Juniper SRX – Destination NAT / Port Forwarding

In this article destination NAT is configured to port-forward traffic to multiple internal servers based on the destination port. This type of NAT configuration is the equivalent of a ScreenOS VIP.

This example syntax is based upon the following setup:

172.16.1.2:2222 –> 192.168.1.5:22
172.16.1.2:3389 –> 192.168.1.6:3389

Configure Address Book

First, the real (internal) addresses of the servers are configured as address-book entries.

set security zones security-zone trust address-book address Server1 192.168.1.5/32
set security zones security-zone trust address-book address Server2 192.168.1.6/32

Configure Ports

Next, the pre-translated (external) ports are defined as custom applications.

set applications application SSH-DNAT protocol tcp
set applications application SSH-DNAT destination-port 2222
set applications application RDP protocol tcp
set applications application RDP destination-port 3389

Configure NAT Pool

A destination NAT pool is defined for each server. These settings are the real IP address and port that the server is actually listening on, i.e. the post-translation destination.

set security nat destination pool dnat-192_168_1_5m32 address 192.168.1.5/32 port 22
set security nat destination pool dnat-192_168_1_6m32 address 192.168.1.6/32 port 3389

Configure NAT Policy

Next, the NAT rule-set is configured. Each rule matches the pre-translated destination address and port and specifies the NAT pool that matching traffic should be translated to; the pool therefore defines both the translated destination IP address and the translated destination port.

set security nat destination rule-set dst-nat from zone untrust

Server 1

set security nat destination rule-set dst-nat rule rule1 match destination-address 172.16.1.2/32
set security nat destination rule-set dst-nat rule rule1 match destination-port 2222
set security nat destination rule-set dst-nat rule rule1 then destination-nat pool dnat-192_168_1_5m32

Server 2

set security nat destination rule-set dst-nat rule rule2 match destination-address 172.16.1.2/32
set security nat destination rule-set dst-nat rule rule2 match destination-port 3389
set security nat destination rule-set dst-nat rule rule2 then destination-nat pool dnat-192_168_1_6m32

Configure Security Policy

Finally, the security policy is configured. Note that the internal (real) IP address and port of the server are referenced within the policy, because destination NAT is applied before the security-policy lookup, so the policy sees the translated destination.

set security policies from-zone untrust to-zone trust policy untrust-to-trust1 match source-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust1 match destination-address Server1
set security policies from-zone untrust to-zone trust policy untrust-to-trust1 match application junos-ssh
set security policies from-zone untrust to-zone trust policy untrust-to-trust1 then permit
set security policies from-zone untrust to-zone trust policy untrust-to-trust2 match source-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust2 match destination-address Server2
set security policies from-zone untrust to-zone trust policy untrust-to-trust2 match application RDP
set security policies from-zone untrust to-zone trust policy untrust-to-trust2 then permit
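To make the ordering concrete, here is an added Python model (not part of the original article and not an SRX tool) that parses the set commands above, applies the first matching destination NAT rule, and only then evaluates the security policy against the translated destination. The CONFIG string is constructed from the article; junos-ssh is assumed to be the predefined tcp/22 application, and only TCP destination matching is modelled.

```python
# Added example (not the article's config or an SRX tool): toy model of the SRX flow, destination
# NAT first, then policy lookup on the translated destination. CONFIG is constructed from the
# article; junos-ssh is assumed to be the predefined tcp/22 application. Zones are ignored.
CONFIG = """
set security zones security-zone trust address-book address Server1 192.168.1.5/32
set security zones security-zone trust address-book address Server2 192.168.1.6/32
set applications application SSH-DNAT destination-port 2222
set applications application RDP destination-port 3389
set security nat destination pool dnat-192_168_1_5m32 address 192.168.1.5/32 port 22
set security nat destination pool dnat-192_168_1_6m32 address 192.168.1.6/32 port 3389
set security nat destination rule-set dst-nat rule rule1 match destination-address 172.16.1.2/32
set security nat destination rule-set dst-nat rule rule1 match destination-port 2222
set security nat destination rule-set dst-nat rule rule1 then destination-nat pool dnat-192_168_1_5m32
set security nat destination rule-set dst-nat rule rule2 match destination-address 172.16.1.2/32
set security nat destination rule-set dst-nat rule rule2 match destination-port 3389
set security nat destination rule-set dst-nat rule rule2 then destination-nat pool dnat-192_168_1_6m32
set security policies from-zone untrust to-zone trust policy untrust-to-trust1 match destination-address Server1
set security policies from-zone untrust to-zone trust policy untrust-to-trust1 match application junos-ssh
set security policies from-zone untrust to-zone trust policy untrust-to-trust1 then permit
set security policies from-zone untrust to-zone trust policy untrust-to-trust2 match destination-address Server2
set security policies from-zone untrust to-zone trust policy untrust-to-trust2 match application RDP
set security policies from-zone untrust to-zone trust policy untrust-to-trust2 then permit
"""

def parse(config):
    addr, apps, pools, rules, policies = {}, {"junos-ssh": 22}, {}, {}, {}
    for t in map(str.split, config.strip().splitlines()):
        if t[1:3] == ["security", "zones"] and t[6] == "address":
            addr[t[7]] = t[8].split("/")[0]
        elif t[1:3] == ["applications", "application"] and t[4] == "destination-port":
            apps[t[3]] = int(t[5])
        elif t[1:5] == ["security", "nat", "destination", "pool"]:
            pools[t[5]] = (t[7].split("/")[0], int(t[9]))  # real ip, real port
        elif t[1:5] == ["security", "nat", "destination", "rule-set"] and t[6] == "rule":
            rules.setdefault(t[7], {}).update({t[9]: t[10]} if t[8] == "match" else {"pool": t[11]})
        elif t[1:3] == ["security", "policies"]:
            policies.setdefault(t[8], {}).update({t[10]: t[11]} if t[9] == "match" else {"action": t[10]})
    return addr, apps, pools, rules, policies

def forward(config, dst_ip, dst_port):
    """Return (post-NAT ip, post-NAT port, verdict) for an inbound TCP packet."""
    addr, apps, pools, rules, policies = parse(config)
    for r in rules.values():  # first matching DNAT rule rewrites the destination
        if (r["destination-address"].split("/")[0], int(r["destination-port"])) == (dst_ip, dst_port):
            dst_ip, dst_port = pools[r["pool"]]
            break
    for p in policies.values():  # policy sees the post-NAT destination; unknown or wrong-case names never match
        if addr.get(p["destination-address"]) == dst_ip and apps.get(p["application"]) == dst_port:
            return dst_ip, dst_port, p["action"]
    return dst_ip, dst_port, "deny"  # nothing matched: implicit default deny
```

Swapping `junos-ssh` for the pre-translated `SSH-DNAT` application, or lower-casing `Server1` to `server1`, makes the policy miss the translated flow and the traffic is dropped, which is exactly the misconfiguration the note above warns about.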

Rick Donato
