
Juniper SRX and Port translation

My videocon system is connected and is assigned a private IP in the DMZ (192.168.200.200).
My public IP for this videocon is known as 1.1.1.1 (for example).

I want to open and redirect to 192.168.200.200: ports tcp 3230 to 3231, udp 3230 to 3235, and port tcp/udp 1720.

Can you give me the config in order to call outside and be called from outside?

Thanks guys!
Asked by: emauduit
1 Solution
 
mindwiseCommented:
Hi Ema,

The inbound NAT config could look like this:


set security nat destination pool videocon address 192.168.200.200/32
set security nat destination rule-set to-videocon from zone untrust
set security nat destination rule-set to-videocon rule vcu-1 match destination-address 1.1.1.1/32
set security nat destination rule-set to-videocon rule vcu-1 match destination-port 3230
set security nat destination rule-set to-videocon rule vcu-1 match protocol udp
set security nat destination rule-set to-videocon rule vcu-1 then destination-nat pool videocon
set security nat destination rule-set to-videocon rule vcu-2 match destination-address 1.1.1.1/32
set security nat destination rule-set to-videocon rule vcu-2 match destination-port 3231
set security nat destination rule-set to-videocon rule vcu-2 match protocol udp
set security nat destination rule-set to-videocon rule vcu-2 then destination-nat pool videocon
set security nat destination rule-set to-videocon rule vcu-3 match destination-address 1.1.1.1/32
set security nat destination rule-set to-videocon rule vcu-3 match destination-port 3232
set security nat destination rule-set to-videocon rule vcu-3 match protocol udp
set security nat destination rule-set to-videocon rule vcu-3 then destination-nat pool videocon
set security nat destination rule-set to-videocon rule vcu-4 match destination-address 1.1.1.1/32
set security nat destination rule-set to-videocon rule vcu-4 match destination-port 3233
set security nat destination rule-set to-videocon rule vcu-4 match protocol udp
set security nat destination rule-set to-videocon rule vcu-4 then destination-nat pool videocon
set security nat destination rule-set to-videocon rule vcu-5 match destination-address 1.1.1.1/32
set security nat destination rule-set to-videocon rule vcu-5 match destination-port 3234
set security nat destination rule-set to-videocon rule vcu-5 match protocol udp
set security nat destination rule-set to-videocon rule vcu-5 then destination-nat pool videocon
set security nat destination rule-set to-videocon rule vcu-6 match destination-address 1.1.1.1/32
set security nat destination rule-set to-videocon rule vcu-6 match destination-port 3235
set security nat destination rule-set to-videocon rule vcu-6 match protocol udp
set security nat destination rule-set to-videocon rule vcu-6 then destination-nat pool videocon
set security nat destination rule-set to-videocon rule vcu-7 match destination-address 1.1.1.1/32
set security nat destination rule-set to-videocon rule vcu-7 match destination-port 3231
set security nat destination rule-set to-videocon rule vcu-7 match protocol udp
set security nat destination rule-set to-videocon rule vcu-7 then destination-nat pool videocon
set security nat destination rule-set to-videocon rule vct-1 match destination-address 1.1.1.1/32
set security nat destination rule-set to-videocon rule vct-1 match destination-port 3230
set security nat destination rule-set to-videocon rule vct-1 match protocol tcp
set security nat destination rule-set to-videocon rule vct-1 then destination-nat pool videocon
set security nat destination rule-set to-videocon rule vct-2 match destination-address 1.1.1.1/32
set security nat destination rule-set to-videocon rule vct-2 match destination-port 3231
set security nat destination rule-set to-videocon rule vct-2 match protocol tcp
set security nat destination rule-set to-videocon rule vct-2 then destination-nat pool videocon
set security nat destination rule-set to-videocon rule vcu-8 match destination-address 1.1.1.1/32
set security nat destination rule-set to-videocon rule vcu-8 match destination-port 1720
set security nat destination rule-set to-videocon rule vcu-8 match protocol udp
set security nat destination rule-set to-videocon rule vcu-8 then destination-nat pool videocon
set security nat destination rule-set to-videocon rule vct-3 match destination-address 1.1.1.1/32
set security nat destination rule-set to-videocon rule vct-3 match destination-port 1720
set security nat destination rule-set to-videocon rule vct-3 match protocol tcp
set security nat destination rule-set to-videocon rule vct-3 then destination-nat pool videocon


That is, presuming you are using an untrust zone....

You'd still need a policy to allow traffic to 192.168.200.200 on the ports you've given...!!

And outbound, I think by default 192.168.200.200 will be "PAT-ed" (source port translation)... I'm not sure if that will break the calls or not...

Depending on the number of public IP addresses you have, you might want to consider doing static NAT.

I hope this helps....

/M
emauduitAuthor Commented:
Good. Yes Mindwise, static NAT would be great. How can I do that? Is it an addition, or does it change what you suggest here?
Thanks M
mindwiseCommented:
Hi Emauduit,

It completely changes the above; if you entered all that, you can delete it with:

delete security nat destination rule-set to-videocon

You will need more than one public IP to really do static NAT to your videocon (I mean for other stuff like email etc.)....

In any case, the static NAT would look like this:


set security nat static rule-set vidconf from zone untrust
set security nat static rule-set vidconf rule vc-1 match destination-address 1.1.1.1/32
set security nat static rule-set vidconf rule vc-1 then static-nat prefix 192.168.200.200/32

The security policy needed is the same as for the destination-nat example, assuming the VC is in the DMZ:

Application:

set applications application VideoConf-udp-1 protocol udp
set applications application VideoConf-udp-1 destination-port 3230-3235
set applications application VideoConf-udp-2 protocol udp
set applications application VideoConf-udp-2 destination-port 1720
set applications application VideoConf-tcp-1 protocol tcp
set applications application VideoConf-tcp-1 destination-port 3230-3231
set applications application VideoConf-tcp-2 protocol tcp
set applications application VideoConf-tcp-2 destination-port 1720
set applications application-set VideoConf application VideoConf-udp-1
set applications application-set VideoConf application VideoConf-udp-2
set applications application-set VideoConf application VideoConf-tcp-1
set applications application-set VideoConf application VideoConf-tcp-2


Then the address for the policy:

set security zones security-zone dmz address-book address VC 192.168.200.200/32

And the policy itself:

set security policies from-zone untrust to-zone dmz policy to-VC match source-address any
set security policies from-zone untrust to-zone dmz policy to-VC match destination-address VC
set security policies from-zone untrust to-zone dmz policy to-VC match application VideoConf
set security policies from-zone untrust to-zone dmz policy to-VC then permit
set security policies from-zone untrust to-zone dmz policy to-VC then log session-init



Please substitute my "dmz" with however you've named your DMZ to prevent commit errors.

I hope this gets you underway... I did not include a policy to allow the VC server to initiate sessions to the outside AND

Please note that sometimes a VC server (or phone, whatever) will use its internal IP in the SIP protocol... if it does not work, then perhaps in the config of the IP phone software you have to detail which NAT address you are using (I am not sure about this)...

Kr,

M
emauduitAuthor Commented:
Thanks Mindwise! I will test this and let you know Monday or Thursday. Thanks!

To make it just great, do you know how to allow the VC to initiate calls to an outside IP?
mindwiseCommented:
Sure,

Again, replace my "dmz" with how you have it; you just reverse the policy direction as follows:

set security policies from-zone dmz to-zone untrust policy from-VC match source-address VC
set security policies from-zone dmz to-zone untrust policy from-VC match destination-address any
set security policies from-zone dmz to-zone untrust policy from-VC match application VideoConf
set security policies from-zone dmz to-zone untrust policy from-VC then permit
set security policies from-zone dmz to-zone untrust policy from-VC then log session-init


I hope this gets you underway, enjoy the remainder of the weekend.
emauduitAuthor Commented:
Hi mindwise

I tested your config. But I got the following error on commit:

[edit security zones security-zone DMZ address-book]
  'address VC'
    Invalid address entry
error: configuration check-out failed

Here is the DMZ address-book. Any idea?

root@SRX210# show security zones security-zone DMZ address-book
address net_192-168-200-0--24 192.168.200.0/24;
address VC 192.168.200.200/24;
address-set DMZ_Net {
    address net_192-168-200-0--24;
}
mindwiseCommented:
Hmm, I'm not sure... I posted the set commands from a committed config ;s

I take it you changed my 'dmz' to the upper-case DMZ you've got configured?

In any case, I see you've already got some entries in the DMZ address book, so just add an address for the 192.168.200.200 host (so with a /32, not the /24 it's somehow using now).

No need to follow my example to the letter; you may of course use definitions that make sense to you... I'm sure you'll get it sorted, and otherwise there's always the Web UI :)

Keep us posted, thanks.
mindwiseCommented:
Oh, btw, on the next commit error, please add the output of "show | compare"; then we can see the syntax better (though since you pasted the syntax, I'm sure it's immaculate ;p)

/M
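The set commands from this thread (the per-port destination NAT in the first answer, the static NAT that replaces it, the application set, the /32 address-book entry and both policy directions), rendered by an added Python helper of my own, not code from the thread or from Juniper. It expands the port ranges so no port is listed twice, and it refuses a host address whose mask is not /32, which is the mistake behind the 'Invalid address entry' commit error above; function names, the rule-set names and the VIDEOCON_PORTS spec are my assumptions built from the question.

```python
import ipaddress

# Port requirements from the question: (protocol, first port, last port)
VIDEOCON_PORTS = [("tcp", 3230, 3231), ("udp", 3230, 3235),
                  ("tcp", 1720, 1720), ("udp", 1720, 1720)]

def host_prefix(addr):
    """Return a single-host entry as a /32. 192.168.200.200/24 has host bits set,
    which is why the poster's commit failed; a real /24 network is rejected too."""
    net = ipaddress.ip_network(addr, strict=True)  # ValueError if host bits are set
    if net.prefixlen != 32:
        raise ValueError(f"{addr} is a network, not a host; use /32")
    return str(net)

def destination_nat(public_ip, private_ip, ports, zone="untrust"):
    """One rule per (protocol, port), expanded from the ranges so none repeats."""
    rs = "set security nat destination rule-set to-videocon"
    lines = [f"set security nat destination pool videocon address {host_prefix(private_ip)}",
             f"{rs} from zone {zone}"]
    wanted = sorted({(proto, p) for proto, lo, hi in ports for p in range(lo, hi + 1)})
    for n, (proto, port) in enumerate(wanted, 1):
        rule = f"{rs} rule vc{proto[0]}-{n}"  # vct-N / vcu-N, as in the thread
        lines += [f"{rule} match destination-address {host_prefix(public_ip)}",
                  f"{rule} match destination-port {port}",
                  f"{rule} match protocol {proto}",
                  f"{rule} then destination-nat pool videocon"]
    return lines

def static_nat(public_ip, private_ip, zone="untrust"):
    rs = "set security nat static rule-set vidconf"  # replaces the whole destination rule-set
    return [f"{rs} from zone {zone}",
            f"{rs} rule vc-1 match destination-address {host_prefix(public_ip)}",
            f"{rs} rule vc-1 then static-nat prefix {host_prefix(private_ip)}"]

def policies(private_ip, ports, dmz="dmz"):
    """Application set, /32 address-book entry and both policy directions."""
    lines = []
    for n, (proto, lo, hi) in enumerate(ports, 1):
        app, rng = f"VideoConf-{proto}-{n}", (f"{lo}-{hi}" if lo != hi else str(lo))
        lines += [f"set applications application {app} protocol {proto}",
                  f"set applications application {app} destination-port {rng}",
                  f"set applications application-set VideoConf application {app}"]
    lines.append(f"set security zones security-zone {dmz} address-book address VC {host_prefix(private_ip)}")
    for frm, to, name, src, dst in (("untrust", dmz, "to-VC", "any", "VC"),
                                    (dmz, "untrust", "from-VC", "VC", "any")):
        pol = f"set security policies from-zone {frm} to-zone {to} policy {name}"
        lines += [f"{pol} match source-address {src}", f"{pol} match destination-address {dst}",
                  f"{pol} match application VideoConf", f"{pol} then permit",
                  f"{pol} then log session-init"]
    return lines
```

Pass the zone name actually configured on the box (here "DMZ", upper case) as `dmz`, and the generated address-book line will carry the /32 that the commit requires.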