Hi,
I am migrating from SSG to SRX: allowing SSH on a non-standard port from the WAN and forwarding it to a machine on the standard port.
WAN:nnnn -> 192.168.3.100:22
Trying to understand why I need to do something that was posted in 2011 at https://forums.juniper.net/t5/SRX-Services-Gateway/SRX-port-forwarding-translation/m-p/100942. Specifically, the untrust-to-trust policy needs to match the junos-ssh application in addition to my custom one that refers to the non-standard port. Isn't the destination pool host definition enough?
Thanks
version 12.1X46-D71;
security {
    nat {
        destination {
            pool DNAT-host-SSH-test {
                address 192.168.3.100/32 port 22;
            }
            rule-set DST-NAT {
                from zone untrust;
                rule Rule1 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                        destination-port nnnn;
                    }
                    then {
                        destination-nat {
                            pool {
                                DNAT-host-SSH-test;
                            }
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone untrust to-zone trust {
            policy UNTRUST-to-TRUST-test {
                match {
                    source-address any;
                    destination-address any;
                    application [ SSH-DNAT junos-ssh ];
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
    }
}
applications {
    application SSH-DNAT {
        protocol tcp;
        source-port 1024-65535;
        destination-port nnnn;
    }
}
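
Added example, not part of the original post: on SRX, destination NAT is applied before the security-policy lookup, so the untrust-to-trust policy is evaluated against the translated address and port (192.168.3.100:22), not WAN:nnnn. The fragment below is a tightened variant of the posted policy under that packet-flow order; the address-book entry name HOST-SSH-test is hypothetical, and the NAT pool, rule-set and nnnn placeholder stay as posted.

```junos
security {
    address-book {
        global {
            /* hypothetical entry name for the DNAT pool host from the post */
            address HOST-SSH-test 192.168.3.100/32;
        }
    }
    policies {
        from-zone untrust to-zone trust {
            policy UNTRUST-to-TRUST-test {
                match {
                    source-address any;
                    /* post-NAT destination, instead of "any" */
                    destination-address HOST-SSH-test;
                    /* post-NAT port is 22; the custom SSH-DNAT application
                       (destination-port nnnn) is never seen by the policy */
                    application junos-ssh;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
    }
}
```

The pool's `port 22` only rewrites the packet; it does not permit it, so the policy still has to name the translated service. Matching on the translated host rather than `destination-address any` keeps the rule from permitting SSH to every other address in the trust zone.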