Port forwarding with new static nat feature
Starting with Junos 11.4R5 (if I remember correctly), you can also forward ports with static NAT. Before that, we could only do this with destination NAT, which was a bit clunky in comparison. The configuration is straightforward: the port given in the destination-port statement (80) is redirected to the port given in the mapped-port statement (8080) on the host named as the static-nat prefix. Two things have to be in place for this to work. Your security policy must permit the traffic, and because policy lookup happens after static NAT, the policy matches on the translated (private) destination address, 172.17.11.5, not on the public one. And if the public address is on the subnet of the external interface but is not the interface's own address, proxy-ARP must be configured for it so the SRX answers ARP requests for 144.122.211.3. With those two in place, the config below is sufficient for port forwarding.
root@srx# show security nat
static {
    rule-set rs1 {
        from interface reth0.0;
        rule rl1 {
            match {
                destination-address 144.122.211.3/32;
                destination-port 80;
            }
            then {
                static-nat {
                    prefix {
                        172.17.11.5/32;
                        mapped-port 8080;
                    }
                }
            }
        }
    }
}
When you are dealing with NAT on the SRX, always keep in mind the order of NAT operations: 1) STATIC -> 2) DESTINATION -> 3) SOURCE.
Static is first in the chain, and it wins: a packet matched by a static NAT rule is not evaluated against the destination NAT rule base, and the reverse mapping of a static rule (the inside host's source address being rewritten to the public address) takes precedence over source NAT rules. Security policy lookup sits between stage 2 and stage 3, which is why policies see the translated destination address but the original source address. The stages are independent, so you can for example change the destination IP address of a packet in the static stage and, right after that, modify the source address of the very same packet in the source NAT stage.
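To make the order of operations concrete, here is a small model of the three NAT stages as an added example (it is not Junos code and not from the original post). The static rule mirrors rl1 above; the destination NAT rule `dnat-any`, the source NAT rule `egress`, and the client address 203.0.113.10 are constructed for illustration. It shows that a packet to 144.122.211.3:80 is consumed by the static rule and never reaches destination NAT, that a packet to another port on the same address falls through to destination NAT, and that the reverse static mapping rewrites the inside host's source address and suppresses source NAT.

```python
"""Model of SRX NAT evaluation order: static -> destination -> source.

Added example, not Junos code. The static rule mirrors rl1 from the post;
the destination/source rules and the client address are constructed.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class StaticRule:
    """static-nat: bidirectional one-to-one mapping with optional port mapping."""
    name: str
    match_dst: str               # destination-address (a host /32 here)
    match_dport: Optional[int]   # destination-port, None = any port
    prefix: str                  # then static-nat prefix
    mapped_port: Optional[int]   # mapped-port, None = keep the port

    def forward(self, pkt: Packet) -> Optional[Packet]:
        """Inbound direction: rewrite the destination address/port."""
        if pkt.dst != self.match_dst:
            return None
        if self.match_dport is not None and pkt.dport != self.match_dport:
            return None
        port = pkt.dport if self.mapped_port is None else self.mapped_port
        return replace(pkt, dst=self.prefix, dport=port)

    def reverse(self, pkt: Packet) -> Optional[Packet]:
        """Outbound direction: the inverse mapping acts as source NAT."""
        if pkt.src != self.prefix:
            return None
        if self.mapped_port is not None and pkt.sport != self.mapped_port:
            return None
        port = pkt.sport if self.match_dport is None else self.match_dport
        return replace(pkt, src=self.match_dst, sport=port)


@dataclass(frozen=True)
class DestRule:
    """destination-nat: rewrite the destination only, one direction."""
    name: str
    match_dst: str
    to_addr: str
    to_port: Optional[int]

    def apply(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst != self.match_dst:
            return None
        port = pkt.dport if self.to_port is None else self.to_port
        return replace(pkt, dst=self.to_addr, dport=port)


@dataclass(frozen=True)
class SourceRule:
    """source-nat: rewrite the source of traffic from a prefix."""
    name: str
    match_src: str               # e.g. "172.17.11.0/24"
    to_addr: str

    def apply(self, pkt: Packet) -> Optional[Packet]:
        if ip_address(pkt.src) not in ip_network(self.match_src):
            return None
        return replace(pkt, src=self.to_addr)


def translate(pkt: Packet, static: List[StaticRule], dnat: List[DestRule],
              snat: List[SourceRule]) -> Tuple[Packet, List[str]]:
    """Walk the three stages in SRX order and record which rules fired.

    A forward static hit suppresses destination NAT; a reverse static hit
    suppresses source NAT. First matching rule in each stage wins.
    """
    trace: List[str] = []
    static_fwd = static_rev = False
    for r in static:
        out = r.forward(pkt)
        if out is not None:
            pkt, static_fwd = out, True
            trace.append(f"static {r.name} (forward)")
            break
        out = r.reverse(pkt)
        if out is not None:
            pkt, static_rev = out, True
            trace.append(f"static {r.name} (reverse)")
            break
    if not static_fwd:
        for r in dnat:
            out = r.apply(pkt)
            if out is not None:
                pkt = out
                trace.append(f"destination {r.name}")
                break
    if not static_rev:
        for r in snat:
            out = r.apply(pkt)
            if out is not None:
                pkt = out
                trace.append(f"source {r.name}")
                break
    return pkt, trace


# rl1 from the post, plus two constructed rules for contrast.
STATIC = [StaticRule("rl1", "144.122.211.3", 80, "172.17.11.5", 8080)]
DNAT = [DestRule("dnat-any", "144.122.211.3", "10.0.0.9", None)]
SNAT = [SourceRule("egress", "172.17.11.0/24", "144.122.211.3")]

if __name__ == "__main__":
    for p in (Packet("203.0.113.10", 40000, "144.122.211.3", 80),
              Packet("203.0.113.10", 40000, "144.122.211.3", 443),
              Packet("172.17.11.5", 8080, "203.0.113.10", 40000)):
        print(translate(p, STATIC, DNAT, SNAT))
```

The model deliberately ignores the session table: on a real SRX the reply packets of an established session are translated from the session entry, not by a fresh rule lookup. The reverse static mapping matters for new sessions initiated by the inside host, which is the case the model's third packet represents.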
If you want the SET commands for this configuration, go to the [edit security nat] level on your device, paste the configuration after "load merge relative terminal" as shown below, and press Ctrl-D on a new line to finish the input. The "relative" keyword makes the pasted snippet relative to the current hierarchy level instead of the top of the configuration. Once the load completes, "show | display set" gives you the SET commands.
[edit security nat]
root@branchC# load merge relative terminal
[Type ^D at a new line to end input]
static {
    rule-set rs1 {
        from interface reth0.0;
        rule rl1 {
            match {
                destination-address 144.122.211.3/32;
                destination-port 80;
            }
            then {
                static-nat {
                    prefix {
                        172.17.11.5/32;
                        mapped-port 8080;
                    }
                }
            }
        }
    }
}
load complete

[edit security nat]
root@branchC# show | display set
set security nat static rule-set rs1 from interface reth0.0
set security nat static rule-set rs1 rule rl1 match destination-address 144.122.211.3/32
set security nat static rule-set rs1 rule rl1 match destination-port 80
set security nat static rule-set rs1 rule rl1 then static-nat prefix 172.17.11.5/32
set security nat static rule-set rs1 rule rl1 then static-nat prefix mapped-port 8080
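The same conversion can be done offline, which is handy when you want SET commands for a snippet from a ticket or a backup without loading it into a device first. The converter below is an added example and not part of the original post or of Junos; it flattens the curly-brace syntax the way "show | display set" does, given the hierarchy level the snippet is relative to. The sample input is the static NAT configuration from this post, and the function `to_set_commands` and its `base` parameter are names chosen here.

```python
"""Flatten Junos curly-brace configuration into `set` commands.

Added example, not Junos or the post's own code. Mirrors what
"show | display set" prints for a snippet captured at [edit <base>].
"""
import re
from typing import List

# A token is a double-quoted string, one of { } ; or a bare word.
_TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};]+')


def to_set_commands(config: str, base: str = "") -> List[str]:
    """Return the `set` commands equivalent to `config`.

    `base` is the hierarchy the snippet is relative to, e.g. "security nat"
    for a snippet shown at [edit security nat]; "" means the top level.
    Raises ValueError on unbalanced braces or a statement missing its ';'.
    """
    # Drop annotation lines such as "## Last changed: ..." that `show` emits.
    cleaned = "\n".join(line for line in config.splitlines()
                        if not line.lstrip().startswith("#"))
    path: List[str] = base.split()   # current hierarchy path
    depth: List[int] = []            # words pushed by each open brace
    buf: List[str] = []              # words of the statement being read
    out: List[str] = []
    for tok in _TOKEN.findall(cleaned):
        if tok == "{":
            if not buf:
                raise ValueError("'{' without a preceding keyword")
            path.extend(buf)
            depth.append(len(buf))
            buf = []
        elif tok == ";":
            out.append("set " + " ".join(path + buf))
            buf = []
        elif tok == "}":
            if buf:
                raise ValueError("statement missing ';' before '}'")
            if not depth:
                raise ValueError("unbalanced '}'")
            for _ in range(depth.pop()):
                path.pop()
        else:
            buf.append(tok)
    if depth or buf:
        raise ValueError("unterminated block or statement at end of input")
    return out


# The static NAT configuration from the post, as shown at [edit security nat].
PAGE_CONFIG = """
static {
    rule-set rs1 {
        from interface reth0.0;
        rule rl1 {
            match {
                destination-address 144.122.211.3/32;
                destination-port 80;
            }
            then {
                static-nat {
                    prefix {
                        172.17.11.5/32;
                        mapped-port 8080;
                    }
                }
            }
        }
    }
}
"""

if __name__ == "__main__":
    for line in to_set_commands(PAGE_CONFIG, "security nat"):
        print(line)
```

Running it prints the same five "set security nat static ..." lines the device produced above. Quoted values such as description "web servers" are kept as one token, and a snippet pasted with the wrong `base` simply yields commands under the wrong hierarchy, so check the first line of the output against the [edit ...] banner you copied it from.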
Happy port forwarding:)
Another awesome demo of the SRX capabilities. I’ve always used destination NAT because I wasn’t sure how static NAT would work with a single public WAN IP from my ISP on the internet-facing port. I thought static NAT needed additional WAN IPs to work, but this proves otherwise.
I’m a newbie with Junos and just starting to get hands-on with the CLI. I would greatly appreciate it if you could post the CLI commands to arrive at the above configuration. Thanks.
Hi Francis,
I have updated the post to show you how you can convert a configuration to SET based CLI commands. I think this will be more useful for you.
Cheers
Genco.
Hello Genco,
Thank you for updating the post. It worked like a charm.
Thanks!
Francis