
Re: Destination NAT/Port NAT - Totally confused and in dire need of help


I have copied the entire configuration here.

I'm not sure how to set up a "flow trace".

I do have other rules that allow remote access to resources on our internal network. The servers in the Amazon VPC are reached through an IPsec tunnel.

 

 

 

/* Junos SRX configuration posted with a destination-NAT question. Annotations marked NOTE(review) are reviewer notes; anything not visible in the configuration itself is hedged. */
## Last changed: 2017-02-19 20:53:14 CST
version 15.1X49-D60.7;
system {
host-name HSRX300;
domain-name stonemountainaccess.local;
/* Address redacted in the post; the static default route further down also uses a .150 next hop, presumably the same upstream gateway. */
backup-router xxx.xxx.xxx.150;
time-zone America/Chicago;
use-imported-time-zones;
/* NOTE(review): the root and srxadmin hashes below are real SHA-256-crypt ($5$) hashes pasted into a public forum; treat both credentials as exposed and rotate them. */
root-authentication {
encrypted-password "$5$MisN.BKn$1Ah8LYfMHrvZ5rvCeLfeCKw8kZ0hdgiZJNL3ZHq7.XC";
}
/* Public resolvers (Google, Comcast) used by the box itself. */
name-server {
8.8.8.8;
8.8.4.4;
75.75.75.75;
75.75.75.76;
}
login {
/* Single local super-user account; no login class restrictions beyond super-user. */
user srxadmin {
uid 2000;
class super-user;
authentication {
encrypted-password "$5$YWGvMpY2$CjPkJ6TeNknFFUCTikaiFF/2x80cDnMDuhXPq2TnOE/";
}
}
}
services {
ssh;
/* NOTE(review): telnet and xnm-clear-text carry credentials in cleartext, and the trust zone below allows host-inbound system-services all, so they are reachable from every LAN interface and from both st0 tunnel interfaces. ssh (and xnm-ssl if NETCONF/JUNOScript is needed) covers the same use; these two can be removed. */
telnet;
xnm-clear-text;
/* DHCP server for the guest VLAN only (irb.20, pool WLAN-GUEST-POOL under access below). */
dhcp-local-server {
group jdhcp-group {
interface irb.20;
}
}
web-management {
/* NOTE(review): plain http on the LAN interfaces; https is enabled on the same two interfaces, so http can be dropped. */
http {
interface [ ge-0/0/1.0 ge-0/0/4.0 ];
}
https {
/* Device-generated (self-signed) certificate: clients cannot verify the box, so this is only as trustworthy as the LAN it is reachable from. */
system-generated-certificate;
interface [ ge-0/0/1.0 ge-0/0/4.0 ];
}
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
/* NOTE(review): only critical/authorization events are kept; nothing records sessions or NAT translations. For troubleshooting the dNAT rules and for detection, policy-level `log { session-init; session-close; }` on the untrust-to-trust policies plus a `security log` stream would be the usual additions. */
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 15;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
/* External NTP, unauthenticated. */
ntp {
server 67.18.187.111 version 4;
server 129.250.35.251 version 4;
server 50.116.52.97 version 4;
}
}
security {
ike {
/* Two near-identical proposal/policy/gateway sets, one per remote VPN endpoint (34.x peers) — presumably the two tunnels of one AWS VPN connection. */
/* NOTE(review): dh-group group2 (1024-bit MODP) and sha1 are below current guidance for both IKE and IPsec; the peer's supported set decides, but group14 and sha-256 are worth trying when the tunnels are next re-keyed. */
proposal ike-prop-vpn-xxxxxxx-1 {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-128-cbc;
lifetime-seconds 28800;
}
