[j-nsp] Destination NAT

2013-11-28 Thread Mohammad Khalil
Hi All, I have an SRX210H. I have a server with an IP address x.x.x.x and want to allow telnet access to it on a different port (I chose ), and assigned it the public IP address y.y.y.y, but it seems not to be working. set security zones security-zone trust address-book address SERVER y.y.y.y/32 set

Re: [j-nsp] Destination NAT

2013-11-28 Thread Asad Raza
Hi, DNAT is done before the policy match/route lookup. You need to allow x.x.x.x in the policy instead of y.y.y.y. Regards, Asad On Nov 28, 2013, at 11:00 AM, Mohammad Khalil eng.m...@gmail.com wrote: Hi All, I have an SRX210H. I have a server with an IP address x.x.x.x and want to allow telnet

Re: [j-nsp] Destination NAT

2013-11-28 Thread Mohammad Khalil
But I already configured set security zones security-zone trust address-book address SERVER y.y.y.y/32, which will contain the real IP address, right? I followed the link below http://www.fir3net.com/Juniper-SRX-Series-Gateway/juniper-srx-destination-nat-port-forwarding.html On Thu, Nov 28, 2013

Re: [j-nsp] Destination NAT

2013-11-28 Thread Asad Raza
Again, your config says that x.x.x.x is the physical IP address of the server and y.y.y.y is the NAT pool IP. So, in the security policy, you will allow the physical IP address (x.x.x.x) in the destination address INSTEAD of y.y.y.y. It should be like the following: set security zones

Re: [j-nsp] Destination NAT

2013-11-28 Thread Asad Raza
Actually, your NAT pool config needs changes as well. Following is the correct config with changes highlighted: Assumption: Real (private) IP of server: x.x.x.x:23 Public (NAT) IP of server: y.y.y.y: set security zones security-zone trust address-book address SERVER x.x.x.x/32 set

Re: [j-nsp] Destination NAT

2013-11-28 Thread Per Westerlund
I am sorry to say that I think it is almost correct. The policy rules are evaluated after destination NAT handling, where the destination port has already been translated. You should probably exchange: set security policies from-zone untrust to-zone trust policy DNAT_POLICY match application

Re: [j-nsp] Destination NAT

2013-11-28 Thread Mohammad Khalil
set security policies from-zone untrust to-zone trust policy DNAT_POLICY match application junos-telnet But I am already using right? And junos-telnet is supposed to work on 23? On Thu, Nov 28, 2013 at 12:04 PM, Mohammad Khalil eng.m...@gmail.com wrote: Sorry, but it did not work again

Re: [j-nsp] Destination NAT

2013-11-28 Thread Mohammad Khalil
Sorry, but it did not work again. set security zones security-zone trust address-book address ALTOS_SERVER 132.147.160.3/32 set applications application TELNET_DNAT protocol tcp set applications application TELNET_DNAT destination-port set security nat destination pool DNAT_POOL address

Re: [j-nsp] Destination NAT

2013-11-28 Thread Per Westerlund
Below is what I believe is a working solution. First, with destination NAT, matching on public IP/port, the destination IP/port is translated from 24.173.164.162: to 132.147.160.3:23. Next, the policy match statement has to allow just that, after the translation: 132.147.160.3:23.

Re: [j-nsp] Destination NAT

2013-11-28 Thread Per Westerlund
Have you set up proxy-arp for the DNAT address? It does not work by itself; it has to be done manually if it is an address on the external (untrust) network. /Per On 28 Nov 2013, at 10:32, Mohammad Khalil eng.m...@gmail.com wrote: set security policies from-zone untrust to-zone trust policy

Re: [j-nsp] Destination NAT

2013-11-28 Thread Per Westerlund
No, those source NAT rules should have no effect on your problem. When the inbound traffic matches (hopefully) the requirements, a complete flow is set up. The return traffic automatically gets the proper NAT handling to match the inbound traffic. The outbound traffic will use source NAT that

Re: [j-nsp] Destination NAT

2013-11-28 Thread Mohammad Khalil
Yes, it's in place, with no luck. set security nat source rule-set trust-to-untrust from zone trust set security nat source rule-set trust-to-untrust to zone untrust set security nat source rule-set trust-to-untrust rule nonat match source-address 132.147.160.0/24 set security nat source rule-set

Re: [j-nsp] Destination NAT

2013-11-28 Thread Mohammad Khalil
No, the session is not up, and I have changed the port to be 23 on both sides (junos-telnet) and it is still not working? On Thu, Nov 28, 2013 at 1:04 PM, Per Westerlund p...@westerlund.se wrote: No, those source NAT rules should have no effect on your problem. When the inbound traffic matches

Re: [j-nsp] Destination NAT

2013-11-28 Thread Mohammad Khalil
set security nat proxy-arp interface ge-0/0/0.0 address 24.173.164.162/32 ? On Thu, Nov 28, 2013 at 12:36 PM, Per Westerlund p...@westerlund.se wrote: Have you set up proxy-arp for the DNAT address? It does not work by itself; it has to be done manually if it is an address on the external (untrust)

Re: [j-nsp] Destination NAT

2013-11-28 Thread Per Westerlund
Try to add this to your configuration: [edit security flow] perw@srx1# show traceoptions { file dnat-telnet-debug; flag basic-datapath; packet-filter dnat-telnet-in { protocol tcp; destination-prefix 24.173.164.162/32; destination-port ; }

Re: [j-nsp] Destination NAT

2013-11-28 Thread Mohammad Khalil
Ok, I will give it a shot, but before that I have tried something different; I just want to configure static NAT (one-to-one). set security nat static rule-set static-nat from zone untrust set security nat static rule-set static-nat rule ALTOS_STATIC match destination-address 24.173.164.162/32 set

[j-nsp] Fwd: Destination NAT

2013-11-28 Thread Per Westerlund
Problem resolved. /Per Forwarded message: From: Mohammad Khalil eng.m...@gmail.com Subject: Re: [j-nsp] Destination NAT Date: 28 November 2013 12:23:49 CET To: Per Westerlund p...@westerlund.se All the problem was from the public IP address; it seems it was used somewhere else. I do

Re: [j-nsp] Destination NAT

2013-11-28 Thread Mohammad Khalil
Ok, I have changed the static IP address to 164 and the static NAT worked. I will try the destination port again. On Thu, Nov 28, 2013 at 2:04 PM, Mohammad Khalil eng.m...@gmail.com wrote: Ok, I will give it a shot, but before that I have tried something different; I just want to configure

Re: [j-nsp] Destination NAT

2013-11-28 Thread Payam Chychi
Is the dst IP pingable from the FW? I thought the system auto-monitors to see if the DNAT dst responds to ICMP packets and, if not, will not work? -- Payam Chychi Network Engineer / Security Specialist On Thursday, November 28, 2013 at 3:08 AM, Mohammad Khalil wrote: Ok, I have changed