Ivy Consultants Inc.

Consulting Services for Security, Networking, Wi-Fi and Windows Server

There are three main types of Network Address Translation (NAT) that we can configure, depending on the requirement: Source NAT, Destination NAT and Static NAT. We use Destination NAT when we want hosts on the outside to reach a server on our internal network. Because a destination NAT rule matches on the destination port (and can optionally translate it), one public IP address can front several internal services; this is why it is often called Destination PAT (Port Address Translation) or port forwarding. Here is the example setup:

In this scenario we have two zones, the Untrust zone and the Trust zone. Our requirement is to reach the Mail Server in the trust zone (the internal network) from the Internet. The public address on the untrust side is 2.2.2.2/30 and the Mail Server is 192.168.101.2. For packets arriving at 2.2.2.2 on port 25 or port 110, the firewall will translate the destination IP address from 2.2.2.2 to 192.168.101.2 and forward them to the internal network; the port numbers themselves are left unchanged.

Configure Destination NAT in Juniper SRX

Let's start configuring the SRX device. We must be in configuration mode to do this. First we configure a pool for the Mail Server under the edit security nat destination hierarchy, then a rule-set bound to the untrust zone, and then a rule for the POP3 (110) service.

[edit security nat destination]
root@srx# set pool MailServer address 192.168.101.2

[edit security nat destination]
root@srx# edit rule-set NatRule

[edit security nat destination rule-set NatRule]
root@srx# set from zone untrust

[edit security nat destination rule-set NatRule]
root@srx# edit rule Rule1POP

[edit security nat destination rule-set NatRule rule Rule1POP]
root@srx# set match destination-address 2.2.2.2

[edit security nat destination rule-set NatRule rule Rule1POP]
root@srx# set match destination-port 110

[edit security nat destination rule-set NatRule rule Rule1POP]
root@srx# set then destination-nat pool MailServer

We can view our configuration by typing the show command in the current hierarchy.

[edit security nat destination rule-set NatRule rule Rule1POP]
root@srx# show
match {
    destination-address 2.2.2.2/32;
    destination-port 110;
}
then {
    destination-nat pool MailServer;
}

Now create a rule for the SMTP (25) service in the same rule-set but with a different rule name (Rule2SMTP). The same set match and set then commands are used, with destination-port 25 instead of 110. The finished rule looks like this:

[edit security nat destination rule-set NatRule rule Rule2SMTP]
root@srx# show
match {
    destination-address 2.2.2.2/32;
    destination-port 25;
}
then {
    destination-nat pool MailServer;
}

Configuring Security Policy

We have successfully created the NAT rules, so now we configure the security policy. The policy will allow any host from outside to reach the inside with the SMTP and POP3 services. Note that on the SRX, destination NAT is applied before the policy lookup, so the policy must match the translated (internal) address 192.168.101.2, not the public address 2.2.2.2.

First, configure an address-book entry in the trust zone for the Mail Server.

[edit security zones security-zone trust]
root@srx# show
address-book {
address MailServer 192.168.101.2;
}

root@srx# edit security policies from-zone untrust to-zone trust

[edit security policies from-zone untrust to-zone trust]
root@srx# edit policy MailPolicy [Creates a policy named MailPolicy]

[edit security policies from-zone untrust to-zone trust policy MailPolicy]
root@srx# set match source-address any [Allows any client on the Internet to reach the Mail Server]

[edit security policies from-zone untrust to-zone trust policy MailPolicy]
root@srx# set match destination-address MailServer [Matches the address-book entry MailServer, i.e. 192.168.101.2]

[edit security policies from-zone untrust to-zone trust policy MailPolicy]
root@srx# set match application junos-pop3 [Matches the POP3 protocol, TCP port 110]

[edit security policies from-zone untrust to-zone trust policy MailPolicy]
root@srx# set match application junos-smtp [Matches the SMTP protocol, TCP port 25]

[edit security policies from-zone untrust to-zone trust policy MailPolicy]
root@srx# set then permit

[edit security policies from-zone untrust to-zone trust policy MailPolicy]
root@srx# show
match {
    source-address any;
    destination-address MailServer;
    application [ junos-pop3 junos-smtp ];
}
then {
    permit;
}

After the configuration is committed (commit), clients on the untrust side should be able to reach the mail server at 2.2.2.2 on ports 25 and 110.
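The whole walk-through collected in set form, followed by the operational-mode commands used to verify it. This is an added example written for this page, not configuration taken from the original post; the interface name ge-0/0/0.0 in the proxy-arp line and the added session logging are assumptions, and the lines beginning with # are annotations rather than configuration.

```junos
# Destination NAT: pool (the real server) and the rule-set bound to the untrust zone
set security nat destination pool MailServer address 192.168.101.2/32
set security nat destination rule-set NatRule from zone untrust
set security nat destination rule-set NatRule rule Rule1POP match destination-address 2.2.2.2/32
set security nat destination rule-set NatRule rule Rule1POP match destination-port 110
set security nat destination rule-set NatRule rule Rule1POP then destination-nat pool MailServer
set security nat destination rule-set NatRule rule Rule2SMTP match destination-address 2.2.2.2/32
set security nat destination rule-set NatRule rule Rule2SMTP match destination-port 25
set security nat destination rule-set NatRule rule Rule2SMTP then destination-nat pool MailServer

# Only needed if 2.2.2.2 is NOT the address configured on the untrust interface;
# ge-0/0/0.0 is an assumed interface name. If 2.2.2.2 is the interface address,
# the SRX already answers ARP for it and this line is not required.
# set security nat proxy-arp interface ge-0/0/0.0 address 2.2.2.2/32

# Address-book entry for the post-NAT (internal) address
set security zones security-zone trust address-book address MailServer 192.168.101.2/32

# Security policy: destination NAT runs before the policy lookup,
# so the policy matches MailServer (192.168.101.2), never 2.2.2.2
set security policies from-zone untrust to-zone trust policy MailPolicy match source-address any
set security policies from-zone untrust to-zone trust policy MailPolicy match destination-address MailServer
set security policies from-zone untrust to-zone trust policy MailPolicy match application junos-pop3
set security policies from-zone untrust to-zone trust policy MailPolicy match application junos-smtp
set security policies from-zone untrust to-zone trust policy MailPolicy then permit
# Assumed addition: log session setup so inbound mail connections appear in the syslog
set security policies from-zone untrust to-zone trust policy MailPolicy then log session-init

# Validate syntax and references before committing, then commit
commit check
commit comment "Publish SMTP/POP3 on 2.2.2.2 via destination NAT"

# Verification from configuration mode (run prefixes an operational command)
# Translation hit counters per rule: should increase after a test connection
run show security nat destination rule all
run show security nat destination pool all
# Confirm the policy is installed and its hit counter increments
run show security policies policy-name MailPolicy detail
# Live sessions show the destination rewritten from 2.2.2.2 to 192.168.101.2
run show security flow session destination-port 25
run show security flow session destination-port 110
```

If a test connection from the untrust side increments the NAT rule hit counter but no session appears, the packet was translated and then dropped by policy, which almost always means the policy references 2.2.2.2 instead of the internal address. Also bear in mind that the policy permits any source: POP3 on port 110 and SMTP on port 25 carry credentials and mail in the clear unless STARTTLS is negotiated, so if the client population is known, replacing source-address any with an address-set limits who can attempt logins against the server.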