You are asked to publish a local website on an external network such as the Internet, and you have to do it in a secure manner using the SRX firewall at your office.
The procedure is fairly straightforward.
- Find out the local host’s zone (Local IP) with “show route” and “show interface”
- Find out to which External (Global) IP address you should apply the destination NAT (D-NAT)
- Find out the external access zone (Global IP) with “show route” and “show interface”
- OPTIONAL: Create “security address-book global” entries for the source and destination addresses
- If you are port-forwarding: create an “application” for the local host’s protocol/port
- Define a “security policy” from the EXTERNAL zone to the LOCAL zone, matching the source (external hosts), destination (local hosts) and application (the local hosts’ protocol/port) parameters, and set the action to permit. The SRX evaluates destination NAT before the policy lookup, so the policy must match the local (post-NAT) address of the web server, not the global IP; restricting the source to the known external hosts and the application to the published port keeps the exposure to the minimum needed.
- Create a “security nat destination pool” for the Local IP and, if port-forwarding, add the service’s port
- Define a “security nat destination rule-set rule” matching the source (external hosts), destination (the External/Global IP on which the local host is published) and destination-port (the service’s port) parameters, and set “destination-nat pool” to the pool created in the previous step
Below you will find a sample snippet of the configuration:
moghaddas@srx# show configuration | compare rollback 3
[edit security address-book global]
+   address EXTERNAL1 1.1.1.1/32;
+   address EXTERNAL2 2.2.2.2/32;
+   address LOCAL-WEB 192.168.3.3/32;
[edit security address-book global]
+   address-set EXTERNALs {
+       address EXTERNAL1;
+       address EXTERNAL2;
+   }
[edit security nat destination]
+   pool LOCAL-WEB {
+       address 192.168.3.3/32 port 80;
+   }
[edit security nat destination rule-set EXTERNAL_TO_LOCAL-DNAT]
+   rule EXTERNALs_TO_LOCAL-WEB {
+       description "YOU CAN WRITE SOME INFO HERE AS DESCRIPTION";
+       match {
+           source-address-name EXTERNALs;
+           destination-address 3.3.3.3/32;
+           destination-port 80;
+       }
+       then {
+           destination-nat pool LOCAL-WEB;
+       }
+   }
[edit security policies from-zone EXTERNAL to-zone LOCAL]
+   /* YOU CAN ANNOTATE SOME INFO HERE */
+   policy EXTERNALs_TO_LOCAL-WEB {
+       match {
+           source-address EXTERNALs;
+           destination-address LOCAL-WEB;
+           application LOCAL-WEB-app;
+       }
+       then {
+           permit;
+       }
+   }
[edit applications]
+   application LOCAL-WEB-app {
+       protocol tcp;
+       destination-port 80;
+   }
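As an added example that is not part of the original post, here is the same change as pasteable set commands, followed by the checks to run before and after the commit. The rule-set’s “from zone EXTERNAL” line is an assumption (the compare output above does not show it, but a new rule-set needs a from clause), as are the test source 1.1.1.1 and the source port 40000 used in the policy dry-run.

```junos
# Same change as set commands. The "from zone EXTERNAL" line is assumed:
# the compare output does not show it, but a new rule-set requires one.
set security address-book global address EXTERNAL1 1.1.1.1/32
set security address-book global address EXTERNAL2 2.2.2.2/32
set security address-book global address LOCAL-WEB 192.168.3.3/32
set security address-book global address-set EXTERNALs address EXTERNAL1
set security address-book global address-set EXTERNALs address EXTERNAL2
set applications application LOCAL-WEB-app protocol tcp
set applications application LOCAL-WEB-app destination-port 80
set security nat destination pool LOCAL-WEB address 192.168.3.3/32 port 80
set security nat destination rule-set EXTERNAL_TO_LOCAL-DNAT from zone EXTERNAL
set security nat destination rule-set EXTERNAL_TO_LOCAL-DNAT rule EXTERNALs_TO_LOCAL-WEB match source-address-name EXTERNALs
set security nat destination rule-set EXTERNAL_TO_LOCAL-DNAT rule EXTERNALs_TO_LOCAL-WEB match destination-address 3.3.3.3/32
set security nat destination rule-set EXTERNAL_TO_LOCAL-DNAT rule EXTERNALs_TO_LOCAL-WEB match destination-port 80
set security nat destination rule-set EXTERNAL_TO_LOCAL-DNAT rule EXTERNALs_TO_LOCAL-WEB then destination-nat pool LOCAL-WEB
set security policies from-zone EXTERNAL to-zone LOCAL policy EXTERNALs_TO_LOCAL-WEB match source-address EXTERNALs
set security policies from-zone EXTERNAL to-zone LOCAL policy EXTERNALs_TO_LOCAL-WEB match destination-address LOCAL-WEB
set security policies from-zone EXTERNAL to-zone LOCAL policy EXTERNALs_TO_LOCAL-WEB match application LOCAL-WEB-app
set security policies from-zone EXTERNAL to-zone LOCAL policy EXTERNALs_TO_LOCAL-WEB then permit

# Validate the candidate configuration, then activate it with a commit-log comment
commit check
commit comment "publish LOCAL-WEB: 3.3.3.3:80 -> 192.168.3.3:80, sources EXTERNALs only"

# Confirm the NAT pool, NAT rule and policy exist as intended
run show security nat destination pool LOCAL-WEB
run show security nat destination rule EXTERNALs_TO_LOCAL-WEB
run show security policies from-zone EXTERNAL to-zone LOCAL policy-name EXTERNALs_TO_LOCAL-WEB

# Dry-run the policy lookup with the post-NAT destination: destination NAT runs
# before the policy lookup, so the private address is what the policy must match
# (assumed test source 1.1.1.1 and source port 40000)
run show security match-policies from-zone EXTERNAL to-zone LOCAL source-ip 1.1.1.1 destination-ip 192.168.3.3 source-port 40000 destination-port 80 protocol tcp

# After a test connection from an EXTERNALs host, the translated session should appear
run show security flow session destination-prefix 192.168.3.3 destination-port 80
```

If the match-policies dry-run reports the default deny instead of EXTERNALs_TO_LOCAL-WEB, the policy is matching the wrong address object or zone pair; fix that before testing from outside.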