SRX

Hi to all.
First of all I'll say as always - I'm noob in JunOS
I have SRX 210. And I need to forward a range of ports to internal hardware. Range is more than 1000 ports, so I can't do this with rule sets, cause each rule operates with only one port. And you understand... 1000+ ports.... 1000+ rules.... It's annoying!

Any ideas? It can't be true that  there is no instrument  for doing this task in Junos

Is it one piece of internal hardware or a bunch of devices?

I read this feature was supposed to be out long ago but I cannot find any info on it at the minute.

Are you using port translation?  Maybe you could just use Static NAT?

This KB might help you.  Let me know your exact scenario

kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf

First of all - thanks for your attention

I saw this document before and it doesn't help in my situation.The limitations are the same - all of the examples shows how to forward one port with rule-set.

""set rule-set rs1 rule r1 match destination-port 80""

I have an internal hardware - it's polycom video server, and I need to forward a bunch of ports to it.

OK so why dont you use Static NAT to create a direct one to one mapping between the SRX and this device?  No port translation will happen and this will foward all ports to and from it.

111.111.11.11 is your WAN address and 10.10.10.10 is your internal device name.

You could define the ports in an application or policy and block the unnecessary ports.

static {
            rule-set S-NAT {
                from zone untrust;
                rule S-NAT-rule {
                    match {
                        destination-address 111.111.11.11/32;
                    }
                    then {
                        static-nat prefix 10.10.10.10/32;
                    }
                }
            }
        } 

No. I can't do this. this SRX already is forwarding ports to ftp server and to SIP pbx. and this is company's gateway. No way((

You may be left with limited options.

I cant seem to find any documentation on this.  There was talk of it in 10.4 but I cannot find it in 11.1 anywhere.

Without using static NAT you may hvae to configure all those rule-sets or maybe re-configure your addressing?  Do you have a single external address or a range?

It's pity, but I can't change my addressing and I have only 1 public IP. That's why I'm searching for the decision in Destination NAT. It was so simple in ScreenOS and so difficult in JUNOS..... I assume that so obvious task must have some trivial and simple solution. Maybe some policies must be involved..... Searching the solution, any help will be appreciated

Hi

If you want to translate most of your ports to one server, while only several ports to the others,

you can try something like

lab@srxA-1# show security nat 
destination {
    pool pool23 {
        address 10.10.10.10/32 port 23;
    }
    pool pool80 {
        address 10.10.10.20/32 port 80;
    }
    pool pool-other {
        address 10.10.10.100/32;
    }
    rule-set rs1 {
        from zone untrust;
        rule 10 {
            match {
                destination-address 1.1.1.1/32;
                destination-port 23;
            }
            then {
                destination-nat pool pool23;
            }
        }
        rule 20 {
            match {
                destination-address 1.1.1.1/32;
                destination-port 80;
            }
            then {
                destination-nat pool pool80;
            }
        }
        rule 100 {
            match {
                destination-address 1.1.1.1/32;
            }
            then {
                destination-nat pool pool-other;
            }
        }
    }
}

Hey there,

Destination NAT port-ranges has been brought up a few times on this forum now:

http://forums.juniper.net/t5/SRX-Services-Gateway/NAT-Problems/m-p/41462#M4040

http://forums.juniper.net/t5/SRX-Services-Gateway/SRX-Destination-NAT-and-multiple-ports/m-p/39957#M3607

http://forums.juniper.net/t5/SRX-Services-Gateway/NAT-Questions-Issues/m-p/87090/highlight/true#M10597

but alas there is still no solution for it.  Get onto your SE about it and get them to raise an enhancement request, though based on how long this issue has been around, I wonder if there is some fundamental architecture issue in the SRX that stops this from being available.

Thanks. You give me a lot of material, but there are no answers((  Finding solution in progress

Hi, We were stuck with this issue many times as well, and PK's post from earlier is probably the best option.

because it will match the Destination port rules in the order of the rules, you can put the most specific matches that you need first, then towards the end put the least specific.  

