Juniper: port forwarding

Recently I had to configure Port Address Translation on Juniper SSG5 firewall for one of our small business customers.

I spent quite some time trying to understand why policies with my custom services didn’t work. It turns out that ScreenOS doesn’t make it simple if you want to use the same address that is assigned to the outside interface. You need to use a so-called VIP (see Example 3 in the following article).

If you use GUI:

  1. Create custom services.
  2. Edit outside interface, go to VIP, create VIP with interface IP and add services.
  3. Go to policies and create new policies using VIP as destination address.

Furthermore, you are not going to be able to create translations for ports that are used for management (e.g. 80 or 22). You’ll get a “Service not supported for this VIP” error message when trying to assign such a service to the VIP.

To resolve this, you’ll need to change ports used for management under Admin -> Management.
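The same three GUI steps, plus the management-port change, as ScreenOS CLI commands. This is an added example, not configuration from the original post; the interface (ethernet0/0 in the Untrust zone), the forwarded port (8080), the service name and the internal host 192.168.1.10 are all assumed values, and the command syntax is given as recalled from the ScreenOS CLI, so check it against your firmware’s command reference.

```text
# 0. Move web management off a port you intend to forward (Admin -> Management in the GUI).
#    Do this first, otherwise the VIP step below fails with "Service not supported for this VIP".
set admin port 8443

# 1. Custom service: TCP, any source port, destination port 8080 (assumed values).
set service "TCP-8080" protocol tcp src-port 0-65535 dst-port 8080-8080

# 2. VIP on the outside interface using the interface's own IP:
#    external port 8080 -> internal host 192.168.1.10, service TCP-8080 (assumed host).
set interface ethernet0/0 vip interface-ip 8080 "TCP-8080" 192.168.1.10

# 3. Policy from Untrust to Trust with the VIP object as the destination address.
#    Logging is enabled so forwarded connections show up in the traffic log.
set policy from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "TCP-8080" permit log

save
```

After saving, `get interface ethernet0/0 vip` and `get policy` show the VIP mapping and the policy that references it.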