Sorry, but it did not work again:

set security zones security-zone trust address-book address ALTOS_SERVER 132.147.160.3/32

set applications application TELNET_DNAT protocol tcp
set applications application TELNET_DNAT destination-port 3333

set security nat destination pool DNAT_POOL address 132.147.160.3/32
set security nat destination pool DNAT_POOL address port 23

set security nat destination rule-set DNAT_RULE from zone untrust
set security nat destination rule-set DNAT_RULE rule rule1 match destination-address 24.173.164.162/32
set security nat destination rule-set DNAT_RULE rule rule1 match destination-port 3333
set security nat destination rule-set DNAT_RULE rule rule1 then destination-nat pool DNAT_POOL

set security policies from-zone untrust to-zone trust policy DNAT_ALTOS_POLICY match source-address any
set security policies from-zone untrust to-zone trust policy DNAT_ALTOS_POLICY match destination-address ALTOS_SERVER
set security policies from-zone untrust to-zone trust policy DNAT_ALTOS_POLICY match application TELNET_DNAT
set security policies from-zone untrust to-zone trust policy DNAT_ALTOS_POLICY then permit

On Thu, Nov 28, 2013 at 11:56 AM, Per Westerlund <p...@westerlund.se> wrote:

> I am sorry to say that I think it is almost correct. The policy rules are
> evaluated after destination NAT handling, where the destination port has
> already been translated. You should probably exchange:
>
> set security policies from-zone untrust to-zone trust policy DNAT_POLICY match application TELNET_DNAT
>
> for:
>
> set security policies from-zone untrust to-zone trust policy DNAT_POLICY match application junos-telnet
>
> /Per
>
> On 28 Nov 2013, at 09:48, Asad Raza <asadgard...@gmail.com> wrote:
>
> Actually your NAT pool config needs changes as well. Following is the
> correct config with changes highlighted:
>
> Assumption:
>
> Real (private) IP of server: x.x.x.x:23
> Public (NAT) IP of server : y.y.y.y:3333
>
> set security zones security-zone trust address-book address SERVER x.x.x.x/32
>
> set applications application TELNET_DNAT protocol tcp
> set applications application TELNET_DNAT destination-port 3333
>
> set security nat destination pool DNAT_POOL address x.x.x.x/32
> set security nat destination pool DNAT_POOL address port 23
>
> set security nat destination rule-set DNAT_RULE from zone untrust
>
> set security nat destination rule-set DNAT_RULE rule rule1 match destination-address y.y.y.y/32
> set security nat destination rule-set DNAT_RULE rule rule1 match destination-port 3333
> set security nat destination rule-set DNAT_RULE rule rule1 then destination-nat pool DNAT_POOL
>
> set security policies from-zone untrust to-zone trust policy DNAT_POLICY match source-address any
> set security policies from-zone untrust to-zone trust policy DNAT_POLICY match destination-address SERVER
> set security policies from-zone untrust to-zone trust policy DNAT_POLICY match application TELNET_DNAT
> set security policies from-zone untrust to-zone trust policy DNAT_POLICY then permit
>
> Hope it works now :)
>
> Regards,
>
> Asad

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
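
The ordering Per Westerlund describes in the thread above (security policy lookup runs after destination NAT has rewritten the address and port), modelled as an added example that is not part of the thread or of Junos itself. The addresses, names and ports are the ones posted in the thread; the Python helper names, the simplified single-zone match, and the default-deny fallback are assumptions of this sketch.

```python
# Added illustration (not from the thread): destination NAT runs first,
# the security policy is then matched against the translated packet.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    from_zone: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

# Values taken from the configuration posted in the thread.
DNAT_RULES = [{"from_zone": "untrust", "match_ip": "24.173.164.162",
               "match_port": 3333, "pool": ("132.147.160.3", 23)}]
ADDRESS_BOOK = {"ALTOS_SERVER": "132.147.160.3"}
APPLICATIONS = {"TELNET_DNAT": ("tcp", 3333),   # custom application from the thread
                "junos-telnet": ("tcp", 23)}    # predefined application Per suggests

def destination_nat(pkt):
    """Rewrite destination IP and port if a DNAT rule matches (runs first)."""
    for r in DNAT_RULES:
        if (pkt.from_zone, pkt.dst_ip, pkt.dst_port) == (
                r["from_zone"], r["match_ip"], r["match_port"]):
            ip, port = r["pool"]
            return Packet(pkt.from_zone, ip, port, pkt.proto)
    return pkt

def policy_lookup(pkt, policies):
    """First-match lookup on the translated packet; assumed default is deny."""
    for p in policies:
        if (pkt.from_zone == p["from_zone"]
                and pkt.dst_ip == ADDRESS_BOOK[p["dst"]]
                and (pkt.proto, pkt.dst_port) == APPLICATIONS[p["app"]]):
            return p["action"]
    return "deny"

def evaluate(pkt, policies):
    """Full path for an inbound packet: DNAT, then policy."""
    return policy_lookup(destination_nat(pkt), policies)

def policy(app):
    """Hypothetical helper: the thread's permit policy with a given application."""
    return [{"from_zone": "untrust", "dst": "ALTOS_SERVER",
             "app": app, "action": "permit"}]

# Constructed sample packet: a client connecting to the public IP on port 3333.
inbound = Packet("untrust", "24.173.164.162", 3333)

if __name__ == "__main__":
    print("TELNET_DNAT :", evaluate(inbound, policy("TELNET_DNAT")))
    print("junos-telnet:", evaluate(inbound, policy("junos-telnet")))
```
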