Configure port forwarding on Juniper routers and ScreenOS
There is no easy way to say this, but if you have been dealing with Cisco devices over the years and are suddenly thrust in front of a Juniper device, you will think that Juniper is very weird. I am sure there are folks who absolutely love Juniper, but personally I don't like dealing with them. In any event, if a client has a Juniper device and you need to configure it, you dive right in and make the best of it.
One of the things that I find odd is the way port forwarding works on the device. Once you see it, it makes perfect sense, but unfortunately the documentation on the subject is lacking.
For example, let's assume your firewall has an external interface on 1.1.1.1 and you have 4 usable IP addresses. You want to host an internal WWW server on 192.168.1.10 that is connected to the internal LAN. Here is the syntax to make this work:
set arp NAT-DST
set address untrust server-www-public 1.1.1.1/32
set policy from untrust to untrust any server-www-public http nat dst ip 192.168.1.10 port 80 permit
The weird part for me was the untrust to untrust, which didn't make a whole lot of sense. In any event, that will work.
Now, what if you wanted to host something via NAT that came through the external IP of the firewall interface?
In this case, we first need to move the firewall's admin port away from port 80 so that port 80 is free for the WWW traffic, and then do the NATing:
set admin port 8080
set service "HTTP-8080" protocol tcp src-port 1024-65535 dst-port 8080-8080
set interface ethernet0/0 vip untrust-ip 80 "HTTP-8080" 192.168.1.10
set policy id 1 from untrust to trust any vip(ethernet0/0) HTTP permit
A bit odd, but it gets the job done. Good luck.
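As an added example (not from the post, and not a Juniper tool): a small Python audit script that reads ScreenOS `set` lines like the ones above and flags the things that silently break these forwards: a VIP on the interface IP whose port is still the admin port, a VIP with no policy permitting traffic to `vip(<interface>)`, and `nat dst` policies without `set arp nat-dst`. The sample config is constructed by combining the two snippets from the post.

```python
import re

# Constructed sample: the two snippets from the post, combined into one config.
SAMPLE_CONFIG = """\
set admin port 8080
set arp nat-dst
set address untrust server-www-public 1.1.1.1/32
set policy from untrust to untrust any server-www-public http nat dst ip 192.168.1.10 port 80 permit
set service "HTTP-8080" protocol tcp src-port 1024-65535 dst-port 8080-8080
set interface ethernet0/0 vip untrust-ip 80 "HTTP-8080" 192.168.1.10
set policy id 1 from untrust to trust any vip(ethernet0/0) HTTP permit
"""

ADMIN_RE = re.compile(r"^set admin port (\d+)$")
VIP_RE = re.compile(r'^set interface (\S+) vip (\S+) (\d+) "?([^"\s]+)"? (\S+)$')
VIP_POLICY_RE = re.compile(r"^set policy .*vip\(([^)]+)\).* permit$")
NAT_DST_RE = re.compile(r"^set policy .* nat dst ip (\S+)(?: port (\d+))? permit$")


def audit_screenos(config, default_admin_port=80):
    """Return a list of finding strings for the VIP / NAT-dst rules in a ScreenOS config."""
    admin_port = default_admin_port  # ScreenOS web management listens on 80 unless changed
    arp_nat_dst = False
    vips, vip_policies, nat_dst_policies = [], set(), []
    for raw in config.splitlines():
        line = raw.strip()
        if m := ADMIN_RE.match(line):
            admin_port = int(m.group(1))
        elif line.lower() == "set arp nat-dst":
            arp_nat_dst = True
        elif m := VIP_RE.match(line):
            vips.append((m.group(1), m.group(2), int(m.group(3)), m.group(5)))
        elif m := VIP_POLICY_RE.match(line):
            vip_policies.add(m.group(1))
        elif m := NAT_DST_RE.match(line):
            nat_dst_policies.append(m.group(1))
    findings = []
    for iface, vip_ip, port, host in vips:
        # A VIP on the interface's own address shares it with the management service,
        # so its port must not be the admin port (why the post moves admin to 8080).
        if vip_ip == "untrust-ip" and port == admin_port:
            findings.append(f"VIP {iface}:{port} -> {host} collides with admin port {admin_port}")
        # A VIP forwards nothing until a policy permits traffic to vip(<interface>).
        if iface not in vip_policies:
            findings.append(f"VIP on {iface} has no policy referencing vip({iface})")
    # The post pairs nat dst policies with 'set arp nat-dst'; flag configs that drop it.
    if nat_dst_policies and not arp_nat_dst:
        findings.append("nat dst policies present but 'set arp nat-dst' is missing")
    return findings


if __name__ == "__main__":
    for finding in audit_screenos(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```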