Sunday, March 15, 2020

Juniper SRX port forwarding some but not all.

Model: srx210h

JUNOS Software Release [10.4R4.5] (can't get newer software sadly)

Hey all, I am having an issue that is upsetting me, as I have spent a lot of time trying to figure it out. I am attempting to forward a couple of ports to a host and translate them. One is 2222 to 22. This seems to work JUST fine. I can see the session when using
show security flow session destination-port 2222

but... I am also attempting to forward 32323 to 30003.
no sessions.. no bueno.
I have confirmed that the port is open on the server, as I am using it locally. In fact, I am using it from the trusted zone; as you can see from the config, the server is in the neutral_zone.
Any help, comments, suggestions would be appreciated. Thank you.

There is some extra config in there right now 'cause of troubleshooting, but nothing besides the SSH translation works.. or has ever worked.

I'm stumped.

Oh, I have also tested with that deny policy in untrust deactivated, JUST in case, but still to no avail.

Thanks in advance, Champions!

/* NAT configuration; the enclosing `security {` container sits above this listing. */
nat {

/* Interface ("hide") source NAT for everything leaving to untrust from either internal zone. */
source {

rule-set trust-to-untrust {

from zone trust;

to zone untrust;

rule source-nat-rule {

match {

/* Any source address is translated to the untrust interface address. */
source-address 0.0.0.0/0;

}

then {

source-nat {

interface;

}

}

}

}

rule-set neutral_zone-to-untrust {

from zone neutral_zone;

to zone untrust;

rule source-nat-rule2 {

match {

source-address 0.0.0.0/0;

}

then {

source-nat {

interface;

}

}

}

}

}

/* Destination NAT: every pool targets the same host, 192.168.30.75 ("warbird" in the
   neutral_zone address book), on a different translated port. */
destination {

pool dnat-192_168_30_75_ssh {

/* rule1: inbound 2222 -> 22 on the host; the one forward the post says works. */
address 192.168.30.75/32 port 22;

}

pool dnat-192_168_30_75_minecraft {

/* rule2: inbound 25565, port unchanged. */
address 192.168.30.75/32 port 25565;

}

pool dnat-192_168_30_75_plex {

/* rule3: inbound 32400, port unchanged. */
address 192.168.30.75/32 port 32400;

}

pool dnat-192_168_30_75_minecraftsb2 {

/* rule4: inbound 25571, port unchanged. */
address 192.168.30.75/32 port 25571;

}

pool dnat-192_168_30_75_MC_SF3 {

/* rule5: inbound 32323 -> 30003 on the host; this is the forward that shows no sessions. */
address 192.168.30.75/32 port 30003;

}

/* Only traffic arriving from the untrust zone is considered for destination NAT.
   `WAN ADDRESS` is a redaction placeholder in the post, not valid Junos syntax. */
rule-set dst-nat {

from zone untrust;

rule rule1 {

match {

destination-address WAN ADDRESS/32;

destination-port 2222;

}

then {

destination-nat pool dnat-192_168_30_75_ssh;

}

}

rule rule2 {

match {

destination-address WAN ADDRESS/32;

destination-port 25565;

}

then {

destination-nat pool dnat-192_168_30_75_minecraft;

}

}

rule rule3 {

match {

destination-address WAN ADDRESS/32;

destination-port 32400;

}

then {

destination-nat pool dnat-192_168_30_75_plex;

}

}

rule rule4 {

match {

destination-address WAN ADDRESS/32;

destination-port 25571;

}

then {

destination-nat pool dnat-192_168_30_75_minecraftsb2;

}

}

/* NOTE(review): on SRX, destination NAT is applied before the security-policy lookup, so the
   untrust-to-neutral_zone policy must permit the translated port 30003 (and the right transport
   protocol), not 32323. The custom applications that policy references are not included in the
   post -- confirm minecraft-30003 is defined with the protocol/port the server actually listens on. */
rule rule5 {

match {

destination-address WAN ADDRESS/32;

destination-port 32323;

}

then {

destination-nat pool dnat-192_168_30_75_MC_SF3;

}

}

}

}

/* Proxy ARP on the WAN interface for the DNAT match address.
   NOTE(review): presumably `WAN ADDRESS` is ge-0/0/1.0's own address; if so this entry is
   unnecessary but harmless -- confirm. */
proxy-arp {

interface ge-0/0/1.0 {

address {

WAN ADDRESS/32;

}

}

}

}

/* Screen (IDS) options; bound to the untrust zone by `screen untrust-screen` under security-zone untrust. */
screen {

ids-option untrust-screen {

icmp {

/* Drop oversized/fragmented ICMP echo (ping of death). */
ping-death;

