[j-nsp] Destination NAT
Per Westerlund
p1 at westerlund.se
Thu Nov 28 04:30:51 EST 2013
Below is what I believe is a working solution.
First, with destination nat, matching on public IP/port, the destination IP/port is translated from 24.173.164.162:3333 to 132.147.160.3:23.
Next, the policy match statement has to allow just that, after the translation: 132.147.160.3:23. "junos-telnet" is a preconfigured way of saying TCP/23.
/Per
------- snip ------------
set security zones security-zone trust address-book address ALTOS_SERVER 132.147.160.3/32
set security nat destination pool DNAT_POOL address 132.147.160.3/32
set security nat destination pool DNAT_POOL address port 23
set security nat destination rule-set DNAT_RULE from zone untrust
set security nat destination rule-set DNAT_RULE rule rule1 match destination-address 24.173.164.162/32
set security nat destination rule-set DNAT_RULE rule rule1 match destination-port 3333
set security nat destination rule-set DNAT_RULE rule rule1 then destination-nat pool DNAT_POOL
set security policies from-zone untrust to-zone trust policy DNAT_ALTOS_POLICY match source-address any
set security policies from-zone untrust to-zone trust policy DNAT_ALTOS_POLICY match destination-address ALTOS_SERVER
set security policies from-zone untrust to-zone trust policy DNAT_ALTOS_POLICY match application junos-telnet
set security policies from-zone untrust to-zone trust policy DNAT_ALTOS_POLICY then permit
------- snip ------------
On 28 Nov 2013, at 10:08, Mohammad Khalil <eng.mssk at gmail.com> wrote:
> set security policies from-zone untrust to-zone trust policy DNAT_POLICY match application junos-telnet
>
> But am already using 3333 right ? and junos-telnet is supposed to work in 23 ?
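Added illustration, not part of the thread or of Per's configuration: a small Python model of the SRX first-packet order the post relies on (destination NAT first, then the security policy matched against the translated destination), using the rule, pool, address-book entry and application from the config above. The address-book name PUBLIC_IP and the application tcp-3333 are constructed here only to show what happens when the policy is written against the pre-NAT tuple, as Mohammad's question suggests.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Flow:
    """First packet of a session as seen on ingress."""
    from_zone: str
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

# rule-set DNAT_RULE / rule1 / pool DNAT_POOL from the config above:
# (from zone, match dst address, match dst port, pool address, pool port)
DNAT_RULES = [("untrust", "24.173.164.162", 3333, "132.147.160.3", 23)]
# ALTOS_SERVER and junos-telnet are from the config; PUBLIC_IP and
# tcp-3333 are constructed here for the mis-written policy only
ADDRESS_BOOK = {"any": None, "ALTOS_SERVER": "132.147.160.3",
                "PUBLIC_IP": "24.173.164.162"}
APPLICATIONS = {"junos-telnet": ("tcp", 23), "tcp-3333": ("tcp", 3333)}
# (from-zone, to-zone, source-address, destination-address, application, action)
POLICIES = [("untrust", "trust", "any", "ALTOS_SERVER", "junos-telnet", "permit")]
# Policy matching the public IP/port instead of the translated tuple
PRE_NAT_POLICY = [("untrust", "trust", "any", "PUBLIC_IP", "tcp-3333", "permit")]

def apply_destination_nat(flow):
    """Destination NAT; flows matching no rule pass through unchanged."""
    for from_zone, m_dst, m_port, pool_addr, pool_port in DNAT_RULES:
        if (flow.from_zone, flow.dst, flow.dport) == (from_zone, m_dst, m_port):
            return replace(flow, dst=pool_addr, dport=pool_port)
    return flow

def lookup_policy(flow, to_zone, policies=POLICIES):
    """First-match policy lookup on the translated flow; default deny."""
    for fz, tz, src_name, dst_name, app, action in policies:
        if (fz, tz) != (flow.from_zone, to_zone):
            continue
        if ADDRESS_BOOK[src_name] not in (None, flow.src):  # None means "any"
            continue
        if ADDRESS_BOOK[dst_name] not in (None, flow.dst):
            continue
        if APPLICATIONS[app] != (flow.proto, flow.dport):
            continue
        return action
    return "deny"

def process(flow, to_zone="trust", policies=POLICIES):
    """SRX first-packet order: destination NAT, then security policy."""
    translated = apply_destination_nat(flow)
    return translated, lookup_policy(translated, to_zone, policies)
```

Running `process(Flow("untrust", "198.51.100.7", "24.173.164.162", 3333))` yields a permit with the ALTOS_SERVER/junos-telnet policy, while the same packet is denied under PRE_NAT_POLICY because the policy never sees the public address or port 3333.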