proposal ike-prop-vpn-xxxxxxx-2 {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-128-cbc;
lifetime-seconds 28800;
}
/* IKEv1 main mode; pre-shared keys are redacted in the post. */
policy ike-pol-vpn-xxxxxxx-1 {
mode main;
proposals ike-prop-vpn-xxxxxxx-1;
pre-shared-key ascii-text "xxxxxxx";
}
policy ike-pol-vpn-xxxxx-2 {
mode main;
proposals ike-prop-vpn-xxxxxxx-2;
pre-shared-key ascii-text "xxxxxxxx";
}
gateway gw-vpn-xxxxx-1 {
ike-policy ike-pol-vpn-xxxxxxx-1;
address 34.xxx.xxx.119;
dead-peer-detection;
/* NAT-T disabled: ge-0/0/0.0 holds public /29 addresses (see interfaces), so there is presumably no NAT between the SRX and the peer. */
no-nat-traversal;
external-interface ge-0/0/0.0;
}
gateway gw-vpn-xxxxxxx-2 {
ike-policy ike-pol-vpn-xxxxxxx-2;
address 34.xxx.xxx.217;
dead-peer-detection;
no-nat-traversal;
external-interface ge-0/0/0.0;
}
}
ipsec {
proposal ipsec-prop-vpn-xxxxxx-1 {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-128-cbc;
lifetime-seconds 3600;
}
proposal ipsec-prop-vpn-xxxxxx-2 {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-128-cbc;
lifetime-seconds 3600;
}
/* PFS enabled (group2, same weakness as the IKE proposals). */
policy ipsec-pol-vpn-xxxxxx-1 {
perfect-forward-secrecy {
keys group2;
}
proposals ipsec-prop-vpn-xxxxxx-1;
}
policy ipsec-pol-vpn-xxxxxx-2 {
perfect-forward-secrecy {
keys group2;
}
proposals ipsec-prop-vpn-xxxxxx-2;
}
/* Route-based VPNs: each tunnel is bound to an st0 unit that sits in zone trust; the 10.0.0.0/16 static route below steers VPC traffic into them. */
vpn vpn-xxxxxx-1 {
bind-interface st0.1;
df-bit clear;
/* Monitor target is a 169.254.x address; the local st0 units carry 169.254.x/30, so this is presumably the far end of the tunnel's inside /30. */
vpn-monitor {
source-interface st0.1;
destination-ip 169.xxx.xxx.117;
}
ike {
gateway gw-vpn-xxxxxx-1;
ipsec-policy ipsec-pol-vpn-xxxxxx-1;
}
}
vpn vpn-xxxxxx-2 {
bind-interface st0.2;
df-bit clear;
vpn-monitor {
source-interface st0.2;
destination-ip 169.xxx.xxx.65;
}
ike {
gateway gw-vpn-xxxxxx-2;
ipsec-policy ipsec-pol-vpn-xxxxxx-2;
}
}
}
flow {
/* MSS clamp for traffic entering the tunnels; goes with the mtu 1436 on the st0 units. */
tcp-mss {
ipsec-vpn {
mss 1379;
}
}
}
/* Basic IDS screen; applied to the untrust zone below. */
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
/* Interface-based PAT for LAN -> Internet only. There is no source NAT for untrust -> trust, so dNAT'd inbound flows reach the servers with the original Internet source address. */
/* NOTE(review): for the VPC targets (10.0.1.110/.111, reached via st0) that means the VPC must route replies to arbitrary Internet sources back through the VPN; if the VPC route table only sends on-prem prefixes over the tunnel, replies leave via the VPC's own Internet path and the dNAT session never completes. That fits the reported symptom but is inferred — confirm with `security flow traceoptions` (flag basic-datapath, packet-filter on destination-port 3387). A common workaround is a source-NAT rule-set from zone untrust to zone trust for destination 10.0.1.0/24 with `source-nat { interface; }` so the VPC sees a tunnel-side address. */
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
destination {
/* NOTE(review): this is the only pool with a /24; the address-book entry RMI-Server and every other pool are /32. A /24 makes the pool a range rather than a single host, and `address 192.xxx.xxx.130/32 port 3489;` is almost certainly what was intended. */
/* Port 3489 rather than the RDP default 3389 — presumably deliberate; the RMI-RDP policy below uses application any, so it does not pin this. */
