Hi,

DNAT is done before the policy match/route lookup. You need to allow x.x.x.x in the policy instead of y.y.y.y.

Regards,
Asad

On Nov 28, 2013, at 11:00 AM, Mohammad Khalil <eng.m...@gmail.com> wrote:

> Hi All
> I have an srx210h.
> I have a server with an IP address x.x.x.x and want to allow telnet access
> to it on a different port (I chose 3333), and assigned it the public IP
> address y.y.y.y
> But it seems not to be working.
>
> set security zones security-zone trust address-book address SERVER y.y.y.y/32
>
> set applications application TELNET_DNAT protocol tcp
> set applications application TELNET_DNAT destination-port 3333
>
> set security nat destination pool DNAT_POOL address y.y.y.y/32
> set security nat destination pool DNAT_POOL address port 23
>
> set security nat destination rule-set DNAT_RULE from zone untrust
>
> set security nat destination rule-set DNAT_RULE rule rule1 match destination-address x.x.x.x/32
> set security nat destination rule-set DNAT_RULE rule rule1 match destination-port 3333
> set security nat destination rule-set DNAT_RULE rule rule1 then destination-nat pool DNAT_POOL
>
> set security policies from-zone untrust to-zone trust policy DNAT_POLICY match source-address any
> set security policies from-zone untrust to-zone trust policy DNAT_POLICY match destination-address SERVER
> set security policies from-zone untrust to-zone trust policy DNAT_POLICY match application TELNET_DNAT
> set security policies from-zone untrust to-zone trust policy DNAT_POLICY then permit
>
> _______________________________________________
> juniper-nsp mailing list
> juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
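For reference, here is an added configuration example (not from either poster) that applies the ordering Asad describes: on the SRX the destination NAT rule is matched on the pre-NAT public address and port, while the security policy is evaluated afterwards against the translated address and port. It assumes, as the original post states, that x.x.x.x is the server's real address and y.y.y.y the public one; the object names are reused from the thread.

```junos
# Added example, not part of the thread. Assumes x.x.x.x = real server,
# y.y.y.y = public address, external port 3333 forwarded to telnet (23).

# Address-book entry holds the post-NAT (real) server address,
# because that is what the policy will see after translation.
set security zones security-zone trust address-book address SERVER x.x.x.x/32

# The pool is the translated destination: real address and real port.
set security nat destination pool DNAT_POOL address x.x.x.x/32 port 23

# The DNAT rule matches traffic as it arrives: public address, exposed port.
set security nat destination rule-set DNAT_RULE from zone untrust
set security nat destination rule-set DNAT_RULE rule rule1 match destination-address y.y.y.y/32
set security nat destination rule-set DNAT_RULE rule rule1 match destination-port 3333
set security nat destination rule-set DNAT_RULE rule rule1 then destination-nat pool DNAT_POOL

# Policy lookup happens after DNAT, so it matches the real address and the
# translated port: the predefined junos-telnet application (tcp/23), not a
# custom application on port 3333, which would never match post-NAT.
set security policies from-zone untrust to-zone trust policy DNAT_POLICY match source-address any
set security policies from-zone untrust to-zone trust policy DNAT_POLICY match destination-address SERVER
set security policies from-zone untrust to-zone trust policy DNAT_POLICY match application junos-telnet
set security policies from-zone untrust to-zone trust policy DNAT_POLICY then permit
```

After commit, `show security nat destination rule all` shows whether rule1 is getting translation hits, and `show security flow session` shows the inbound wing on port 3333 with the outbound wing to x.x.x.x on port 23.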