Hi,
I had a static NAT working, where public IP 1.1.1.102 was mapped to internal IP 2.2.2.126; our access from the internet (untrust zone) was working for port 8080.
So I had to create a destination NAT using this IP (1.1.1.102) for another internal IP (2.2.2.40), so I deleted the static NAT and created two destination NATs using public IP 1.1.1.102:
1.1.1.102 port 25 to IP : 2.2.2.40 port 25
1.1.1.102 port 8080 to IP: 2.2.2.126 port 8080
Only the NAT 1.1.1.102 port 8080 to IP 2.2.2.126 port 8080 is working. The destination NAT (1.1.1.102 port 25 to IP 2.2.2.40 port 25) is not working.
When I create the following traceoptions to trace the error, nothing appears when I try to access IP 1.1.1.102 on port 25; only traffic to IP 1.1.1.102 on port 80 appears.
edit security flow traceoptions
set file TSHOOT
set flag basic-datapath
set packet-filter IN-TO-OUT source-prefix 4.4.4.4/32 destination-prefix 1.1.1.102/32
Detail: I had another NAT for port 25 to internal IP 2.2.2.4, using the IP of my interface (1.1.1.98), and it is working.
set version 11.2R4.3
set interfaces fe-0/0/0 unit 0 family inet address 2.2.2.254/24
set interfaces fe-0/0/1 fastether-options ingress-rate-limit 100
set interfaces fe-0/0/1 unit 0 family inet
set interfaces fe-0/0/2 unit 0 description "WAN Interface"
set interfaces fe-0/0/2 unit 0 family inet address 1.1.1.98/29
set interfaces fe-0/0/2 unit 0 family inet address 1.1.1.102/29
set security nat proxy-arp interface fe-0/0/2.0 address 1.1.1.99/32
set security nat proxy-arp interface fe-0/0/2.0 address 1.1.1.100/32
set security nat proxy-arp interface fe-0/0/2.0 address 1.1.1.101/32
set interfaces st0 unit 0 family inet
set interfaces st0 unit 1 family inet
set interfaces st0 unit 2 family inet
set interfaces st1 unit 0
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.97
set security log mode event
set security screen ids-option untrust-screen icmp ip-sweep threshold 30000
set security screen ids-option untrust-screen icmp fragment
set security screen ids-option untrust-screen icmp large
set security screen ids-option untrust-screen icmp flood
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip bad-option
set security screen ids-option untrust-screen ip record-route-option
set security screen ids-option untrust-screen ip timestamp-option
set security screen ids-option untrust-screen ip security-option
set security screen ids-option untrust-screen ip stream-option
set security screen ids-option untrust-screen ip spoofing
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip loose-source-route-option
set security screen ids-option untrust-screen ip strict-source-route-option
set security screen ids-option untrust-screen ip unknown-protocol
set security screen ids-option untrust-screen ip block-frag
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-fin
set security screen ids-option untrust-screen tcp fin-no-ack
set security screen ids-option untrust-screen tcp tcp-no-flag
set security screen ids-option untrust-screen tcp syn-frag
set security screen ids-option untrust-screen tcp port-scan
set security screen ids-option untrust-screen tcp syn-ack-ack-proxy
set security screen ids-option untrust-screen tcp land
set security screen ids-option untrust-screen tcp winnuke
set security screen ids-option untrust-screen udp flood
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone untrust policy from-inside match source-address mail1
set security policies from-zone trust to-zone untrust policy from-inside match source-address mail2
set security policies from-zone trust to-zone untrust policy from-inside match source-address server-totvs
set security policies from-zone trust to-zone untrust policy from-inside match destination-address any
set security policies from-zone trust to-zone untrust policy from-inside match application any
set security policies from-zone trust to-zone untrust policy from-inside then permit
set security nat destination pool server-totvs address 2.2.2.126/32
set security nat destination pool mail1 address 2.2.2.4/32
set security nat destination pool mail2 address 2.2.2.40/32
set security nat destination rule-set public-services from zone untrust
set security nat destination rule-set public-services rule smtp match destination-address 1.1.1.98/32
set security nat destination rule-set public-services rule smtp match destination-port 25
set security nat destination rule-set public-services rule smtp then destination-nat pool mail1
set security nat destination rule-set public-services rule totvs-8080 match destination-address 1.1.1.102/32
set security nat destination rule-set public-services rule totvs-8080 match destination-port 8080
set security nat destination rule-set public-services rule totvs-8080 then destination-nat pool server-totvs
set security nat destination rule-set public-services rule smtp2 match destination-address 1.1.1.102/32
set security nat destination rule-set public-services rule smtp2 match destination-port 25
set security nat destination rule-set public-services rule smtp2 then destination-nat pool mail2
set security policies from-zone untrust to-zone trust policy mail match source-address any
set security policies from-zone untrust to-zone trust policy mail match destination-address Server-mail1
set security policies from-zone untrust to-zone trust policy mail match destination-address Server-mail2
set security policies from-zone untrust to-zone trust policy mail match application junos-mail
set security policies from-zone untrust to-zone trust policy mail match application junos-smtp
set security policies from-zone untrust to-zone trust policy mail then permit
set security policies from-zone untrust to-zone trust policy mail then log session-init
set security policies from-zone untrust to-zone trust policy mail then log session-close
set security policies from-zone untrust to-zone trust policy TOTVS match source-address any
set security policies from-zone untrust to-zone trust policy TOTVS match destination-address server-totvs
set security policies from-zone untrust to-zone trust policy TOTVS match application port8080
set security policies from-zone untrust to-zone trust policy TOTVS then permit
set security policies from-zone untrust to-zone trust policy Deny-All match source-address any
set security policies from-zone untrust to-zone trust policy Deny-All match destination-address any
set security policies from-zone untrust to-zone trust policy Deny-All match application any
set security policies from-zone untrust to-zone trust policy Deny-All then deny
set security policies from-zone untrust to-zone trust policy Deny-All then log session-close
set applications application port8080 protocol tcp
set applications application port8080 destination-port 8180
set security zones security-zone trust tcp-rst
set security zones security-zone trust address-book address mail1 1.1.1.4/32
set security zones security-zone trust address-book address mail2 1.1.1.40/32
set security zones security-zone trust address-book address server-totvs 1.1.1.126/32
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces fe-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone trust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces fe-0/0/0.0 host-inbound-traffic system-services telnet
set security zones security-zone trust interfaces fe-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces fe-0/0/0.0 host-inbound-traffic system-services ftp
set firewall family inet filter conf-services term icmp-allow from protocol icmp
set firewall family inet filter conf-services term icmp-allow from icmp-type-except redirect
set firewall family inet filter conf-services term icmp-allow then accept
set firewall family inet filter conf-services term match-denied then discard
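As an added example (not from the original post), a small Python checker that parses an excerpt of the posted destination NAT and policy lines (embedded below as constructed sample data), answers which rule a given destination address and port would hit under the rule-set's top-to-bottom first-match evaluation, and lists address-book names that a policy references but the zone's address book never defines. The function and regex names are mine, not Junos terms.

```python
import ipaddress
import re

# Constructed sample: excerpt of the posted "set" config (destination NAT pools and
# rules, plus the address-book names the untrust->trust policy references).
CONFIG = """\
set security nat destination pool mail1 address 2.2.2.4/32
set security nat destination pool mail2 address 2.2.2.40/32
set security nat destination rule-set public-services rule smtp match destination-address 1.1.1.98/32
set security nat destination rule-set public-services rule smtp match destination-port 25
set security nat destination rule-set public-services rule smtp then destination-nat pool mail1
set security nat destination rule-set public-services rule smtp2 match destination-address 1.1.1.102/32
set security nat destination rule-set public-services rule smtp2 match destination-port 25
set security nat destination rule-set public-services rule smtp2 then destination-nat pool mail2
set security policies from-zone untrust to-zone trust policy mail match destination-address Server-mail1
set security policies from-zone untrust to-zone trust policy mail match destination-address Server-mail2
set security zones security-zone trust address-book address mail1 1.1.1.4/32
set security zones security-zone trust address-book address mail2 1.1.1.40/32
"""

# One regex for the three kinds of "rule <name> ..." lines inside a destination rule-set.
RULE = re.compile(r"rule-set \S+ rule (\S+) (?:match destination-address (\S+)"
                  r"|match destination-port (\d+)|then destination-nat pool (\S+))")

def parse(text):
    """Collect pools, rules (in config order), policy address references and address book."""
    pools, rules, policy_refs, book = {}, {}, set(), {}
    for line in text.splitlines():
        if m := re.search(r"destination pool (\S+) address (\S+)", line):
            pools[m[1]] = m[2]
        elif m := RULE.search(line):
            r = rules.setdefault(m[1], {"prefix": None, "port": None, "pool": None})
            if m[2]: r["prefix"] = ipaddress.ip_network(m[2])
            if m[3]: r["port"] = int(m[3])
            if m[4]: r["pool"] = m[4]
        elif m := re.search(r"policy \S+ match destination-address (\S+)", line):
            policy_refs.add(m[1])
        elif m := re.search(r"address-book address (\S+) (\S+)", line):
            book[m[1]] = m[2]
    return pools, rules, policy_refs, book

def dnat_lookup(dst_ip, dst_port, rules, pools):
    """First matching rule wins, in config order (dict preserves insertion order)."""
    for name, r in rules.items():
        if ipaddress.ip_address(dst_ip) in r["prefix"] and r["port"] in (None, dst_port):
            return name, pools[r["pool"]]
    return None, None

def undefined_policy_refs(policy_refs, book):
    """Names used by a policy but missing from the address book (Junos names are case-sensitive)."""
    return sorted(policy_refs - set(book))
```

Running `dnat_lookup("1.1.1.102", 25, ...)` on the excerpt returns the `smtp2` rule and pool address `2.2.2.40/32`, while `undefined_policy_refs` reports `Server-mail1` and `Server-mail2` as referenced but undefined in the trust address book.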