SRX

junos equivilant to screenos VIP port redirection

I'm not very familiar with Juniper; I’m trying to replicate a VIP config from ScreenOS device with a Junos srx 340 unit. but, still not working. Would it be possible to get your expertise about the config?

in screen os we were able to open a port on the untrust and point it to another port on our trust using a VIP

From ScreenOS example:

" set interface ethernet0/3 description "SRDP" vip 172.21.24.30: 80 "Oracle4" 10.200.3.37:778

We’ve figured out how to do a straight port mapping (thanks to the document: junos for the screenos user)

set security nat destination pool SRDP-VIP-NAT address 10.200.3.37/32
set security nat destination pool SRDP-VIP-NAT address port 7778

set security nat destination rule-set VIP from zone SRDP
set security nat destination rule-set VIP rule r1 match destination-address 172.21.24.30/32
set security nat destination rule-set VIP rule r1 match destination-port 80
set security nat destination rule-set VIP rule r1 then destination-nat pool SRDP-VIP-NAT

set security zones security-zone trust address-book address HTS11 10.200.3.37/32

set security policies from-zone SRDP to-zone Trust policy Allow-VIP match source-address VIP-172.21.24.30
set security policies from-zone SRDP to-zone Trust policy Allow-VIP match destination-address HTS11
set security policies from-zone SRDP to-zone Trust policy Allow-VIP match application Oracle4
set security policies from-zone SRDP to-zone Trust policy Allow-VIP match application junos-http
set security policies from-zone SRDP to-zone Trust policy Allow-VIP then permit

set security nat proxy-arp interface "SRDP" ge-0/0/4.0 address 172.21.24.30/32

Thank you

Ismail

Hi,

if to remove :

del security policies from-zone SRDP to-zone Trust policy Allow-VIP match source-address VIP-172.21.24.30
del security policies from-zone SRDP to-zone Trust policy Allow-VIP match application junos-http

or set the first one as any

Hi,

Many thanks for your reply, I don't want to delete my config, I just want to make sure it is the correct config to convert from Netscreen OS VIP to srx.

As Alex notes, your source in the policy will be the ultimate device requesting access to the  server, not the pre NAT status of your destination.  And since you are changing the port http you won't need that custom oracle port as it will be changed by the time it hits this policy.

set security zones security-zone trust address-book address HTS11 10.200.3.37/32

set security policies from-zone SRDP to-zone Trust policy Allow-VIP match source-address any <<< or restricted to devices you want
set security policies from-zone SRDP to-zone Trust policy Allow-VIP match destination-address HTS11
set security policies from-zone SRDP to-zone Trust policy Allow-VIP match application junos-http
set security policies from-zone SRDP to-zone Trust policy Allow-VIP then permit

you might consider adding logging as well.

set security policies from-zone SRDP to-zone Trust policy Allow-VIP then log session-close

This is a full set of examples on the nat variations

https://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf

Hi Steve,

Many thanks for your help. I'm a bit confused here.

Would you please advice with my new config if it is still correct to apply?

set security zones security-zone trust address-book address HTS11 10.200.3.37/32

set security policies from-zone SRDP to-zone Trust policy Allow-VIP match source-address VIP-172.21.24.30
set security policies from-zone SRDP to-zone Trust policy Allow-VIP match destination-address HTS11
set security policies from-zone SRDP to-zone Trust policy Allow-VIP match application junos-http
set security policies from-zone SRDP to-zone Trust policy Allow-VIP then permit
set security policies from-zone SRDP to-zone Trust policy Allow-VIP then log session-close

set security nat proxy-arp interface "SRDP" ge-0/0/4.0 address 172.21.24.30/32

Regards,

ismail

This is not right

set security policies from-zone SRDP to-zone Trust policy Allow-VIP match source-address VIP-172.21.24.30

The source address is the ip address of the client making the request NOT the pre-NAT address of the destination in the packet.  

Policy is written to the post destination NAT address and the original destination address is NOT in the policy.

Assuming you allow any internet address to acces this host the correct line is 

set security policies from-zone SRDP to-zone Trust policy Allow-VIP match source-address any

But you can restrict external hosts by creating address objects and using them here.  But it is the client requesting the connection nothing to do with your server or nat addresses.

Hello Ismail,

In Junos the syntax for destination address and port translation can be understood simply as under.

For simplicity , lets consider the following:-

SIP1 = Source IP as seen by the Client.

DIP1 = Destination IP as seen by the Client

DPort1= Destination Port as seen by the Client

SIP2 = Source IP as seen by the Server.

DIP2= Destination IP as seen by the Server

DPort2= Destination Port as seen by the Server

In your case, because you are only looking to NAT the incoming service's port and IP, SIP1 & SIP2 have the same value.

