Stormageddon
asked on
Juniper SRX220 NAT assistance
I am trying to port forward traffic coming into ports 8200-8203 to route to 10.0.0.250. I have tried using the web gui but get errors, must be missing a step. I then tried to connect with SSH via Putty but get the error "Command not found." when I attempt to type "configure" after entering the credentials. Insight on this would be nice...hopefully that is simple as a setting I can change via web gui or paste into the CLI Editor. I'd rather not have to buy a serial adapter to connect to the console port (misplaced the one I had for setup) so I was hoping that I could get a response with the edited config file so I can paste into the CLI Editor.
My attempt at configuration...can't get in via SSH to apply/test:
Config copied from CLI Editor
My attempt at configuration...can't get in via SSH to apply/test:
set pool dst-nat-pool-1 address 10.0.0.250 port 8200
set pool dst-nat-pool-1 address 10.0.0.250 port 8201
set pool dst-nat-pool-1 address 10.0.0.250 port 8202
set pool dst-nat-pool-1 address 10.0.0.250 port 8203
set rule-set rs1 from zone untrust
set rule-set rs1 rule r1 match destination-address 150.205.189.126
set rule-set rs1 rule r1 match destination-port 8200
set rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1
set rule-set rs1 rule r1 match destination-address 150.205.189.126
set rule-set rs1 rule r1 match destination-port 8201
set rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1
set rule-set rs1 rule r1 match destination-address 150.205.189.126
set rule-set rs1 rule r1 match destination-port 8202
set rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1
set rule-set rs1 rule r1 match destination-address 150.205.189.126
set rule-set rs1 rule r1 match destination-port 8203
set rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1Config copied from CLI Editor
## Last changed: 2016-09-28 14:41:31 GMT-6
version 12.1X44-D35.5;
system {
host-name CorpGateway;
time-zone GMT-6;
root-authentication {
encrypted-password "[omitted]";
}
name-server {
75.75.75.75;
75.75.76.76;
8.8.8.8;
8.8.4.4;
}
name-resolution {
no-resolve-on-input;
}
login {
[omitted]
}
services {
ssh;
telnet;
web-management {
http {
interface ge-0/0/1.0;
}
https {
system-generated-certificate;
interface ge-0/0/1.0;
}
session {
idle-timeout 60;
}
}
dhcp {
maximum-lease-time 259200;
default-lease-time 172800;
domain-name [omitted];
name-server {
75.75.75.75;
8.8.8.8;
75.75.76.76;
8.8.4.4;
}
router {
10.0.0.1;
}
pool 10.0.0.1/8 {
address-range low 10.0.0.2 high 10.10.10.254;
exclude-address {
10.0.0.250;
10.0.0.251;
10.0.0.252;
10.0.0.253;
10.0.0.254;
}
}
[omitted]
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
ntp {
server us.ntp.pool.org;
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 150.205.189.126/30;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 10.0.0.1/8;
}
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 150.205.189.125;
}
}
protocols {
stp;
}
security {
utm {
[omitted]
}
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set nsw_srcnat {
from zone Internal;
to zone Internet;
rule nsw-src-interface {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone Internal to-zone Internet {
policy All_Internal_Internet {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone Internal {
screen untrust-screen;
interfaces {
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
ping;
dhcp;
http;
https;
ssh;
telnet;
}
}
}
}
}
security-zone Internet {
interfaces {
ge-0/0/0.0;
}
}
}
}
wlan;ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I don't know what is you actual physical topology and without those details and i don't know what you want to achieve so I did not even try to see what is actually configure in firewall filter.
I was protected by SEP field in this matter.
;)
I was protected by SEP field in this matter.
;)
ASKER
In case you want to see what is now showing under NAT in the CLI Editor:
nat {
source {
rule-set nsw_srcnat {
from zone Internal;
to zone Internet;
rule nsw-src-interface {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
destination {
pool dst-nat-pool-8016 {
address 10.0.0.250/32 port 8016;
}
pool dst-nat-pool-8200 {
address 10.0.0.250/32 port 8200;
}
pool dst-nat-pool-8201 {
address 10.0.0.250/32 port 8201;
}
pool dst-nat-pool-8202 {
address 10.0.0.250/32 port 8202;
}
pool dst-nat-pool-8203 {
address 10.0.0.250/32 port 8203;
}
pool dst-nat-pool-8204 {
address 10.0.0.250/32 port 8204;
}
pool dst-nat-pool-10088 {
address 10.0.0.250/32 port 10088;
}
pool dst-nat-pool-12088 {
address 10.0.0.250/32 port 12088;
}
rule-set rs1 {
from zone Internet;
rule r8016 {
match {
destination-address 150.205.189.126/32;
destination-port 8016;
}
then {
destination-nat pool dst-nat-pool-8016;
}
}
rule r8200 {
match {
destination-address 150.205.189.126/32;
destination-port 8200;
}
then {
destination-nat pool dst-nat-pool-8200;
}
}
rule r8201 {
match {
destination-address 150.205.189.126/32;
destination-port 8201;
}
then {
destination-nat pool dst-nat-pool-8201;
}
}
rule r8202 {
match {
destination-address 150.205.189.126/32;
destination-port 8202;
}
then {
destination-nat pool dst-nat-pool-8202;
}
}
rule r8203 {
match {
destination-address 150.205.189.126/32;
destination-port 8203;
}
then {
destination-nat pool dst-nat-pool-8203;
}
}
rule r8204 {
match {
destination-address 150.205.189.126/32;
destination-port 8204;
}
then {
destination-nat pool dst-nat-pool-8204;
}
}
rule r10088 {
match {
destination-address 150.205.189.126/32;
destination-port 10088;
}
then {
destination-nat pool dst-nat-pool-10088;
}
}
rule r12088 {
match {
destination-address 150.205.189.126/32;
destination-port 12088;
}
then {
destination-nat pool dst-nat-pool-12088;
}
}
}
}
}ASKER
In regards to your comment. This is a flat network that has a machine on it that I can connect to internally via the ports listed above but I need it to access it from outside our network. I was trying to do port forwarding rather than a VPN because some of the devices that will be initiating communication with it are mobile phones and I would have to set up the VPN on each of those. If I went that route I would still need to configure the VPN as well.
ASKER
Worked for me, cc on file expired so I was not able to get back in to close question
set security nat source rule-set rs1 rule r1 match destination-address 150.205.189.126
Otherwise you will first have to position under proper configuration mode for commands to be issued:
[edit security nat source]
set rule-set rs1 from zone untrust
set rule-set rs1 to zone untrust
set rule-set rs1 rule r1 match destination-address 150.205.189.126
set rule-set rs1 rule r1 match destination-port 8200
set rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1
In CLI after login:
user@hostname%
you need to issue cli
user@hostname% cli
than you can issue configure command
user@hostname> configure
[edit]
user@hostname# edit security nat source
[edit security nat source]
user@hostname#
Then you should be able to paste commands that you created
:)