In today’s post I would like to give an example of how to configure destination port forwarding on a Juniper SRX. For this purpose I am using an Ubuntu Linux host running a web service on TCP port 80 and an SRX firewall in front of it. Our aim is to forward any request arriving at the SRX box at IP 192.168.250.2 port 8080 to 192.168.211.20 port 80, i.e.
192.168.250.2:8080 -> 192.168.211.20:80
1) Configure destination NAT and pool
For this purpose we create a pool named web_pool and redirect any request coming from any source address (0.0.0.0/0) to 192.168.250.2 at port 8080 to this web_pool, which holds the translated IP address and port. I hope it is clear up to now.
2) Create a security policy which allows this traffic
If you don’t permit this traffic, your NAT is useless.
When you create the policy allowing HTTP traffic from the uplink zone to the trust zone with any source address, destination address *ubuntu3 and application junos-http, your packets to 192.168.250.2:8080 should be redirected to 192.168.211.20:80.
You might be asking why we use destination address ubuntu3 (192.168.211.20) in the policy instead of 192.168.250.2, and junos-http (port 80) instead of 8080. The answer is in the SRX packet flow diagram, which I drew once again for the readers of this post;
When a packet enters the SRX, it first hits the D-NAT process, which means the packet still has destination address 192.168.250.2 and port 8080. That is why we use the original destination address and port in the D-NAT rule. Once D-NAT has run, the packet’s destination address is translated to 192.168.211.20 and its port to 80. That means our packet has changed! When the packet reaches the “Policy Check” process, you no longer have the original destination address and port, which is why we have to use the translated destination address and port in the policy.
*ubuntu3 is an address-book entry in the trust zone with the IP address 192.168.211.20.