JunOS : Port forwarding on Juniper SRX

September 9, 2019

A friend of mine, used to the legacy and end-of-life SSG/ScreenOS platform, had just jumped into the new world of SRX/JunOS and gave me the motivation to write this article. As the syntax is quite different between the two platforms, it can be hard to get started, and the following example should help you out!

This tutorial walks through the steps of the configuration. I have used "intuitive names" for the various elements wherever possible. The example forwards a non-standard RDP port (TCP 3399) to the server 192.168.15.15.

1. Define the target machine in the "address book" of the LAN zone (this is a name alias for the target IP):

set security zones security-zone LAN address-book address ip-lan_SERVERNAME description "Server Description"
set security zones security-zone LAN address-book address ip-lan_SERVERNAME 192.168.15.15/32

2. Define the custom application with its protocol and port (this step is optional; use it only if your application isn't in the default application list):

set applications application custapp-rdp-tcp-3399 protocol tcp
set applications application custapp-rdp-tcp-3399 destination-port 3399
set applications application custapp-rdp-tcp-3399 description RDP

3. Define the destination NAT pool for the target machine (the pool port is the port the server will actually receive the traffic on):

set security nat destination pool dnat-pool_SERVERNAME address 192.168.15.15/32
set security nat destination pool dnat-pool_SERVERNAME address port 3399

4. Define the destination NAT rule set, with the zone the traffic comes from (the "from" context is mandatory on a destination NAT rule set), and the rule for the target machine:

set security nat destination rule-set dnat_Internet-to-LAN from zone Internet
set security nat destination rule-set dnat_Internet-to-LAN rule dnat-rule_SERVERNAME_p3399 description RDP
set security nat destination rule-set dnat_Internet-to-LAN rule dnat-rule_SERVERNAME_p3399 match destination-address 0.0.0.0/0
set security nat destination rule-set dnat_Internet-to-LAN rule dnat-rule_SERVERNAME_p3399 match destination-port 3399
set security nat destination rule-set dnat_Internet-to-LAN rule dnat-rule_SERVERNAME_p3399 match protocol tcp
set security nat destination rule-set dnat_Internet-to-LAN rule dnat-rule_SERVERNAME_p3399 then destination-nat pool dnat-pool_SERVERNAME

5. Define the security policy that permits the traffic to the target server. Policies are evaluated after destination NAT, so the policy matches the internal address alias and the custom application, not the public address:

set security policies from-zone Internet to-zone LAN policy All_WAN_RDP_SERVERNAME description RDP
set security policies from-zone Internet to-zone LAN policy All_WAN_RDP_SERVERNAME match source-address any
set security policies from-zone Internet to-zone LAN policy All_WAN_RDP_SERVERNAME match destination-address ip-lan_SERVERNAME
set security policies from-zone Internet to-zone LAN policy All_WAN_RDP_SERVERNAME match application custapp-rdp-tcp-3399
set security policies from-zone Internet to-zone LAN policy All_WAN_RDP_SERVERNAME then permit

6. The configuration is now complete; commit the change:

commit comment "add port forwarding for SERVERNAME"
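The following Python script is an added example and is not part of the original article nor a Juniper tool. It parses the "set" commands of the steps above, as you would get them from "show configuration | display set", and checks that the custom application, the destination NAT pool, the NAT rule and the security policy agree on protocol, port and target host, and that the rule set has its "from zone" statement. The embedded sample configuration is a constructed copy of this article's commands; the function names are mine.

```python
"""Consistency check for a Junos SRX destination-NAT port forward.

Added example, not code from the original article: it parses 'set'
commands and verifies that the application, the destination NAT pool,
the NAT rule and the security policy agree on protocol, port and host.
SAMPLE_CONFIG is constructed to mirror the article's example.
"""
import shlex

SAMPLE_CONFIG = """
set security zones security-zone LAN address-book address ip-lan_SERVERNAME description "Server Description"
set security zones security-zone LAN address-book address ip-lan_SERVERNAME 192.168.15.15/32
set applications application custapp-rdp-tcp-3399 protocol tcp
set applications application custapp-rdp-tcp-3399 destination-port 3399
set security nat destination pool dnat-pool_SERVERNAME address 192.168.15.15/32
set security nat destination pool dnat-pool_SERVERNAME address port 3399
set security nat destination rule-set dnat_Internet-to-LAN from zone Internet
set security nat destination rule-set dnat_Internet-to-LAN rule dnat-rule_SERVERNAME_p3399 match destination-address 0.0.0.0/0
set security nat destination rule-set dnat_Internet-to-LAN rule dnat-rule_SERVERNAME_p3399 match destination-port 3399
set security nat destination rule-set dnat_Internet-to-LAN rule dnat-rule_SERVERNAME_p3399 match protocol tcp
set security nat destination rule-set dnat_Internet-to-LAN rule dnat-rule_SERVERNAME_p3399 then destination-nat pool dnat-pool_SERVERNAME
set security policies from-zone Internet to-zone LAN policy All_WAN_RDP_SERVERNAME match source-address any
set security policies from-zone Internet to-zone LAN policy All_WAN_RDP_SERVERNAME match destination-address ip-lan_SERVERNAME
set security policies from-zone Internet to-zone LAN policy All_WAN_RDP_SERVERNAME match application custapp-rdp-tcp-3399
set security policies from-zone Internet to-zone LAN policy All_WAN_RDP_SERVERNAME then permit
"""


def parse_set_commands(text):
    """Extract only the fields the check needs from 'set ...' lines."""
    cfg = {"addresses": {}, "applications": {}, "pools": {},
           "rule_sets": {}, "rules": {}, "policies": {}}
    for raw in text.strip().splitlines():
        t = shlex.split(raw)  # shlex keeps a quoted description as one token
        if len(t) < 5 or t[0] != "set":
            continue
        t = t[1:]
        if t[:3] == ["security", "zones", "security-zone"] and t[4:6] == ["address-book", "address"]:
            if len(t) > 7 and t[7] != "description":
                cfg["addresses"][t[6]] = t[7]  # alias -> prefix
        elif t[:2] == ["applications", "application"] and len(t) > 4 \
                and t[3] in ("protocol", "destination-port"):
            cfg["applications"].setdefault(t[2], {})[t[3]] = t[4]
        elif t[:4] == ["security", "nat", "destination", "pool"]:
            pool = cfg["pools"].setdefault(t[4], {})
            if t[5:7] == ["address", "port"]:
                pool["port"] = t[7]
            elif t[5] == "address":
                pool["address"] = t[6]
        elif t[:4] == ["security", "nat", "destination", "rule-set"]:
            if t[5:7] == ["from", "zone"]:
                cfg["rule_sets"][t[4]] = t[7]
            elif t[5] == "rule" and len(t) > 9:
                rule = cfg["rules"].setdefault(t[6], {"rule_set": t[4]})
                if t[7:9] == ["match", "destination-port"]:
                    rule["port"] = t[9]
                elif t[7:9] == ["match", "protocol"]:
                    rule["protocol"] = t[9]
                elif t[7:10] == ["then", "destination-nat", "pool"]:
                    rule["pool"] = t[10]
        elif len(t) > 9 and t[:2] == ["security", "policies"] \
                and t[2] == "from-zone" and t[6] == "policy":
            pol = cfg["policies"].setdefault(t[7], {"from_zone": t[3], "to_zone": t[5]})
            if t[8] == "match" and t[9] in ("source-address", "destination-address", "application"):
                pol[t[9]] = t[10]
            elif t[8] == "then":
                pol["action"] = t[9]
    return cfg


def check_port_forward(cfg, rule_name, policy_name):
    """Return the list of mismatches; an empty list means the pieces agree."""
    problems = []
    rule = cfg["rules"].get(rule_name)
    pol = cfg["policies"].get(policy_name)
    if rule is None or pol is None:
        return [f"rule {rule_name!r} or policy {policy_name!r} not found"]
    # A destination NAT rule-set needs a 'from' context, and the policy
    # must be written for that same ingress zone.
    from_zone = cfg["rule_sets"].get(rule["rule_set"])
    if from_zone is None:
        problems.append(f"rule-set {rule['rule_set']} has no 'from zone' statement")
    elif pol["from_zone"] != from_zone:
        problems.append(f"policy from-zone {pol['from_zone']} != rule-set from zone {from_zone}")
    pool = cfg["pools"].get(rule.get("pool", ""))
    if pool is None or "address" not in pool:
        return problems + ["NAT rule does not reference a pool with an address"]
    # Port the server actually receives: the pool port if set, else unchanged.
    server_port = pool.get("port", rule.get("port"))
    # Policies are evaluated after destination NAT, so they must match the
    # translated (internal) address and port, not the public ones.
    dst = cfg["addresses"].get(pol.get("destination-address", ""))
    if dst != pool["address"]:
        problems.append(f"policy destination {dst} != pool address {pool['address']}")
    app = cfg["applications"].get(pol.get("application", ""), {})
    if app.get("destination-port") != server_port:
        problems.append(f"application port {app.get('destination-port')} != translated port {server_port}")
    if app.get("protocol") != rule.get("protocol"):
        problems.append("application protocol differs from NAT rule protocol")
    if pol.get("action") != "permit":
        problems.append("policy does not permit the traffic")
    return problems


if __name__ == "__main__":
    findings = check_port_forward(parse_set_commands(SAMPLE_CONFIG),
                                  "dnat-rule_SERVERNAME_p3399", "All_WAN_RDP_SERVERNAME")
    print("consistent" if not findings else "\n".join(findings))
```

Paste the output of "show configuration | display set" into SAMPLE_CONFIG to check a live box. The check catches the two mistakes that most often leave a forwarded port silently dead: a pool port that differs from the port in the custom application (when the server listens on a different port than the public one, the application must use the pool port), and a policy written against the public address instead of the internal alias.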