[j-nsp] Destination NAT
Asad Raza
asadgardezi at gmail.com
Thu Nov 28 03:48:48 EST 2013
Actually, your NAT pool config needs changes as well. Following is the correct config with the changes highlighted:
Assumption:
Real (private) IP of server: x.x.x.x:23
Public (NAT) IP of server : y.y.y.y:3333
set security zones security-zone trust address-book address SERVER x.x.x.x/32
set applications application TELNET_DNAT protocol tcp
set applications application TELNET_DNAT destination-port 23
set security nat destination pool DNAT_POOL address x.x.x.x/32
set security nat destination pool DNAT_POOL address port 23
set security nat destination rule-set DNAT_RULE from zone untrust
set security nat destination rule-set DNAT_RULE rule rule1 match destination-address y.y.y.y/32
set security nat destination rule-set DNAT_RULE rule rule1 match destination-port 3333
set security nat destination rule-set DNAT_RULE rule rule1 then destination-nat pool DNAT_POOL
set security policies from-zone untrust to-zone trust policy DNAT_POLICY match source-address any
set security policies from-zone untrust to-zone trust policy DNAT_POLICY match destination-address SERVER
set security policies from-zone untrust to-zone trust policy DNAT_POLICY match application TELNET_DNAT
set security policies from-zone untrust to-zone trust policy DNAT_POLICY then permit
Hope it works now :)
Regards,
Asad
On Nov 28, 2013, at 11:40 AM, Asad Raza <asadgardezi at gmail.com> wrote:
> Again,
>
> Your config says that x.x.x.x is the physical IP address of the server and y.y.y.y is the NAT pool IP.
>
> So, in the security policy, you will allow the physical IP address (x.x.x.x) in the destination address INSTEAD of y.y.y.y.
>
> It should be like the following:
>
>> set security zones security-zone trust address-book address SERVER x.x.x.x/32
>
>
> Regards,
>
> Asad
> On Nov 28, 2013, at 11:33 AM, Mohammad Khalil <eng.mssk at gmail.com> wrote:
>
>> But I already configured set security zones security-zone trust address-book address SERVER y.y.y.y/32
>> which will contain the real IP address, right?
>> I followed the link below
>> http://www.fir3net.com/Juniper-SRX-Series-Gateway/juniper-srx-destination-nat-port-forwarding.html
>>
>>
>> On Thu, Nov 28, 2013 at 11:08 AM, Asad Raza <asadgardezi at gmail.com> wrote:
>> Hi,
>>
>> DNAT is done before the policy match/route lookup. You need to allow x.x.x.x in the policy instead of y.y.y.y
>>
>> Regards,
>>
>> Asad
>> On Nov 28, 2013, at 11:00 AM, Mohammad Khalil <eng.mssk at gmail.com> wrote:
>>
>> > Hi All
>> > I have an SRX210H.
>> > I have a server with the IP address x.x.x.x and want to allow telnet access
>> > to it on a different port (I chose 3333), and assigned it the public IP
>> > address y.y.y.y.
>> > But it seems not to be working:
>> > set security zones security-zone trust address-book address SERVER y.y.y.y/32
>> >
>> > set applications application TELNET_DNAT protocol tcp
>> > set applications application TELNET_DNAT destination-port 3333
>> >
>> > set security nat destination pool DNAT_POOL address y.y.y.y/32
>> > set security nat destination pool DNAT_POOL address port 23
>> >
>> > set security nat destination rule-set DNAT_RULE from zone untrust
>> >
>> > set security nat destination rule-set DNAT_RULE rule rule1 match destination-address x.x.x.x/32
>> > set security nat destination rule-set DNAT_RULE rule rule1 match destination-port 3333
>> > set security nat destination rule-set DNAT_RULE rule rule1 then destination-nat pool DNAT_POOL
>> >
>> > set security policies from-zone untrust to-zone trust policy DNAT_POLICY match source-address any
>> > set security policies from-zone untrust to-zone trust policy DNAT_POLICY match destination-address SERVER
>> > set security policies from-zone untrust to-zone trust policy DNAT_POLICY match application TELNET_DNAT
>> > set security policies from-zone untrust to-zone trust policy DNAT_POLICY then permit
>> > _______________________________________________
>> > juniper-nsp mailing list juniper-nsp at puck.nether.net
>> > https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>>
>
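A small consistency check for the port-forward discussed in this thread, as an added example (my code, not Asad's, the original poster's or Juniper's). It takes the two facts a linter cannot read out of set-commands, which address is the real server and which is the public one, from the Assumption block above, and reports every place where the pre-NAT and post-NAT values are swapped. Because the SRX evaluates the security policy after destination NAT, the policy must match the translated port as well as the translated address: the check therefore expects the policy application on port 23, and the configuration as posted to the list, with TELNET_DNAT on 3333, is flagged on that one point. The three configurations are reconstructed from the messages above; the parser understands only the handful of set-commands they use.

```python
"""Lint an SRX destination-NAT port-forward (added example, not from the thread).

The DNAT rule must match the pre-NAT (public) address and port, the pool must
name the real server, and because policy lookup happens after destination NAT
the security policy must reference the translated (real) address and port.
"""
import re

# Facts a linter cannot infer from set-commands alone (reply's "Assumption" block).
REAL_IP, REAL_PORT = "x.x.x.x", "23"
PUBLIC_IP, PUBLIC_PORT = "y.y.y.y", "3333"

# Corrected configuration. Only change from the posted reply: the policy
# application is on the post-NAT port 23, because the policy sees the
# translated destination, not the port the client connected to.
FIXED_CONFIG = """\
set security zones security-zone trust address-book address SERVER x.x.x.x/32
set applications application TELNET_DNAT protocol tcp
set applications application TELNET_DNAT destination-port 23
set security nat destination pool DNAT_POOL address x.x.x.x/32
set security nat destination pool DNAT_POOL address port 23
set security nat destination rule-set DNAT_RULE from zone untrust
set security nat destination rule-set DNAT_RULE rule rule1 match destination-address y.y.y.y/32
set security nat destination rule-set DNAT_RULE rule rule1 match destination-port 3333
set security nat destination rule-set DNAT_RULE rule rule1 then destination-nat pool DNAT_POOL
set security policies from-zone untrust to-zone trust policy DNAT_POLICY match source-address any
set security policies from-zone untrust to-zone trust policy DNAT_POLICY match destination-address SERVER
set security policies from-zone untrust to-zone trust policy DNAT_POLICY match application TELNET_DNAT
set security policies from-zone untrust to-zone trust policy DNAT_POLICY then permit
"""
# Configuration as posted to the list in the reply (application still on 3333).
REPLY_CONFIG = FIXED_CONFIG.replace("TELNET_DNAT destination-port 23",
                                    "TELNET_DNAT destination-port 3333")
# The original poster's configuration: the reply's lines with the two addresses
# swapped throughout (address-book, pool and rule match). Reconstructed here.
BROKEN_CONFIG = REPLY_CONFIG.replace("x.x.x.x", "\0").replace("y.y.y.y", "x.x.x.x").replace("\0", "y.y.y.y")

RE_ADDR = re.compile(r"^set security zones security-zone \S+ address-book address (\S+) (\S+)$")
RE_APP = re.compile(r"^set applications application (\S+) destination-port (\S+)$")
RE_POOL = re.compile(r"^set security nat destination pool (\S+) address (?:(port) )?(\S+)$")
RE_RS = re.compile(r"^set security nat destination rule-set (\S+) from zone (\S+)$")
RE_RULE = re.compile(r"^set security nat destination rule-set (\S+) rule (\S+) "
                     r"(?:match|then destination-nat) (destination-address|destination-port|pool) (\S+)$")
RE_POLICY = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
                       r"(?:match )?(source-address|destination-address|application|then) (\S+)$")


def parse(config):
    """Reduce the set-commands to the few tables the checks need."""
    cfg = {"addr": {}, "app": {}, "pool": {}, "rs_from": {}, "rule": {}, "policy": {}}
    for line in config.splitlines():
        line = line.strip()
        if m := RE_ADDR.match(line):
            cfg["addr"][m[1]] = m[2]                      # address-book name -> prefix
        elif m := RE_APP.match(line):
            cfg["app"][m[1]] = m[2]                       # application name -> dst port
        elif m := RE_POOL.match(line):
            cfg["pool"].setdefault(m[1], {})["port" if m[2] else "address"] = m[3]
        elif m := RE_RS.match(line):
            cfg["rs_from"][m[1]] = m[2]                   # rule-set -> ingress zone
        elif m := RE_RULE.match(line):
            cfg["rule"].setdefault((m[1], m[2]), {})[m[3]] = m[4]
        elif m := RE_POLICY.match(line):
            cfg["policy"].setdefault((m[1], m[2], m[3]), {})[m[4]] = m[5]
    return cfg


def lint(config, real_ip=REAL_IP, real_port=REAL_PORT,
         public_ip=PUBLIC_IP, public_port=PUBLIC_PORT):
    """Return a list of findings; an empty list means the forward is consistent."""
    cfg, findings = parse(config), []
    for (rs, name), rule in cfg["rule"].items():
        pool = cfg["pool"].get(rule.get("pool"), {})
        # The rule sees the packet as it arrives (public address and port); the
        # pool is what the destination becomes (real server and listening port).
        for actual, wanted, what in (
            (rule.get("destination-address"), f"{public_ip}/32", f"rule {name} match destination-address"),
            (rule.get("destination-port"), public_port, f"rule {name} match destination-port"),
            (pool.get("address"), f"{real_ip}/32", f"pool {rule.get('pool')} address"),
            (pool.get("port"), real_port, f"pool {rule.get('pool')} port"),
        ):
            if actual != wanted:
                findings.append(f"{what} is {actual}, expected {wanted}")
        # Policy lookup runs after DNAT: a permit policy from the rule-set's zone
        # must match the translated address and port, not the public ones.
        from_zone, covered = cfg["rs_from"].get(rs), False
        for (fz, _tz, pname), pol in cfg["policy"].items():
            if fz != from_zone or pol.get("then") != "permit":
                continue
            dst = cfg["addr"].get(pol.get("destination-address"), pol.get("destination-address"))
            port = cfg["app"].get(pol.get("application"), pol.get("application"))
            if dst == f"{public_ip}/32":
                findings.append(f"policy {pname}: destination {dst} is the pre-NAT address; "
                                f"after DNAT the destination is {real_ip}/32")
            elif dst in ("any", f"{real_ip}/32"):
                covered = True
                if port not in ("any", real_port):
                    findings.append(f"policy {pname}: application port {port} is the pre-NAT "
                                    f"port; after DNAT the destination port is {real_port}")
        if not covered:
            findings.append(f"rule {name}: no permit policy from zone {from_zone} reaches "
                            f"the translated address {real_ip}/32")
    return findings


if __name__ == "__main__":
    for label, text in (("original", BROKEN_CONFIG), ("reply", REPLY_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: {lint(text) or ['ok']}")
```

Run it directly to see the findings for each of the three configurations: four for the original post (rule match, pool, policy destination, and no policy reaching the real server), one for the reply as posted (the application port), none for the corrected one. For a real box, replace the four constants and feed it the relevant stanzas from `show configuration | display set`.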