1. We create a pool of Destination IP and Destination Port as seen by server.

set security nat destination pool SRDP-VIP-NAT address DIP2
set security nat destination pool SRDP-VIP-NAT address port DPort2

2. We define the destination nat rule to convert the DIP1/DPort1 into DIP2/DPort2. Assuming that the Client is located in SRDP zone.

set security nat destination rule-set VIP from zone SRDP
set security nat destination rule-set VIP rule r1 match destination-address DIP1 
set security nat destination rule-set VIP rule r1 match destination-port DPORT1
set security nat destination rule-set VIP rule r1 then destination-nat pool SRDP-VIP-NAT

3. Define the security policy to allow the post natted Destination IP /Port and original source IP address combination.

set security policies from-zone SRDP to-zone Trust policy Allow-VIP match source-address <Address book defining SIP1>
set security policies from-zone SRDP to-zone Trust policy Allow-VIP match destination-address <Address-book defining DIP2>
set security policies from-zone SRDP to-zone Trust policy Allow-VIP match application <Application defining DPort2>
set security policies from-zone SRDP to-zone Trust policy Allow-VIP then permit

4. You would need to configure proxy-arp on the "Client side" interface only if DIP1 falls in the same subnet asthe "Client side" interface.

Hope this helps!

Thanks,

Hi,

Many thanks for your time and effort. Just to be honest with you, I'm very confused about that. this is what I have 

From ScreenOS config:

" set interface ethernet0/3 description "SRDP" vip 172.21.24.30: 80 "Oracle4" 10.200.3.37:778

The IP: 172.21.24.30 is part of SRDP zone

the Oracle4 application is part of the service application 

The IP: 10.200.3.37 is part of Trust zone 

The port 7778 is the  dst-port for Service Oracle4

Note: Please see the attached PNG for more info.

with regard to your example, I'm not sure if I reflected the right info to match your example.

SIP1 = Source IP as seen by the Client: VIP-172.21.24.30  

DIP1 = Destination IP as seen by the Client : 10.200.3.37/32

DPort1= Destination Port as seen by the Client : 7778

SIP2 = Source IP as seen by the Server. 10.200.3.37/32

DIP2= Destination IP as seen by the Server 80

DPort2= Destination Port as seen by the Server: 172.21.24.30/32

Once again, thanks for your help

Ismail

Hello Ismail,

Let me try again!

" set interface ethernet0/3 description "SRDP" vip 172.21.24.30: 80 "Oracle4" 10.200.3.37:778 "

converts a destination address of a packet (arriving in SRDP zone ) from 172.21.24.30 port 80 to 10.200.3.37 port 778.

On Junos it is achieved by the destination NAT rule written as :- 

set security nat destination pool SRDP-VIP-NAT address10.200.3.37
set security nat destination pool SRDP-VIP-NAT address port 778

set security nat destination rule-set VIP from zone SRDP
set security nat destination rule-set VIP rule r1 match destination-address  172.21.24.30
set security nat destination rule-set VIP rule r1 match destination-port 80
set security nat destination rule-set VIP rule r1 then destination-nat pool SRDP-VIP-NAT

Corresponding security policy would look like the following: -

set security zones security-zone trust address-book address HTS11 10.200.3.37/32

set security policies from-zone SRDP to-zone Trust policy Allow-VIP match source-address any   <<<<<<< You can use an address book with the client's subnet here.
set security policies from-zone SRDP to-zone Trust policy Allow-VIP match destination-address HTS11 
set security policies from-zone SRDP to-zone Trust policy Allow-VIP match application Oracle4 
set security policies from-zone SRDP to-zone Trust policy Allow-VIP then permit

P.S. :- I could not find any attachment with your last post.

Thanks!

Hi mate,

Once again, thank you for your help. I'll test the new config and I'll let you know.

Cheers

ismail

Hi Mate,

With regards to your config for Dest nat, I would like to know if I must add a proxy-arp for the Interface SRDP (ge-0/0/4.0)?

I've been adviced to add those two lines to the config. 

set security nat static rule-set static-nat-SRDP from interface ge-0/0/4.0
set security nat proxy-arp interface ge-0/0/4.0 address 172.21.24.30/32

Please advice.

Thanks,

Ismail

Hello Ismail,

You would only need to configure proxy-arp ONLY if the network of the ip address on ge-0/0/4.0 contains 172.21.24.30.

eg. 

If ge-0/0/4 has 172.21.24.1/24  --- then Yes, proxy arp is needed.

If ge-0/0/4 has 1.1.1.1/8 --- then No, proxy-arp is NOT needed.

Thanks!

Morning Mate,

Thank you so much for all your help and advice.

Regards,

Ismail

Hello Ismail,

Good to know that your issues seem resolved.

I also noticed that you have marked your own (Thanks You) comment as the "solution" to this thread.

It will be highly appreciated if you can mark the post with the actual answer as "Solution" (if possible) for others to quickly find it.

Thanks!