[j-nsp] Destination NAT

Mohammad Khalil eng.mssk at gmail.com
Thu Nov 28 04:32:47 EST 2013


set security policies from-zone untrust to-zone trust policy
DNAT_ALTOS_POLICY match application TELNET_DNAT

to

set security policies from-zone untrust to-zone trust policy
DNAT_ALTOS_POLICY match application junos-telnet

Did not work either


On Thu, Nov 28, 2013 at 12:30 PM, Per Westerlund <p1 at westerlund.se> wrote:

> Below is what I believe is a working solution.
>
> First, with destination nat, matching on public IP/port, the destination
> IP/port is translated from 24.173.164.162:3333 to 132.147.160.3:23.
>
> Next, the policy match statement has to allow just that, after the
> translation: 132.147.160.3:23. "junos-telnet" is a preconfigured way of
> saying TCP/23.
>
> /Per
>
> ------- snip ------------
> set security zones security-zone trust address-book address ALTOS_SERVER
> 132.147.160.3/32
>
> set security nat destination pool DNAT_POOL address 132.147.160.3/32
> set security nat destination pool DNAT_POOL address port 23
>
> set security nat destination rule-set DNAT_RULE from zone untrust
> set security nat destination rule-set DNAT_RULE rule rule1 match
> destination-address 24.173.164.162/32
> set security nat destination rule-set DNAT_RULE rule rule1 match
> destination-port 3333
> set security nat destination rule-set DNAT_RULE rule rule1 then
> destination-nat pool DNAT_POOL
>
> set security policies from-zone untrust to-zone trust policy
> DNAT_ALTOS_POLICY match source-address any
> set security policies from-zone untrust to-zone trust policy
> DNAT_ALTOS_POLICY match destination-address ALTOS_SERVER
> set security policies from-zone untrust to-zone trust policy
> DNAT_ALTOS_POLICY match application junos-telnet
>
> set security policies from-zone untrust to-zone trust policy
> DNAT_ALTOS_POLICY then permit
> ------- snip ------------
>
>
> 28 nov 2013 kl. 10:08 skrev Mohammad Khalil <eng.mssk at gmail.com>:
>
> set security policies from-zone untrust to-zone trust policy
> DNAT_POLICY match application junos-telnet
>
> But I am already using 3333, right? And junos-telnet is supposed to work on
> 23?
>
>
>
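Per's explanation above (destination NAT rewrites 24.173.164.162:3333 to 132.147.160.3:23 before the policy is consulted, so the policy must match the translated address and junos-telnet) as an added Python model that is not part of the thread or of Junos: it applies the DNAT rule first, as the SRX flow pipeline does, then evaluates the two policy variants from the thread. The TELNET_DNAT application is assumed to be a custom TCP/3333 definition, and the client address is constructed.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

# Values below are constructed from the thread's configuration (assumed, not pulled from a device).
DNAT_RULES = [  # rule-set DNAT_RULE, applied to traffic arriving from zone untrust
    {"match": ("24.173.164.162", 3333), "pool": ("132.147.160.3", 23)},
]
ADDRESS_BOOK = {"ALTOS_SERVER": "132.147.160.3", "any": None}
# junos-telnet is Junos' predefined TCP/23 application; TELNET_DNAT is assumed
# to be a custom application for TCP/3333 (the thread never shows its definition).
APPLICATIONS = {"junos-telnet": ("tcp", 23), "TELNET_DNAT": ("tcp", 3333)}

def destination_nat(pkt, rules=DNAT_RULES):
    """Destination NAT is applied before the policy lookup in the SRX flow pipeline."""
    for rule in rules:
        if (pkt.dst, pkt.dport) == rule["match"]:
            new_dst, new_port = rule["pool"]
            return replace(pkt, dst=new_dst, dport=new_port)
    return pkt

def policy_matches(pkt, policy):
    """Policy match is evaluated against the already-translated destination."""
    dst = ADDRESS_BOOK[policy["destination-address"]]
    proto, port = APPLICATIONS[policy["application"]]
    return (dst is None or pkt.dst == dst) and (pkt.proto, pkt.dport) == (proto, port)

def evaluate(pkt, policy):
    """Verdict the firewall reaches for an untrust-to-trust packet under one policy."""
    return "permit" if policy_matches(destination_nat(pkt), policy) else "deny"

# Constructed inbound packet: an Internet client hitting the public address on port 3333.
INBOUND = Packet(src="198.51.100.7", dst="24.173.164.162", dport=3333)

# Per's policy: matches the post-translation address and port.
WORKING = {"destination-address": "ALTOS_SERVER", "application": "junos-telnet"}
# Matching the pre-translation port instead: the policy never sees 3333.
BROKEN = {"destination-address": "ALTOS_SERVER", "application": "TELNET_DNAT"}

if __name__ == "__main__":
    print(evaluate(INBOUND, WORKING))  # permit
    print(evaluate(INBOUND, BROKEN))   # deny
```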

