[j-nsp] Destination NAT

Mohammad Khalil eng.mssk at gmail.com
Thu Nov 28 04:08:55 EST 2013


set security policies from-zone untrust to-zone trust policy
DNAT_POLICY match application junos-telnet

But I am already using 3333, right? And junos-telnet is supposed to work on
23?


On Thu, Nov 28, 2013 at 12:04 PM, Mohammad Khalil <eng.mssk at gmail.com> wrote:

> Sorry but it did not work again
> set security zones security-zone trust address-book address ALTOS_SERVER
> 132.147.160.3/32
>
>
> set applications application TELNET_DNAT protocol tcp
> set applications application TELNET_DNAT destination-port 3333
>
> set security nat destination pool DNAT_POOL address 132.147.160.3/32
>
> set security nat destination pool DNAT_POOL address port 23
>
> set security nat destination rule-set DNAT_RULE from zone untrust
>
> set security nat destination rule-set DNAT_RULE rule rule1 match
> destination-address 24.173.164.162/32
>
> set security nat destination rule-set DNAT_RULE rule rule1 match
> destination-port 3333
> set security nat destination rule-set DNAT_RULE rule rule1 then
> destination-nat pool DNAT_POOL
>
> set security policies from-zone untrust to-zone trust policy
> DNAT_ALTOS_POLICY match source-address any
> set security policies from-zone untrust to-zone trust policy
> DNAT_ALTOS_POLICY match destination-address ALTOS_SERVER
> set security policies from-zone untrust to-zone trust policy
> DNAT_ALTOS_POLICY match application TELNET_DNAT
> set security policies from-zone untrust to-zone trust policy
> DNAT_ALTOS_POLICY then permit
>
>
> On Thu, Nov 28, 2013 at 11:56 AM, Per Westerlund <p1 at westerlund.se> wrote:
>
>> I am sorry to say that I think it is almost correct. The policy rules are
>> evaluated after destination NAT handling, where the destination port has
>> already been translated. You should probably exchange:
>>
>> set security policies from-zone untrust to-zone trust policy
>> DNAT_POLICY match application TELNET_DNAT
>>
>>
>> for:
>>
>> set security policies from-zone untrust to-zone trust policy
>> DNAT_POLICY match application junos-telnet
>>
>> /Per
>>
>>
>> On 28 Nov 2013, at 09:48, Asad Raza <asadgardezi at gmail.com> wrote:
>>
>> Actually your NAT pool config needs changes as well. Following is the
>> correct config with changes highlighted:
>>
>> Assumption:
>>
>> Real (private) IP of server: x.x.x.x:23
>> Public (NAT) IP of server : y.y.y.y:3333
>>
>> set security zones security-zone trust address-book address SERVER
>> x.x.x.x/32
>>
>> set applications application TELNET_DNAT protocol tcp
>> set applications application TELNET_DNAT destination-port 3333
>>
>> set security nat destination pool DNAT_POOL address x.x.x.x/32
>> set security nat destination pool DNAT_POOL address port 23
>>
>> set security nat destination rule-set DNAT_RULE from zone untrust
>>
>> set security nat destination rule-set DNAT_RULE rule rule1 match
>> destination-address y.y.y.y/32
>> set security nat destination rule-set DNAT_RULE rule rule1 match
>> destination-port 3333
>> set security nat destination rule-set DNAT_RULE rule rule1 then
>> destination-nat pool DNAT_POOL
>>
>> set security policies from-zone untrust to-zone trust policy DNAT_POLICY
>> match source-address any
>> set security policies from-zone untrust to-zone trust policy DNAT_POLICY
>> match destination-address SERVER
>> set security policies from-zone untrust to-zone trust policy DNAT_POLICY
>> match application TELNET_DNAT
>> set security policies from-zone untrust to-zone trust policy DNAT_POLICY
>> then permit
>>
>> Hope it works now :)
>>
>> Regards,
>>
>> Asad
>>
>>
>>
>
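The point Per makes above, that an SRX applies destination NAT before the security policy lookup, so the policy's application has to match the translated port (23, i.e. junos-telnet) rather than the public port 3333, can be checked with a small model of that evaluation order. The Python below is an added illustration, not part of the thread and not Junos code: it reuses the thread's addresses (24.173.164.162 public, 132.147.160.3 private), constructs a client address 203.0.113.10 from documentation space, and takes the destination zone as a given field instead of deriving it from a route lookup as the real device would.

```python
from dataclasses import dataclass, replace

# Minimal model of the SRX first-packet flow: DNAT rule-set lookup on the
# original destination, then security policy lookup on the translated packet.
# Constructed example; the real device derives to_zone from a route lookup.

@dataclass(frozen=True)
class Packet:
    from_zone: str
    to_zone: str      # zone the (post-NAT) destination routes to (given here)
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int

@dataclass(frozen=True)
class DnatRule:
    from_zone: str
    match_dst_ip: str
    match_dst_port: int
    pool_ip: str
    pool_port: int

@dataclass(frozen=True)
class Application:
    name: str
    proto: str
    dst_port: int

@dataclass(frozen=True)
class Policy:
    from_zone: str
    to_zone: str
    dst_addresses: frozenset   # address-book entries resolved to host IPs
    application: Application
    action: str                # "permit" or "deny"


def apply_destination_nat(pkt: Packet, rules) -> Packet:
    """Step 1: match the destination NAT rule-set on the ORIGINAL dst ip/port."""
    for r in rules:
        if (pkt.from_zone == r.from_zone
                and pkt.dst_ip == r.match_dst_ip
                and pkt.dst_port == r.match_dst_port):
            return replace(pkt, dst_ip=r.pool_ip, dst_port=r.pool_port)
    return pkt  # no rule hit: packet is forwarded untranslated


def policy_lookup(pkt: Packet, policies) -> str:
    """Step 2: match security policies against the TRANSLATED packet."""
    for p in policies:
        if ((p.from_zone, p.to_zone) == (pkt.from_zone, pkt.to_zone)
                and pkt.dst_ip in p.dst_addresses
                and p.application.proto == pkt.proto
                and p.application.dst_port == pkt.dst_port):
            return p.action
    return "deny"  # implicit default-deny at the end of the policy list


def evaluate(pkt: Packet, dnat_rules, policies):
    translated = apply_destination_nat(pkt, dnat_rules)
    return translated, policy_lookup(translated, policies)


# Objects mirroring the thread's configuration
PUBLIC_IP, PRIVATE_IP = "24.173.164.162", "132.147.160.3"
TELNET_DNAT = Application("TELNET_DNAT", "tcp", 3333)      # custom app from the thread
JUNOS_TELNET = Application("junos-telnet", "tcp", 23)      # predefined Junos app
DNAT_RULE1 = DnatRule("untrust", PUBLIC_IP, 3333, PRIVATE_IP, 23)
CLIENT_IP = "203.0.113.10"                                  # constructed client address


def inbound_telnet_packet(dst_port: int = 3333) -> Packet:
    return Packet("untrust", "trust", CLIENT_IP, PUBLIC_IP, "tcp", dst_port)


def translated_destination() -> tuple:
    """What the policy engine actually sees after DNAT for the 3333 session."""
    translated, _ = evaluate(inbound_telnet_packet(), [DNAT_RULE1], [])
    return translated.dst_ip, translated.dst_port


def verdict_for(app: Application, dst_port: int = 3333) -> str:
    """Policy verdict for an untrust->trust session using the given application."""
    policy = Policy("untrust", "trust", frozenset({PRIVATE_IP}), app, "permit")
    _, action = evaluate(inbound_telnet_packet(dst_port), [DNAT_RULE1], [policy])
    return action


if __name__ == "__main__":
    print("post-NAT destination:", translated_destination())
    print("policy app TELNET_DNAT (3333):", verdict_for(TELNET_DNAT))
    print("policy app junos-telnet (23):", verdict_for(JUNOS_TELNET))
    print("client sends to public IP port 23 (no DNAT hit):",
          verdict_for(JUNOS_TELNET, dst_port=23))
```

The last case is worth noting from a defensive angle: a packet sent straight to the public address on port 23 hits no DNAT rule, so it keeps the public destination, fails the address-book match in the policy and falls through to the default deny. Only traffic that took the intended 3333 path is permitted, which is the behaviour a port-remapped service should have.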

