[j-nsp] Destination NAT

[Per Westerlund]

I am sorry to say that I think it is almost correct. The policy rules are evaluated after destination NAT handling, where the destination port has already been translated. You should probably exchange:

> set security policies from-zone untrust to-zone trust policy DNAT_POLICY match application TELNET_DNAT

for:

set security policies from-zone untrust to-zone trust policy DNAT_POLICY match application junos-telnet

/Per


28 nov 2013 kl. 09:48 skrev Asad Raza <asadgardezi at gmail.com>:

> Actually your NAT pool config need changes as well. Following is the correct config with changes highlighted:
> 
> Assumption:
> 
> Real (private) IP of server: x.x.x.x:23
> Public (NAT) IP of server : y.y.y.y:3333
> 
> set security zones security-zone trust address-book address SERVER
> x.x.x.x/32
> 
> set applications application TELNET_DNAT protocol tcp
> set applications application TELNET_DNAT destination-port 3333
> 
> set security nat destination pool DNAT_POOL address x.x.x.x/32
> set security nat destination pool DNAT_POOL address port 23
> 
> set security nat destination rule-set DNAT_RULE from zone untrust
> 
> set security nat destination rule-set DNAT_RULE rule rule1 match
> destination-address y.y.y.y/32
> set security nat destination rule-set DNAT_RULE rule rule1 match
> destination-port 3333
> set security nat destination rule-set DNAT_RULE rule rule1 then
> destination-nat pool DNAT_POOL
> 
> set security policies from-zone untrust to-zone trust policy DNAT_POLICY
> match source-address any
> set security policies from-zone untrust to-zone trust policy DNAT_POLICY
> match destination-address SERVER
> set security policies from-zone untrust to-zone trust policy DNAT_POLICY
> match application TELNET_DNAT
> set security policies from-zone untrust to-zone trust policy DNAT_POLICY
> then permit
> 
> Hope it works now :)
> 
> Regards,
> 
> Asad