Question : Netscreen-25 Port Translation

The el cheapo broadband router we're currently using has the ability to forward an external port number to a different internal port number.  For example, inbound connections to port 4444 can be mapped onto internal port 5555.

Example:  Traffic to 49.131.26.31 port 4444 gets forwarded to 192.168.1.16 port 5555  

I know how to create custom services, but as far as I can tell, the external and internal port numbers must be the same.

Is there a way to map external port A to internal port B?  It would be ironic that a $50 router could do something an NS-25 could not.

Answer : Netscreen-25 Port Translation

Found the solution.  When the external port does not match the internal port, 2 different services have to be used.  If neither service is pre-defined, then 2 "custom services" have to be defined-- one referencing the external port, and one referencing the internal port.  As an example, consider the following.  Port 9100 is a standard listening port for printing.

External port:  9105
Internal port:  9100  

Create 2 custom services.
1)  External_Printer_Access_9105.  Set it for destination port 9105.
2)  Internal_Printer_Access_9100.  Set it for destination port 9100.

In your policies, Untrust to Trust, permit inbound connections to service "External_Printer_Access_9105" on the VIP interface.  This allows connections to enter via port 9105.

On your untrust interface, create a VIP on port 9105 and map to service "Internal_Printer_Access_9100".  This maps port 9105 onto internal port 9100.

This was a bit of a head scratcher, but we've been successfully using for more than a week and it works great.

Thanks to all who tried.