Port forwarding in SRX

In today’s post I would like to give an example of how to configure destination port forwarding on a Juniper SRX. For this purpose I am using an Ubuntu Linux host running a web service on TCP port 80 and an SRX firewall in front of it. Our aim is to forward any request arriving at the SRX box’s IP on port 8080 to port 80, i.e. –>

**I assume we have already assigned the SRX interfaces to the uplink and trust zones, as described in this post, to keep this post as short as possible.

1) Configure the destination NAT rule and pool

For this purpose we create a pool named web_pool and redirect any request coming from any source address to the SRX’s address on port 8080 to this web_pool, which holds the translated IP address and port. I hope it is clear up to now.

2) Create a security policy which allows this traffic

If you don’t permit this traffic, your NAT is useless.

When you create the policy allowing HTTP traffic from the uplink zone to the trust zone with any source address, destination address *ubuntu3 and application junos-http, your packets to port 8080 should be redirected to port 80 on the Ubuntu host.
You might be asking why we are using the destination address ubuntu3 in the policy instead of the SRX’s own address, or junos-http (port 80) instead of 8080. The answer is in the SRX packet flow diagram, which I drew once again for the reader of this post;

When a packet enters the SRX, it hits the D-NAT process first, which means the packet still has its original destination address and port 8080. That is why we use the original destination address and port in the D-NAT rule. Once D-NAT has run, the packet’s destination address is translated to the Ubuntu host’s address and its port to 80. That means our packet has been changed! When the packet reaches the “Policy Check” process, you no longer have the original destination address and port, which is why we have to use the translated destination address and port in the policy.

*ubuntu3 is an address-book entry in the associated trust zone holding the Ubuntu host’s IP address.
