emauduit


Juniper SRX and Port translation

My videocon system is assigned a private IP in the DMZ (192.168.200.200).
My public IP for this videocon is known as 1.1.1.1 (for example).

I want to open and redirect to 192.168.200.200:
 ports tcp 3230 to 3231, udp 3230 to 3235, and port tcp/udp 1720

Can you give me the config in order to call outside and be called from outside?

Thanks guys!
mindwise

Hi Ema,

The inbound nat config could look like this:


set security nat destination pool videocon address 192.168.200.200/32
set security nat destination rule-set to-videocon from zone untrust
set security nat destination rule-set to-videocon rule vcu-1 match destination-address 1.1.1.1/32
set security nat destination rule-set to-videocon rule vcu-1 match destination-port 3230
set security nat destination rule-set to-videocon rule vcu-1 match protocol udp
set security nat destination rule-set to-videocon rule vcu-1 then destination-nat pool videocon
set security nat destination rule-set to-videocon rule vcu-2 match destination-address 1.1.1.1/32
set security nat destination rule-set to-videocon rule vcu-2 match destination-port 3231
set security nat destination rule-set to-videocon rule vcu-2 match protocol udp
set security nat destination rule-set to-videocon rule vcu-2 then destination-nat pool videocon
set security nat destination rule-set to-videocon rule vcu-3 match destination-address 1.1.1.1/32
set security nat destination rule-set to-videocon rule vcu-3 match destination-port 3232
set security nat destination rule-set to-videocon rule vcu-3 match protocol udp
set security nat destination rule-set to-videocon rule vcu-3 then destination-nat pool videocon
set security nat destination rule-set to-videocon rule vcu-4 match destination-address 1.1.1.1/32
set security nat destination rule-set to-videocon rule vcu-4 match destination-port 3233
set security nat destination rule-set to-videocon rule vcu-4 match protocol udp
set security nat destination rule-set to-videocon rule vcu-4 then destination-nat pool videocon
set security nat destination rule-set to-videocon rule vcu-5 match destination-address 1.1.1.1/32
set security nat destination rule-set to-videocon rule vcu-5 match destination-port 3234
set security nat destination rule-set to-videocon rule vcu-5 match protocol udp
set security nat destination rule-set to-videocon rule vcu-5 then destination-nat pool videocon
set security nat destination rule-set to-videocon rule vcu-6 match destination-address 1.1.1.1/32
set security nat destination rule-set to-videocon rule vcu-6 match destination-port 3235
set security nat destination rule-set to-videocon rule vcu-6 match protocol udp
set security nat destination rule-set to-videocon rule vcu-6 then destination-nat pool videocon
set security nat destination rule-set to-videocon rule vcu-7 match destination-address 1.1.1.1/32
set security nat destination rule-set to-videocon rule vcu-7 match destination-port 3231
set security nat destination rule-set to-videocon rule vcu-7 match protocol udp
set security nat destination rule-set to-videocon rule vcu-7 then destination-nat pool videocon
set security nat destination rule-set to-videocon rule vct-1 match destination-address 1.1.1.1/32
set security nat destination rule-set to-videocon rule vct-1 match destination-port 3230
set security nat destination rule-set to-videocon rule vct-1 match protocol tcp
set security nat destination rule-set to-videocon rule vct-1 then destination-nat pool videocon
set security nat destination rule-set to-videocon rule vct-2 match destination-address 1.1.1.1/32
set security nat destination rule-set to-videocon rule vct-2 match destination-port 3231
set security nat destination rule-set to-videocon rule vct-2 match protocol tcp
set security nat destination rule-set to-videocon rule vct-2 then destination-nat pool videocon
set security nat destination rule-set to-videocon rule vcu-8 match destination-address 1.1.1.1/32
set security nat destination rule-set to-videocon rule vcu-8 match destination-port 1720
set security nat destination rule-set to-videocon rule vcu-8 match protocol udp
set security nat destination rule-set to-videocon rule vcu-8 then destination-nat pool videocon
set security nat destination rule-set to-videocon rule vct-3 match destination-address 1.1.1.1/32
set security nat destination rule-set to-videocon rule vct-3 match destination-port 1720
set security nat destination rule-set to-videocon rule vct-3 match protocol tcp
set security nat destination rule-set to-videocon rule vct-3 then destination-nat pool videocon


That is, presuming you are using an untrust zone....

You'd still need a policy to allow traffic to 192.168.200.200 on the ports you've given... !!

And outbound, I think by default the 192.168.200.200 will be "PAT-ed" (source port translation)... I'm not sure if that will break the calls or not...

Depending on the number of public IP addresses you have, you might want to consider doing static NAT.

I hope this helps....

/M

ASKER

Good. Yes Mindwise, static NAT would be great. How can I do that? Is it an addition, or does it change what you suggest here?
Thanks M
Hi Emauduit,

It completely changes the above; if you entered all that, you can delete it with:

delete security nat destination rule-set to-videocon

You will need more than 1 public IP to really do static NAT to your videocon (I mean for other stuff like email etc.)....

In any case, the static NAT would look like this:


set security nat static rule-set vidconf from zone untrust
set security nat static rule-set vidconf rule vc-1 match destination-address 1.1.1.1/32
set security nat static rule-set vidconf rule vc-1 then static-nat prefix 192.168.200.200/32

The security policy needed is the same as for the destination-nat example, assuming the VC is in the DMZ:

application:

set applications application VideoConf-udp-1 protocol udp
set applications application VideoConf-udp-1 destination-port 3230-3235
set applications application VideoConf-udp-2 protocol udp
set applications application VideoConf-udp-2 destination-port 1720
set applications application VideoConf-tcp-1 protocol tcp
set applications application VideoConf-tcp-1 destination-port 3230-3231
set applications application VideoConf-tcp-2 protocol tcp
set applications application VideoConf-tcp-2 destination-port 1720
set applications application-set VideoConf application VideoConf-udp-1
set applications application-set VideoConf application VideoConf-udp-2
set applications application-set VideoConf application VideoConf-tcp-1
set applications application-set VideoConf application VideoConf-tcp-2


Then the address for the policy:

set security zones security-zone dmz address-book address VC 192.168.200.200/32

And the policy itself:

set security policies from-zone untrust to-zone dmz policy to-VC match source-address any
set security policies from-zone untrust to-zone dmz policy to-VC match destination-address VC
set security policies from-zone untrust to-zone dmz policy to-VC match application VideoConf
set security policies from-zone untrust to-zone dmz policy to-VC then permit
set security policies from-zone untrust to-zone dmz policy to-VC then log session-init



Please substitute my "dmz" with however you've named your DMZ to prevent 'commit errors'.

I hope this gets you underway... I did not include a policy to allow the VC server to initiate sessions to the outside AND

Please note that sometimes a VC server (or phone, whatever) will use its internal IP in the SIP protocol... if it does not work, then perhaps in the config of the IP phone software you have to detail which NAT address you are using (I am not sure about this)...

Kr,

M

Thanks Mindwise! I will test this and let you know Monday or Thursday. Thanks!

To make it just great, do you know how to allow the VC to initiate calls to outside IPs?
Sure,

Again, replace my "dmz" with how you have it; you just reverse the policy direction as follows:

set security policies from-zone dmz to-zone untrust policy from-VC match source-address VC
set security policies from-zone dmz to-zone untrust policy from-VC match destination-address any
set security policies from-zone dmz to-zone untrust policy from-VC match application VideoConf
set security policies from-zone dmz to-zone untrust policy from-VC then permit
set security policies from-zone dmz to-zone untrust policy from-VC then log session-init


I hope this gets you underway, enjoy the remainder of the weekend.
Hi Mindwise,

I tested your config. But I got the following error on commit:

[edit security zones security-zone DMZ address-book]
  'address VC'
    Invalid address entry
error: configuration check-out failed

Here is the DMZ address-book. Any idea?

root@SRX210# show security zones security-zone DMZ address-book
address net_192-168-200-0--24 192.168.200.0/24;
address VC 192.168.200.200/24;
address-set DMZ_Net {
    address net_192-168-200-0--24;
}
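As an added example (my own code, not posted by anyone in this thread and not a Junos tool): a small Python lint over the `set` lines that appear above. It does two things. First, it runs every `a.b.c.d/n` token through `ipaddress.ip_network(..., strict=True)`, which rejects a prefix with host bits set under its mask; the `address VC 192.168.200.200/24` entry in the commit-error post fails that check while the `/32` entries and `192.168.200.0/24` pass. The accepted solution is not visible on this page, so tying the "Invalid address entry" message to that mask is my reading of the error, not the thread's. Second, it checks that the destination-NAT rules from the first answer cover the ports the asker listed (tcp 3230-3231, udp 3230-3235, tcp/udp 1720) and reports any port/protocol pair matched by more than one rule, which surfaces that `vcu-7` repeats `vcu-2` (udp 3231). `SAMPLE_CONFIG` is an abridged, constructed copy of the posted lines (only the port and protocol lines of each rule are kept); `find_bad_prefixes`, `nat_rule_matches`, `coverage` and `REQUIRED` are names I chose.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample, abridged from the thread: the destination-NAT rules of the
# first answer reduced to their port/protocol lines, plus the asker's DMZ
# address-book entries as shown in the commit-error post.
SAMPLE_CONFIG = """\
set security nat destination pool videocon address 192.168.200.200/32
set security nat destination rule-set to-videocon rule vcu-1 match destination-port 3230
set security nat destination rule-set to-videocon rule vcu-1 match protocol udp
set security nat destination rule-set to-videocon rule vcu-2 match destination-port 3231
set security nat destination rule-set to-videocon rule vcu-2 match protocol udp
set security nat destination rule-set to-videocon rule vcu-3 match destination-port 3232
set security nat destination rule-set to-videocon rule vcu-3 match protocol udp
set security nat destination rule-set to-videocon rule vcu-4 match destination-port 3233
set security nat destination rule-set to-videocon rule vcu-4 match protocol udp
set security nat destination rule-set to-videocon rule vcu-5 match destination-port 3234
set security nat destination rule-set to-videocon rule vcu-5 match protocol udp
set security nat destination rule-set to-videocon rule vcu-6 match destination-port 3235
set security nat destination rule-set to-videocon rule vcu-6 match protocol udp
set security nat destination rule-set to-videocon rule vcu-7 match destination-port 3231
set security nat destination rule-set to-videocon rule vcu-7 match protocol udp
set security nat destination rule-set to-videocon rule vct-1 match destination-port 3230
set security nat destination rule-set to-videocon rule vct-1 match protocol tcp
set security nat destination rule-set to-videocon rule vct-2 match destination-port 3231
set security nat destination rule-set to-videocon rule vct-2 match protocol tcp
set security nat destination rule-set to-videocon rule vcu-8 match destination-port 1720
set security nat destination rule-set to-videocon rule vcu-8 match protocol udp
set security nat destination rule-set to-videocon rule vct-3 match destination-port 1720
set security nat destination rule-set to-videocon rule vct-3 match protocol tcp
set security zones security-zone DMZ address-book address net_192-168-200-0--24 192.168.200.0/24
set security zones security-zone DMZ address-book address VC 192.168.200.200/24
"""

# The ports the asker wants forwarded: tcp 3230-3231, udp 3230-3235, tcp/udp 1720.
REQUIRED = (
    {("tcp", p) for p in range(3230, 3232)}
    | {("udp", p) for p in range(3230, 3236)}
    | {("tcp", 1720), ("udp", 1720)}
)

PREFIX_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\b")
RULE_PORT_RE = re.compile(r"\brule (\S+) match destination-port (\d+)\b")
RULE_PROTO_RE = re.compile(r"\brule (\S+) match protocol (tcp|udp)\b")


def find_bad_prefixes(config: str) -> list:
    """Return (prefix, reason) for every a.b.c.d/n token that is not a clean network.

    strict=True makes ipaddress reject an address with host bits set under its
    mask, which is exactly what a /24 on a single host address is.
    """
    bad = []
    for prefix in PREFIX_RE.findall(config):
        try:
            ipaddress.ip_network(prefix, strict=True)
        except ValueError as exc:
            bad.append((prefix, str(exc)))
    return bad


def nat_rule_matches(config: str) -> dict:
    """Map (protocol, port) to the names of the destination-NAT rules matching it."""
    ports = dict(RULE_PORT_RE.findall(config))    # rule name -> port string
    protos = dict(RULE_PROTO_RE.findall(config))  # rule name -> tcp/udp
    matches = defaultdict(list)
    for rule, port in ports.items():
        if rule in protos:                        # skip rules missing a protocol line
            matches[(protos[rule], int(port))].append(rule)
    return dict(matches)


def coverage(config: str, required=REQUIRED) -> tuple:
    """Return (required pairs no rule matches, pairs matched by more than one rule)."""
    matches = nat_rule_matches(config)
    missing = set(required) - set(matches)
    duplicates = {key: rules for key, rules in matches.items() if len(rules) > 1}
    return missing, duplicates


if __name__ == "__main__":
    for prefix, reason in find_bad_prefixes(SAMPLE_CONFIG):
        print(f"bad prefix {prefix}: {reason}")
    missing, duplicates = coverage(SAMPLE_CONFIG)
    print("missing:", sorted(missing))
    print("duplicates:", duplicates)
```

Run against the sample it reports the single bad prefix, no missing port/protocol pairs, and the udp 3231 pair matched by both `vcu-2` and `vcu-7`; the duplicate is harmless on the box (first match wins) but is the kind of leftover that makes a rule-set harder to audit, and the missing set is the check worth re-running after the rule-set is rewritten as static NAT plus a policy.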
ASKER CERTIFIED SOLUTION
mindwise

Oh, btw, on the next commit error, please add the output of "show | compare"; then we can see the syntax better (though since you pasted the syntax, I'm sure it's immaculate ;p )

/M