}

ip {

/* Drop packets carrying IP source-route options. */
source-route-option;

/* Drop overlapping-fragment (teardrop) packets. */
tear-drop;

}

tcp {

/* SYN-flood protection; thresholds are per-second SYN counts, timeout is seconds
   that half-open connections are held before being dropped. */
syn-flood {

alarm-threshold 1024;

attack-threshold 200;

source-threshold 1024;

destination-threshold 2048;

timeout 20;

}

/* Drop packets whose source and destination address/port are identical (LAND attack). */
land;

}

}

}

/* Security zones. Address books are defined per zone in this JUNOS 10.4 layout;
   the names here are what the policies stanza references. */
zones {

security-zone trust {

address-book {

address home_LAN 192.168.25.0/24;

}

interfaces {

vlan.2500 {

/* host-inbound-traffic lists services the SRX itself accepts on this interface
   (management plane); it does not affect transit traffic. */
host-inbound-traffic {

system-services {

dhcp;

ssh;

ping;

}

}

}

}

}

security-zone untrust {

address-book {

/* Single external host referenced by the (inactive) deny policy below. */
address weird_address 37.46.128.26/32;

}

screen untrust-screen;

interfaces {

ge-0/0/1.0 {

/* Only DHCP is accepted toward the SRX on the WAN interface; no management
   services are exposed there. Presumably the WAN address is obtained via DHCP -- not shown. */
host-inbound-traffic {

system-services {

dhcp;

}

}

}

}

}

security-zone neutral_zone {

address-book {

address neutral_zone 192.168.30.0/24;

/* The destination-NAT target host. */
address warbird 192.168.30.75/32;

}

interfaces {

vlan.3000 {

/* NOTE(review): hosts on the neutral_zone segment (including the Internet-exposed
   warbird) can reach the SRX's own SSH on this interface; confirm that is intended. */
host-inbound-traffic {

system-services {

ssh;

ping;

dhcp;

}

}

}

}

}

}

/* Security policies. Lookup is first-match within each zone pair; zone pairs with no policy
   fall back to the default policy (deny-all unless changed; default-policy is not shown here). */
policies {

/* LAN to Internet: unrestricted. */
from-zone trust to-zone untrust {

policy trust-to-untrust {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

}

}

}

/* LAN may initiate anything toward the neutral_zone segment. */
from-zone trust to-zone neutral_zone {

policy trust_to_neutral_zone {

match {

source-address home_LAN;

destination-address neutral_zone;

application any;

}

then {

permit;

}

}

}

/* The neutral_zone segment is explicitly blocked from initiating toward the LAN. */
from-zone neutral_zone to-zone trust {

policy neutral_zone_to_trust {

match {

source-address neutral_zone;

destination-address home_LAN;

application any;

}

then {

deny;

}

}

}

from-zone neutral_zone to-zone untrust {

policy neutral_zone-to-untrust {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

}

}

}

/* Intra-zone traffic within the neutral_zone segment. */
from-zone neutral_zone to-zone neutral_zone {

policy neutral_zone_to_neutral_zone {

match {

source-address neutral_zone;

destination-address neutral_zone;

application any;

}

then {

permit;

}

}

}

from-zone untrust to-zone neutral_zone {

/* Marked inactive, so it is excluded from evaluation; the post says it was deactivated
   for troubleshooting. */
inactive: policy untrust-to-neutral_zone_deny {

match {

source-address weird_address;

destination-address any;

application any;

}

then {

deny;

}

}

/* Inbound from any Internet source to the DNAT target. Policy lookup sees the post-DNAT
   destination (warbird and the translated port), so each application must match the translated
   port. junos-ssh is the predefined tcp/22 application; plex, minecraft-30003 and minecraft-32323
   are custom applications not included in the post.
   NOTE(review): for the 32323 -> 30003 forward, confirm minecraft-30003's protocol and port
   match what the server listens on. With junos-ssh permitted from `any`, the host's SSH is
   reachable from the whole Internet via the 2222 forward; restrict source-address if the
   client population is known. */
policy untrust-to-neutral_zone_allow {

match {

source-address any;

destination-address warbird;

application [ junos-ssh plex minecraft-30003 minecraft-32323 ];

}

then {

permit;

}

}

}

/* Intra-zone traffic within the LAN. */
from-zone trust to-zone trust {

policy trust_to_trust {

match {

source-address home_LAN;

destination-address home_LAN;

application any;

}

then {

permit;

}

}

}

}

/* Application-layer gateways: FTP ALG with the FTPS extension enabled. */
alg {

ftp ftps-extension;

}


