How-To: Destination NAT in JunOS

You are asked to publish a local website on an external network such as the Internet, and you have to do it in a secure manner using the SRX firewall at your office.

The procedure is pretty straightforward.

  1. Find the local host’s zone (Local IP): show route and show interface
  2. Find out to which External (Global) IP address you should apply the D-NAT
  3. Find the external access zone (Global IP): show route and show interface
  4. OPTIONAL: Create “security address-book global” entries for the source/destination addresses
  5. If you are Port-Forwarding: Create an “application” for the local host’s protocol/port
  6. Define a “security policy” from the EXTERNAL zone to the LOCAL zone, matching the source (external hosts), destination (local hosts) and application (local hosts’ protocol/port) parameters, and then set the action to permit
  7. Create a “NAT Destination Pool” for the Local IP and, if Port Forwarding, add the service’s port
  8. Define a “security nat destination rule-set rule” matching the source (external hosts), destination (local hosts) and destination-port (local hosts’ port) parameters, and then set the “destination-nat pool” to the pool created in the previous step

Below you will find a sample snippet of the configuration:
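The following set-style configuration is an added example walking through steps 4 to 8 above; it is not the original post’s snippet. All names and addresses are constructed: the web server is 10.1.1.10 in zone trust, the public address 203.0.113.10 is a spare address in the subnet of ge-0/0/0.0 (interface IP 203.0.113.1/24) in zone untrust, and external port 8443 is forwarded to local TCP/443.

```junos
## Assumed values (constructed for this example, not from the post):
##   local web server 10.1.1.10/32, zone trust
##   public address 203.0.113.10/32, zone untrust, not the interface's own IP
##   external TCP/8443 forwarded to local TCP/443

## Step 4 (optional): address-book entries used by the policy and NAT rule
set security address-book global address WEB-SRV-LOCAL 10.1.1.10/32
set security address-book global address WEB-SRV-PUBLIC 203.0.113.10/32

## Step 5: custom application for the local service port (the post-NAT port)
set applications application WEB-HTTPS protocol tcp destination-port 443

## Step 6: policy untrust -> trust. Destination NAT is evaluated before the
## policy lookup, so the policy matches the LOCAL address and LOCAL port.
## Narrow source-address to known external hosts where the use case allows it.
set security policies from-zone untrust to-zone trust policy ALLOW-WEB-DNAT match source-address any
set security policies from-zone untrust to-zone trust policy ALLOW-WEB-DNAT match destination-address WEB-SRV-LOCAL
set security policies from-zone untrust to-zone trust policy ALLOW-WEB-DNAT match application WEB-HTTPS
set security policies from-zone untrust to-zone trust policy ALLOW-WEB-DNAT then permit
set security policies from-zone untrust to-zone trust policy ALLOW-WEB-DNAT then log session-init session-close

## Step 7: destination pool = local IP plus the service port (port forwarding)
set security nat destination pool WEB-DNAT-POOL address 10.1.1.10/32 port 443

## Step 8: rule-set for traffic entering from untrust; match the PUBLIC address
## and EXTERNAL port, then translate to the pool
set security nat destination rule-set DNAT-FROM-UNTRUST from zone untrust
set security nat destination rule-set DNAT-FROM-UNTRUST rule WEB-8443 match source-address 0.0.0.0/0
set security nat destination rule-set DNAT-FROM-UNTRUST rule WEB-8443 match destination-address 203.0.113.10/32
set security nat destination rule-set DNAT-FROM-UNTRUST rule WEB-8443 match destination-port 8443
set security nat destination rule-set DNAT-FROM-UNTRUST rule WEB-8443 then destination-nat pool WEB-DNAT-POOL

## Because 203.0.113.10 is not configured on ge-0/0/0.0, the SRX must answer
## ARP for it or upstream traffic never reaches the NAT rule
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.10/32

## Verification (operational mode, after commit)
## show security nat destination rule all
## show security flow session destination-port 443
```

A common mistake is writing the policy against the public address or port 8443; because the NAT rule rewrites the destination first, such a policy never matches and the session is dropped.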
