Within this article, destination NAT is configured to port-forward traffic to multiple servers based on the destination port. This type of NAT configuration is equivalent to a ScreenOS VIP.
This example syntax is based on the following setup:
172.16.1.2:2222 –> 192.168.1.5:22
172.16.1.2:3389 –> 192.168.1.6:3389
Configure Address Book
First the real addresses of the servers are configured using address-book entries.
set security zones security-zone trust address-book address Server1 192.168.1.5/32
set security zones security-zone trust address-book address Server2 192.168.1.6/32
Configure Ports
Next the pre-translated ports are defined.
set applications application SSH-DNAT protocol tcp
set applications application SSH-DNAT destination-port 2222
set applications application RDP protocol tcp
set applications application RDP destination-port 3389
Configure NAT Pool
A pool is defined for each server and port. These settings hold the real IP address and port configured on the server, i.e. the post-translation destination.
set security nat destination pool dnat-192_168_1_5m32 address 192.168.1.5/32
set security nat destination pool dnat-192_168_1_5m32 address port 22
set security nat destination pool dnat-192_168_1_6m32 address 192.168.1.6/32
set security nat destination pool dnat-192_168_1_6m32 address port 3389
Configure NAT Policy
Next the NAT rule-set is configured. Each rule matches the pre-translated destination address and port and specifies the NAT pool the traffic should be translated to, which sets both the new destination IP and the new destination port.
set security nat destination rule-set dst-nat from zone untrust
Server 1
set security nat destination rule-set dst-nat rule rule1 match destination-address 172.16.1.2/32
set security nat destination rule-set dst-nat rule rule1 match destination-port 2222
set security nat destination rule-set dst-nat rule rule1 then destination-nat pool dnat-192_168_1_5m32
Server 2
set security nat destination rule-set dst-nat rule rule2 match destination-address 172.16.1.2/32
set security nat destination rule-set dst-nat rule rule2 match destination-port 3389
set security nat destination rule-set dst-nat rule rule2 then destination-nat pool dnat-192_168_1_6m32
Configure Security Policy
Finally the security policy is configured. Note that the internal (real) IP address and port of the server are used within the policy, because the SRX performs the policy lookup after destination NAT has been applied. Address-book and application names are case-sensitive, so the policy must reference the names exactly as defined above.
set security policies from-zone untrust to-zone trust policy untrust-to-trust1 match source-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust1 match destination-address Server1
set security policies from-zone untrust to-zone trust policy untrust-to-trust1 match application junos-ssh
set security policies from-zone untrust to-zone trust policy untrust-to-trust1 then permit
set security policies from-zone untrust to-zone trust policy untrust-to-trust2 match source-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust2 match destination-address Server2
set security policies from-zone untrust to-zone trust policy untrust-to-trust2 match application RDP
set security policies from-zone untrust to-zone trust policy untrust-to-trust2 then permit
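The order of operations this configuration relies on (destination NAT first, then the policy lookup on the translated address and port), as an added Python model that is not part of the original article or of Junos itself. The address-book, application, pool and policy names mirror the configuration above; the single untrust-to-trust zone pair, first-match evaluation and lack of source matching are simplifications.

```python
ADDRESS_BOOK = {"Server1": "192.168.1.5", "Server2": "192.168.1.6"}
APPLICATIONS = {"junos-ssh": 22, "RDP": 3389, "SSH-DNAT": 2222}  # tcp destination ports
DNAT_POOLS = {"dnat-192_168_1_5m32": ("192.168.1.5", 22),
              "dnat-192_168_1_6m32": ("192.168.1.6", 3389)}
# rule-set dst-nat: (matched destination address, matched destination port, pool)
DNAT_RULES = [("172.16.1.2", 2222, "dnat-192_168_1_5m32"),
              ("172.16.1.2", 3389, "dnat-192_168_1_6m32")]
# from-zone untrust to-zone trust policies, evaluated top down, first match wins
POLICIES = [("untrust-to-trust1", "Server1", "junos-ssh", "permit"),
            ("untrust-to-trust2", "Server2", "RDP", "permit")]

def destination_nat(dst_ip, dst_port):
    """Step 1: destination NAT. Returns the post-NAT (ip, port)."""
    for match_ip, match_port, pool in DNAT_RULES:
        if (dst_ip, dst_port) == (match_ip, match_port):
            return DNAT_POOLS[pool]
    return dst_ip, dst_port  # no rule matched: the packet is left untranslated

def policy_lookup(dst_ip, dst_port, policies=POLICIES):
    """Step 2: policy lookup on the post-NAT tuple. Name lookups are
    case-sensitive, as on the SRX, so 'server1' would not resolve.
    Returns (policy name, action) or None for the implicit default deny."""
    for name, addr_name, app_name, action in policies:
        if ADDRESS_BOOK.get(addr_name) == dst_ip and APPLICATIONS.get(app_name) == dst_port:
            return name, action
    return None

def forward(dst_ip, dst_port, policies=POLICIES):
    """Full path: translate, then decide. Returns (post-NAT ip, post-NAT port, action)."""
    nat_ip, nat_port = destination_nat(dst_ip, dst_port)
    hit = policy_lookup(nat_ip, nat_port, policies)
    return nat_ip, nat_port, hit[1] if hit else "deny"

def audit(policies=POLICIES):
    """List DNAT rules whose translated target no policy permits. Such a port
    forward silently drops traffic, the usual symptom of a policy that still
    names the pre-NAT port or a misspelled (wrong-case) address-book entry."""
    broken = []
    for match_ip, match_port, pool in DNAT_RULES:
        nat_ip, nat_port = DNAT_POOLS[pool]
        if not policy_lookup(nat_ip, nat_port, policies):
            broken.append(f"{match_ip}:{match_port} -> {nat_ip}:{nat_port} via {pool}")
    return broken

if __name__ == "__main__":
    print(forward("172.16.1.2", 2222))  # ('192.168.1.5', 22, 'permit')
    print(forward("172.16.1.2", 80))    # ('172.16.1.2', 80, 'deny')
    print(audit())                       # []
```

Running audit() against a policy set that references SSH-DNAT (port 2222) instead of junos-ssh reports the SSH forward as unreachable, which is exactly the failure the "real IP and port" note above warns about.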