I am struggling to get port forwarding working on a Juniper MX:
[show interfaces ge-1/0/0 unit 13]
description "CCTV and Entry Management";
vlan-id 13;
family inet {
    filter {
        output cctv-and-access-control;
    }
    service {
        input {
            service-set nat-lan;
        }
        output {
            service-set nat-lan-portforward service-filter nat-lan-filter;
            service-set nat-lan;
        }
    }
    address 172.16.20.1/24 {
        primary;
    }
    address 172.16.21.1/24;
}
[show services service-set nat-lan-portforward]
nat-rules sk7-port-forwarding;
interface-service {
    service-interface ms-0/2/0;
}
[show services nat]
pool prospects {
    address-range low 91.196.137.4 high 91.196.137.6;
    port {
        automatic;
    }
}
pool sk7 {
    address 91.196.137.254/32;
    port {
        automatic;
    }
}
pool infrastructure {
    address 91.196.137.253/32;
    port {
        automatic;
    }
}
pool sk7-portforwarded {
    address 91.196.137.252/32;
}
rule default {
    match-direction input;
    term no-nat {
        from {
            destination-address {
                10.0.0.0/8;
                172.16.0.0/12;
                192.168.0.0/16;
            }
        }
        then {
            no-translation;
        }
    }
    term prospects {
        from {
            source-address {
                10.20.100.0/22;
            }
        }
        then {
            translated {
                source-pool prospects;
                translation-type {
                    napt-44;
                }
            }
        }
    }
    term infrastructure {
        from {
            source-address {
                10.10.10.0/24;
                10.10.12.0/24;
                10.10.16.0/21;
            }
        }
        then {
            translated {
                source-pool infrastructure;
                translation-type {
                    napt-44;
                }
            }
        }
    }
    term sk7 {
        from {
            source-address {
                172.16.25.8/29;
            }
        }
        then {
            translated {
                source-pool sk7;
                translation-type {
                    napt-44;
                }
            }
        }
    }
}
rule sk7-port-forwarding {
    match-direction output;
    term default {
        from {
            destination-address {
                91.196.137.252/32;
            }
            destination-port {
                range low 7000 high 7000;
            }
        }
        then {
            translated {
                destination-prefix 172.16.21.3/32;
                translation-type {
                    dnat-44;
                }
            }
        }
    }
}
[show firewall]
family inet {
    service-filter nat-lan-filter {
        term skip-translation {
            from {
                source-address {
                    10.0.0.0/8;
                    172.16.0.0/12;
                    192.168.0.0/16;
                }
            }
            then skip;
        }
        term default {
            then service;
        }
    }
}
pnat does work, so the hosts have access to the Internet, but port forwarding of tcp/7000 doesn't:
[from MX itself]
emz@perm-mx5# run telnet 172.16.21.3 port 7000
Trying 172.16.21.3...
Connected to 172.16.21.3.
Escape character is '^]'.
^]
telnet> Connection closed.
[edit]
[from a host in WAN]
$ telnet 91.196.137.252 7000
Trying 91.196.137.252...
telnet: Unable to connect to remote host: Connection timed out
This device is running the following JunOS version:
run show system software
Information for jbase:
Comment:
JUNOS Base OS Software Suite [21.2R3-S5.4]
Information for jcrypto:
Comment:
JUNOS Crypto Software Suite [21.2R3-S5.4]
Information for jcrypto-dp-support:
Comment:
JUNOS DP Crypto Software Software Suite [21.2R3-S5.4]
Information for jdocs:
Comment:
JUNOS Online Documentation [21.2R3-S5.4]
Information for jkernel:
Comment:
JUNOS Kernel Software Suite [21.2R3-S5.4]
Information for jmacsec:
Comment:
JUNOS Macsec Software Suite [21.2R3-S5.4]
Information for jpfe:
Comment:
JUNOS Packet Forwarding Engine Support (MX80) [21.2R3-S5.4]
Information for jroute:
Comment:
JUNOS Routing Software Suite [21.2R3-S5.4]
Information for jsd:
Comment:
JUNOS jsd [powerpc-21.2R3-S5.4-jet-1]
Information for jsdn-powerpc:
Comment:
JUNOS SDN Software Suite [21.2R3-S5.4]
Information for jservices-alg:
Comment:
JUNOS Services Application Level Gateways [21.2R3-S5.4]
Information for jservices-cos:
Comment:
JUNOS Services COS [21.2R3-S5.4]
Information for jservices-cpcd:
Comment:
JUNOS Services Captive Portal and Content Delivery Container package [21.2R3-S5.4]
Information for jservices-crypto-base:
Comment:
JUNOS Services Crypto [21.2R3-S5.4]
Information for jservices-ipsec:
Comment:
JUNOS Services IPSec [21.2R3-S5.4]
Information for jservices-jflow:
Comment:
JUNOS Services Jflow Container package [21.2R3-S5.4]
Information for jservices-nat:
Comment:
JUNOS Services NAT [21.2R3-S5.4]
Information for jservices-rpm:
Comment:
JUNOS Services RPM [21.2R3-S5.4]
Information for jservices-rtcom:
Comment:
JUNOS Services RTCOM [21.2R3-S5.4]
Information for jservices-sfw:
Comment:
JUNOS Services Stateful Firewall [21.2R3-S5.4]
Information for jservices-softwire:
Comment:
JUNOS Services SOFTWIRE [21.2R3-S5.4]
Information for jservices-ssl:
Comment:
JUNOS Services SSL [21.2R3-S5.4]
Information for jservices-tcp-log:
Comment:
JUNOS Services TCP-LOG [21.2R3-S5.4]
Information for junos:
Comment:
JUNOS Base OS boot [21.2R3-S5.4]
Information for py-base-powerpc:
Comment:
JUNOS py-base-powerpc [21.2R3-S5.4]
Information for py-extensions-powerpc:
Comment:
JUNOS py-extensions-powerpc [21.2R3-S5.4]