SRX

Expand all | Collapse all

SRX Destination NAT scenario

Jump to Best Answer
  • 1.  SRX Destination NAT scenario

    Posted 08-15-2017 08:36

    Hi everybody,

     

     

    Please consider the following example:

     

    SRX A must translate all packets destined to 192.168.200.200 with 10.31.254.17 i.e. destination port remains unchanged just destination Ip needs to be replaced.

     

    SRXA:

    set security nat destination pool TESTA address 10.31.254.17/32

    set security nat destination rule-set DNAT1 from zone untrust

    set security nat destination rule-set DNAT1 rule r1 match destination-address 192.168.200.200/32

    set security nat destination rule-set DNAT1 rule r1 then destination-nat pool TESTA

     

    Above I am not specifying any destination port, does it mean destination port will remain unchanged as we desired above?

     

    Thanks and have a good day!!



  • 2.  RE: SRX Destination NAT scenario
    Best Answer

     
    Posted 08-15-2017 10:26

    Yes. Above configuration will leave destination port unchanged.

    Official Juniper's example: https://www.juniper.net/documentation/en_US/junos/topics/example/security-nat-destination-single-address-translation-configuring.html

     

    Regards, Wojtek



  • 3.  RE: SRX Destination NAT scenario

    Posted 08-15-2017 10:30

    Yes this is correct. Consider only defining the ports you want to destination nat.

     

    If you wanted to change destination port, you would do something like this where port 80 is being translated to 8080.

     

    set security nat destination pool TESTA address 10.31.254.17/32

    set security nat destination pool TESTA address port 8080

    set security nat destination rule-set DNAT1 from zone untrust

    set security nat destination rule-set DNAT1 rule r1 match destination-address 192.168.200.200/32

    set security nat destination rule-set DNAT1 rule r1 match destination-port 80

    set security nat destination rule-set DNAT1 rule r1 then destination-nat pool TESTA