SRX


Destination NAT with range of ports

  • 1.  Destination NAT with range of ports

    Posted 04-04-2012 00:31

    Hi to all.
    First of all I'll say, as always: I'm a noob in Junos.
    I have an SRX 210, and I need to forward a range of ports to an internal device. The range is more than 1000 ports, so I can't do this with rule-sets, because each rule operates on only one port. And you understand... 1000+ ports... 1000+ rules... It's annoying!

    Any ideas? It can't be true that there is no instrument for doing this task in Junos.

     



  • 2.  RE: Destination NAT with range of ports

    Posted 04-04-2012 02:34

    Is it one piece of internal hardware or a bunch of devices?

     

    I read this feature was supposed to be out long ago but I cannot find any info on it at the minute.

     

    Are you using port translation?  Maybe you could just use Static NAT?

     

    This KB might help you. Let me know your exact scenario.

     

    kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf



  • 3.  RE: Destination NAT with range of ports

    Posted 04-04-2012 03:56

    First of all, thanks for your attention.

    I saw this document before and it doesn't help in my situation. The limitations are the same: all of the examples show how to forward one port with a rule-set.

    "set rule-set rs1 rule r1 match destination-port 80"

    I have one internal device, a Polycom video server, and I need to forward a bunch of ports to it.



  • 4.  RE: Destination NAT with range of ports

    Posted 04-04-2012 04:08

    OK, so why don't you use static NAT to create a direct one-to-one mapping between the SRX and this device? No port translation will happen, and this will forward all ports to and from it.

     

    111.111.11.11 is your WAN address and 10.10.10.10 is your internal device name.

     

    You could define the ports in an application or policy and block the unnecessary ports.

    static {
        rule-set S-NAT {
            from zone untrust;
            rule S-NAT-rule {
                match {
                    destination-address 111.111.11.11/32;
                }
                then {
                    static-nat prefix 10.10.10.10/32;
                }
            }
        }
    }

     





  • 5.  RE: Destination NAT with range of ports

    Posted 04-04-2012 04:37

    No, I can't do this. This SRX is already forwarding ports to an FTP server and to a SIP PBX, and this is the company's gateway. No way((



  • 6.  RE: Destination NAT with range of ports

    Posted 04-04-2012 07:05

    You may be left with limited options.

     

    I can't seem to find any documentation on this. There was talk of it in 10.4, but I cannot find it in 11.1 anywhere.

     

    Without using static NAT you may have to configure all those rule-sets, or maybe re-configure your addressing? Do you have a single external address or a range?

     

     



  • 7.  RE: Destination NAT with range of ports

    Posted 04-04-2012 23:27

    It's a pity, but I can't change my addressing and I have only 1 public IP. That's why I'm searching for the decision in destination NAT. It was so simple in ScreenOS and so difficult in Junos... I assume that such an obvious task must have some trivial and simple solution. Maybe some policies must be involved... Searching for the solution; any help will be appreciated.

     



  • 8.  RE: Destination NAT with range of ports

     
    Posted 04-05-2012 00:21

    Hi

     

    If you want to translate most of your ports to one server, while only a few ports go to the others,

    you can try something like:

     

    lab@srxA-1# show security nat 
    destination {
        pool pool23 {
            address 10.10.10.10/32 port 23;
        }
        pool pool80 {
            address 10.10.10.20/32 port 80;
        }
        pool pool-other {
            address 10.10.10.100/32;
        }
        rule-set rs1 {
            from zone untrust;
            rule 10 {
                match {
                    destination-address 1.1.1.1/32;
                    destination-port 23;
                }
                then {
                    destination-nat pool pool23;
                }
            }
            rule 20 {
                match {
                    destination-address 1.1.1.1/32;
                    destination-port 80;
                }
                then {
                    destination-nat pool pool80;
                }
            }
            rule 100 {
                match {
                    destination-address 1.1.1.1/32;
                }
                then {
                    destination-nat pool pool-other;
                }
            }
        }
    }

     



  • 9.  RE: Destination NAT with range of ports

     
    Posted 04-05-2012 00:28

    Hey there,

     

    Destination NAT port ranges have been brought up a few times on this forum now:

     

    http://forums.juniper.net/t5/SRX-Services-Gateway/NAT-Problems/m-p/41462#M4040

     

    http://forums.juniper.net/t5/SRX-Services-Gateway/SRX-Destination-NAT-and-multiple-ports/m-p/39957#M3607

     

    http://forums.juniper.net/t5/SRX-Services-Gateway/NAT-Questions-Issues/m-p/87090/highlight/true#M10597

     

    but alas there is still no solution for it. Get onto your SE about it and get them to raise an enhancement request, though based on how long this issue has been around, I wonder if there is some fundamental architecture issue in the SRX that stops this from being available.

     

     



  • 10.  RE: Destination NAT with range of ports

    Posted 04-05-2012 02:52

    Thanks. You gave me a lot of material, but there are no answers(( Finding a solution is in progress.



  • 11.  RE: Destination NAT with range of ports

    Posted 08-03-2012 18:43

    Hi. We were stuck with this issue many times as well, and PK's post from earlier is probably the best option.

     

    Because it will match the destination-port rules in the order of the rules, you can put the most specific matches that you need first, then towards the end put the least specific.

     

    For example, we wanted to redirect SIP 5060 and a range of UDP ports for RTP with over 1000 ports in the range, too much to type manually, and with only a single IP, static NAT is not an option.

     

    So the answer was to create all the single-port rules first, then have a final rule matching destination and protocol UDP only, which results in all UDP packets (after the more specific matches) being forwarded to the VoIP device.

     

    The ports then are restricted as per normal in the firewall policies where ranges can be applied.

     

    Hope this helps, because it was driving us crazy for some time.



  • 12.  RE: Destination NAT with range of ports

    Posted 10-19-2015 11:42

    You say ScreenOS is so easy; how do you do it on ScreenOS? I have the same problem with Avaya RTP ports.



  • 13.  RE: Destination NAT with range of ports

    Posted 12-23-2015 00:59

    Stumbled here while looking for info on port ranges. Just wanted to share my solution:

     

    show security nat destination
    pool ava {
        address d.d.d.d/32;
    }
    rule-set ava-dest-nat {
        from zone untrust;
        rule ava-in {
            match {
                source-address [ a.a.a.a/32 b.b.b.b/32 ];
                destination-address c.c.c.c/32;
            }
            then {
                destination-nat {
                    pool {
                        ava;
                    }
                }
            }
        }
    }

    Connections to the Avaya were coming from two specific IPs, so I just translated all ports from these IPs and have a tighter port setup in the zone policies.



  • 14.  RE: Destination NAT with range of ports

    Posted 02-20-2018 12:42

    Since this thread seems to be the top google hit on this issue:

     

    * There is a way to hack this a bit and get inbound port ranges working with 'nat destination'.

    * Yes, it sucks that dest pools STILL (2018) do not support port ranges.

    * Yes, it sucks that you cannot use 'nat static' if your ISP provides you with a dynamic IP address for the SRX.

    * Yes, ScreenOS was a lot easier to configure for this.

     

    Here's what I did (similar to what obi-lan said):

    In my case, mosh (which is really awesome, so I don't use classic ssh anymore) defaults to udp 60000-61000.

    I get a dynamic IP from my ISP.

     

    In the nat destination rule-set, add a rule that matches on the port range:

     

     

    rule RIG-MOSH {
        match {
            destination-address 0.0.0.0/0;
            destination-port {
                60000 to 61000;
            }
        }
        then {
            destination-nat {
                pool {
                    RIG-MOSH-INT;
                }
            }
        }
    }

    Create the nat destination pool, use dest server's IP only (no port #'s):

     

     

    pool RIG-MOSH-INT {
        address 192.168.1.77/32;
    }

    Create the policy that limits access to 60000-61000:

     

    from-zone untrust to-zone trust {
        policy allow-rig-mosh {
            match {
                source-address any;
                destination-address RIG;
                application MOSH;
            }
            then {
                permit {
                    destination-address {
                        drop-untranslated;
                    }
                }
            }
        }
    }

    Where application is:

     

    applications {
        application MOSH {
            protocol udp;
            destination-port 60000-61000;
        }
    }

    Donn
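    The two mechanisms this thread converges on, ordering the destination-NAT rule-set so that single-port rules come before a catch-all (posts 8 and 11) and then narrowing the ports in the security policy, with drop-untranslated so that only translated traffic is permitted (post 14), can be modelled in a few lines. The following Python is an added illustration written for this page; it is not Juniper code and not anything the posters published. Rule, pool and policy names, the RFC 5737 public address and the RFC 1918 internal addresses are all constructed for the example.

```python
"""
Toy model of SRX destination-NAT first-match evaluation followed by a
security-policy check on the translated packet.  Added example, not Juniper
code; all names and addresses below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    dst_addr: str
    dst_port: int


@dataclass(frozen=True)
class Pool:
    address: str
    port: Optional[int] = None          # None: keep the original destination port


@dataclass(frozen=True)
class DnatRule:
    name: str
    dst_addr: str                       # "any" or one address
    pool: Pool
    proto: Optional[str] = None         # None: any protocol
    ports: Optional[Tuple[int, int]] = None   # inclusive range; None: any port

    def matches(self, pkt: Packet) -> bool:
        if self.dst_addr != "any" and pkt.dst_addr != self.dst_addr:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.ports is not None and not self.ports[0] <= pkt.dst_port <= self.ports[1]:
            return False
        return True


def apply_dnat(rules: List[DnatRule], pkt: Packet):
    """Walk the rule-set top to bottom; the first match wins.
    Returns (rule name or None, resulting packet)."""
    for rule in rules:
        if rule.matches(pkt):
            port = rule.pool.port if rule.pool.port is not None else pkt.dst_port
            return rule.name, Packet(pkt.proto, rule.pool.address, port)
    return None, pkt


@dataclass(frozen=True)
class Application:
    proto: str
    ports: Tuple[int, int]              # inclusive, like 'destination-port low-high'


@dataclass(frozen=True)
class Policy:
    dst_addr: str                       # matched against the *translated* address
    apps: Tuple[Application, ...]
    drop_untranslated: bool = True      # like 'permit destination-address drop-untranslated'


def policy_decision(policies: List[Policy], rules: List[DnatRule], pkt: Packet):
    """Full inbound path: DNAT rule-set, then the policy on the translated packet."""
    rule_name, translated = apply_dnat(rules, pkt)
    for pol in policies:
        if pol.dst_addr != translated.dst_addr:
            continue
        if pol.drop_untranslated and rule_name is None:
            continue                    # reached the host without a DNAT hit: drop
        for app in pol.apps:
            if app.proto == translated.proto and app.ports[0] <= translated.dst_port <= app.ports[1]:
                return "permit", rule_name, translated
    return "deny", rule_name, translated


# Constructed scenario in the shape of the posts above: two single-port rules
# first, then a catch-all on the destination address only (any port, any protocol).
PUBLIC = "203.0.113.10"
RULES = [
    DnatRule("rule-10", PUBLIC, Pool("10.10.10.10", 23), proto="tcp", ports=(23, 23)),
    DnatRule("rule-20", PUBLIC, Pool("10.10.10.20", 80), proto="tcp", ports=(80, 80)),
    DnatRule("rule-100", PUBLIC, Pool("10.10.10.100")),
]

# The policies, not the NAT pools, are where the port range is actually limited.
POLICIES = [
    Policy("10.10.10.10", (Application("tcp", (23, 23)),)),
    Policy("10.10.10.20", (Application("tcp", (80, 80)),)),
    Policy("10.10.10.100", (Application("udp", (16384, 32767)),)),
]


def decide(proto: str, port: int, rules: List[DnatRule] = RULES):
    """Decision for an inbound packet addressed to the public IP."""
    return policy_decision(POLICIES, rules, Packet(proto, PUBLIC, port))


if __name__ == "__main__":
    for proto, port in [("tcp", 80), ("udp", 20000), ("udp", 40000), ("tcp", 22)]:
        print(proto, port, "->", decide(proto, port))
    # Ordering matters: with the catch-all first, tcp/80 is shadowed and lands on the wrong host.
    print("catch-all first, tcp 80 ->", decide("tcp", 80, list(reversed(RULES))))
```

    Run as-is it shows the thread's point from both sides: udp/20000 reaches the catch-all host and is permitted by the RTP application, udp/40000 is translated by the same rule but denied by the policy, and putting the catch-all rule first silently steals the tcp/80 match from the more specific rule.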



  • 15.  RE: Destination NAT with range of ports

    Posted 10-09-2012 01:58

    I just saw this new feature in the release notes of 11.4R5:

     

    Release 11.4R5 New Features

    Network Address Translation (NAT)

    Network Address Translation support for port mapping—This feature is supported on all branch SRX Series and J Series devices

    Network Address Translation (NAT) now provides destination-port low to high and mapped-port low to high statements to allow static NAT to map ports as follows:

    • To map multiple IP addresses to the same IP addresses on a specified range of ports
    • To map a specific IP address and port to a different IP address and port

    http://www.juniper.net/techpubs/en_US/junos11.4/information-products/topic-collections/release-notes/11.4/index.html?topic-62163.html#jd0e22495

     

    Is it indeed the feature required to perform destination NAT for a range of ports?

    Did anyone manage to use it successfully?

     



  • 16.  RE: Destination NAT with range of ports

    Posted 03-30-2013 03:11

    Static NAT works only with one public IP address. Most ISPs provide us a dynamic IP, so it isn't a good solution.



  • 17.  RE: Destination NAT with range of ports

    Posted 05-24-2015 10:16

    Hello,

     

    I'm super new to Juniper but... seriously? I have a firewall cluster with the FREE version of Vyatta doing this. I thought I would be able to migrate to a Juniper cluster seamlessly; how come Juniper doesn't support this feature????

     

    Is it on the roadmap for future releases???

     

    Rafa

     

     



  • 18.  RE: Destination NAT with range of ports

    Posted 09-17-2015 09:17

    Looks like this can be done with static NAT (one IP can be used for many) instead of DNAT:

     

    http://www.juniper.net/documentation/en_US/junos12.1x46/topics/example/example-static-nat-port-mapping-configuring.html