Port forwarding with new static nat feature

Starting with junos 11.4R5 (If I remember correctly), you can also forward ports by static nat  configuration. We were able to do this only by destination nat feature but it was a bit clunky in comparison to this feature. Configuration is pretty straight forward.  You redirect the port number
“80” in destination-port statement to the port 8080 in “mapped-port” statement.  If your security policies are in place and if needed proxy-arps are configured, this config should be sufficient for port forwarding.

When you are dealing with NAT in SRX, always keep in mind the order of NAT operations i.e 1) STATIC -> 2)  DESTINATION -> 3) SOURCE
Static is the first in the chain. You can for example change the destination IP address of a packet and just after that modify the source address of the very same packet.

If you want to have the SET commands of this configuration simply go to [edit security nat] config level of your device and then paste it as instructed below and press CRTL^D to load it. Once you type “show |display set” you will get the SET commands.

Happy port forwarding:)

4 thoughts on “Port forwarding with new static nat feature

  1. Joe

    Another awesome demo of the SRX capabilities. I’ve always used destination NAT because I wasn’t sure how static NAT would work with a single public WAN IP from my ISP on the internet facing port. I though static NAT needed additional WAN IPs to work, but this proves otherwise.

  2. Francis

    I’m a newbie with junOS and just starting to get a hands on on cli. I would greatly appreciate if you can post the cli commands to arrive at the above configuration. Thanks.

    1. rtoodtoo Post author

      Hi Francis,
      I have updated the post to show you how you can convert a configuration to SET based CLI commands. I think this will be more useful for you.



You have a feedback?