Junos OS


Can static NAT support single public IP forwarding three non-contiguous ports to single private IP?

  • 1.  Can static NAT support single public IP forwarding three non-contiguous ports to single private IP?

    Posted 05-23-2018 10:21

    I read through Juniper's example-configuring-static-nat-for-port-mapping and can't find the commands for setting up a static NAT where a single public IP address forwards multiple non-contiguous ports (in my case 3 ports, 22, 443, 80) to a single private IP address.


    Is this supported and anyone have an example?



  • 2.  RE: Can static NAT support single public IP forwarding three non-contiguous ports to single private IP?

    Posted 05-23-2018 17:16

    By default static nat is mapping the ip address one for one on all ports.  So you don't need to configure ports at all for normal forwarding.


    The example you are looking at is changing the destination ports in addition to mapping the ip address which is why they are specified. If you are running these normal protocol ports 22, 443 and 80 without change then nothing needs to be configured or specified in the static nat rule at all.




  • 3.  RE: Can static NAT support single public IP forwarding three non-contiguous ports to single private IP?

    Posted 05-25-2018 08:14

    I understand by default it does all ports. There are options to forward a single port or contiguous range of ports. I'm looking to only forward three non-contiguous ports. I don't want my SRX 345 to forward all ports 22 thru 8080 to my little server, just the three.




  • 4.  RE: Can static NAT support single public IP forwarding three non-contiguous ports to single private IP?

    Posted 05-26-2018 04:14

    Sorry, but I think we might be talking past each other.


    I don't think now that you are looking for static nat.  With this feature you are dedicating a single ip address on the public side to a single ip address on the private side.  It cannot be used then for any other server or purpose.  Thus the concept of only forwarding certain ports is not in the configuration.  You are dedicating the public ip to that private ip for all ports.


    Where you apply the restrictions is in the security policy.  Only those ports with a security permit policy configured will actually reach the private server address.


    The port configuration you see for static nat is if you need to translate the port in addition to the ip address, changing 443 to 8080 for example.


    If you are looking to share an ip address and send three ports to one server and other ports to other servers then you would need to configure destination nat for the inbound traffic and source nat if the server initiates outbound traffic on that port.  If all the traffic is inbound no source nat policy is needed as it will match the existing session.




  • 5.  RE: Can static NAT support single public IP forwarding three non-contiguous ports to single private IP?
    Best Answer

    Posted 05-27-2018 02:13

    An example:


    set security nat static rule-set rs from zone untrust
    set security nat static rule-set rs rule r1 match destination-address 203.0.113.1/32
    set security nat static rule-set rs rule r1 match destination-port 22
    set security nat static rule-set rs rule r1 then static-nat prefix 10.1.1.1/32
    set security nat static rule-set rs rule r1 then static-nat prefix mapped-port 22
    set security nat static rule-set rs rule r2 match destination-address 203.0.113.1/32
    set security nat static rule-set rs rule r2 match destination-port 80
    set security nat static rule-set rs rule r2 then static-nat prefix 10.1.1.1/32
    set security nat static rule-set rs rule r2 then static-nat prefix mapped-port 80
    set security nat static rule-set rs rule r3 match destination-address 203.0.113.1/32
    set security nat static rule-set rs rule r3 match destination-port 443
    set security nat static rule-set rs rule r3 then static-nat prefix 10.1.1.1/32
    set security nat static rule-set rs rule r3 then static-nat prefix mapped-port 443

    but I think what you are really looking for is a destination NAT

    set security nat destination pool p22 address 10.1.1.1/32 port 22
    set security nat destination pool p80 address 10.1.1.1/32 port 80
    set security nat destination pool p443 address 10.1.1.1/32 port 443
    set security nat destination rule-set rs from zone untrust
    set security nat destination rule-set rs rule r1 match destination-address 203.0.113.1/32
    set security nat destination rule-set rs rule r1 match destination-port 22
    set security nat destination rule-set rs rule r1 then destination-nat pool p22
    set security nat destination rule-set rs rule r2 match destination-address 203.0.113.1/32
    set security nat destination rule-set rs rule r2 match destination-port 80
    set security nat destination rule-set rs rule r2 then destination-nat pool p80
    set security nat destination rule-set rs rule r3 match destination-address 203.0.113.1/32
    set security nat destination rule-set rs rule r3 match destination-port 443
    set security nat destination rule-set rs rule r3 then destination-nat pool p443

    Regards, Wojtek




  • 6.  RE: Can static NAT support single public IP forwarding three non-contiguous ports to single private IP?

    Posted 05-27-2018 03:38

    This configuration is really unnecessary.  The ports are going to forward this way anyway and you are still dedicating all the port forwarding for the ip address and need to restrict in the security policy.  So all this does is add extra configuration to the static nat that changes nothing from simply forwarding the ip address alone.


    set security nat static rule-set rs from zone untrust
    set security nat static rule-set rs rule r1 match destination-address 203.0.113.1/32
    set security nat static rule-set rs rule r1 match destination-port 22
    set security nat static rule-set rs rule r1 then static-nat prefix 10.1.1.1/32
    set security nat static rule-set rs rule r1 then static-nat prefix mapped-port 22
    set security nat static rule-set rs rule r2 match destination-address 203.0.113.1/32
    set security nat static rule-set rs rule r2 match destination-port 80
    set security nat static rule-set rs rule r2 then static-nat prefix 10.1.1.1/32
    set security nat static rule-set rs rule r2 then static-nat prefix mapped-port 80
    set security nat static rule-set rs rule r3 match destination-address 203.0.113.1/32
    set security nat static rule-set rs rule r3 match destination-port 443
    set security nat static rule-set rs rule r3 then static-nat prefix 10.1.1.1/32
    set security nat static rule-set rs rule r3 then static-nat prefix mapped-port 443




  • 7.  RE: Can static NAT support single public IP forwarding three non-contiguous ports to single private IP?

    Posted 05-27-2018 04:01

    Totally agree

    Anyway...  that is an example that majorjuniper asked for.

    Regards, Wojtek



  • 8.  RE: Can static NAT support single public IP forwarding three non-contiguous ports to single private IP?

    Posted 05-29-2018 15:02

    Thank you for the example. I will try destination NAT.



  • 9.  RE: Can static NAT support single public IP forwarding three non-contiguous ports to single private IP?

    Posted 05-29-2018 15:26

    Is proxy-arp mandatory for destination NAT?


    From the Juniper docs:

     set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.200/32



  • 10.  RE: Can static NAT support single public IP forwarding three non-contiguous ports to single private IP?

    Posted 05-29-2018 17:15

    Proxy arp is required when your nat address is in the same subnet as an address configured on the SRX interface.  When this is the case the SRX must provide the arp responses for your nat flows and thus proxy arp has to be configured.


    But if the nat subnet is routed to your SRX interface and does not appear on any interface ip range, no proxy arp is needed.
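
A combined configuration, added here as an example and not taken from any post in the thread, that ties together what posts 4, 6 and 10 describe around the destination NAT sketched in post 5: the three port-specific pools and rules, the proxy-ARP entry post 10 says is required when the NAT address lies in the interface subnet, and the security policy that posts 4 and 6 say is where the port restriction actually lives. The public IP 203.0.113.1 and the server 10.1.1.1 are reused from the thread; the interface ge-0/0/0.0, the zones untrust/trust, the use of the global address book, and all pool, rule-set, policy and address names are assumptions. The `#` lines are explanatory comments, and the last three lines are operational-mode `show` commands rather than configuration.

```junos
# Added example (not from the thread). Assumptions: 203.0.113.1 sits inside the
# subnet configured on ge-0/0/0.0 in zone untrust; 10.1.1.1 is in zone trust.

# --- Destination NAT: only TCP 22, 80 and 443 on 203.0.113.1 are translated ---
# Each pool carries the server address *and* the target port. Any other port
# aimed at 203.0.113.1 matches no rule and is never translated to 10.1.1.1.
set security nat destination pool srv-ssh address 10.1.1.1/32 port 22
set security nat destination pool srv-http address 10.1.1.1/32 port 80
set security nat destination pool srv-https address 10.1.1.1/32 port 443
set security nat destination rule-set from-untrust from zone untrust
set security nat destination rule-set from-untrust rule ssh match destination-address 203.0.113.1/32
set security nat destination rule-set from-untrust rule ssh match destination-port 22
set security nat destination rule-set from-untrust rule ssh match protocol tcp
set security nat destination rule-set from-untrust rule ssh then destination-nat pool srv-ssh
set security nat destination rule-set from-untrust rule http match destination-address 203.0.113.1/32
set security nat destination rule-set from-untrust rule http match destination-port 80
set security nat destination rule-set from-untrust rule http match protocol tcp
set security nat destination rule-set from-untrust rule http then destination-nat pool srv-http
set security nat destination rule-set from-untrust rule https match destination-address 203.0.113.1/32
set security nat destination rule-set from-untrust rule https match destination-port 443
set security nat destination rule-set from-untrust rule https match protocol tcp
set security nat destination rule-set from-untrust rule https then destination-nat pool srv-https

# --- Proxy ARP: needed because 203.0.113.1 is in the ge-0/0/0.0 subnet (post 10) ---
# The SRX must answer ARP for the NAT address or upstream traffic never arrives.
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.1/32

# --- Security policy: the actual port restriction (posts 4 and 6) ---
# Policy lookup happens after destination NAT, so the policy matches the
# translated private address 10.1.1.1, not the public 203.0.113.1.
# junos-ssh / junos-http / junos-https are predefined applications for
# TCP 22 / 80 / 443. Everything else falls to the SRX default deny.
set security address-book global address srv-10.1.1.1 10.1.1.1/32
set security policies from-zone untrust to-zone trust policy srv-inbound match source-address any
set security policies from-zone untrust to-zone trust policy srv-inbound match destination-address srv-10.1.1.1
set security policies from-zone untrust to-zone trust policy srv-inbound match application junos-ssh
set security policies from-zone untrust to-zone trust policy srv-inbound match application junos-http
set security policies from-zone untrust to-zone trust policy srv-inbound match application junos-https
set security policies from-zone untrust to-zone trust policy srv-inbound then permit
set security policies from-zone untrust to-zone trust policy srv-inbound then log session-init

# --- Verification (operational mode, after commit) ---
# Rule and pool hit counters should climb only for the three ports; a session
# entry for 10.1.1.1 confirms translation plus policy permit end to end.
show security nat destination rule all
show security nat destination pool all
show security flow session destination-prefix 10.1.1.1
```

The policy is what enforces the "only three ports" requirement; the destination NAT rules merely fail to translate other ports, and the policy is still required because a matching NAT rule alone never permits traffic. The same ordering applies to the static NAT variant in post 5: with static NAT the policy also has to reference the private address. If the server initiates outbound connections on its own, the source NAT that post 4 mentions is a separate rule-set and is not shown here.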