Hello Ismail,
In Junos, the syntax for destination address and port translation can be understood simply as follows.
For simplicity, let's consider the following:
SIP1 = Source IP as seen by the Client.
DIP1 = Destination IP as seen by the Client.
DPort1 = Destination Port as seen by the Client.
SIP2 = Source IP as seen by the Server.
DIP2 = Destination IP as seen by the Server.
DPort2 = Destination Port as seen by the Server.
In your case, because you are only looking to NAT the incoming service's port and IP, SIP1 & SIP2 have the same value.
1. We create a pool of Destination IP and Destination Port as seen by the server.
set security nat destination pool SRDP-VIP-NAT address DIP2
set security nat destination pool SRDP-VIP-NAT address port DPort2
2. We define the destination NAT rule to convert DIP1/DPort1 into DIP2/DPort2, assuming that the Client is located in the SRDP zone.
set security nat destination rule-set VIP from zone SRDP
set security nat destination rule-set VIP rule r1 match destination-address DIP1
set security nat destination rule-set VIP rule r1 match destination-port DPort1
set security nat destination rule-set VIP rule r1 then destination-nat pool SRDP-VIP-NAT
3. Define the security policy to allow the combination of the post-NAT Destination IP/Port and the original source IP address.
set security policies from-zone SRDP to-zone Trust policy Allow-VIP match source-address <Address book defining SIP1>
set security policies from-zone SRDP to-zone Trust policy Allow-VIP match destination-address <Address-book defining DIP2>
set security policies from-zone SRDP to-zone Trust policy Allow-VIP match application <Application defining DPort2>
set security policies from-zone SRDP to-zone Trust policy Allow-VIP then permit
4. You would need to configure proxy-arp on the "Client side" interface only if DIP1 falls in the same subnet as the "Client side" interface.
Hope this helps!
Thanks,
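
The check below is an added example, not part of the original reply: because step 3 requires the security policy to match the post-NAT destination (DIP2), it scans a set-format configuration and flags policies that still reference DIP1. All addresses, the address-book entry names and the function name are constructed for illustration; a global address book with single-address entries is assumed.

```python
import re

# Constructed sample (documentation addresses): DIP1 = 203.0.113.10, DIP2 = 10.1.1.10.
SAMPLE = """\
set security address-book global address client-net 198.51.100.0/24
set security address-book global address vip-public 203.0.113.10/32
set security address-book global address web-real 10.1.1.10/32
set security nat destination pool SRDP-VIP-NAT address 10.1.1.10/32
set security nat destination pool SRDP-VIP-NAT address port 8080
set security nat destination rule-set VIP from zone SRDP
set security nat destination rule-set VIP rule r1 match destination-address 203.0.113.10/32
set security nat destination rule-set VIP rule r1 match destination-port 80
set security nat destination rule-set VIP rule r1 then destination-nat pool SRDP-VIP-NAT
set security policies from-zone SRDP to-zone Trust policy Allow-VIP match source-address client-net
set security policies from-zone SRDP to-zone Trust policy Allow-VIP match destination-address {dst}
set security policies from-zone SRDP to-zone Trust policy Allow-VIP then permit
"""

NAT = r"set security nat destination "
PATTERNS = {
    "book": r"set security address-book \S+ address (\S+) (\S+)$",
    "pool": NAT + r"pool (\S+) address (\d\S*)$",  # skips the 'address port N' line
    "zone": NAT + r"rule-set (\S+) from zone (\S+)$",
    "match": NAT + r"rule-set (\S+) rule (\S+) match destination-address (\S+)$",
    "then": NAT + r"rule-set (\S+) rule (\S+) then destination-nat pool (\S+)$",
    "policy": r"set security policies from-zone (\S+) to-zone \S+ policy (\S+)"
              r" match destination-address (\S+)$",
}

def check_policy_destinations(config):
    """Flag policies whose destination resolves to DIP1 instead of the pool's DIP2."""
    found = {kind: [] for kind in PATTERNS}
    for line in config.splitlines():
        for kind, pattern in PATTERNS.items():
            m = re.match(pattern, line.strip())
            if m:
                found[kind].append(m.groups())
    book, pools, zones = dict(found["book"]), dict(found["pool"]), dict(found["zone"])
    pre_nat = {(rs, rule): ip for rs, rule, ip in found["match"]}
    findings = []
    for rs, rule, pool in found["then"]:
        pre, post = pre_nat.get((rs, rule)), pools.get(pool)
        for zone, policy, dst in found["policy"]:
            # Only policies evaluated for traffic entering from the rule-set's zone.
            if zone == zones.get(rs) and pre and pre != post and book.get(dst) == pre:
                findings.append(f"{policy}: '{dst}' is pre-NAT {pre}, expected post-NAT {post}")
    return findings

if __name__ == "__main__":
    print(check_policy_destinations(SAMPLE.format(dst="vip-public")))  # misconfigured
    print(check_policy_destinations(SAMPLE.format(dst="web-real")))    # as in step 3
```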