[j-nsp] Destination NAT

Per Westerlund p1 at westerlund.se
Thu Nov 28 04:30:51 EST 2013


Below is what I believe is a working solution.

First, with destination nat, matching on public IP/port, the destination IP/port is translated from 24.173.164.162:3333 to 132.147.160.3:23.

Next, the policy match statement has to allow just that, after the translation: 132.147.160.3:23. "junos-telnet" is a preconfigured way of saying TCP/23.

/Per

------- snip ------------
set security zones security-zone trust address-book address ALTOS_SERVER 132.147.160.3/32

set security nat destination pool DNAT_POOL address 132.147.160.3/32
set security nat destination pool DNAT_POOL address port 23

set security nat destination rule-set DNAT_RULE from zone untrust
set security nat destination rule-set DNAT_RULE rule rule1 match destination-address 24.173.164.162/32
set security nat destination rule-set DNAT_RULE rule rule1 match destination-port 3333
set security nat destination rule-set DNAT_RULE rule rule1 then destination-nat pool DNAT_POOL

set security policies from-zone untrust to-zone trust policy DNAT_ALTOS_POLICY match source-address any
set security policies from-zone untrust to-zone trust policy DNAT_ALTOS_POLICY match destination-address ALTOS_SERVER
set security policies from-zone untrust to-zone trust policy DNAT_ALTOS_POLICY match application junos-telnet
set security policies from-zone untrust to-zone trust policy DNAT_ALTOS_POLICY then permit
------- snip ------------


On 28 Nov 2013, at 10:08, Mohammad Khalil <eng.mssk at gmail.com> wrote:

> set security policies from-zone untrust to-zone trust policy DNAT_POLICY match application junos-telnet
> 
> But I am already using 3333, right? And junos-telnet is supposed to work on 23?
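As an added illustration (not part of the original thread or of Junos), the following Python model shows the ordering that answers the quoted question: on the SRX, destination NAT is applied before the policy lookup, so the policy is evaluated against the translated 132.147.160.3:23 and must use junos-telnet, while a policy written for port 3333 would never match. The `tcp-3333` application and the 203.0.113.5 client address are constructed for the example.

```python
# Added example: minimal model of SRX first-packet flow for the thread's config.
# DNAT rewrites the destination first; the policy then sees the post-NAT header.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

# Address book, DNAT pool and DNAT rule, as configured in the post
ADDRESS_BOOK = {"ALTOS_SERVER": "132.147.160.3", "any": None}
DNAT_POOL = {"address": "132.147.160.3", "port": 23}
DNAT_RULE = {"from_zone": "untrust", "match_dst": "24.173.164.162", "match_dport": 3333}

# junos-telnet is the predefined TCP/23 application; tcp-3333 is a constructed
# custom application standing in for "a policy that matches the public port".
APPLICATIONS = {"junos-telnet": ("tcp", 23), "tcp-3333": ("tcp", 3333), "any": None}

def apply_dnat(pkt: Packet, from_zone: str) -> Packet:
    """Rewrite destination IP/port when the DNAT rule matches the pre-NAT header."""
    if (from_zone == DNAT_RULE["from_zone"] and pkt.dst == DNAT_RULE["match_dst"]
            and pkt.dport == DNAT_RULE["match_dport"]):
        return replace(pkt, dst=DNAT_POOL["address"], dport=DNAT_POOL["port"])
    return pkt

def policy_permits(pkt: Packet, dst_name: str, app_name: str) -> bool:
    """Evaluate the untrust->trust policy against the header it is handed."""
    addr = ADDRESS_BOOK[dst_name]
    if addr is not None and pkt.dst != addr:
        return False
    app = APPLICATIONS[app_name]
    if app is not None and (pkt.proto, pkt.dport) != app:
        return False
    return True

def srx_flow(pkt: Packet, dst_name: str, app_name: str) -> bool:
    """First-packet processing: DNAT, then policy lookup on the translated packet."""
    return policy_permits(apply_dnat(pkt, "untrust"), dst_name, app_name)

if __name__ == "__main__":
    inbound = Packet("203.0.113.5", "24.173.164.162", 3333)  # constructed sample
    print(srx_flow(inbound, "ALTOS_SERVER", "junos-telnet"))  # True: matches post-NAT 23
    print(srx_flow(inbound, "ALTOS_SERVER", "tcp-3333"))      # False: 3333 is gone after DNAT
```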
