RSH ALG

28-Nov-23

The Remote Shell (RSH) protocol provides a conduit for executing commands on a remote host. Unlike Telnet or SSH, which create an interactive terminal session on the remote system, RSH sends only the command and the authentication data. The protocol uses TCP port 514 to carry the authentication data and the command, and the server returns the command's stdout to the client's source port. RSH requires an ALG because the client advertises a second port to the server, on which the server opens a separate connection for the stderr stream.

Understanding the RSH ALG

The Remote Shell (RSH) Application Layer Gateway (ALG) processes RSH packets that initiate requests and open two gates to allow return packets from the reverse direction to the client. One gate is used for an identification (ident) session to apply authorization and the other gate is used for a standard error (stderr) session to transfer an error message.

Note:

The RSH ALG does not work if Port Address Translation (PAT) is configured. RSH requires client ports in the range 512 through 1024, and the source NAT module cannot allocate translated ports within that range.

Example: Configuring the RSH ALG

This example shows how to configure the RSH ALG in route or NAT mode. The configuration allows RSH traffic to pass through a device, and it transfers remote commands and results between a client and a server located on opposite sides of a Juniper Networks device.

Requirements

This example uses the following hardware and software components:

  • An SRX Series Firewall

  • Two PCs (server and client)

Before you begin:

Overview

In this example, you first configure network interfaces on the device, create security zones and assign the interfaces to them, and configure a policy that allows RSH traffic to pass through the SRX Series Firewall.

Then you create a static NAT rule set rs1 with a rule r1 to match with the destination address 40.0.172.10/32, and you create a static NAT prefix with address 40.0.172.45/32.

Next you create a source NAT pool src-p1 with a source rule set src-rs1 to translate packets from interface fe-3/0/0.0 to interface fe-3/0/1.0. For matching packets, the source address is translated to an IP address in the src-p1 pool.

Then you create a destination NAT pool des-p1 with a destination rule set des-rs1 to translate packets from zone trust to destination address 40.0.172.10/32. For matching packets, the destination address is translated to an IP address in the des-p1 pool. Finally, you enable RSH ALG trace options.

Topology

Figure 1 shows the RSH ALG topology.

Figure 1: RSH ALG Topology

Configuration

To configure the RSH ALG, perform these tasks:

Configuring a Route Mode

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set interfaces ge-0/0/0 unit 0 family inet address 10.208.172.58/21
set interfaces fe-3/0/0 unit 0 family inet address 30.3.3.149/8
set interfaces fe-3/0/1 unit 0 family inet address 40.4.4.149/8
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces fe-3/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces fe-3/0/1.0
set security policies from-zone trust to-zone untrust policy rsh match source-address any
set security policies from-zone trust to-zone untrust policy rsh match destination-address any
set security policies from-zone trust to-zone untrust policy rsh match application junos-rsh
set security policies from-zone trust to-zone untrust policy rsh then permit
Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure route mode:

  1. Configure interfaces.

    [edit interfaces]
    user@host# set ge-0/0/0 unit 0 family inet address 10.208.172.58/21
    user@host# set fe-3/0/0 unit 0 family inet address 30.3.3.149/8
    user@host# set fe-3/0/1 unit 0 family inet address 40.4.4.149/8
    
  2. Configure zones and assign interfaces to the zones.

    [edit security zones security-zone]
    user@host# set trust host-inbound-traffic system-services all
    user@host# set trust host-inbound-traffic protocols all
    user@host# set trust interfaces fe-3/0/0.0
    user@host# set untrust host-inbound-traffic system-services all
    user@host# set untrust host-inbound-traffic protocols all
    user@host# set untrust interfaces fe-3/0/1.0
    
  3. Configure an RSH policy that allows RSH traffic from the trust zone to the untrust zone.

    [edit security policies from-zone trust to-zone untrust]
    user@host# set policy rsh match source-address any
    user@host# set policy rsh match destination-address any
    user@host# set policy rsh match application junos-rsh
    user@host# set policy rsh then permit
    
Results

From configuration mode, confirm your configuration by entering the show interfaces, show security zones, and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example for correction.

For brevity, this show output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).

[edit]
user@host# show interfaces
ge-0/0/0 {
    unit 0 {
        family inet {
            address 10.208.172.58/21;
        }
    }
}
fe-3/0/0 {
    unit 0 {
        family inet {
            address 30.3.3.149/8;
        }
    }
}
fe-3/0/1 {
    unit 0 {
        family inet {
            address 40.4.4.149/8;
        }
    }
}
[edit]
user@host# show security zones
...
security-zone trust {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        fe-3/0/0.0;
    }
}
security-zone untrust {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        fe-3/0/1.0;
    }
}
...
[edit]
user@host# show security policies
from-zone trust to-zone untrust {
    policy rsh {
        match {
            source-address any;
            destination-address any;
            application junos-rsh;
        }
        then {
            permit;
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Configuring a Static NAT Rule Set

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set security nat static rule-set rs1 from zone trust 
set security nat static rule-set rs1 rule r1 match destination-address 40.0.172.10/32
set security nat static rule-set rs1 rule r1 then static-nat prefix 40.0.172.45/32
Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure a static NAT rule set:

  1. Create a static NAT rule set.

    [edit security nat static rule-set rs1]
    user@host# set from zone trust
    
  2. Define the rule to match with the destination address.

    [edit security nat static rule-set rs1]
    user@host# set rule r1 match destination-address 40.0.172.10/32
    
  3. Define the static NAT prefix for the device.

    [edit security nat static rule-set rs1]
    user@host# set rule r1 then static-nat prefix 40.0.172.45/32
    
Results

From configuration mode, confirm your configuration by entering the show security nat command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show security nat 
static {
    rule-set rs1 {
        from zone trust;
        rule r1 {
            match {
                destination-address 40.0.172.10/32;
            }
            then {
                static-nat {
                    prefix {
                        40.0.172.45/32;
                    }
                }
            }
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Configuring a Source NAT Pool and Rule Set without PAT

CLI Quick Configuration

Note:

The RSH ALG does not support PAT configuration. The RSH ALG requires the stderr port to be in the range 512 through 1024, and the source NAT module cannot allocate translated ports within that range.

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set security nat source pool src-p1 address 40.0.172.100/32 to 40.0.172.101/32
set security nat source pool src-p1 port no-translation
set security nat source rule-set src-rs1 from interface fe-3/0/0.0
set security nat source rule-set src-rs1 to interface fe-3/0/1.0 
set security nat source rule-set src-rs1 rule r1 match source-address 30.0.0.0/8
set security nat source rule-set src-rs1 rule r1 match destination-address 40.0.0.0/8 
set security nat source rule-set src-rs1 rule r1 then source-nat pool src-p1
Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure a source NAT pool and rule set:

  1. Create a source NAT pool.

    [edit security nat source]
    user@host# set pool src-p1 address 40.0.172.100/32 to 40.0.172.101/32
    
  2. Disable port translation on the source NAT pool.

    [edit security nat source]
    user@host# set pool src-p1 port no-translation
    
  3. Create a source NAT rule set.

    [edit security nat source]
    user@host# set rule-set src-rs1 from interface fe-3/0/0.0
    user@host# set rule-set src-rs1 to interface fe-3/0/1.0
    
  4. Configure a rule that matches packets and translates the source address to an address in the source pool.

    [edit security nat source]
    user@host# set rule-set src-rs1 rule r1 match source-address 30.0.0.0/8
    
  5. Add a destination-address match to the rule; matching packets have their source address translated to an address in the source pool.

    [edit security nat source]
    user@host# set rule-set src-rs1 rule r1 match destination-address 40.0.0.0/8
    
  6. Configure a source NAT pool in the rule.

    [edit security nat source]
    user@host# set rule-set src-rs1 rule r1 then source-nat pool src-p1
    
Results

From configuration mode, confirm your configuration by entering the show security nat command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show security nat 
source {
    pool src-p1 {
        address {
            40.0.172.100/32 to 40.0.172.101/32;
        }
        port no-translation;
    }
    rule-set src-rs1 {
        from interface fe-3/0/0.0;
        to interface fe-3/0/1.0;
        rule r1 {
            match {
                source-address 30.0.0.0/8;
                destination-address 40.0.0.0/8;
            }
            then {
                source-nat {
                    pool {
                        src-p1;
                    }
                }
            }
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Configuring a Destination NAT Pool and Rule Set

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set security nat destination pool des-p1 address 40.0.172.45/32 
set security nat destination rule-set des-rs1 from zone trust
set security nat destination rule-set des-rs1 rule des-r1 match source-address 30.0.172.12/32
set security nat destination rule-set des-rs1 rule des-r1 match destination-address 40.0.172.10/32
set security nat destination rule-set des-rs1 rule des-r1 then destination-nat pool des-p1
Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure a destination NAT pool and rule set:

  1. Create a destination NAT pool.

    [edit security nat destination]
    user@host# set pool des-p1 address 40.0.172.45/32
    
  2. Create a destination NAT rule set.

    [edit security nat destination]
    user@host# set rule-set des-rs1 from zone trust
    
  3. Add a source-address match to the rule; matching packets have their destination address translated to the address in the pool.

    [edit security nat destination]
    user@host# set rule-set des-rs1 rule des-r1 match source-address 30.0.172.12/32
    
  4. Configure a rule that matches packets and translates the destination address to the address in the pool.

    [edit security nat destination]
    user@host# set rule-set des-rs1 rule des-r1 match destination-address 40.0.172.10/32
    
  5. Configure the destination NAT pool in the rule.

    [edit security nat destination]
    user@host# set rule-set des-rs1 rule des-r1 then destination-nat pool des-p1
    
Results

From configuration mode, confirm your configuration by entering the show security nat command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show security nat 
destination {
    pool des-p1 {
        address {
            40.0.172.45/32;
        }
    }
    rule-set des-rs1 {
        from zone trust;
        rule des-r1 {
            match {
                source-address 30.0.172.12/32;
                destination-address 40.0.172.10/32;
            }
            then {
                destination-nat {
                    pool {
                        des-p1;
                    }
                }
            }
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Enabling RSH ALG Trace Options

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set security alg rsh traceoptions flag all
set security alg traceoptions file trace
set security alg traceoptions file size 1g
set security alg traceoptions level verbose
Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To enable RSH ALG trace options:

  1. Enable RSH ALG trace options.

    [edit security alg]
    user@host# set rsh traceoptions flag all
    
  2. Configure a filename to receive output from the tracing operation.

    [edit security alg]
    user@host# set traceoptions file trace
    
  3. Specify the maximum trace file size.

    [edit security alg]
    user@host# set traceoptions file size 1g
    
  4. Specify the level of tracing output.

    [edit security alg]
    user@host# set traceoptions level verbose
    
Results

From configuration mode, confirm your configuration by entering the show security alg command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show security alg
traceoptions {
    file trace size 1g;
    level verbose;
}
rsh traceoptions flag all;

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying the RSH ALG Control Session

Purpose

Verify that the RSH command is executed and all the RSH control and data sessions are created.

Action

From operational mode, enter the show security flow session command.

user@host>show security flow session
Session ID: 2924, Policy name: rsh/6, Timeout: 2, Valid
Resource information : RSH ALG, 2, 0
  In: 30.0.172.12/1023 --> 40.0.172.45/514;tcp, If: fe-3/0/0.0, Pkts: 7, Bytes: 320
  Out: 40.0.172.45/514 --> 30.0.172.12/1023;tcp, If: fe-3/0/1.0, Pkts: 7, Bytes: 314

Session ID: 2925, Policy name: rsh/6, Timeout: 2, Valid
Resource information : RSH ALG, 2, 24
  In: 40.0.172.45/44864 --> 30.0.172.12/113;tcp, If: fe-3/0/1.0, Pkts: 5, Bytes: 278
  Out: 30.0.172.12/113 --> 40.0.172.45/44864;tcp, If: fe-3/0/0.0, Pkts: 5, Bytes: 345

Session ID: 2926, Policy name: rsh/6, Timeout: 2, Valid
Resource information : RSH ALG, 2, 23
  In: 40.0.172.45/1023 --> 30.0.172.12/1022;tcp, If: fe-3/0/1.0, Pkts: 4, Bytes: 216
  Out: 30.0.172.12/1022 --> 40.0.172.45/1023;tcp, If: fe-3/0/0.0, Pkts: 3, Bytes: 164
Total sessions: 3

Meaning

  • Session ID—Number that identifies the session. Use this ID to get more information about the session such as policy name, number of packets in and out.

  • Policy name—Policy name that permitted the traffic.

  • In—Incoming flow (source and destination IP addresses with their respective source and destination port numbers, session is TCP, and source interface for this session is fe-3/0/0.0).

  • Out—Reverse flow (source and destination IP addresses with their respective source and destination port numbers, session is TCP, and destination interface for this session is fe-3/0/1.0).
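The three sessions shown above are the control connection on tcp/514 plus the two reverse-direction gates the ALG opens (ident on tcp/113 and stderr on the client's second reserved port). As an added example that is not part of the Juniper documentation, the following Python script parses a constructed copy of that output, maps each session to its role, and checks that the stderr gate lands in the 512 through 1023 client port range the ALG requires, which is the check that fails when PAT is in the path.

```python
import re
from collections import namedtuple

# Constructed sample: a copy of the page's "show security flow session" output.
SAMPLE_OUTPUT = """\
Session ID: 2924, Policy name: rsh/6, Timeout: 2, Valid
Resource information : RSH ALG, 2, 0
  In: 30.0.172.12/1023 --> 40.0.172.45/514;tcp, If: fe-3/0/0.0, Pkts: 7, Bytes: 320
  Out: 40.0.172.45/514 --> 30.0.172.12/1023;tcp, If: fe-3/0/1.0, Pkts: 7, Bytes: 314

Session ID: 2925, Policy name: rsh/6, Timeout: 2, Valid
Resource information : RSH ALG, 2, 24
  In: 40.0.172.45/44864 --> 30.0.172.12/113;tcp, If: fe-3/0/1.0, Pkts: 5, Bytes: 278
  Out: 30.0.172.12/113 --> 40.0.172.45/44864;tcp, If: fe-3/0/0.0, Pkts: 5, Bytes: 345

Session ID: 2926, Policy name: rsh/6, Timeout: 2, Valid
Resource information : RSH ALG, 2, 23
  In: 40.0.172.45/1023 --> 30.0.172.12/1022;tcp, If: fe-3/0/1.0, Pkts: 4, Bytes: 216
  Out: 30.0.172.12/1022 --> 40.0.172.45/1023;tcp, If: fe-3/0/0.0, Pkts: 3, Bytes: 164
Total sessions: 3
"""

RSH_PORT, IDENT_PORT = 514, 113
RESERVED = range(512, 1024)  # client port range the RSH ALG requires (page note)

SESSION_RE = re.compile(r"^Session ID: (\d+), Policy name: (\S+),", re.M)
ALG_RE = re.compile(r"^Resource information : (.+?),", re.M)
IN_RE = re.compile(r"^\s*In: (\S+)/(\d+) --> (\S+)/(\d+);(\w+)", re.M)
Session = namedtuple("Session", "sid policy alg src sport dst dport proto")

def parse_sessions(text):
    """Turn each session block of the CLI output into a Session record."""
    sessions = []
    for block in re.split(r"\n\s*\n", text.strip()):
        head, inflow = SESSION_RE.search(block), IN_RE.search(block)
        if not head or not inflow:
            continue
        alg = ALG_RE.search(block)
        src, sport, dst, dport, proto = inflow.groups()
        sessions.append(Session(int(head[1]), head[2], alg[1] if alg else "",
                                src, int(sport), dst, int(dport), proto))
    return sessions

def audit_rsh(text):
    """Map sessions to control (tcp/514), ident gate and stderr gate roles."""
    sessions = parse_sessions(text)
    control = next((s for s in sessions
                    if s.proto == "tcp" and s.dport == RSH_PORT), None)
    if control is None:
        return {"complete": False, "reason": "no tcp/514 control session"}
    client, server = control.src, control.dst
    # Both ALG gates are opened for the reverse direction: server -> client.
    reverse = [s for s in sessions if s.src == server and s.dst == client]
    ident = next((s for s in reverse if s.dport == IDENT_PORT), None)
    stderr = next((s for s in reverse if s.dport != IDENT_PORT), None)
    result = {
        "client": client, "server": server, "control": control.sid,
        "ident": ident.sid if ident else None,
        "stderr": stderr.sid if stderr else None,
        "alg_handled": all(s.alg == "RSH ALG" for s in (control, ident, stderr) if s),
        "complete": ident is not None and stderr is not None,
    }
    if stderr is not None:
        # A PAT-rewritten client port would fall outside 512-1023; flag it.
        result["stderr_port"] = stderr.dport
        result["stderr_port_reserved"] = stderr.dport in RESERVED
    return result
```

Running audit_rsh on the output of a device where the stderr session never appears reports complete as False, which is the symptom to look for when PAT is configured on the source NAT pool.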

Verifying the RSH ALG

Purpose

Verify that the RSH ALG is enabled.

Action

From operational mode, enter the show security alg status command.

user@host>show security alg status
ALG Status :
  PPTP     : Enabled
  RSH      : Disabled
  RTSP     : Enabled
  SCCP     : Enabled
  SIP      : Enabled
  TALK     : Enabled
  TFTP     : Enabled
  IKE-ESP  : Disabled

Note:

The RSH ALG is disabled by default. To enable the RSH ALG, enter the set security alg rsh command in the configuration mode.

Meaning

The output shows the RSH ALG status as follows:

  • Enabled—Shows the RSH ALG is enabled.

  • Disabled—Shows the RSH ALG is disabled.

Verifying the RSH ALG Resource Manager Group

Purpose

Verify the total number of resource manager groups and active groups that are used by the RSH ALG.

Action

From operational mode, enter the show security resource-manager group active command.

user@host> show security resource-manager group active
Group ID 1: Application - RSH ALG
  Total groups 677, active groups 1

Verifying the RSH ALG Resource Information

Purpose

Verify the total number of resources and active resources that are used by the RSH ALG.

Action

From operational mode, enter the show security resource-manager resource active command.

user@host> show security resource-manager resource active
Resource ID 2: Group ID - 1, Application - RSH ALG
Resource ID 1: Group ID - 1, Application - RSH ALG
  Total Resources 4044, active resources 2