I have two web servers (10.9.21.17 and 10.9.21.90) behind my Juniper SRX firewall. I want to make both available to the Internet. I have one public ip address (1.1.1.116)  bound to the interface facing the Internet to be used with the first web server (10.9.21.17) and a second ip address (1.1.1.73) that will be used with the second web server (10.9.21.90)

 

 

First – set up the first server as outlined above

 

Set up the second server as follows:

 

edit security
set zones security-zone trust address-book address WEBSERV2 10.9.21.90/32

edit  nat
set proxy-arp interface ge-0/0/0.0 address 1.1.1.73

edit destination
set pool NATPOOL-WEB2 address 10.9.21.90 port 80
set rule-set RULE-WEB from zone untrust
set rule-set RULE-WEB rule R2 match destination-address 1.1.1.73
set rule-set RULE-WEB rule R2 match destination-port 80
set rule-set RULE-WEB rule R2 then destination-nat pool NATPOOL-WEB2
exit

edit policies from-zone untrust to-zone trust
set policy WEB2-ACCESS match source-address any destination-address WEBSERV2 application junos-http
set policy WEB2-ACCESS then permit
exit
exit

---

 

I want to modify my web site to be accessed from a non-standard port – I want to use port 8080 to access the server from the internet instead of port 80

 

Change the line
set rule-set RULE-WEB rule R2 match destination-port 80

to be

set rule-set RULE-WEB rule R2 match destination-port 8080

 

 

Junos has a built in set of application values (to see them show configuration groups junos-defaults applications ) but if you need some other customized application you need to customized application.

 

Example – I need to run ssh on port 2022 so

 

set applications application SSH-2022 description “SSH port 2022”
set applications application SSH-2022 protocol tcp
set applications application SSH-2022 destination-port 2022

 

Now you can use SSH-2022 for an application

 

---

 

 

Port forward two different ports to the same internal IP address from the same external ip address

 

set security nat destination pool MONITOR_2022 address 10.9.6.25/32
set security nat destination pool MONITOR_2022 address port 2022
set security nat destination pool MONITOR_2443 address 10.9.6.25/32
set security nat destination pool MONITOR_2443 address port 2443
set security nat destination rule-set DNAT-MONITOR from zone CHARTER
set security nat destination rule-set DNAT-MONITOR rule DNAT_MONITOR_2022 match destination-address 1.1.1.18/32
set security nat destination rule-set DNAT-MONITOR rule DNAT_MONITOR_2022 match destination-port 2022
set security nat destination rule-set DNAT-MONITOR rule DNAT_MONITOR_2022 then destination-nat pool MONITOR_2022
set security nat destination rule-set DNAT-MONITOR rule DNAT_MONITOR_2443 match destination-address 1.1.1.18/32
set security nat destination rule-set DNAT-MONITOR rule DNAT_MONITOR_2443 match destination-port 2443
set security nat destination rule-set DNAT-MONITOR rule DNAT_MONITOR_2443 then destination-nat pool MONITOR_443

set security policies from-zone CHARTER to-zone trust policy NAT-MONITOR match source-address any
set security policies from-zone CHARTER to-zone trust policy NAT-MONITOR match destination-address MONITOR
set security policies from-zone CHARTER to-zone trust policy NAT-MONITOR match application any
set security policies from-zone CHARTER to-zone trust policy NAT-MONITOR then permit

 

---

Referneces:

 

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-nat-destination.html

https://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf

https://kb.juniper.net/InfoCenter/index?page=content&id=KB21922&actp=METADATA