SRX

  • 1.  Issue Port forwarding on SRX345

    Posted 16 days ago

    Hello everyone,

    I'm trying to deploy a web server (port 80) from a public IP address on my LAN.

    To do this, in the SRX I configured:

    set applications application CUS-HTTP-80 protocol tcp destination-port 80

    set security nat destination pool WEB-192 address 192.X.x.6/32

    set security nat destination rule-set DST-NAT-HTTP from zone Untrust

    set security nat destination rule-set DST-NAT-HTTP rule R1 match destination-address 200.x.x.11/32
    set security nat destination rule-set DST-NAT-HTTP rule R1 match destination-port 80
    set security nat destination rule-set DST-NAT-HTTP rule R1 then destination-nat pool WEB-192

    set security policies from-zone Untrust to-zone Trust policy ALLOW-HTTP match source-address any
    set security policies from-zone Untrust to-zone Trust policy ALLOW-HTTP match destination-address 192.X.x.6/32
    set security policies from-zone Untrust to-zone Trust policy ALLOW-HTTP match application CUS-HTTP-80
    set security policies from-zone Untrust to-zone Trust policy ALLOW-HTTP match dynamic-application any
    set security policies from-zone Untrust to-zone Trust policy ALLOW-HTTP then permit

    I ran: run clear security flow session destination-prefix 200.x.x.11

    And I get: 

    In: 200.x.x.x/19975 --> 200.x.x.11/80;tcp, Conn Tag: 0x0, If: ge-0/0/4.0, Pkts: 2, Bytes: 104, 
    Out: 192.X.x.6/80 --> 200.x.x.x/19975;tcp, Conn Tag: 0x0, If: ge-0/0/6.0, Pkts: 2, Bytes: 104,

    Session ID: 171798769124, Policy name: pre-id-default-policy-logical-system-00/3, Timeout: 20, Session State: Valid 
    In: 200.x.x.x/1519 --> 200.x.x.11/80;tcp, Conn Tag: 0x0, If: ge-0/0/4.0, Pkts: 2, Bytes: 104, 
    Out: 192.X.x.6/80 --> 200.x.x.x/1519;tcp, Conn Tag: 0x0, If: ge-0/0/6.0, Pkts: 3, Bytes: 156,

    Session ID: 90194614473, Policy name: pre-id-default-policy-logical-system-00/3, Timeout: 18, Session State: Valid 
    In: 200.x.x.x/19794 --> 200.x.x.11/80;tcp, Conn Tag: 0x0, If: ge-0/0/4.0, Pkts: 2, Bytes: 104, 
    Out: 192.X.x.6/80 --> 200.x.x.x/19794;tcp, Conn Tag: 0x0, If: ge-0/0/6.0, Pkts: 2, Bytes: 104,
    Total sessions: 3
    ---(refreshed at 2026-05-20 16:50:04 VET)---
    Session ID: 137438999133, Policy name: pre-id-default-policy-logical-system-00/3, Timeout: 16, Session State: Valid 
    In: 200.x.x.x/19975 --> 200.x.x.11/80;tcp, Conn Tag: 0x0, If: ge-0/0/4.0, Pkts: 3, Bytes: 156, 
    Out: 192.X.x.6/80 --> 200.x.x.x/19975;tcp, Conn Tag: 0x0, If: ge-0/0/6.0, Pkts: 4, Bytes: 208,

    Session ID: 171798769124, Policy name: pre-id-default-policy-logical-system-00/3, Timeout: 18, Session State: Valid 
    In: 200.x.x.x/1519 --> 200.x.x.11/80;tcp, Conn Tag: 0x0, If: ge-0/0/4.0, Pkts: 3, Bytes: 156, 
    Out: 192.X.x.6/80 --> 200.x.x.x/1519;tcp, Conn Tag: 0x0, If: ge-0/0/6.0, Pkts: 4, Bytes: 208,

    Session ID: 90194614473, Policy name: pre-id-default-policy-logical-system-00/3, Timeout: 16, Session State: Valid 
    In: 200.x.x.x/19794 --> 200.x.x.11/80;tcp, Conn Tag: 0x0, If: ge-0/0/4.0, Pkts: 3, Bytes: 156, 
    Out: 192.X.x.6/80 --> 200.x.x.x/19794;tcp, Conn Tag: 0x0, If: ge-0/0/6.0, Pkts: 4, Bytes: 208,
    Total sessions: 3
    ---(refreshed at 2026-05-20 16:50:06 VET)---
    Session ID: 137438999133, Policy name: pre-id-default-policy-logical-system-00/3, Timeout: 14, Session State: Valid 
    In: 200.x.x.x/19975 --> 200.x.x.11/80;tcp, Conn Tag: 0x0, If: ge-0/0/4.0, Pkts: 3, Bytes: 156, 
    Out: 192.X.x.6/80 --> 200.x.x.x/19975;tcp, Conn Tag: 0x0, If: ge-0/0/6.0, Pkts: 5, Bytes: 260,

    Session ID: 171798769124, Policy name: pre-id-default-policy-logical-system-00/3, Timeout: 16, Session State: Valid 
    In: 200.x.x.x/1519 --> 200.x.x.11/80;tcp, Conn Tag: 0x0, If: ge-0/0/4.0, Pkts: 3, Bytes: 156, 
    Out: 192.X.x.6/80 --> 200.x.x.x/1519;tcp, Conn Tag: 0x0, If: ge-0/0/6.0, Pkts: 5, Bytes: 260,

    I'm trying to display http://200.x.x.x and it shows a timeout error.

    Could someone please help me?

    Thanks.



    ------------------------------
    JOSE MARINO
    ------------------------------


  • 2.  RE: Issue Port forwarding on SRX345

    Posted 16 days ago

    You should confirm the SRX has a route to your web server in the routing instance of the external interface the traffic comes in on. The return traffic shown almost looks like just the initial couple of packets that do AppID on the traffic.

    In order to leave AppID out of it for troubleshooting, you can remove dynamic-application matching (and move the policy above any policy that does AppID). Then see what you get in the session output.

    Also you can use the junos-http application instead of having to define CUS-HTTP-80.



    ------------------------------
    Nikolay Semov
    ------------------------------
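    The session output in the first post and the interpretation in the reply above can be checked mechanically. The following is an added example, not code from the thread or from Juniper: a small parser for "show security flow session" text that, for each session, reports whether destination NAT was applied (the Out wing is sourced from the internal server rather than the public address), whether the session is still sitting on the pre-id-default-policy (the dynamic-application lookup has not resolved), and how the packet counters move between two refreshes. The sample output is constructed to match the thread's format, with RFC 5737 / private addresses standing in for the poster's real ones; the threshold in stalled_sessions is an assumption, not an SRX value.

```python
import re
from dataclasses import dataclass, field

# Constructed samples modelled on the "show security flow session" output in the
# thread. Addresses are documentation/private ranges, not the poster's real ones.
SNAPSHOT_1 = """\
Session ID: 171798769124, Policy name: pre-id-default-policy-logical-system-00/3, Timeout: 20, Session State: Valid
In: 203.0.113.50/1519 --> 203.0.113.11/80;tcp, Conn Tag: 0x0, If: ge-0/0/4.0, Pkts: 2, Bytes: 104,
Out: 192.168.10.6/80 --> 203.0.113.50/1519;tcp, Conn Tag: 0x0, If: ge-0/0/6.0, Pkts: 3, Bytes: 156,

Session ID: 90194614473, Policy name: ALLOW-HTTP/5, Timeout: 1800, Session State: Valid
In: 203.0.113.60/40210 --> 203.0.113.11/80;tcp, Conn Tag: 0x0, If: ge-0/0/4.0, Pkts: 14, Bytes: 1890,
Out: 192.168.10.6/80 --> 203.0.113.60/40210;tcp, Conn Tag: 0x0, If: ge-0/0/6.0, Pkts: 11, Bytes: 6120,
Total sessions: 2
"""

SNAPSHOT_2 = """\
Session ID: 171798769124, Policy name: pre-id-default-policy-logical-system-00/3, Timeout: 16, Session State: Valid
In: 203.0.113.50/1519 --> 203.0.113.11/80;tcp, Conn Tag: 0x0, If: ge-0/0/4.0, Pkts: 3, Bytes: 156,
Out: 192.168.10.6/80 --> 203.0.113.50/1519;tcp, Conn Tag: 0x0, If: ge-0/0/6.0, Pkts: 5, Bytes: 260,

Session ID: 90194614473, Policy name: ALLOW-HTTP/5, Timeout: 1798, Session State: Valid
In: 203.0.113.60/40210 --> 203.0.113.11/80;tcp, Conn Tag: 0x0, If: ge-0/0/4.0, Pkts: 40, Bytes: 5200,
Out: 192.168.10.6/80 --> 203.0.113.60/40210;tcp, Conn Tag: 0x0, If: ge-0/0/6.0, Pkts: 36, Bytes: 48000,
Total sessions: 2
"""

SESSION_RE = re.compile(
    r"Session ID: (\d+), Policy name: ([^,]+), Timeout: (\d+), Session State: (\w+)")
WING_RE = re.compile(
    r"(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), Conn Tag: \S+, If: (\S+), "
    r"Pkts: (\d+), Bytes: (\d+)")


@dataclass
class Wing:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    ifname: str
    pkts: int
    nbytes: int


@dataclass
class Session:
    sid: int
    policy: str
    timeout: int
    state: str
    wings: dict = field(default_factory=dict)  # "In" / "Out" -> Wing


def parse_sessions(text):
    """Parse flow-session output into Session objects (one per Session ID)."""
    sessions, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SESSION_RE.match(line)
        if m:
            current = Session(int(m[1]), m[2], int(m[3]), m[4])
            sessions.append(current)
            continue
        m = WING_RE.match(line)
        if m and current is not None:
            current.wings[m[1]] = Wing(m[2], int(m[3]), m[4], int(m[5]), m[6],
                                       m[7], int(m[8]), int(m[9]))
    return sessions


def analyze(session):
    """Findings for one session: was DNAT applied, and has AppID finished?"""
    inw, outw = session.wings["In"], session.wings["Out"]
    return {
        "sid": session.sid,
        # DNAT is in effect when the reverse wing is sourced from the real
        # server rather than the public address the client connected to.
        "dnat_applied": inw.dst != outw.src,
        "server": outw.src,
        # pre-id-default-policy means the dynamic-application lookup has not
        # resolved yet, so the session has not reached the intended policy.
        "appid_pending": session.policy.startswith("pre-id-default-policy"),
        "in_pkts": inw.pkts,
        "out_pkts": outw.pkts,
    }


def diff_snapshots(text_a, text_b):
    """Per-session (In, Out) packet growth between two refreshes of the command."""
    before = {s.sid: s for s in parse_sessions(text_a)}
    after = {s.sid: s for s in parse_sessions(text_b)}
    return {sid: (after[sid].wings["In"].pkts - before[sid].wings["In"].pkts,
                  after[sid].wings["Out"].pkts - before[sid].wings["Out"].pkts)
            for sid in before.keys() & after.keys()}


def stalled_sessions(text, min_in_pkts=4):
    """Sessions still on the pre-id policy with fewer than min_in_pkts inbound
    packets (assumed threshold): the client never got past the handshake."""
    return sorted(s.sid for s in parse_sessions(text)
                  if analyze(s)["appid_pending"] and s.wings["In"].pkts < min_in_pkts)


if __name__ == "__main__":
    for s in parse_sessions(SNAPSHOT_2):
        print(analyze(s))
    print("growth:", diff_snapshots(SNAPSHOT_1, SNAPSHOT_2))
    print("stalled:", stalled_sessions(SNAPSHOT_2))
```

    Paste two consecutive refreshes of the command into SNAPSHOT_1 and SNAPSHOT_2 (or read them from files) and run the script: a session whose policy stays pre-id-default-policy while the In counter barely moves is exactly the pattern the reply describes, and removing dynamic-application from the policy should make it land on ALLOW-HTTP instead.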



  • 3.  RE: Issue Port forwarding on SRX345

    Posted 16 days ago

    One thing not many will let on.

    rule IPV4-External-IP-24 {
        match {
            source-address [ 192.168.1.xx/24 192.168.1.0/24 ];
            source-port {
                0 to 22;
                24 to 65535;
            }
            destination-address 96.120.86.241/29;
            destination-port 0 to 65535;
            protocol [ tcp udp icmp ];
        }
    }

    The most important thing here is the omission of port 23. You will have to find which NAT statements where it isn't needed to do this.

    HTTPS also must be dealt with.

    Drop?



    ------------------------------
    Adrian Aguinaga
    B.S.C.M. I.T.T. Tech
    (Construction Management)
    A.A.S. I.T.T. Tech
    (Drafting & Design)
    ------------------------------



  • 4.  RE: Issue Port forwarding on SRX345

    Posted 16 days ago

    What does source port 23 have to do with this? What do you mean by "commission of port 23"? What's commission of a port? Why would you want to exclude any source port?



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 5.  RE: Issue Port forwarding on SRX345

    Posted 15 days ago

    This port is responsible for proper web management operation in my configuration. Odd but true. It's a suggestion. Perhaps others don't have this criteria. Thx.



    ------------------------------
    Adrian Aguinaga
    B.S.C.M. I.T.T. Tech
    (Construction Management)
    A.A.S. I.T.T. Tech
    (Drafting & Design)
    ------------------------------