Solved

Juniper SRX220 NAT assistance

Posted on 2016-09-27
Last Modified: 2016-11-20
I am trying to port forward traffic coming in on ports 8200-8203 to 10.0.0.250. I have tried using the web GUI but get errors; I must be missing a step. I then tried to connect with SSH via PuTTY but get the error "Command not found." when I attempt to type "configure" after entering the credentials. Insight on this would be nice... hopefully it is as simple as a setting I can change via the web GUI or paste into the CLI Editor. I'd rather not have to buy a serial adapter to connect to the console port (I misplaced the one I had for setup), so I was hoping that I could get a response with the edited config file that I can paste into the CLI Editor.

My attempt at configuration...can't get in via SSH to apply/test:
set pool dst-nat-pool-1 address 10.0.0.250 port 8200
set pool dst-nat-pool-1 address 10.0.0.250 port 8201
set pool dst-nat-pool-1 address 10.0.0.250 port 8202
set pool dst-nat-pool-1 address 10.0.0.250 port 8203

set rule-set rs1 from zone untrust
set rule-set rs1 rule r1 match destination-address 150.205.189.126
set rule-set rs1 rule r1 match destination-port 8200
set rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1

set rule-set rs1 rule r1 match destination-address 150.205.189.126
set rule-set rs1 rule r1 match destination-port 8201
set rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1

set rule-set rs1 rule r1 match destination-address 150.205.189.126
set rule-set rs1 rule r1 match destination-port 8202
set rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1

set rule-set rs1 rule r1 match destination-address 150.205.189.126
set rule-set rs1 rule r1 match destination-port 8203
set rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1

Config copied from CLI Editor
## Last changed: 2016-09-28 14:41:31 GMT-6
version 12.1X44-D35.5;
system {
    host-name CorpGateway;
    time-zone GMT-6;
    root-authentication {
        encrypted-password "[omitted]";
    }
    name-server {
        75.75.75.75;
        75.75.76.76;
        8.8.8.8;
        8.8.4.4;
    }
    name-resolution {
        no-resolve-on-input;
    }
    login {
[omitted]
    }
    services {
        ssh;
        telnet;
        web-management {
            http {
                interface ge-0/0/1.0;
            }
            https {
                system-generated-certificate;
                interface ge-0/0/1.0;
            }
            session {
                idle-timeout 60;
            }
        }
        dhcp {
            maximum-lease-time 259200;
            default-lease-time 172800;
            domain-name [omitted];
            name-server {
                75.75.75.75;
                8.8.8.8;
                75.75.76.76;
                8.8.4.4;
            }
            router {
                10.0.0.1;
            }
            pool 10.0.0.1/8 {
                address-range low 10.0.0.2 high 10.10.10.254;
                exclude-address {
                    10.0.0.250;
                    10.0.0.251;
                    10.0.0.252;
                    10.0.0.253;
                    10.0.0.254;
                }
            }
[omitted]
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server us.ntp.pool.org;
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 150.205.189.126/30;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.0.0.1/8;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 150.205.189.125;
    }
}
protocols {
    stp;
}
security {
    utm {
        [omitted]
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set nsw_srcnat {
                from zone Internal;
                to zone Internet;
                rule nsw-src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone Internal to-zone Internet {
            policy All_Internal_Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone Internal {
            screen untrust-screen;
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            dhcp;
                            http;
                            https;
                            ssh;
                            telnet;
                        }
                    }
                }
            }
        }
        security-zone Internet {
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
}
wlan;


0
Question by:Stormageddon
6 Comments
 
LVL 27

Expert Comment

by:Predrag Jovic
ID: 41819130
security
nat {
        source {
            rule-set nsw_srcnat {
                from zone Internal;
                to zone Internet;
                rule nsw-src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;

set rule-set rs1 rule r1 match destination-address 150.205.189.126
set rule-set rs1 rule r1 match destination-port 8201
set rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1
follow the lines as they are written:

set security nat source rule-set rs1 rule r1 match destination-address 150.205.189.126
Otherwise you will first have to position under proper configuration mode for commands to be issued:
[edit security nat source]
set rule-set rs1 from zone untrust
set rule-set rs1 to zone untrust
set rule-set rs1 rule r1 match destination-address 150.205.189.126
set rule-set rs1 rule r1 match destination-port 8200
set rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1

In CLI after login:
user@hostname%
you need to issue cli
user@hostname% cli
then you can issue the configure command
user@hostname> configure
[edit]
user@hostname# edit security nat source
[edit security nat source]
user@hostname#

Then you should be able to paste commands that you created
:)
0
 

Accepted Solution

by:
Stormageddon earned 0 total points
ID: 41830155
Thank you for your assistance, and sorry for my delay in getting back to you. I was out of the office and unable to test. Thanks to your guidance I was able to get in and paste the commands, but I ended up getting errors and overwriting the r1 rule each time a new line was processed, so I had to give each one a unique name. Just in case anyone else reads this who is not familiar with the command line: after "edit security nat source" I had to enter "load set terminal", then I could paste the commands in (Ctrl + D to end). I ended up calling Juniper support because traffic still did not flow. The support tech suggested that I reissue my commands as below (I added a few more ports to forward), but traffic is still not flowing:

set security nat destination pool dst-nat-pool-8016 address 10.0.0.250 port 8016
set security nat destination pool dst-nat-pool-8200 address 10.0.0.250 port 8200
set security nat destination pool dst-nat-pool-8201 address 10.0.0.250 port 8201
set security nat destination pool dst-nat-pool-8202 address 10.0.0.250 port 8202
set security nat destination pool dst-nat-pool-8203 address 10.0.0.250 port 8203
set security nat destination pool dst-nat-pool-8204 address 10.0.0.250 port 8204
set security nat destination pool dst-nat-pool-10088 address 10.0.0.250 port 10088
set security nat destination pool dst-nat-pool-12088 address 10.0.0.250 port 12088

set security nat destination rule-set rs1 from zone Internet

set security nat destination rule-set rs1 rule r8016 match destination-address 150.205.189.126
set security nat destination rule-set rs1 rule r8016 match destination-port 8016
set security nat destination rule-set rs1 rule r8016 then destination-nat pool dst-nat-pool-8016

set security nat destination rule-set rs1 rule r8200 match destination-address 150.205.189.126
set security nat destination rule-set rs1 rule r8200 match destination-port 8200
set security nat destination rule-set rs1 rule r8200 then destination-nat pool dst-nat-pool-8200

set security nat destination rule-set rs1 rule r8201 match destination-address 150.205.189.126
set security nat destination rule-set rs1 rule r8201 match destination-port 8201
set security nat destination rule-set rs1 rule r8201 then destination-nat pool dst-nat-pool-8201

set security nat destination rule-set rs1 rule r8202 match destination-address 150.205.189.126
set security nat destination rule-set rs1 rule r8202 match destination-port 8202
set security nat destination rule-set rs1 rule r8202 then destination-nat pool dst-nat-pool-8202

set security nat destination rule-set rs1 rule r8203 match destination-address 150.205.189.126
set security nat destination rule-set rs1 rule r8203 match destination-port 8203
set security nat destination rule-set rs1 rule r8203 then destination-nat pool dst-nat-pool-8203

set security nat destination rule-set rs1 rule r8204 match destination-address 150.205.189.126
set security nat destination rule-set rs1 rule r8204 match destination-port 8204
set security nat destination rule-set rs1 rule r8204 then destination-nat pool dst-nat-pool-8204

set security nat destination rule-set rs1 rule r10088 match destination-address 150.205.189.126
set security nat destination rule-set rs1 rule r10088 match destination-port 10088
set security nat destination rule-set rs1 rule r10088 then destination-nat pool dst-nat-pool-10088

set security nat destination rule-set rs1 rule r12088 match destination-address 150.205.189.126
set security nat destination rule-set rs1 rule r12088 match destination-port 12088
set security nat destination rule-set rs1 rule r12088 then destination-nat pool dst-nat-pool-12088


Edit: I just noticed I may have forgotten your line "set security nat source rule-set rs1 rule r1 match destination-address 150.205.189.126". But now with the rule name changes I don't have r1 but rather 8 rule names. Do I need to issue that command once with each rule name?
0
 
LVL 27

Expert Comment

by:Predrag Jovic
ID: 41830188
I don't know what your actual physical topology is, and without those details (and I don't know what you want to achieve) I did not even try to see what is actually configured in the firewall filter.

I was protected by SEP field in this matter.
;)
0

Author Comment

by:Stormageddon
ID: 41830193
In case you want to see what is now showing under NAT in the CLI Editor:

    nat {
        source {
            rule-set nsw_srcnat {
                from zone Internal;
                to zone Internet;
                rule nsw-src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool dst-nat-pool-8016 {
                address 10.0.0.250/32 port 8016;
            }
            pool dst-nat-pool-8200 {
                address 10.0.0.250/32 port 8200;
            }
            pool dst-nat-pool-8201 {
                address 10.0.0.250/32 port 8201;
            }
            pool dst-nat-pool-8202 {
                address 10.0.0.250/32 port 8202;
            }
            pool dst-nat-pool-8203 {
                address 10.0.0.250/32 port 8203;
            }
            pool dst-nat-pool-8204 {
                address 10.0.0.250/32 port 8204;
            }
            pool dst-nat-pool-10088 {
                address 10.0.0.250/32 port 10088;
            }
            pool dst-nat-pool-12088 {
                address 10.0.0.250/32 port 12088;
            }
            rule-set rs1 {
                from zone Internet;
                rule r8016 {
                    match {
                        destination-address 150.205.189.126/32;
                        destination-port 8016;
                    }
                    then {
                        destination-nat pool dst-nat-pool-8016;
                    }
                }
                rule r8200 {
                    match {
                        destination-address 150.205.189.126/32;
                        destination-port 8200;
                    }
                    then {
                        destination-nat pool dst-nat-pool-8200;
                    }
                }
                rule r8201 {
                    match {
                        destination-address 150.205.189.126/32;
                        destination-port 8201;
                    }
                    then {
                        destination-nat pool dst-nat-pool-8201;
                    }
                }
                rule r8202 {
                    match {
                        destination-address 150.205.189.126/32;
                        destination-port 8202;
                    }
                    then {
                        destination-nat pool dst-nat-pool-8202;
                    }
                }
                rule r8203 {
                    match {
                        destination-address 150.205.189.126/32;
                        destination-port 8203;
                    }
                    then {
                        destination-nat pool dst-nat-pool-8203;
                    }
                }
                rule r8204 {
                    match {
                        destination-address 150.205.189.126/32;
                        destination-port 8204;
                    }
                    then {
                        destination-nat pool dst-nat-pool-8204;
                    }
                }
                rule r10088 {
                    match {
                        destination-address 150.205.189.126/32;
                        destination-port 10088;
                    }
                    then {
                        destination-nat pool dst-nat-pool-10088;
                    }
                }
                rule r12088 {
                    match {
                        destination-address 150.205.189.126/32;
                        destination-port 12088;
                    }
                    then {
                        destination-nat pool dst-nat-pool-12088;
                    }
                }
            }
        }
    }

0
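The configuration posted above stalls at the point where many first SRX port forwards do: the NAT side is complete (pools, a rule-set from zone Internet, one rule per port), but the only security policy in the posted config is from-zone Internal to-zone Internet. On an SRX the policy lookup runs after destination NAT, so an inbound flow arrives at the policy stage with from-zone Internet and a destination of 10.0.0.250, which sits in zone Internal; with no permit for that zone pair it is dropped. The checker below is an added example written for this page, not a Juniper tool and not code posted by anyone in the thread. It parses `set`-style statements like the ones pasted above and reports the mistakes that came up in the thread (statements in the wrong hierarchy, a pool or rule name reused so later lines overwrite earlier ones, a from-zone such as `untrust` that does not exist in this config, an undefined pool) plus the missing zone-pair policy. The zone/subnet table, the sample statement lists and the policy name `Inbound_Forwards` are constructed here from the thread's configuration.

```python
"""Sanity checks for Junos SRX destination-NAT 'set' statements.

Added example for this thread, not a Juniper tool. It flags statements outside the
destination-NAT hierarchy, pool/rule names reused (later lines overwrite earlier ones),
a from-zone that is not configured, undefined pools, and a missing zone-pair policy.
"""
import ipaddress
import re

# Constructed from the thread's interface addressing and zone membership.
ZONE_NETWORKS = {
    "Internet": [ipaddress.ip_network("150.205.189.124/30")],
    "Internal": [ipaddress.ip_network("10.0.0.0/8")],
}

POOL_RE = re.compile(r"^set security nat destination pool (\S+) address (\S+)(?: port (\d+))?$")
FROM_RE = re.compile(r"^set security nat destination rule-set (\S+) from zone (\S+)$")
RULE_RE = re.compile(r"^set security nat destination rule-set (\S+) rule (\S+) "
                     r"(match destination-address|match destination-port|then destination-nat pool) (\S+)$")
POLICY_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy \S+ then permit$")


def zone_of(address, zone_networks):
    """Zone whose interface subnet contains `address` (any /prefix suffix is ignored)."""
    ip = ipaddress.ip_address(address.split("/")[0])
    return next((z for z, nets in zone_networks.items() if any(ip in n for n in nets)), None)


def expand(lines, edit_path=""):
    """Turn lines pasted at '[edit <edit_path>]' into absolute 'set' statements."""
    prefix = f"set {edit_path} " if edit_path else "set "
    return [prefix + line.strip()[4:] for line in lines if line.strip().startswith("set ")]


def check(lines, zone_networks=ZONE_NETWORKS):
    """Return human-readable findings for absolute 'set' statements; [] means clean."""
    pools, rulesets, policies, findings, missing = {}, {}, set(), [], set()
    new_ruleset = lambda: {"from": None, "rules": {}}
    for n, line in enumerate(lines, 1):
        if m := POOL_RE.match(line):
            if m[1] in pools and pools[m[1]] != (m[2], m[3]):
                findings.append(f"line {n}: pool {m[1]} already defined as {pools[m[1]]}; "
                                f"this line replaces it with {(m[2], m[3])}")
            pools[m[1]] = (m[2], m[3])
        elif m := FROM_RE.match(line):
            rulesets.setdefault(m[1], new_ruleset())["from"] = m[2]
        elif m := RULE_RE.match(line):
            rs, rule, key, val = m.groups()
            entry = rulesets.setdefault(rs, new_ruleset())["rules"].setdefault(rule, {})
            if key in entry and entry[key] != val:   # same rule name, new value: Junos overwrites
                findings.append(f"line {n}: rule-set {rs} rule {rule} already has '{key} {entry[key]}'; "
                                f"this line replaces it with '{val}'")
            entry[key] = val
        elif m := POLICY_RE.match(line):
            policies.add((m[1], m[2]))
        else:   # e.g. 'then destination-nat' pasted under security nat source, or no hierarchy at all
            findings.append(f"line {n}: not a destination-NAT or permit-policy statement: {line}")
    for rs, data in rulesets.items():
        if data["from"] is None:
            findings.append(f"rule-set {rs}: no 'from zone' configured")
        elif data["from"] not in zone_networks:
            findings.append(f"rule-set {rs}: from zone '{data['from']}' is not a configured security zone")
        for rule, entry in data["rules"].items():
            pool = entry.get("then destination-nat pool")
            if pool not in pools:
                findings.append(f"rule-set {rs} rule {rule}: pool '{pool}' is not defined")
                continue
            to_zone = zone_of(pools[pool][0], zone_networks)
            if data["from"] in zone_networks and to_zone and (data["from"], to_zone) not in policies:
                missing.add((data["from"], to_zone))
    # Policy lookup on the SRX happens after destination NAT, so the permit must
    # cover from-zone -> the zone of the translated (pool) address.
    findings += [f"no permit policy from-zone {f} to-zone {t}: traffic translated to the pool "
                 f"address is dropped at policy lookup" for f, t in sorted(missing)]
    return findings


def dnat_statements(ports, pool_for, rule_for):
    """One pool line and three rule lines per port, relative to [edit security nat destination]."""
    return [s for p in ports for s in (
        f"set pool {pool_for(p)} address 10.0.0.250 port {p}",
        f"set rule-set rs1 rule {rule_for(p)} match destination-address 150.205.189.126",
        f"set rule-set rs1 rule {rule_for(p)} match destination-port {p}",
        f"set rule-set rs1 rule {rule_for(p)} then destination-nat pool {pool_for(p)}")]


PORTS = [8016, 8200, 8201, 8202, 8203, 8204, 10088, 12088]

# Constructed sample: the support tech's version from the thread, one pool and rule per port.
SUPPORT_VERSION = expand(["set rule-set rs1 from zone Internet"] +
                         dnat_statements(PORTS, lambda p: f"dst-nat-pool-{p}", lambda p: f"r{p}"),
                         "security nat destination")

# Constructed sample: the question's first attempt, one pool and one rule name for all ports.
FIRST_ATTEMPT = expand(["set rule-set rs1 from zone untrust"] +
                       dnat_statements((8200, 8201, 8202, 8203), lambda p: "dst-nat-pool-1", lambda p: "r1"),
                       "security nat destination")

# Hypothetical policy name; only the zone pair matters to the check.
PERMIT_POLICY = "set security policies from-zone Internet to-zone Internal policy Inbound_Forwards then permit"
```

Run `check()` on a saved list of statements before pasting them at `[edit]`; `expand()` turns lines written relative to an `edit` hierarchy into absolute statements so the same checker covers both styles seen in the thread. The policy check only asks whether a permit exists for the zone pair; the policy actually committed should match only the forwarded destination address and the forwarded ports (an application or application-set for 8016, 8200-8204, 10088 and 12088) rather than `application any`. Statements the checker does not recognise are reported rather than guessed at, which is what happens to the `then destination-nat` lines that were pasted under `security nat source` earlier in the thread.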
 

Author Comment

by:Stormageddon
ID: 41830215
In regards to your comment: this is a flat network that has a machine on it that I can connect to internally via the ports listed above, but I need to access it from outside our network. I was trying to do port forwarding rather than a VPN because some of the devices that will be initiating communication with it are mobile phones, and I would have to set up the VPN on each of those. If I went that route I would still need to configure the VPN as well.
0
 

Author Closing Comment

by:Stormageddon
ID: 41894639
Worked for me, cc on file expired so I was not able to get back in to close question
0