pool RMI-Nat-Pool {
address 192.xxx.xxx.130/24 port 3489;
}
pool Security-Cameras-100 {
address 192.xxx.xxx.7/32 port 100;
}
pool Security-Cameras-6036 {
address 192.xxx.xxx.7/32 port 6036;
}
/* VPC hosts behind the tunnels; ports match the BPSQL-RDP / BPApplication-RDP applications used by the policies. */
pool BPSQL {
address 10.0.1.111/32 port 3388;
}
pool BPApplication {
address 10.0.1.110/32 port 3387;
}
/* Rules key on the two public addresses held on ge-0/0/0.0 (.148 and .149) plus a port. Security policies are evaluated on the post-NAT destination (pool address and port). Each rule matches a distinct address/port pair, so rule order does not matter here. */
rule-set rs1 {
from zone untrust;
rule r1 {
match {
destination-address xxx.xxx.xxx.148/32;
destination-port {
3489;
}
}
then {
destination-nat {
pool {
RMI-Nat-Pool;
}
}
}
}
rule r4 {
match {
destination-address xxx.xxx.xxx.148/32;
destination-port {
100;
}
}
then {
destination-nat {
pool {
Security-Cameras-100;
}
}
}
}
rule r5 {
match {
destination-address xxx.xxx.xxx.148/32;
destination-port {
6036;
}
}
then {
destination-nat {
pool {
Security-Cameras-6036;
}
}
}
}
/* Same target as r1, reached via the second public address. */
rule r2 {
match {
destination-address xxx.xxx.xxx.149/32;
destination-port {
3489;
}
}
then {
destination-nat {
pool {
RMI-Nat-Pool;
}
}
}
}
rule r6 {
match {
destination-address xxx.xxx.xxx.148/32;
destination-port {
3387;
}
}
then {
destination-nat {
pool {
BPApplication;
}
}
}
}
rule r7 {
match {
destination-address xxx.xxx.xxx.148/32;
destination-port {
3388;
}
}
then {
destination-nat {
pool {
BPSQL;
}
}
}
}
}
}
}
policies {
/* Intra-zone: guest VLAN is isolated by two deny rules ahead of a blanket permit. The guest irb.20 and both st0 tunnels are in zone trust, so these denies are also what keeps guests away from the VPC hosts. */
/* NOTE(review): VLAN-GUEST in the address book is 192.xxx.xxx.0/24 (redacted) while the guest VLAN irb.20 is 192.168.5.0/24 — confirm they are the same prefix; if not, neither deny ever matches and trust-to-trust permits guest to everything. */
from-zone trust to-zone trust {
policy VLAN-GUEST {
match {
source-address VLAN-GUEST;
destination-address any-ipv4;
application any;
}
then {
deny;
}
}
policy trust-to-VLAN-GUEST {
match {
source-address any;
destination-address VLAN-GUEST;
application any;
}
then {
deny;
}
}
policy trust-to-trust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
/* Outbound: everything permitted, no logging. */
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
/* Inbound: these match the post-dNAT destination. None of them log; see the syslog note above. */
from-zone untrust to-zone trust {
/* NOTE(review): application any. Only tcp/3489 can arrive at RMI-Server from untrust (the private address is reachable solely through the dNAT rules), but pinning a defined application here, as the BP policies do, avoids relying on the NAT rules for least privilege. */
policy RMI-RDP {
match {
source-address any;
destination-address RMI-Server;
application any;
}
then {
permit;
}
}
/* Same pattern as RMI-RDP (application any, bounded only by the two camera dNAT rules). source-identity any is the default and has no effect here — presumably left by the GUI. */
policy Security-Cameras {
match {
source-address any;
destination-address Security-Cameras;
application any;
source-identity any;
}
then {
permit;
}
}
/* VPC hosts: application is pinned to the dNAT pool port (tcp/3387, tcp/3388). */
policy untrust-to-trust1 {
match {
