
Destination NAT (Port Forwarding) Passthrough for VPN

  • 1.  Destination NAT (Port Forwarding) Passthrough for VPN

    Posted 11-16-2014 23:59

    I have a VPN server located at 192.168.1.10.

    The Juniper SRX has a private IP of 192.168.1.1 on fe-0/0/1.0 and a public IP of 222.222.222.222 on fe-0/0/0.0.


    I want to forward ports used for VPN PPTP, L2TP, and IPSec from the Juniper box to the VPN server.

    These are ports 500, 1701, 1723, 4500 on UDP and TCP.


    What configuration should I use for this destination nat? I have tried for hours and been having trouble getting this working.



  • 2.  RE: Destination NAT (Port Forwarding) Passthrough for VPN

    Posted 11-17-2014 00:18

    Here you go.


    root@SRX# show security nat destination
    pool Pool1 {
        address 192.168.1.10/32 port 500;
    }
    pool Pool2 {
        address 192.168.1.10/32 port 1701;
    }
    pool Pool3 {
        address 192.168.1.10/32 port 1723;
    }
    pool Pool4 {
        address 192.168.1.10/32 port 4500;
    }
    rule-set 1 {
        from interface fe-0/0/0.0;
        rule 1 {
            match {
                destination-address 222.222.222.222/32;
                destination-port 500;
            }
            then {
                destination-nat pool Pool1;
            }
        }
        rule 2 {
            match {
                destination-address 222.222.222.222/32;
                destination-port 1701;
            }
            then {
                destination-nat pool Pool2;
            }
        }
        rule 3 {
            match {
                destination-address 222.222.222.222/32;
                destination-port 1723;
            }
            then {
                destination-nat pool Pool3;
            }
        }
        rule 4 {
            match {
                destination-address 222.222.222.222/32;
                destination-port 4500;
            }
            then {
                destination-nat pool Pool4;
            }
        }
    }



    SET COMMANDS:

    root@SRX# show security nat destination | display set
    set security nat destination pool Pool1 address 192.168.1.10/32
    set security nat destination pool Pool1 address port 500
    set security nat destination pool Pool2 address 192.168.1.10/32
    set security nat destination pool Pool2 address port 1701
    set security nat destination pool Pool3 address 192.168.1.10/32
    set security nat destination pool Pool3 address port 1723
    set security nat destination pool Pool4 address 192.168.1.10/32
    set security nat destination pool Pool4 address port 4500
    set security nat destination rule-set 1 from interface fe-0/0/0.0
    set security nat destination rule-set 1 rule 1 match destination-address 222.222.222.222/32
    set security nat destination rule-set 1 rule 1 match destination-port 500
    set security nat destination rule-set 1 rule 1 then destination-nat pool Pool1
    set security nat destination rule-set 1 rule 2 match destination-address 222.222.222.222/32
    set security nat destination rule-set 1 rule 2 match destination-port 1701
    set security nat destination rule-set 1 rule 2 then destination-nat pool Pool2
    set security nat destination rule-set 1 rule 3 match destination-address 222.222.222.222/32
    set security nat destination rule-set 1 rule 3 match destination-port 1723
    set security nat destination rule-set 1 rule 3 then destination-nat pool Pool3
    set security nat destination rule-set 1 rule 4 match destination-address 222.222.222.222/32
    set security nat destination rule-set 1 rule 4 match destination-port 4500
    set security nat destination rule-set 1 rule 4 then destination-nat pool Pool4


    Thanks,

    Suraj

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
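    The same forwarding written with one pool and one rule-set, as an added example (editor's configuration, not Suraj's or the original poster's). Since the destination port is not being rewritten, the pool only needs the address; a port in the pool is required only when translating to a different port. The names vpn-server, from-internet and the rule names are assumptions; the interface, the public address and 192.168.1.10 come from the thread. One caveat the port list in the question does not cover: PPTP also carries its data in GRE (IP protocol 47) and IPsec carries its data in ESP (IP protocol 50). Neither has a port, so port-based destination NAT rules cannot forward them. Forwarding them needs a rule that matches the whole public address with no port (which would also capture traffic meant for the SRX itself, such as management or the SRX's own IKE) or a separate public address with static NAT.

```junos
# Added example: destination NAT for the four VPN ports with a single pool.
# Assumed names: pool vpn-server, rule-set from-internet, rule names.
# 222.222.222.222 on fe-0/0/0.0 and 192.168.1.10 are from the original post.
# The pool carries only the address: the destination port is left unchanged,
# so no per-port pool is needed.
set security nat destination pool vpn-server address 192.168.1.10/32

# Match inbound traffic arriving on the outside interface. Destination NAT is
# evaluated before the security policy lookup, so the policy must permit
# traffic to the translated (private) address, not to 222.222.222.222.
set security nat destination rule-set from-internet from interface fe-0/0/0.0
set security nat destination rule-set from-internet rule ike match destination-address 222.222.222.222/32
set security nat destination rule-set from-internet rule ike match destination-port 500
set security nat destination rule-set from-internet rule ike then destination-nat pool vpn-server
set security nat destination rule-set from-internet rule l2tp match destination-address 222.222.222.222/32
set security nat destination rule-set from-internet rule l2tp match destination-port 1701
set security nat destination rule-set from-internet rule l2tp then destination-nat pool vpn-server
set security nat destination rule-set from-internet rule pptp match destination-address 222.222.222.222/32
set security nat destination rule-set from-internet rule pptp match destination-port 1723
set security nat destination rule-set from-internet rule pptp then destination-nat pool vpn-server
set security nat destination rule-set from-internet rule nat-t match destination-address 222.222.222.222/32
set security nat destination rule-set from-internet rule nat-t match destination-port 4500
set security nat destination rule-set from-internet rule nat-t then destination-nat pool vpn-server

# A destination-port match with no protocol applies to both TCP and UDP on
# that port. GRE (PPTP data) and ESP (IPsec data) have no port and are not
# forwarded by these rules.

# Check the syntax, then commit.
commit check
commit

# Verify in operational mode (hit counters per rule, then live sessions):
#   show security nat destination rule all
#   show security flow session destination-port 1723
```

    The rule counters from "show security nat destination rule all" are the quickest way to tell whether a packet reached the NAT stage at all: a rule whose counter stays at zero means the packet never matched it, so the problem is before NAT (routing, the from interface) rather than in the policy.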



  • 3.  RE: Destination NAT (Port Forwarding) Passthrough for VPN

    Posted 11-17-2014 19:44

    I'm still having an issue.


    The packets seem to hit the SRX box and then are dropped.

    1. How can I troubleshoot this? Is there a way I can see why the SRX box is dropping the packets?


    2. Do I need to define a from-zone to-zone security policy to permit the ports for traffic to flow from the Internet zone to the Internal zone?


    3. Do I need to define a "host-inbound-traffic" section within the Internet zone to allow the traffic in?


    4. What is Proxy ARP, and do I need it for this NAT?




  • 4.  RE: Destination NAT (Port Forwarding) Passthrough for VPN

    Posted 11-17-2014 19:46

    Yes, you need a security policy.


    Thanks,

    Suraj

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too




  • 5.  RE: Destination NAT (Port Forwarding) Passthrough for VPN

    Posted 11-17-2014 20:00

    Is there anything missing/is this correct?


    from-zone Internet to-zone Internal {
        policy allowVPNaccess {
            match {
                source-address any;
                destination-address 192.168.1.10;
            }
            then {
                permit;
            }
        }
    }



  • 6.  RE: Destination NAT (Port Forwarding) Passthrough for VPN
    Best Answer

    Posted 11-17-2014 20:17

    "match application" is missing.


    You can use "match application any".


    Thanks,

    Suraj


    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
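    The policy from post 5 completed with explicit applications rather than "any", together with the flow tracing that answers question 1 of post 3, as an added example (editor's configuration, not from the thread's participants). Two points the thread leaves implicit: destination-address in a policy must name an address-book entry, so "192.168.1.10" only works if an entry of that name exists, and host-inbound-traffic (question 3) is not involved, because it governs traffic terminating on the SRX itself, not transit traffic to the VPN server. Proxy ARP (question 4) is not needed here either: 222.222.222.222 is configured on fe-0/0/0.0, so the SRX already answers ARP for it; proxy ARP is only required when a NAT address sits in the interface subnet without being assigned to the interface. The application names, the vpn-server address-book entry and the trace file name are assumptions; the zone names and the policy name are from post 5.

```junos
# Added example: the policy with explicit applications instead of "any",
# plus flow tracing to see why the SRX drops a packet.
# Assumed names: vpn-server, the vpn-* applications, vpn-passthrough, and
# the trace file. Zone names and the policy name come from the thread.

# Custom applications for exactly the ports being forwarded.
set applications application vpn-ike protocol udp destination-port 500
set applications application vpn-ike-nat-t protocol udp destination-port 4500
set applications application vpn-l2tp protocol udp destination-port 1701
set applications application vpn-pptp protocol tcp destination-port 1723
set applications application-set vpn-passthrough application vpn-ike
set applications application-set vpn-passthrough application vpn-ike-nat-t
set applications application-set vpn-passthrough application vpn-l2tp
set applications application-set vpn-passthrough application vpn-pptp

# The policy's destination-address must be an address-book name. This uses
# the global address book; a device already using zone address books must
# define the entry there instead, because the two cannot be mixed.
set security address-book global address vpn-server 192.168.1.10/32

# The policy matches the post-NAT (private) address, because destination NAT
# runs before the policy lookup. Logging both ends of the session gives a
# record of who reached the VPN server through the forward.
set security policies from-zone Internet to-zone Internal policy allowVPNaccess match source-address any
set security policies from-zone Internet to-zone Internal policy allowVPNaccess match destination-address vpn-server
set security policies from-zone Internet to-zone Internal policy allowVPNaccess match application vpn-passthrough
set security policies from-zone Internet to-zone Internal policy allowVPNaccess then permit
set security policies from-zone Internet to-zone Internal policy allowVPNaccess then log session-init
set security policies from-zone Internet to-zone Internal policy allowVPNaccess then log session-close

# Troubleshooting: trace only PPTP control traffic sent to the public address.
# Flow tracing is expensive; always narrow it with a packet-filter and remove
# it once the problem is found.
set security flow traceoptions file vpn-nat-trace size 5m files 3
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter pptp destination-prefix 222.222.222.222/32
set security flow traceoptions packet-filter pptp destination-port 1723
commit

# In operational mode, after sending a test connection to TCP 1723:
#   show log vpn-nat-trace | match "nat|policy|denied|drop"
#   show security flow session destination-port 1723
#   show security policies from-zone Internet to-zone Internal detail
# Remove the tracing when done:
#   configure
#   delete security flow traceoptions
#   commit
```

    The trace log shows each stage the packet passes through: the destination NAT lookup and the translated address, the zone lookup, and the policy search with its result. If the trace shows the packet translated to 192.168.1.10 but denied by policy, the address-book entry or the application set is the problem; if no trace lines appear at all, the packet is not reaching fe-0/0/0.0 or the packet-filter does not match it.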