ScreenOS Cookbook Recipe 8.7 - Configure Destination PAT (Port Address Translation)


Article ID: KB12608    KB Last Updated: 14 Dec 2017    Version: 6.0
Summary:
ScreenOS Cookbook Recipe 8.7, copied from the ScreenOS Cookbook, documents how to configure Destination PAT (Port Address Translation). It has been modified slightly for the NAT Resolution Guide.
Symptoms:
  • You want to configure a destination PAT. 
  • You want to configure Port Mapping or Port Translation.
  • You want external users to access an internal server using port mapping.
  • Users on the Internet will access the internal server 192.168.1.100, port 8080, via the server's public IP address 1.1.1.2, port 80.
[Network diagram: Internet clients reach the server's public IP 1.1.1.2 (port 80) on the firewall's Untrust side; the firewall translates the destination to 192.168.1.100 (port 8080) on the internal side.]

Note:  Recipe 8.7 addresses Destination PAT (port mapping) -- A Destination Public IP address and predetermined port are translated to a Private IP address and another predetermined port.
Refer to Recipe 8.6 (KB12631) on how to configure Destination NAT (without port mapping) -- A Destination Public IP address is translated to a Private IP address.
 
Solution:
This solution shows how to configure destination PAT with a VIP or with Policy NAT-Dst.   (For more information on whether to configure using a VIP or Policy NAT-Dst, refer to Recipe 8.6.)
 
  • Is your Server Public IP address on the same network as the Firewall's external/public interface?  For example, in the network diagram above, the Server Public IP, 1.1.1.2, is on the same network as the firewall's Untrust interface IP, 1.1.1.1.  
    If so, follow the 'Server Public IP address is on the same network as the Firewall's Untrust interface IP address' section below. 

  • Is your Server Public IP address on a different network than the Firewall's external/public interface?  For example, if the Server Public IP address is 2.2.2.2, and the firewall's Untrust interface IP is 1.1.1.1, then they are on different networks.
    If so, follow the 'Server Public IP address is on a different network than the Firewall's Untrust interface IP address' section below.

  • Is the Server Public IP address the same IP Address as the Firewall's external/public interface? 
    If so, policy NAT-Dst cannot be used. Instead, configure with a VIP. Follow the 'Server Public IP address is the same IP address as the Firewall's Untrust interface IP address' section below.

 

Server Public IP address is on the same network as the Firewall's Untrust interface IP address

To configure destination PAT with a VIP:

set interface ethernet0/1 zone Untrust
set interface ethernet0/1 ip 1.1.1.1/29
set service http-inst-a protocol tcp src-port 1024-65535 dst-port 8080-8080
set interface ethernet0/1 vip 1.1.1.2 80 http-inst-a 192.168.1.100
set policy id 1 from untrust to dmz any vip(1.1.1.2) http permit
OR

To configure it with policy NAT-DST (most common):
set interface ethernet0/0 zone trust
set arp NAT-DST      

set address untrust server-a-pub 1.1.1.2/32
set policy from untrust to untrust any server-a-pub http nat dst ip 192.168.1.100 port 8080 permit


Note that it is configured with an intrazone policy (untrust to untrust).  Refer to Recipe 8.6 (KB12631) for the explanation in the 'Discussion'.

 

Discussion

This shows how to translate the public IP 1.1.1.2 port 80 to the private IP 192.168.1.100 port 8080.  Table 8-8 details the destination PAT translation configuration.
Table 8-8. Destination PAT translation

  Public or global portion                  | Private or local portion
  src-ip   dst-ip    src-port   dst-port    | x-src-ip   x-dst-ip        x-src-port   x-dst-port
  Any      1.1.1.2   Any        80          | Original   192.168.1.100   Original     8080

The original way (prior to ScreenOS 5.0) to configure this was via a VIP. The new way to configure this is with policy NAT-DST. This example assumes that the public IPs are in the same network with the IP of the ingress interface, which is a requirement for a VIP but not for policy NAT-DST, as previously mentioned.

 

Server Public IP address is on a different network than the Firewall's Untrust Interface IP address

To configure it with policy NAT-DST:
set address trust server-a-pub 1.1.1.2/32
set interface ethernet0/0 zone trust
set route 1.1.1.2/32 int eth0/0
set route 192.168.1.0/24 int eth0/0
set policy from untrust to dmz any server-a-pub http nat dst ip 192.168.1.100 port 8080 permit


Server Public IP address is the same IP address as the Firewall's Untrust interface IP address

VIPs come with many caveats. The most important is that VIPs before ScreenOS 6.1 can exist only on interfaces in the Untrust zone and must be in the same network with that interface. Policy NAT-DST offers much greater flexibility. But what a VIP can do and policy NAT-DST cannot do is to use the firewall’s own public IP address for translation.  This is shown with the following example:
set admin port 8080
set interface ethernet0/0 zone Untrust
set interface ethernet0/0 ip 1.1.1.1/29
set service "HTTP-8080" protocol tcp src-port 1024-65535 dst-port 8080-8080
set interface ethernet0/0 vip untrust-ip 80 "HTTP-8080" 192.168.1.100 
set policy id 1 from untrust to trust any vip(ethernet0/0) HTTP permit
In ScreenOS 6.1 and later, the syntax changed because VIPs are now supported on interfaces in any zone:
set interface ethernet0/0 vip interface-ip 80 "HTTP-8080" 192.168.1.100
Notice that the firewall itself also listens on port 80 for the WebUI, which is why that port had to be moved first (the 'set admin port 8080' line above). You can move all default sockets on the firewall:
set admin port <port>
set ssl port <port>
set admin telnet port <port>
set admin ssh port <port>
unset alg sip enable
Also note that when you want to translate many contiguous ports, such as the reverse-Telnet ports of a terminal server, a VIP has the multi-port feature, whereas policy NAT-DST does not. You would have to write a rule for each translated port with policy NAT-DST:
set vip multi-port
With both methods, you can perform many different combinations of translations between port and address translation. You can hide several servers behind a single global address, and you can simulate two servers on the public side and translate them to the same server on the local side, as shown earlier. You can even translate different global addresses to the same socket on the same server, which is sometimes done during server migrations. 
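The translation in Table 8-8 and the point above about contiguous port ranges (policy NAT-DST needs one rule per translated port) are easier to check in a small model. The following Python is an added example written for this article, not ScreenOS code or the cookbook's own: it represents each 'nat dst ip X port Y' policy as a record, applies the Table 8-8 semantics (source IP and port stay Original, destination IP and port are rewritten), builds the per-port policy list that a contiguous range requires, and lists every public socket the policy set exposes, which is the audit view a firewall reviewer wants. The zone names, the client addresses (RFC 5737 documentation ranges) and the terminal-server example at 192.168.1.50 are constructed; the recipe's own addresses 1.1.1.2/80 and 192.168.1.100/8080 are taken from the page.

```python
"""Model of ScreenOS destination PAT (policy NAT-dst) as described in Recipe 8.7.

Illustrative model written for this article, not ScreenOS code. It applies the
Table 8-8 semantics: only dst-ip and dst-port are rewritten; src-ip and src-port
are kept as "Original".
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class NatDstPolicy:
    """One 'set policy from A to B any <addr> <svc> nat dst ip X port Y permit' line."""
    from_zone: str
    to_zone: str
    public_ip: str      # global/public destination address the policy matches
    public_port: int    # global/public destination port the service object matches
    private_ip: str     # x-dst-ip in Table 8-8
    private_port: int   # x-dst-port in Table 8-8


# The recipe's intrazone policy, as a record (addresses from the article):
# set policy from untrust to untrust any server-a-pub http nat dst ip 192.168.1.100 port 8080 permit
RECIPE_POLICY = NatDstPolicy("untrust", "untrust", "1.1.1.2", 80, "192.168.1.100", 8080)


def translate(flow: Flow, from_zone: str, to_zone: str,
              policies: List[NatDstPolicy]) -> Optional[Flow]:
    """Apply the first matching NAT-dst policy; None means no policy permits the flow.

    Policies are evaluated top-down, as ScreenOS evaluates its policy list. The
    zone-pair check is a simplifying assumption of this model.
    """
    for p in policies:
        if (p.from_zone, p.to_zone) != (from_zone, to_zone):
            continue
        if flow.dst_ip == p.public_ip and flow.dst_port == p.public_port:
            # Table 8-8: src-ip / src-port stay Original; dst-ip / dst-port are rewritten.
            return Flow(flow.src_ip, p.private_ip, flow.src_port, p.private_port)
    return None


def policies_for_port_range(from_zone: str, to_zone: str, public_ip: str, private_ip: str,
                            first_port: int, last_port: int,
                            port_offset: int = 0) -> List[NatDstPolicy]:
    """Policy NAT-dst has no multi-port feature, so a contiguous range (for example
    the reverse-Telnet ports of a terminal server) needs one policy per port."""
    return [NatDstPolicy(from_zone, to_zone, public_ip, port, private_ip, port + port_offset)
            for port in range(first_port, last_port + 1)]


def exposed_sockets(policies: List[NatDstPolicy]) -> List[Tuple[str, int, str, int]]:
    """Audit view: every public (ip, port) that is reachable and where it lands."""
    return sorted({(p.public_ip, p.public_port, p.private_ip, p.private_port)
                   for p in policies})


if __name__ == "__main__":
    client = Flow("203.0.113.7", "1.1.1.2", 40321, 80)        # constructed Internet client
    print(translate(client, "untrust", "untrust", [RECIPE_POLICY]))
    # Port 443 is not covered by any policy, so the flow is not permitted.
    print(translate(Flow("203.0.113.7", "1.1.1.2", 40321, 443),
                    "untrust", "untrust", [RECIPE_POLICY]))
    # Four reverse-Telnet ports on a constructed terminal server: four policies.
    tty = policies_for_port_range("untrust", "untrust", "1.1.1.2", "192.168.1.50", 2001, 2004)
    for sock in exposed_sockets([RECIPE_POLICY] + tty):
        print(sock)
```

Running the block prints the translated HTTP flow (destination rewritten to 192.168.1.100:8080, source untouched), None for the port 443 attempt, and the five public sockets the combined policy set exposes. Reviewing exposed_sockets() against the intended server list is a quick way to confirm that a port-mapping change did not open more of the public address than planned.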



Note:   "This recipe/excerpt is used by permission of the publisher, O'Reilly Media, ©2008. All rights reserved. Excerpted from ScreenOS Cookbook, by Stefan Brunner, Ken Draper, David Delcourt, Joe Kelley, Vik Drakar, & Sunil Wadhwa.  http://screenoscookbook.com  ISBN: 0596510039."
Modification History:
2017-12-07: Article reviewed for accuracy. No changes made. Article is correct and complete.
