Solved

Juniper SRX220 NAT assistance

Posted on 2016-09-27
Last Modified: 2016-11-20
I am trying to port forward traffic coming in on ports 8200-8203 to 10.0.0.250. I have tried using the web GUI but get errors, so I must be missing a step. I then tried to connect with SSH via PuTTY but get the error "Command not found." when I type "configure" after entering the credentials. Insight on this would be nice... hopefully it is as simple as a setting I can change via the web GUI or paste into the CLI Editor. I'd rather not have to buy a serial adapter to connect to the console port (I misplaced the one I had for setup), so I was hoping I could get a response with the edited config file that I can paste into the CLI Editor.

My attempt at configuration...can't get in via SSH to apply/test:
set pool dst-nat-pool-1 address 10.0.0.250 port 8200
set pool dst-nat-pool-1 address 10.0.0.250 port 8201
set pool dst-nat-pool-1 address 10.0.0.250 port 8202
set pool dst-nat-pool-1 address 10.0.0.250 port 8203

set rule-set rs1 from zone untrust
set rule-set rs1 rule r1 match destination-address 150.205.189.126
set rule-set rs1 rule r1 match destination-port 8200
set rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1

set rule-set rs1 rule r1 match destination-address 150.205.189.126
set rule-set rs1 rule r1 match destination-port 8201
set rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1

set rule-set rs1 rule r1 match destination-address 150.205.189.126
set rule-set rs1 rule r1 match destination-port 8202
set rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1

set rule-set rs1 rule r1 match destination-address 150.205.189.126
set rule-set rs1 rule r1 match destination-port 8203
set rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1


Config copied from CLI Editor
## Last changed: 2016-09-28 14:41:31 GMT-6
version 12.1X44-D35.5;
system {
    host-name CorpGateway;
    time-zone GMT-6;
    root-authentication {
        encrypted-password "[omitted]";
    }
    name-server {
        75.75.75.75;
        75.75.76.76;
        8.8.8.8;
        8.8.4.4;
    }
    name-resolution {
        no-resolve-on-input;
    }
    login {
[omitted]
    }
    services {
        ssh;
        telnet;
        web-management {
            http {
                interface ge-0/0/1.0;
            }
            https {
                system-generated-certificate;
                interface ge-0/0/1.0;
            }
            session {
                idle-timeout 60;
            }
        }
        dhcp {
            maximum-lease-time 259200;
            default-lease-time 172800;
            domain-name [omitted];
            name-server {
                75.75.75.75;
                8.8.8.8;
                75.75.76.76;
                8.8.4.4;
            }
            router {
                10.0.0.1;
            }
            pool 10.0.0.1/8 {
                address-range low 10.0.0.2 high 10.10.10.254;
                exclude-address {
                    10.0.0.250;
                    10.0.0.251;
                    10.0.0.252;
                    10.0.0.253;
                    10.0.0.254;
                }
            }
[omitted]
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server us.ntp.pool.org;
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 150.205.189.126/30;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.0.0.1/8;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 150.205.189.125;
    }
}
protocols {
    stp;
}
security {
    utm {
        [omitted]
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set nsw_srcnat {
                from zone Internal;
                to zone Internet;
                rule nsw-src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone Internal to-zone Internet {
            policy All_Internal_Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone Internal {
            screen untrust-screen;
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            dhcp;
                            http;
                            https;
                            ssh;
                            telnet;
                        }
                    }
                }
            }
        }
        security-zone Internet {
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
}
wlan;

Question by:Stormageddon

6 Comments
LVL 26

Expert Comment

by:Predrag Jovic
ID: 41819130
security {
    nat {
        source {
            rule-set nsw_srcnat {
                from zone Internal;
                to zone Internet;
                rule nsw-src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;

set rule-set rs1 rule r1 match destination-address 150.205.189.126
set rule-set rs1 rule r1 match destination-port 8201
set rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1
follow the lines as they are written:

set security nat source rule-set rs1 rule r1 match destination-address 150.205.189.126
Otherwise you will first have to position under proper configuration mode for commands to be issued:
[edit security nat source]
set rule-set rs1 from zone untrust
set rule-set rs1 to zone untrust
set rule-set rs1 rule r1 match destination-address 150.205.189.126
set rule-set rs1 rule r1 match destination-port 8200
set rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1

In CLI after login:
user@hostname%
you need to issue cli
user@hostname% cli
then you can issue the configure command
user@hostname> configure
[edit]
user@hostname# edit security nat source
[edit security nat source]
user@hostname#

Then you should be able to paste commands that you created
:)

Accepted Solution

by:
Stormageddon earned 0 total points
ID: 41830155
Thank you for your assistance, and sorry for my delay in getting back to you. I was out of the office and unable to test. Thanks to your guidance I was able to get in and paste the commands, but I ended up getting errors and overwriting the r1 rule each time a new line was processed, so I had to give each a unique name. Just in case anyone else reads this who is not familiar with the command line: after "edit security nat source" I had to enter "load set terminal", then I could paste the commands in (Ctrl + D to end). I ended up calling Juniper support because traffic still did not flow. The support tech suggested that I reissue my commands as below (I added a few more ports to forward), but traffic is still not flowing:

set security nat destination pool dst-nat-pool-8016 address 10.0.0.250 port 8016
set security nat destination pool dst-nat-pool-8200 address 10.0.0.250 port 8200
set security nat destination pool dst-nat-pool-8201 address 10.0.0.250 port 8201
set security nat destination pool dst-nat-pool-8202 address 10.0.0.250 port 8202
set security nat destination pool dst-nat-pool-8203 address 10.0.0.250 port 8203
set security nat destination pool dst-nat-pool-8204 address 10.0.0.250 port 8204
set security nat destination pool dst-nat-pool-10088 address 10.0.0.250 port 10088
set security nat destination pool dst-nat-pool-12088 address 10.0.0.250 port 12088

set security nat destination rule-set rs1 from zone Internet

set security nat destination rule-set rs1 rule r8016 match destination-address 150.205.189.126
set security nat destination rule-set rs1 rule r8016 match destination-port 8016
set security nat destination rule-set rs1 rule r8016 then destination-nat pool dst-nat-pool-8016

set security nat destination rule-set rs1 rule r8200 match destination-address 150.205.189.126
set security nat destination rule-set rs1 rule r8200 match destination-port 8200
set security nat destination rule-set rs1 rule r8200 then destination-nat pool dst-nat-pool-8200

set security nat destination rule-set rs1 rule r8201 match destination-address 150.205.189.126
set security nat destination rule-set rs1 rule r8201 match destination-port 8201
set security nat destination rule-set rs1 rule r8201 then destination-nat pool dst-nat-pool-8201

set security nat destination rule-set rs1 rule r8202 match destination-address 150.205.189.126
set security nat destination rule-set rs1 rule r8202 match destination-port 8202
set security nat destination rule-set rs1 rule r8202 then destination-nat pool dst-nat-pool-8202

set security nat destination rule-set rs1 rule r8203 match destination-address 150.205.189.126
set security nat destination rule-set rs1 rule r8203 match destination-port 8203
set security nat destination rule-set rs1 rule r8203 then destination-nat pool dst-nat-pool-8203

set security nat destination rule-set rs1 rule r8204 match destination-address 150.205.189.126
set security nat destination rule-set rs1 rule r8204 match destination-port 8204
set security nat destination rule-set rs1 rule r8204 then destination-nat pool dst-nat-pool-8204

set security nat destination rule-set rs1 rule r10088 match destination-address 150.205.189.126
set security nat destination rule-set rs1 rule r10088 match destination-port 10088
set security nat destination rule-set rs1 rule r10088 then destination-nat pool dst-nat-pool-10088

set security nat destination rule-set rs1 rule r12088 match destination-address 150.205.189.126
set security nat destination rule-set rs1 rule r12088 match destination-port 12088
set security nat destination rule-set rs1 rule r12088 then destination-nat pool dst-nat-pool-12088


Edit: I just noticed I may have forgotten your line "set security nat source rule-set rs1 rule r1 match destination-address 150.205.189.126". But now with the rule name changes I don't have r1 but rather 8x rule names. Do I need to issue that command once with each rule name?
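An added check, not part of the thread and not Juniper's own tooling: a small Python script that emits the per-port destination NAT commands with unique rule names (the overwrite problem described above) together with the from-zone/to-zone security policy that Junos also needs before a translated flow is permitted, a step the commands above do not include; it then lints a list of set-commands for reused rule names and for zone names that are not defined on this box. The names fwd-host, tcp-<port> and THREAD_ATTEMPT are assumptions made for the example.

```python
import re
from collections import Counter

# Values taken from the thread: public address, forwarded host, defined zones.
PUBLIC_IP = "150.205.189.126"
INTERNAL_HOST = "10.0.0.250"
ZONES = {"Internal", "Internet"}
# Constructed: the shape of the question's first attempt (r1 reused, zone 'untrust').
THREAD_ATTEMPT = [
    "set rule-set rs1 from zone untrust",
    "set rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1",
    "set rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1",
]


def dnat_commands(ports, public_ip=PUBLIC_IP, host=INTERNAL_HOST,
                  from_zone="Internet", to_zone="Internal"):
    """Per-port pool and uniquely named rule, plus the security policy that
    must permit the translated flow (policy lookup sees the post-NAT host)."""
    rs = "set security nat destination rule-set rs1"
    cmds = [f"{rs} from zone {from_zone}",
            f"set security address-book global address fwd-host {host}/32"]
    apps = []
    for p in ports:
        pool, rule, app = f"dst-nat-pool-{p}", f"r{p}", f"tcp-{p}"
        cmds += [f"set security nat destination pool {pool} address {host}/32 port {p}",
                 f"{rs} rule {rule} match destination-address {public_ip}/32",
                 f"{rs} rule {rule} match destination-port {p}",
                 f"{rs} rule {rule} then destination-nat pool {pool}",
                 f"set applications application {app} protocol tcp destination-port {p}"]
        apps.append(app)
    # Least privilege: permit only the forwarded host and only the forwarded ports.
    pol = f"set security policies from-zone {from_zone} to-zone {to_zone} policy fwd-host"
    cmds += [f"{pol} match source-address any", f"{pol} match destination-address fwd-host"]
    cmds += [f"{pol} match application {a}" for a in apps]
    cmds.append(f"{pol} then permit")
    return cmds


RULE_RE = re.compile(r"rule-set (\S+) rule (\S+) then ")
ZONE_RE = re.compile(r"\b(?:from|to)[- ]zone (\S+)")


def lint(commands, zones=ZONES):
    """Flag a rule name reused inside one rule-set (later lines replace the
    earlier rule) and zone names that are not defined on the box."""
    findings = []
    names = Counter(m.groups() for m in map(RULE_RE.search, commands) if m)
    for (rs, rule), n in names.items():
        if n > 1:
            findings.append(f"rule {rule} defined {n} times in rule-set {rs}")
    for cmd in commands:
        for z in ZONE_RE.findall(cmd):
            if z not in zones:
                findings.append(f"unknown zone {z!r}; defined zones are {sorted(zones)}")
    return findings
```

Run lint() over a command list before pasting it into "load set terminal"; an empty result means no reused rule names and no unknown zones.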
LVL 26

Expert Comment

by:Predrag Jovic
ID: 41830188
I don't know what your actual physical topology is, and without those details, and without knowing what you want to achieve, I did not even try to see what is actually configured in the firewall filter.

I was protected by SEP field in this matter.
;)

Author Comment

by:Stormageddon
ID: 41830193
In case you want to see what is now showing under NAT in the CLI Editor:

    nat {
        source {
            rule-set nsw_srcnat {
                from zone Internal;
                to zone Internet;
                rule nsw-src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool dst-nat-pool-8016 {
                address 10.0.0.250/32 port 8016;
            }
            pool dst-nat-pool-8200 {
                address 10.0.0.250/32 port 8200;
            }
            pool dst-nat-pool-8201 {
                address 10.0.0.250/32 port 8201;
            }
            pool dst-nat-pool-8202 {
                address 10.0.0.250/32 port 8202;
            }
            pool dst-nat-pool-8203 {
                address 10.0.0.250/32 port 8203;
            }
            pool dst-nat-pool-8204 {
                address 10.0.0.250/32 port 8204;
            }
            pool dst-nat-pool-10088 {
                address 10.0.0.250/32 port 10088;
            }
            pool dst-nat-pool-12088 {
                address 10.0.0.250/32 port 12088;
            }
            rule-set rs1 {
                from zone Internet;
                rule r8016 {
                    match {
                        destination-address 150.205.189.126/32;
                        destination-port 8016;
                    }
                    then {
                        destination-nat pool dst-nat-pool-8016;
                    }
                }
                rule r8200 {
                    match {
                        destination-address 150.205.189.126/32;
                        destination-port 8200;
                    }
                    then {
                        destination-nat pool dst-nat-pool-8200;
                    }
                }
                rule r8201 {
                    match {
                        destination-address 150.205.189.126/32;
                        destination-port 8201;
                    }
                    then {
                        destination-nat pool dst-nat-pool-8201;
                    }
                }
                rule r8202 {
                    match {
                        destination-address 150.205.189.126/32;
                        destination-port 8202;
                    }
                    then {
                        destination-nat pool dst-nat-pool-8202;
                    }
                }
                rule r8203 {
                    match {
                        destination-address 150.205.189.126/32;
                        destination-port 8203;
                    }
                    then {
                        destination-nat pool dst-nat-pool-8203;
                    }
                }
                rule r8204 {
                    match {
                        destination-address 150.205.189.126/32;
                        destination-port 8204;
                    }
                    then {
                        destination-nat pool dst-nat-pool-8204;
                    }
                }
                rule r10088 {
                    match {
                        destination-address 150.205.189.126/32;
                        destination-port 10088;
                    }
                    then {
                        destination-nat pool dst-nat-pool-10088;
                    }
                }
                rule r12088 {
                    match {
                        destination-address 150.205.189.126/32;
                        destination-port 12088;
                    }
                    then {
                        destination-nat pool dst-nat-pool-12088;
                    }
                }
            }
        }
    }


Author Comment

by:Stormageddon
ID: 41830215
In regards to your comment. This is a flat network that has a machine on it that I can connect to internally via the ports listed above but I need it to access it from outside our network. I was trying to do port forwarding rather than a VPN because some of the devices that will be initiating communication with it are mobile phones and I would have to set up the VPN on each of those. If I went that route I would still need to configure the VPN as well.

Author Closing Comment

by:Stormageddon
ID: 41894639
Worked for me, cc on file expired so I was not able to get back in to close question