For example - we wanted to redirect SIP 5060 and a range of UDP ports for RTP with over 1000 ports in the range, too much too type manually, with only a single IP Static NAT is not the option.

So the answer was to create all the single port rules first, then have a final rule matching destination and protocol UDP only, which would result in all UDP packets (after the more specific matches) being forwarded to the VoIP device.  

The ports then are restricted as per normal in the firewall policies where ranges can be applied.

Hope this helps, because it was driving us crazy for some time.

you say screen OS its so easy, how do it on Screen OS, i have the same problem with Avaya RTP ports

Stumled here while looking info for port ranges. Just wanted to share my solution:

show security nat destination
pool ava {
    address d.d.d.d.d/32;
}
rule-set ava-dest-nat {
    from zone untrust;
    rule ava-in {
        match {
            source-address [ a.a.a.a/32 b.b.b.b/32 ];
            destination-address c.c.c.c/32;
        }
        then {
            destination-nat {
                pool {
                    ava;
                }
            }
        }
    }
}

Connection to Avaya was coming from two specific IP:s so I just translated all ports from these IP:s and have more tight port setup in zone policies.

Since this thread seems to be the top google hit on this issue:

* There is a way to hack this a bit and get inbound port ranges working with 'nat destination'

* Yes, it sucks that dest pools STILL (2018) do not support port ranges.

* Yes, it sucks that you cannot use 'nat static' if your ISP provides you with a dynamic IP address for the SRX.

* Yes, ScreenOS was a lot easier to configure for this.

Here's what I did (similar to what obi-lan said):

In my case, mosh (which is really awesome, so I don't use classic ssh anymore) defaults to udp 60000-61000.

I get a dynamic IP from my ISP.

In the nat destination rule-set, add a rule that matches on the port range:

rule RIG-MOSH {
    match {
        destination-address 0.0.0.0/0;
        destination-port {
            60000 to 61000;
        }
    }
    then {
        destination-nat {
            pool {
                RIG-MOSH-INT;
            }
        }
    }
}

Create the nat destination pool, use dest server's IP only (no port #'s):

pool RIG-MOSH-INT {
    address 192.168.1.77/32;
}

Create the policy that limits access to 60000-61000:

from-zone untrust to-zone trust {
    policy allow-rig-mosh {
        match {
            source-address any;
            destination-address RIG;
            application MOSH;
        }
        then {
            permit {
                destination-address {
                    drop-untranslated;
                }
            }
        }
    }
}

Where application is:

applications {
    application MOSH {
        protocol udp;
        destination-port 60000-61000;
    }
}

Donn

I just saw on release notes of 11.4R5 this new feature:

Release 11.4R5 New Features

Network Address Translation (NAT)

Network Address Translation support for port mapping—This feature is supported on all branch SRX Series and J Series devices

Network Address Translation (NAT) now provides destination-port low to high and mapped-port low to high statements to allow static NAT to map ports as follows:

• To map multiple IP addresses to the same IP addresses on a specified range of ports
• To map a specific IP address and port to a different IP address and port

http://www.juniper.net/techpubs/en_US/junos11.4/information-products/topic-collections/release-notes/11.4/index.html?topic-62163.html#jd0e22495

Is it indeed the feature required to perform destination nat for range of ports?

Did anyone manage to use it successfully?

Static NAT work only with on Public IP address. Most ISP provide us Dynamic IP, so it isn't a good solution.

Hello,

I'm super new to Juniper but.....seriously? I have a firewall cluster with the FREE version of vyatta doing this, I toughed I will be able to migrate to Juniper cluster seamlessly, how come Juniper don't support this feature????

Is it in the road map for future releases???

Rafa

looks like this can be done with static nat (one ip can be used for many) instead of DNAT

http://www.juniper.net/documentation/en_US/junos12.1x46/topics/example/example-static-nat-port-mapping-configuring.html