Port Forwarding on Juniper SRX 210



Ok, so let's create a small lab to realize Port Forwarding feature in Junos. My public IP address will be 192.168.1.10/24, ISP's default gateway is 192.168.1.1/24, the goal is to reach the OpManager Server in Trust Zone with private IP address 172.16.1.34/24.SRX210 runs DHCP service, all interfaces are in the routed vlan with IP address 172.16.1.1/24.To get the OpManager Server from the Internet we need to apply Destination NAT as Port Forwarding. Destination NAT works by specifying NAT rules based upon a packet’s destination address (and port). By configuring NAT rules based on the destination address of your public IP address you’re able to to redirect a certain address or port to a private internal address of your choosing. Configuration of Destination NAT is also relatively simple; it only requires a destination pool for your internal server(s), NAT rules, and a security policy to allow traffic to flow between the zones.   

1) DHCP configuration 
set system name-server 8.8.8.8
set system services dhcp pool 172.16.1.0/24 address-range low 172.16.1.33
set system services dhcp pool 172.16.1.0/24 address-range high 172.16.1.64
set system services dhcp pool 172.16.1.0/24 default-lease-time 3600
set system services dhcp pool 172.16.1.0/24 domain-name juniperlab.info
set system services dhcp pool 172.16.1.0/24 name-server 8.8.8.8
set system services dhcp pool 172.16.1.0/24 router 172.16.1.1
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.10/24  

2) VLAN configuration  
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members dhcp
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members dhcp
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members dhcp
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members dhcp
set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members dhcp
set interfaces vlan unit 111 family inet address 172.16.1.1/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.1.1
set vlans dhcp vlan-id 111           
set vlans dhcp l3-interface vlan.111 

 3) Source NAT configuration 
set security nat source rule-set interface-nat from zone trust
set security nat source rule-set interface-nat to zone untrust
set security nat source rule-set interface-nat rule rule1 match source-address 0.0.0.0/0
set security nat source rule-set interface-nat rule rule1 match destination-address 0.0.0.0/0
set security nat source rule-set interface-nat rule rule1 then source-nat interface

4) Destination NAT configuration 
set security nat destination pool pool_SRX2 address 172.16.1.34/32
set security nat destination pool pool_SRX2 address port 80
set security nat destination rule-set untrust from zone untrust
set security nat destination rule-set untrust rule SRX2_web match destination-address 0.0.0.0/0
set security nat destination rule-set untrust rule SRX2_web match destination-port 80
set security nat destination rule-set untrust rule SRX2_web then destination-nat pool pool_SRX2

5) Security Zones configuration 
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces fe-0/0/2.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces fe-0/0/2.0 host-inbound-traffic protocols all
set security zones security-zone trust interfaces fe-0/0/3.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces fe-0/0/3.0 host-inbound-traffic protocols all
set security zones security-zone trust interfaces fe-0/0/4.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces fe-0/0/4.0 host-inbound-traffic protocols all
set security zones security-zone trust interfaces fe-0/0/5.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces fe-0/0/5.0 host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.111 host-inbound-traffic system-services all
set security zones security-zone trust interfaces vlan.111 host-inbound-traffic protocols all
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic protocols all

6) Security Policy Configuration 
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone untrust to-zone trust policy untrust-to-trust match source-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match destination-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match application any
set security policies from-zone untrust to-zone trust policy untrust-to-trust then permit
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security policies default-policy permit-all

So far so good. Let's test it.). In browser just type: http://192.168.1.10:80 


You can obviously keep your security tighter by specifying an application instead of using ‘application any’.  The NAT is applied before the security policies are checked which is why the NAT rule’s destination address is your public IP address and the security policy’s destination address is the private internal IP address.





Comments

Post a Comment

Popular posts from this blog

Juniper SRX Routing Instances Configuration and Importing Routes to and from virtual routers

Image
Our goal is to configure routing instances on all devices and provide routing between all instances with ospf protocol. Configure routing instances on SRX1: We will be using a tagged interface ge-0/0/1 where vlan 10 is for vr10.10 routing instance and vlan 20 is for vr20.20: set interfaces ge-0/0/1 vlan-tagging set interfaces ge-0/0/1 unit 10 vlan-id 10 set interfaces ge-0/0/1 unit 10 family inet address 172.16.10.1/24 set interfaces ge-0/0/1 unit 20 vlan-id 20 set interfaces ge-0/0/1 unit 20 family inet address 172.16.20.1/24 Now create routing instances and assign interfaces to them: set routing-instances vr10.10 instance-type virtual-router set routing-instances vr10.10 interface ge-0/0/1.10 set routing-instances vr20.20 instance-type virtual-router set routing-instances vr20.20 interface ge-0/0/1.20 Configure rib-groups to import routes from one routing instance to another (Another alternative is to configure policy-options for importing): set routing-instances vr10.10 routing-opti
Read more

HPE MSR series router NAT, DHCP, SSH config

Image
1. NAT Configuration    1.1. Define Access List [Router] acl basic 2001  [Router] step 1 [Router] rule 0 permit [Router] rule 10 deny 2. Interfaces Configuration    2.1. External (WAN) interface configuration [Router] interface GigabitEthernet 0/0/0 [Router] ip address 10.163.195.2 255.255.255.0 [Router] nat outbound 2001     2.2. Internal (LAN) sub-interfaces configuration [Router] interface GigabitEthernet 0/0/1.2 [Router] ip address 192.168.1.2 255.255.255.0 [Router] vlan-type dot1q vid 2 [Router] interface GigabitEthernet 0/0/1.3 [Router] ip address 192.168.2.2 255.255.255.0 [Router] vlan-type dot1q vid 3 [Router] interface GigabitEthernet 0/0/1.4 [Router] ip address 192.168.3.2 255.255.255.0 [Router] vlan-type dot1q vid 4 3. DHCP Server Configuration     3.1. Enable DHCP service on router [Router] dhcp enable     3.2. Define dhcp settings for vlan 2 [Router] dhcp server ip-pool vlan 2 [Router] ne
Read more

Install Junos with USB

You discover that your Junos EX or SRX device does not complete normal boot up. The image seems to be corrupted for some reason, such as a continuous power failure. If this occurs, don’t worry, you can get it back up within few minutes using the USB port. Step 1. Get a USB flash drive. Copy the Junos image to the USB drive (without creating folders). Use FAT file format if the USB size is less than 2 GB. Use FAT32 if the USB size is greater than or equal to 4 GB. The example below uses the file image junos-srxsme-10.4R1.9-domestic .tgz. Step 2. Insert the flash into an EX/SRX USB port. Step 3. Reboot the device. When Junos boots up, you will see the message : Press Space to abort autoboot Do nothing. A little while later, you will see: Hit [Enter] to boot immediately, or space bar for command prompt. Press the space bar. You will be at loader mode; the prompt should be loader>. If the prompt is > , type >boot to make it loader>. Step 4. Now type the following command: lo
Read more