source-address any;
destination-address BPApplication;
application BPApplication-RDP;
}
then {
permit;
}
}
policy untrust-to-trust2 {
match {
source-address any;
destination-address BPSQL;
application BPSQL-RDP;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
address-book {
address RMI-Server 192.xxx.xxx.130/32;
address Security-Cameras 192.xxx.xxx.7/32;
address VLAN-GUEST 192.xxx.xxx.0/24;
address BPApplication 10.0.1.110/32;
address BPSQL 10.0.1.111/32;
}
/* NOTE(review): system-services all exposes every management service above (including telnet, xnm-clear-text and http) to all trust interfaces, which include the guest irb.20 and the st0 tunnels. Restricting this to the services actually used (ssh, https, dhcp, ping) is the usual fix. `bgp` under protocols is redundant with `all`. */
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
bgp;
}
}
/* st0.1/st0.2 here means VPC hosts are treated as trust and reach the LAN through the trust-to-trust permit. */
interfaces {
ge-0/0/1.0;
ge-0/0/2.0;
ge-0/0/3.0;
ge-0/0/4.0;
irb.20;
st0.1;
st0.2;
}
}
security-zone untrust {
screen untrust-screen;
/* Only IKE is accepted from the Internet zone-wide. */
host-inbound-traffic {
system-services {
ike;
}
}
interfaces {
/* NOTE(review): dhcp and tftp host-inbound on the WAN interface look unneeded — the unit carries static /29 addresses below and nothing here uses tftp; confirm and remove if unused. */
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
}
}
}
}
}
}
}
interfaces {
/* WAN: two public addresses on one unit; both are dNAT match targets. */
ge-0/0/0 {
unit 0 {
family inet {
address xxx.xxx.xxx.148/29;
address xxx.xxx.xxx.149/29;
}
}
}
/* LAN ports ge-0/0/1..3: addresses redacted, so whether they share a subnet cannot be told from the post. */
ge-0/0/1 {
unit 0 {
family inet {
address 192.xxx.xxx.xxx/24;
}
}
}
ge-0/0/2 {
unit 0 {
family inet {
address 192.xxx.xxx.xxx/24;
}
}
}
ge-0/0/3 {
unit 0 {
family inet {
address 192.xxx.xxx.xxx/24;
}
}
}
ge-0/0/4 {
unit 0 {
family inet {
address 192.xxx.xxx.2/24;
}
}
}
/* Trunk toward the guest wireless; only the WLAN-GUEST VLAN is carried. */
ge-0/0/5 {
unit 0 {
family ethernet-switching {
interface-mode trunk;
vlan {
members WLAN-GUEST;
}
}
}
}
ge-0/0/6 {
unit 0;
}
ge-0/0/7 {
unit 0;
}
/* Guest VLAN gateway and DHCP server address. */
irb {
unit 20 {
family inet {
address 192.168.5.1/24;
}
}
}
/* Tunnel interfaces: link-local /30 inside addresses, reduced MTU to match the MSS clamp. */
st0 {
unit 1 {
family inet {
mtu 1436;
address 169.254.46.118/30;
}
}
unit 2 {
family inet {
mtu 1436;
address 169.254.44.66/30;
}
}
}
}
routing-options {
static {
/* VPC prefix via both tunnels; whether traffic is balanced or only one next hop is used depends on forwarding-table policy not shown here. */
route 10.0.0.0/16 next-hop [ st0.1 st0.2 ];
route 0.0.0.0/0 next-hop 173.xxx.xxx.150;
}
}
protocols {
l2-learning {
global-mode switching;
}
}
access {
/* DHCP scope for the guest VLAN (irb.20): .10-.80, one-hour leases, public resolvers. */
address-assignment {
pool WLAN-GUEST-POOL {
family inet {
network 192.168.5.0/24;
range junosRange {
low 192.168.5.10;
high 192.168.5.80;
}
dhcp-attributes {
maximum-lease-time 3600;
name-server {
8.8.8.8;
8.8.4.4;
}
router {
192.168.5.1;
}
}
}
}
}
}
/* Custom applications used by the two VPC inbound policies; ports equal the dNAT pool ports. */
applications {
application BPApplication-RDP {
protocol tcp;
destination-port 3387;
}
application BPSQL-RDP {
protocol tcp;
destination-port 3388;
}
}
vlans {
WLAN-GUEST {
vlan-id 20;
l3-interface irb.20;
}
}

