set security policies from-zone untrust to-zone trust policy DNAT_POLICY match application junos-telnet

But I am already using 3333, right? And junos-telnet is supposed to work on 23?

On Thu, Nov 28, 2013 at 12:04 PM, Mohammad Khalil <eng.m...@gmail.com> wrote:
> Sorry but it did not work again
>
> set security zones security-zone trust address-book address ALTOS_SERVER 132.147.160.3/32
>
> set applications application TELNET_DNAT protocol tcp
> set applications application TELNET_DNAT destination-port 3333
>
> set security nat destination pool DNAT_POOL address 132.147.160.3/32
> set security nat destination pool DNAT_POOL address port 23
>
> set security nat destination rule-set DNAT_RULE from zone untrust
> set security nat destination rule-set DNAT_RULE rule rule1 match destination-address 24.173.164.162/32
> set security nat destination rule-set DNAT_RULE rule rule1 match destination-port 3333
> set security nat destination rule-set DNAT_RULE rule rule1 then destination-nat pool DNAT_POOL
>
> set security policies from-zone untrust to-zone trust policy DNAT_ALTOS_POLICY match source-address any
> set security policies from-zone untrust to-zone trust policy DNAT_ALTOS_POLICY match destination-address ALTOS_SERVER
> set security policies from-zone untrust to-zone trust policy DNAT_ALTOS_POLICY match application TELNET_DNAT
> set security policies from-zone untrust to-zone trust policy DNAT_ALTOS_POLICY then permit
>
> On Thu, Nov 28, 2013 at 11:56 AM, Per Westerlund <p...@westerlund.se> wrote:
>> I am sorry to say that I think it is almost correct. The policy rules are evaluated after destination NAT handling, where the destination port has already been translated. You should probably exchange:
>>
>> set security policies from-zone untrust to-zone trust policy DNAT_POLICY match application TELNET_DNAT
>>
>> for:
>>
>> set security policies from-zone untrust to-zone trust policy DNAT_POLICY match application junos-telnet
>>
>> /Per
>>
>> On 28 Nov 2013, at 09:48, Asad Raza <asadgard...@gmail.com> wrote:
>>
>> Actually your NAT pool config needs changes as well. Following is the correct config with changes highlighted:
>>
>> Assumption:
>>
>> Real (private) IP of server: x.x.x.x:23
>> Public (NAT) IP of server : y.y.y.y:3333
>>
>> set security zones security-zone trust address-book address SERVER x.x.x.x/32
>>
>> set applications application TELNET_DNAT protocol tcp
>> set applications application TELNET_DNAT destination-port 3333
>>
>> set security nat destination pool DNAT_POOL address x.x.x.x/32
>> set security nat destination pool DNAT_POOL address port 23
>>
>> set security nat destination rule-set DNAT_RULE from zone untrust
>>
>> set security nat destination rule-set DNAT_RULE rule rule1 match destination-address y.y.y.y/32
>> set security nat destination rule-set DNAT_RULE rule rule1 match destination-port 3333
>> set security nat destination rule-set DNAT_RULE rule rule1 then destination-nat pool DNAT_POOL
>>
>> set security policies from-zone untrust to-zone trust policy DNAT_POLICY match source-address any
>> set security policies from-zone untrust to-zone trust policy DNAT_POLICY match destination-address SERVER
>> set security policies from-zone untrust to-zone trust policy DNAT_POLICY match application TELNET_DNAT
>> set security policies from-zone untrust to-zone trust policy DNAT_POLICY then permit
>>
>> Hope it works now :)
>>
>> Regards,
>>
>> Asad
>>
>
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
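The point Per makes in the thread (destination NAT is applied before the security policy is looked up, so the policy must match the translated destination) is easiest to see with a small model of that order of operations. The following is an added example, not Junos configuration and not code from anyone in the thread: a simplified Python simulation of SRX session setup that runs the DNAT rule from the thread and then evaluates the policy, once with the custom TELNET_DNAT application (tcp/3333) and once with junos-telnet (tcp/23). It assumes the zones of the packet are given directly (on a real SRX the destination zone comes from a route lookup on the translated address) and uses a constructed client address, 203.0.113.10.

```python
# Added example (not Junos code, not from the juniper-nsp thread): a simplified
# model of SRX flow processing for destination NAT - translate first, then look
# the *translated* packet up against the security policy.
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_zone: str   # assumption: zones are given, not derived from a route lookup
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


# Application objects: the custom one defined in the thread and the built-in junos-telnet.
APPLICATIONS = {
    "TELNET_DNAT": ("tcp", 3333),
    "junos-telnet": ("tcp", 23),
    "any": None,
}

# Address book of zone trust, exactly as configured in the thread.
ADDRESS_BOOK = {
    "ALTOS_SERVER": ipaddress.ip_network("132.147.160.3/32"),
    "any": None,
}

# rule-set DNAT_RULE, rule1: public 24.173.164.162:3333 -> pool DNAT_POOL (132.147.160.3:23).
DNAT_RULES = [
    {
        "from_zone": "untrust",
        "match_dst": ipaddress.ip_network("24.173.164.162/32"),
        "match_port": 3333,
        "pool_ip": "132.147.160.3",
        "pool_port": 23,
    }
]


def apply_destination_nat(pkt, rules=DNAT_RULES):
    """Stage 1: rewrite destination IP and port when a DNAT rule matches."""
    for r in rules:
        if (pkt.src_zone == r["from_zone"]
                and ipaddress.ip_address(pkt.dst_ip) in r["match_dst"]
                and pkt.dst_port == r["match_port"]):
            return replace(pkt, dst_ip=r["pool_ip"], dst_port=r["pool_port"])
    return pkt


def policy_lookup(pkt, policies):
    """Stage 2: first-match policy lookup on the packet as it is *after* DNAT.
    Returns the name of the permitting policy, "deny" for an explicit deny,
    or "default-deny" when nothing matches."""
    for p in policies:
        if (p["from_zone"], p["to_zone"]) != (pkt.src_zone, pkt.dst_zone):
            continue
        dst_net = ADDRESS_BOOK[p["dst_addr"]]
        if dst_net is not None and ipaddress.ip_address(pkt.dst_ip) not in dst_net:
            continue
        app = APPLICATIONS[p["application"]]
        if app is not None and app != (pkt.proto, pkt.dst_port):
            continue
        return p["name"] if p["action"] == "permit" else "deny"
    return "default-deny"


def process(pkt, policies):
    """SRX order of operations (simplified): destination NAT, then policy."""
    return policy_lookup(apply_destination_nat(pkt), policies)


def make_policy(application):
    """The DNAT_ALTOS_POLICY from the thread, parameterised on its application."""
    return [{"name": "DNAT_ALTOS_POLICY", "from_zone": "untrust", "to_zone": "trust",
             "src_addr": "any", "dst_addr": "ALTOS_SERVER",
             "application": application, "action": "permit"}]


# Constructed sample packet: an Internet client connecting to the public IP on 3333.
INBOUND = Packet("untrust", "trust", "203.0.113.10", "24.173.164.162", "tcp", 3333)

if __name__ == "__main__":
    after_nat = apply_destination_nat(INBOUND)
    print(f"after DNAT the policy sees {after_nat.dst_ip}:{after_nat.dst_port}")
    print("policy application TELNET_DNAT (3333):", process(INBOUND, make_policy("TELNET_DNAT")))
    print("policy application junos-telnet (23):", process(INBOUND, make_policy("junos-telnet")))
```

With the policy matching TELNET_DNAT the translated packet (port 23) never matches and falls through to the default deny; with junos-telnet it is permitted. The same reasoning is why the policy's destination-address is the real server address (ALTOS_SERVER) rather than the public 24.173.164.162, as the thread's configuration already has it.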