Port forwarding in SRX

In today’s post I would like to give an example of how to configure destination port forwarding on a Juniper SRX. For this purpose I am using an Ubuntu Linux host running a web service on TCP port 80 and an SRX firewall in front of it. Our aim is to forward any request arriving at the SRX at IP 192.168.250.2, port 8080, to 192.168.211.20, port 80, i.e.
192.168.250.2:8080 –> 192.168.211.20:80


**To keep this post as short as possible, I assume the SRX interfaces have already been assigned to the uplink and trust zones, as described in a separate post.

1) Configure destination nat and pool

[edit security nat]
root@JGW1# show
destination {
    pool web_pool {
        address 192.168.211.20/32 port 80;
    }
    rule-set myrs1 {
        from zone uplink;
        rule http_8080_ubuntu3 {
            match {
                source-address 0.0.0.0/0;
                destination-address 192.168.250.2/32;
                destination-port 8080;
            }
            then {
                destination-nat pool web_pool;
            }
        }
    }
}

Here we create a pool named web_pool that holds the translated IP address and port, and a rule that matches traffic from any source (0.0.0.0/0) destined to 192.168.250.2 on port 8080 and redirects it to web_pool. Note that the rule-set is attached to the uplink zone with "from zone uplink", so only packets entering the SRX from that zone are evaluated against this rule. I hope it is clear up to now.

2) Create security policy which allows this traffic

If you don’t permit this traffic with a security policy, the NAT rule alone is useless: the translated packet is simply dropped at the policy check.

[edit security policies]
root@JGW1# show
from-zone uplink to-zone trust {
    policy allow-http {
        match {
            source-address any;
            destination-address ubuntu3;
            application junos-http;
        }
        then {
            permit;
        }
    }
}

When you create the policy allowing HTTP traffic from the uplink zone to the trust zone with any source address, destination address ubuntu3* and application junos-http, your packets to 192.168.250.2:8080 are redirected to 192.168.211.20:80.

You might be asking why we use the destination address ubuntu3 (192.168.211.20) in the policy instead of 192.168.250.2, and junos-http (port 80) instead of 8080. The answer is in the SRX packet flow diagram, which I have drawn once again for the readers of this post:

When a packet enters the SRX, it first goes through destination NAT processing. At that point the packet still carries destination address 192.168.250.2 and port 8080, which is why the D-NAT rule matches on the original destination address and port. Once destination NAT has run, the packet’s destination address is translated to 192.168.211.20 and its port to 80. That means our packet has changed! By the time it reaches the “Policy Check” stage, the original destination address and port are gone, so the security policy has to match on the translated destination address (ubuntu3) and the translated port (junos-http, TCP 80). Source NAT, by contrast, is applied after the policy check, which is why policies always match on the original source address.

*ubuntu3 is an address-book entry in the trust zone for 192.168.211.20/32.
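The two steps above, together with the address-book entry the policy relies on, as one complete set-format configuration. This is an added example and not the author’s own configuration: the interface names (ge-0/0/0.0 for the uplink zone, ge-0/0/1.0 for the trust zone) and the trust-side gateway address 192.168.211.1/24 are assumptions, while the zone names, the pool, rule-set, rule and policy names, the ubuntu3 address entry and the 192.168.250.2:8080 to 192.168.211.20:80 mapping are the ones used in this post. Enter the lines in configuration mode (or paste them with "load set terminal").

```junos
set interfaces ge-0/0/0 unit 0 family inet address 192.168.250.2/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.211.1/24
set security zones security-zone uplink interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust address-book address ubuntu3 192.168.211.20/32

set security nat destination pool web_pool address 192.168.211.20/32 port 80
set security nat destination rule-set myrs1 from zone uplink
set security nat destination rule-set myrs1 rule http_8080_ubuntu3 match source-address 0.0.0.0/0
set security nat destination rule-set myrs1 rule http_8080_ubuntu3 match destination-address 192.168.250.2/32
set security nat destination rule-set myrs1 rule http_8080_ubuntu3 match destination-port 8080
set security nat destination rule-set myrs1 rule http_8080_ubuntu3 then destination-nat pool web_pool

set security policies from-zone uplink to-zone trust policy allow-http match source-address any
set security policies from-zone uplink to-zone trust policy allow-http match destination-address ubuntu3
set security policies from-zone uplink to-zone trust policy allow-http match application junos-http
set security policies from-zone uplink to-zone trust policy allow-http then permit

commit check
commit and-quit
```

Notice how the two halves of the flow meet: the D-NAT rule matches on the original destination (192.168.250.2, port 8080) while the policy matches on the translated destination (ubuntu3, junos-http), exactly as the flow diagram dictates. To verify the forwarding, browse to http://192.168.250.2:8080 from the uplink side and then run "show security nat destination rule all" (the translation hit counter of http_8080_ubuntu3 should increase) and "show security flow session destination-prefix 192.168.211.20"; the session’s In wing shows the client talking to 192.168.250.2/8080 and the Out wing shows 192.168.211.20/80 answering, which is the translation made visible. Two caveats a practitioner should keep in mind: here 192.168.250.2 is assumed to be the uplink interface’s own address, so the SRX already answers ARP for it; if you forward a different address from the uplink subnet, you also need a "set security nat proxy-arp interface ge-0/0/0.0 address <that-address>" entry or upstream hosts will never reach the rule. And since the rule matches source-address 0.0.0.0/0 and the policy permits source-address any, the Ubuntu web server is reachable from every host in the uplink zone; narrow both to the source range that actually needs access if this is not intended.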

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN // JNCIE-SEC #223 / RHCE / PCNSE

