> Asad
> On Nov 28, 2013, at 11:00 AM, Mohammad Khalil <eng.mssk at gmail.com> wrote:
> 
> > Hi All
> > I have srx210h
> > I have a server with an IP address x.x.x.x and want to allow telnet access
> > to it on a different port (I chose 3333), and assigned it the public IP
> > address y.y.y.y
> > But it seems not to be working
> > set security zones security-zone trust address-book address SERVER y.y.y.y/32
> >
> > set applications application TELNET_DNAT protocol tcp
> > set applications application TELNET_DNAT destination-port 3333
> >
> > set security nat destination pool DNAT_POOL address y.y.y.y/32
> > set security nat destination pool DNAT_POOL address port 23
> >
> > set security nat destination rule-set DNAT_RULE from zone untrust
> >
> > set security nat destination rule-set DNAT_RULE rule rule1 match destination-address x.x.x.x/32
> > set security nat destination rule-set DNAT_RULE rule rule1 match destination-port 3333
> > set security nat destination rule-set DNAT_RULE rule rule1 then destination-nat pool DNAT_POOL
> >
> > set security policies from-zone untrust to-zone trust policy DNAT_POLICY match source-address any
> > set security policies from-zone untrust to-zone trust policy DNAT_POLICY match destination-address SERVER
> > set security policies from-zone untrust to-zone trust policy DNAT_POLICY match application TELNET_DNAT
> > set security policies from-zone untrust to-zone trust policy DNAT_POLICY then permit
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
> 
> 
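The order of operations Asad describes (destination NAT is applied before the security-policy lookup, so the policy must match the translated destination) as a small model, added here and not part of the thread or of Junos itself. Addresses are constructed RFC 5737 values rather than the thread's x.x.x.x/y.y.y.y: PUBLIC_IP is what the client connects to (the rule's match destination-address), REAL_IP is the pool address; the model also carries the port translation through to the policy check, which the thread does not spell out.

```python
# Constructed model of SRX flow processing: DNAT first, then the policy
# lookup runs against the translated 5-tuple. Not Juniper code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


# Constructed documentation addresses (RFC 5737), stand-ins for the thread's placeholders.
PUBLIC_IP = "198.51.100.10"   # address the client connects to (rule match destination-address)
REAL_IP = "192.0.2.20"        # destination NAT pool address (the server behind the SRX)

# One destination NAT rule, mirroring the thread's rule1: match PUBLIC_IP:3333, translate to pool REAL_IP:23.
DNAT_RULES = [
    {"match_dst": PUBLIC_IP, "match_dport": 3333, "pool_addr": REAL_IP, "pool_port": 23},
]


def apply_dnat(flow):
    """Step 1: rewrite destination address and port if a DNAT rule matches, else leave untouched."""
    for rule in DNAT_RULES:
        if flow.dst == rule["match_dst"] and flow.dport == rule["match_dport"]:
            return Flow(flow.src, rule["pool_addr"], rule["pool_port"])
    return flow


def policy_permits(flow, policy):
    """Step 2: the policy sees the post-NAT flow, never the destination that arrived on the wire."""
    return policy["dst"] in ("any", flow.dst) and policy["dport"] in ("any", flow.dport)


def process(flow, policy):
    """Run the two steps in SRX order; returns (permitted, translated_flow)."""
    translated = apply_dnat(flow)
    return policy_permits(translated, policy), translated


# Policy written against the pre-NAT public address and port (the mistake the thread discusses).
POLICY_PRE_NAT = {"dst": PUBLIC_IP, "dport": 3333}
# Policy written against the translated pool address and port.
POLICY_POST_NAT = {"dst": REAL_IP, "dport": 23}

if __name__ == "__main__":
    inbound = Flow("203.0.113.5", PUBLIC_IP, 3333)   # constructed client connection
    for name, pol in (("pre-NAT policy", POLICY_PRE_NAT), ("post-NAT policy", POLICY_POST_NAT)):
        ok, t = process(inbound, pol)
        print(f"{name}: {'permit' if ok else 'deny'} (policy evaluated {t.dst}:{t.dport})")
```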


