Port Forwarding on Juniper SRX 210
Let's build a small lab to demonstrate the port forwarding feature in Junos. The "public" IP address of the SRX210 is 192.168.1.10/24 (a private address standing in for a real public one in this lab), the ISP's default gateway is 192.168.1.1, and the goal is to reach the OpManager server in the Trust zone, which has the private IP address 172.16.1.34/24. The SRX210 runs the DHCP service, and all LAN interfaces belong to a routed VLAN whose L3 interface has the address 172.16.1.1/24.

To reach the OpManager server from the Internet we apply Destination NAT as port forwarding. Destination NAT works by specifying NAT rules that match on a packet's destination address (and port). By writing rules that match the destination address of your public IP you can redirect a given address or port to an internal private address of your choosing. The configuration is relatively simple: it needs a destination pool for your internal server(s), the NAT rules themselves, and a security policy that allows the traffic to flow between the zones.
1) DHCP configuration
set system name-server 8.8.8.8
set system services dhcp pool 172.16.1.0/24 address-range low 172.16.1.33
set system services dhcp pool 172.16.1.0/24 address-range high 172.16.1.64
set system services dhcp pool 172.16.1.0/24 default-lease-time 3600
set system services dhcp pool 172.16.1.0/24 domain-name juniperlab.info
set system services dhcp pool 172.16.1.0/24 name-server 8.8.8.8
set system services dhcp pool 172.16.1.0/24 router 172.16.1.1
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.10/24
2) VLAN configuration
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members dhcp
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members dhcp
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members dhcp
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members dhcp
set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members dhcp
set interfaces vlan unit 111 family inet address 172.16.1.1/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.1.1
set vlans dhcp vlan-id 111
set vlans dhcp l3-interface vlan.111
3) Source NAT configuration
set security nat source rule-set interface-nat from zone trust
set security nat source rule-set interface-nat to zone untrust
set security nat source rule-set interface-nat rule rule1 match source-address 0.0.0.0/0
set security nat source rule-set interface-nat rule rule1 match destination-address 0.0.0.0/0
set security nat source rule-set interface-nat rule rule1 then source-nat interface
4) Destination NAT configuration
set security nat destination pool pool_SRX2 address 172.16.1.34/32
set security nat destination pool pool_SRX2 address port 80
set security nat destination rule-set untrust from zone untrust
set security nat destination rule-set untrust rule SRX2_web match destination-address 0.0.0.0/0
set security nat destination rule-set untrust rule SRX2_web match destination-port 80
set security nat destination rule-set untrust rule SRX2_web then destination-nat pool pool_SRX2
5) Security Zones configuration
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces fe-0/0/2.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces fe-0/0/2.0 host-inbound-traffic protocols all
set security zones security-zone trust interfaces fe-0/0/3.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces fe-0/0/3.0 host-inbound-traffic protocols all
set security zones security-zone trust interfaces fe-0/0/4.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces fe-0/0/4.0 host-inbound-traffic protocols all
set security zones security-zone trust interfaces fe-0/0/5.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces fe-0/0/5.0 host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.111 host-inbound-traffic system-services all
set security zones security-zone trust interfaces vlan.111 host-inbound-traffic protocols all
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic protocols all
6) Security Policy Configuration
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone untrust to-zone trust policy untrust-to-trust match source-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match destination-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match application any
set security policies from-zone untrust to-zone trust policy untrust-to-trust then permit
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security policies default-policy permit-all
So far so good. Let's test it: in a browser on the untrust side, open http://192.168.1.10:80. The request is translated to 172.16.1.34:80 and answered by the OpManager server.
You can obviously keep your security tighter by specifying an application (for example junos-http) instead of 'application any', and by restricting the untrust-to-trust policy's destination address to the server instead of 'any'. As written, the untrust-to-trust policy together with default-policy permit-all lets any inbound traffic through, and host-inbound-traffic system-services all on the untrust zone exposes the SRX's own management services (SSH, J-Web and so on) on the Internet-facing interface. Destination NAT is applied before the security policy lookup, which is why the NAT rule matches on the public (pre-NAT) destination address, 192.168.1.10 (the lab rule above matches 0.0.0.0/0 on port 80, which works but is broader than necessary), while the security policy's destination address is the private internal (post-NAT) address 172.16.1.34.
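A tightened version of steps 4 to 6 that applies those points, as an added example rather than the lab's original configuration: it narrows the destination NAT rule to the public address, replaces the any/any/any untrust-to-trust policy with one that permits only HTTP to the server, sets the default policy to deny, and stops the untrust interface from accepting management connections. The address-book name opmanager-srv and the policy name opmanager-http are chosen here and are not in the page. Lines starting with ## are annotations for the reader, not Junos commands; drop them before pasting into configuration mode.

```junos
## Address-book entry for the OpManager server (zone-attached address book, matching the
## older Junos syntax used elsewhere in this lab)
set security zones security-zone trust address-book address opmanager-srv 172.16.1.34/32

## Destination NAT: match only the public address and TCP/80 instead of 0.0.0.0/0
delete security nat destination rule-set untrust rule SRX2_web match destination-address 0.0.0.0/0
set security nat destination rule-set untrust rule SRX2_web match destination-address 192.168.1.10/32
set security nat destination rule-set untrust rule SRX2_web match destination-port 80
set security nat destination rule-set untrust rule SRX2_web then destination-nat pool pool_SRX2

## Untrust-to-trust policy: HTTP only, and only to the post-NAT server address
delete security policies from-zone untrust to-zone trust policy untrust-to-trust
set security policies from-zone untrust to-zone trust policy opmanager-http match source-address any
set security policies from-zone untrust to-zone trust policy opmanager-http match destination-address opmanager-srv
set security policies from-zone untrust to-zone trust policy opmanager-http match application junos-http
set security policies from-zone untrust to-zone trust policy opmanager-http then permit
set security policies from-zone untrust to-zone trust policy opmanager-http then log session-init
set security policies from-zone untrust to-zone trust policy opmanager-http then log session-close

## Anything not explicitly permitted is dropped
set security policies default-policy deny-all

## The Internet-facing interface should not accept connections to the SRX's own services;
## ping is kept here only for troubleshooting
delete security zones security-zone untrust host-inbound-traffic
delete security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping

commit check
commit

## Verify: the rule should show a hit after the browser test, and the session should
## list 192.168.1.10:80 on the In side and 172.16.1.34:80 on the Out side
run show security nat destination rule all
run show security flow session destination-port 80
```

The source NAT rule-set from step 3 and the trust-to-untrust policy are unchanged, so hosts on the LAN still reach the Internet; only the inbound path is narrowed. If the platform runs a release that uses the global address book instead of zone-attached ones, put the opmanager-srv entry under security address-book global instead.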