SRX

Expand all | Collapse all

SRX port forwarding clarification

Jump to Best Answer
  • 1.  SRX port forwarding clarification

    Posted 12-16-2018 17:33

    Hi,

     

    I am migrating from SSG to SRX: allow SSH on a non-standard port from the WAN and forwarding it to a machine on the standard port.

     

    WAN:nnnn -> 192.168.3.100:22

     

    Trying to understand why I need to do something that was posted in 2011 from https://forums.juniper.net/t5/SRX-Services-Gateway/SRX-port-forwarding-translation/m-p/100942. Specifically the untrust-to-trust policy needs to match the junos-ssh application in addition to my custom one that refers to the non-standard port. Isn't the destination pool host definition enough?

     

    Thanks

     

    version 12.1X46-D71;
    
    security {
            destination {
                pool DNAT-host-SSH-test {
                    address 192.168.3.100/32 port 22;
                }
                rule-set DST-NAT {
                    from zone untrust;
                    rule Rule1 {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                            destination-port nnnn;
                        }
                        then {
                            destination-nat {
                                pool {
                                    DNAT-host-SSH-test;
                                }
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone untrust to-zone trust {
                policy UNTRUST-to-TRUST-test {
                    match {
                        source-address any;
                        destination-address any;
                        application [ SSH-DNAT junos-ssh ];
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
            }
        }
    }
    
    applications {
        application SSH-DNAT {
            protocol tcp;
            source-port 1024-65535;
            destination-port nnnn;
        }
    }
    
    

     



  • 2.  RE: SRX port forwarding clarification
    Best Answer

     
    Posted 12-16-2018 17:54
    Since destination nat translation occurs before security policies are applied, you need to specify the post-translation port in your policy. I would not expect you need to reference the pre-translated port.

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB16110


  • 3.  RE: SRX port forwarding clarification

    Posted 12-17-2018 21:16

    Thanks for your reply.

     

    "I would not expect you need to reference the pre-translated port. "

     

    You're right! Removing the SSH-DNAT application from my DST-NAT still works. By looking at the diagram referenced in KB16110 I think I understand it. I have:

    • screen
    • nat - source
    • nat - destination (listed in OP rule w/ pre translated port nnnn)
    • policies - trust to untrust
    • policies - untrust to trust (listed in OP policy w/ post translated port)
    • zones - trust
    • zones - untrust

    JunOS looks at Screens, Static NAT, Dest NAT, Route, (Forwarding Lookup), Zones, Policy, .... I gather at Dest NAT it's evaluating the pre translated port? And then when it evaluates Policy, it looks at at the post translated port (which in my case since I want the standard port, it would be junos-ssh)? If I wanted to use the same port as pre-translated, only then would I reference my SSH-DNAT application.

     

    Is my thinking correct?

     

    If so could I also remove the standard port from my pool DNAT host? Instead of

                pool DNAT-host-SSH-test {
                    address 192.168.3.100/32 port 22;
                }
    

    I define the host to

                pool DNAT-host-SSH-test {
                    address 192.168.3.100/32;
                }

    and that way I can forward multiple ports to the same host.

     

     

    Thanks



  • 4.  RE: SRX port forwarding clarification

     
    Posted 12-18-2018 11:41

    Correct--if you don't specify a port in your nat translation all inbound traffic ports will remain the same. You can then rely on your security policy to allow or block actual traffic.



  • 5.  RE: SRX port forwarding clarification

    Posted 12-19-2018 00:00

    FYI, I just tried removing port 22 from

                pool DNAT-host-SSH-test {
                    address 192.168.3.100/32 port 22;
                }

    but that prevented the port forwarding from working.



  • 6.  RE: SRX port forwarding clarification

     
    Posted 12-19-2018 08:15

    Can you post your current security nat and security policies config?




  • 7.  RE: SRX port forwarding clarification

    Posted 12-19-2018 11:55

    @smicker wrote:

    > Can you post your current security nat and security policies config?



     

    I've posted the config over at the beginning of thread https://forums.juniper.net/t5/SRX-Services-Gateway/Dynamic-VPN-client-can-t-ping-some-remote-protected-resources/m-p/419775#M51761.

     

    Thanks!