Configuration Example -- Configure Destination PAT (Port Address Translation) to Multiple Servers; includes Port Mapping/Port Forwarding

Categories:
Knowledge Base ID: KB12652
Last Updated: 07 Jan 2009
Version: 6.0

Summary:
ScreenOS Recipe 8.7, copied from the ScreenOS Cookbook, documents how to configure Destination PAT (Port Address Translation) to a single server.  This article contains a configuration example of Destination PAT to multiple servers.

Problem or Goal:
  • You want to configure a destination PAT (Policy NAT-Dst) to multiple servers.
  • You want external users to access internal servers using Port Mapping or Port Forwarding.

Solution:
This solution shows how to configure destination PAT with Policy NAT-Dst or a VIP to multiple internal servers.
For more information on configuring destination PAT to a single internal server, refer to KB12608 - ScreenOS Cookbook Recipe 8.7.

Step 1.  Is your Server Public IP address on the same network as the firewall's external/public interface?  For example, in Figure 1, Server A Public IP (1.1.1.2) and Server B Public IP (1.1.1.2) belong to the same network segment as the Untrust IP (1.1.1.1).
  • Yes - Consult:  'Example 1 - Server Public IP address is on the same network as the Firewall's Untrust interface IP address' section below
  • No  - Continue with Step 2

Step 2.  Is your Server Public IP address on a different network than the firewall's external/public interface?  For example, in Figure 2, Server A Public IP (2.2.2.2) and Server B Public IP (2.2.2.2) are on a different network segment than the Untrust IP (1.1.1.1).
  • Yes - Consult:  'Example 2 - Server Public IP address is on a different network than the Firewall's Untrust interface IP address' section below
  • No  - Continue with Step 3

Step 3.  Is your Server Public IP address the same IP address as the firewall's external/public interface?  For example, in Figure 3, Server A Public IP (1.1.1.1) and Server B Public IP (1.1.1.1) are the same address as the Untrust IP (1.1.1.1).
  • Yes - Consult:  'Example 3 - Server Public IP address is the same IP address as the Firewall's Untrust interface IP address' section below



Example 1 - Server Public IP address is on the same network as the Firewall's Untrust interface IP address

Users on Internet in the Untrust zone will access the internal server 192.168.1.100, port 80 in the DMZ zone via the Server Public IP address 1.1.1.2, port 8080.  Also, users on Internet in the Untrust zone will access the internal server 192.168.1.101, port 80 in the DMZ zone via the Server Public IP address 1.1.1.2, port 8081.

Figure 1: [diagram]
This can be accomplished with Policy NAT-Dst or a VIP.

To configure this with policy NAT-DST:
set interface ethernet0/2 zone dmz
set interface ethernet0/2 ip 192.168.1.1/24
set interface ethernet0/1 zone untrust
set interface ethernet0/1 ip 1.1.1.1/24
set service "http-inst-a" protocol tcp src-port 1024-65535 dst-port 8080-8080
set service "http-inst-b" protocol tcp src-port 1024-65535 dst-port 8081-8081
set arp NAT-DST
set address "Untrust" "server-pub" 1.1.1.2 255.255.255.255
set policy from untrust to untrust any server-pub http-inst-a nat dst ip 192.168.1.100 port 80 permit
set policy from untrust to untrust any server-pub http-inst-b nat dst ip 192.168.1.101 port 80 permit


Note that this is configured with intrazone policies (untrust to untrust); policies from untrust to dmz are not needed.  Because 1.1.1.2 lies in the subnet of the Untrust interface, the route lookup on the untranslated destination address resolves to the Untrust zone, and the set arp NAT-DST command makes the firewall answer ARP requests for that address.  Refer to Recipe 8.6 (KB12631) for the explanation in the 'Discussion'.
OR to configure this with a VIP:
set interface ethernet0/1 zone Untrust
set interface ethernet0/1 ip 1.1.1.1/24
set interface ethernet0/2 zone dmz
set interface ethernet0/2 ip 192.168.1.1/24
set service "http-8080" protocol tcp src-port 1024-65535 dst-port 8080-8080
set service "http-8081" protocol tcp src-port 1024-65535 dst-port 8081-8081
set interface ethernet0/1 vip 1.1.1.2 8080 "HTTP" 192.168.1.100
set interface ethernet0/1 vip 1.1.1.2 8081 "HTTP" 192.168.1.101
set policy from untrust to dmz any vip(1.1.1.2) "http-8080" permit
set policy from untrust to dmz any vip(1.1.1.2) "http-8081" permit

NOTE: To enable the VIP to support multiple-port services, you must enter the CLI command set vip multi-port, save the configuration, and then reboot the device:
set vip multi-port
save
reset
System reset, are you sure? y/[n]

Additional reference example:
Concepts & Examples ScreenOS Reference Guide, Volume 8 - Address Translation

Example: VIP with Custom and Multiple-Port Services


Example 2 - Server Public IP address is on a different network than the Firewall's Untrust interface IP address

Users on Internet in the Untrust zone will access the internal server 192.168.1.100, port 80 in the DMZ zone via the Server Public IP address 2.2.2.2, port 8080.  Also, users on Internet in the Untrust zone will access the internal server 192.168.1.101, port 80 in the DMZ zone via the Server Public IP address 2.2.2.2, port 8081.

Figure 2: [diagram]
To configure this with policy NAT-DST:
set interface ethernet0/2 zone dmz
set interface ethernet0/2 ip 192.168.1.1/24
set interface ethernet0/1 zone untrust
set interface ethernet0/1 ip 1.1.1.1/24
set address dmz server-pub 2.2.2.2/32
set service "http-inst-a" protocol tcp src-port 1024-65535 dst-port 8080-8080
set service "http-inst-b" protocol tcp src-port 1024-65535 dst-port 8081-8081
set route 2.2.2.2/32 int eth0/2
set policy from untrust to dmz any server-pub http-inst-a nat dst ip 192.168.1.100 port 80 permit
set policy from untrust to dmz any server-pub http-inst-b nat dst ip 192.168.1.101 port 80 permit
Here the route for 2.2.2.2/32 points out ethernet0/2, so the route lookup on the untranslated destination address resolves to the DMZ zone; the server-pub address object is therefore defined in the dmz zone and the policies run from untrust to dmz.
A VIP cannot be used for Example 2, because a VIP address must lie in the same subnet as the interface on which it is defined.

Example 3 - Server Public IP address is the same IP address as the Firewall's Untrust interface IP address

Users on Internet in the Untrust zone will access the internal server 192.168.1.100, port 80 in the DMZ zone via the Server Public IP address 1.1.1.1, port 8080.  Also, users on Internet in the Untrust zone will access the internal server 192.168.1.101, port 80 in the DMZ zone via the Server Public IP address 1.1.1.1, port 8081.

Figure 3: [diagram]
Policy NAT-DST does not allow the firewall's own public IP address to be used for translation.  Therefore, this can be accomplished only with a VIP.  For more information and caveats, refer to ScreenOS Recipe 8.7.

To configure it with a VIP:
set interface ethernet0/1 zone Untrust
set interface ethernet0/1 ip 1.1.1.1/24
set interface ethernet0/2 zone dmz
set interface ethernet0/2 ip 192.168.1.1/24
set service "http-8080" protocol tcp src-port 1024-65535 dst-port 8080-8080
set service "http-8081" protocol tcp src-port 1024-65535 dst-port 8081-8081
set interface ethernet0/1 vip untrust-ip 8080 "HTTP" 192.168.1.100
set interface ethernet0/1 vip untrust-ip 8081 "HTTP" 192.168.1.101
set policy from untrust to dmz any vip(ethernet0/1) "http-8080" permit
set policy from untrust to dmz any vip(ethernet0/1) "http-8081" permit

NOTE: To enable the VIP to support multiple-port services, you must enter the CLI command set vip multi-port, save the configuration, and then reboot the device:
set vip multi-port
save
reset
System reset, are you sure? y/[n]
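
As an added example (not part of this KB article and not ScreenOS code), the Python below models the Step 1-3 decision and emits the ScreenOS lines for Examples 1-3 from a table of port mappings, refusing the combinations the article rules out (NAT-dst on the interface's own IP, a VIP off the interface's subnet).  The function names, the constructed MAPPINGS table and the ethernet0/1 / ethernet0/2 defaults are assumptions taken from the figures above.

```python
import ipaddress
# Constructed mappings (public port, internal server, internal port), matching the KB figures.
MAPPINGS = [(8080, "192.168.1.100", 80), (8081, "192.168.1.101", 80)]

def classify(server_pub, untrust_if):
    """Steps 1-3: decide which KB example applies to a server public IP."""
    iface = ipaddress.ip_interface(untrust_if)
    pub = ipaddress.ip_address(server_pub)
    if pub == iface.ip:
        return "example3"  # same address as the Untrust interface: VIP only
    if pub in iface.network:
        return "example1"  # same subnet: policy NAT-dst or VIP
    return "example2"      # different subnet: policy NAT-dst only

def natdst_config(server_pub, untrust_if, mappings, dmz_if="ethernet0/2"):
    """Policy NAT-dst lines; the to-zone follows the route lookup for server_pub."""
    case = classify(server_pub, untrust_if)
    if case == "example3":
        raise ValueError("policy NAT-dst cannot translate the firewall's own interface IP")
    if case == "example1":  # on-subnet: firewall must answer ARP, policy is intrazone
        lines = ["set arp nat-dst",
                 f'set address "Untrust" "server-pub" {server_pub} 255.255.255.255']
        to_zone = "untrust"
    else:                   # off-subnet: route it to the DMZ interface, policy is untrust->dmz
        lines = [f"set address dmz server-pub {server_pub}/32",
                 f"set route {server_pub}/32 interface {dmz_if}"]
        to_zone = "dmz"
    for i, (pport, host, hport) in enumerate(mappings):
        svc = f"http-inst-{chr(ord('a') + i)}"
        lines.append(f'set service "{svc}" protocol tcp src-port 1024-65535 dst-port {pport}-{pport}')
        lines.append(f"set policy from untrust to {to_zone} any server-pub {svc} "
                     f"nat dst ip {host} port {hport} permit")
    return lines

def vip_config(server_pub, untrust_if, mappings, untrust_ifname="ethernet0/1"):
    """VIP lines; uses the untrust-ip form of Example 3 when server_pub is the interface IP."""
    case = classify(server_pub, untrust_if)
    if case == "example2":
        raise ValueError("a VIP must lie in the subnet of the interface it is defined on")
    vip_addr = "untrust-ip" if case == "example3" else server_pub
    vip_ref = untrust_ifname if case == "example3" else server_pub
    lines = ["set vip multi-port"]  # needed for multiple-port services; save and reset afterwards
    for pport, host, hport in mappings:
        if hport != 80:  # the "HTTP" service object in the VIP fixes the server port at 80
            raise ValueError(f"VIP mapping with service HTTP needs server port 80, got {hport}")
        svc = f"http-{pport}"
        lines.append(f'set service "{svc}" protocol tcp src-port 1024-65535 dst-port {pport}-{pport}')
        lines.append(f'set interface {untrust_ifname} vip {vip_addr} {pport} "HTTP" {host}')
        lines.append(f'set policy from untrust to dmz any vip({vip_ref}) "{svc}" permit')
    return lines
```

Running natdst_config("2.2.2.2", "1.1.1.1/24", MAPPINGS) reproduces the Example 2 policy lines, and vip_config("1.1.1.1", "1.1.1.1/24", MAPPINGS) reproduces those of Example 3.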


Note:   "This excerpt is used by permission of the publisher, O'Reilly Media, ©2008. All rights reserved. Excerpted from ScreenOS Cookbook, by Stefan Brunner, Ken Draper, David Delcourt, Joe Kelley, Vik Drakar, & Sunil Wadhwa.  http://screenoscookbook.com  ISBN: 0596510039."

Purpose:
Configuration

Copyright© 1999-2012 Juniper Networks, Inc. All rights reserved.