For When You Can't Have The Real Thing
[ start | index | login ]
start > Juniper > SRX240 > VIP

VIP

Created by dave. Last edited by dave, 5 years and 312 days ago. Viewed 2,442 times. #3
[diff] [history] [edit] [rdf]
labels
attachments
(2 April 2012)

Problem

I want to create a ScreenOS-type VIP (aka a port forward) where one port on one IP is mapped to an unrelated port on another internal IP.

For example I want the firewall to listen on public IP 1.1.1.2 port 8080 and forward that traffic to 192.168.1.100 port 80.

Solution

Define a single-target NAT pool:

set security nat destination pool web-1 address 192.168.1.100/32
set security nat destination pool web-1 address port 80
set security nat destination rule-set incoming-web from zone untrust
set security nat destination rule-set incoming-web rule web1 match destination-address 1.1.1.2/32
set security nat destination rule-set incoming-web rule web1 match destination-port 8080
set security nat destination rule-set incoming-web rule web1 then destination-nat pool web-1

(>>Source)

If you have multiple ports from the same destination IP being forwarded to different ports/systems, add the additional targets as separate pools, and the NAT rules as separate rules in the same rule-set:

set security nat destination pool web-1 address 192.168.1.100/32
set security nat destination pool web-1 address port 80
set security nat destination pool web-2 address 192.168.1.100/32
set security nat destination pool web-2 address port 443
set security nat destination pool smtp-1 address 192.168.1.99/32
set security nat destination pool smtp-1 address port 25
set security nat destination rule-set incoming-traffic from zone untrust
set security nat destination rule-set incoming-traffic rule web1 match destination-address 1.1.1.2/32
set security nat destination rule-set incoming-traffic rule web1 match destination-port 8080
set security nat destination rule-set incoming-traffic rule web1 then destination-nat pool web-1
set security nat destination rule-set incoming-traffic rule web2 match destination-address 1.1.1.2/32
set security nat destination rule-set incoming-traffic rule web2 match destination-port 443
set security nat destination rule-set incoming-traffic rule web2 then destination-nat pool web-1
set security nat destination rule-set incoming-traffic rule smtp1 match destination-address 1.1.1.2/32
set security nat destination rule-set incoming-traffic rule smtp1 match destination-port 25
set security nat destination rule-set incoming-traffic rule smtp1 then destination-nat pool smtp-1

Don't forget your security policies. Note that the port in the security policy must refer to the address and port on the target system, not the public IP port (ie in our example above mapping port 8080 to port 80, the security policy must refer to destination ip 192.168.1.100 and port 80).

Note: don't be confused that the rule name is the same as the nat pool -- this isn't mandatory, it just happened to be like that in the example I was working from.

no comments | post comment
This is a collection of techical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.

Useful:


snipsnap.org | Copyright 2000-2002 Matthias L. Jugel and Stephan J. Schmidt