You can port forward a range of ports using group mappings. Just ensure that your Juniper ScreenOS is setup for VIP multi-port. Unfortunately due to the nature of the VIP (Virtual IPs) you need to specify all the ports via the VIP commands. There is no quick and easy way to do that. After that bit of pain the NAT translates are fairly straight forward. The only time consuming portion is to create the VIPs. I suggest doing so in notepad (or notepad++) to get the commands in line and then copy/paste to the CLI.
 
To do this ensure the following is enabled on the router:
 

 
set vip multi-port
 

Reboot the router to enable this and then enter the CLI once again to continue the confirguration.
 
From there you would setup the port groups to a service object:
 

 
set service "<name here>" protocol tcp src-port 1024-65535 dst-port 10-20
 
set service "<second name here>" protocol tcp src-port 1024-65535 dst-port 30-40
 

 
If the ports needing to be opened are also necessary for UDP you would need additional lines:

 
set service "<UDP name>" protocol udp src-port 1024-65535 dst-port 10-20
 
set service "<Second UDP name here>" protocol udp src-port 1024-65535 dst-port 30-40
 

 
Then create the Virtual IP address interfaces:

 
## X.X.X.X = Public IP
 
## Y.Y.Y.Y = Private IP
 
set interface ethernet0/0 vip X.X.X.X 10 "10" Y.Y.Y.Y
 
set interface ethernet0/0 vip X.X.X.X 11 "11" Y.Y.Y.Y
 
set interface ethernet0/0 vip X.X.X.X 12 "12" Y.Y.Y.Y
 
...
 
set interface ethernet0/0 vip X.X.X.X 40 "40" Y.Y.Y.Y
 

 
Then setup the NAT translates for the port group services you want to open up:

 
set interface ethernet0/1 zone Untrust
 
set interface ethernet0/1 ip <public IP>/<CIDR>
 
set interface ethernet0/2 zone dmz
 
set interface ethernet0/2 ip <private IP>/<CIDR>
 
set interface ethernet0/1 vip untrust-ip <port> "<service name>" <private IP address>
 
set interface ethernet0/1 vip untrust-ip <next port> "<service name>" <private IP address>
 
set policy from untrust to dmz any vip(ethernet0/1) "<service group name>" permit
 
set policy from untrust to dmz any vip(ethernet0/1) "<next service group name>" permit
 
....
 
set policy from untrust to dmz any vip(ethernet0/1) "<last service group name>" permit
 

 
What you're asking to do is not relatively simple using the Juniper CLI but it can be done provided you know exactly what is needing to be done. There is plenty of documentation out there on the Juniper site, just find the version you want and read into it. Please also note that you are suggesting to use ports 10-20 and 30-40 for services. Those are generally assigned as follows:
 

 
10     TCP     UDP     Unassigned     
11     TCP     UDP     Active Users (systatservice)
12     TCP     UDP     Unassigned     
13     TCP     UDP     Daytime Protocol (RFC 867)     
14     TCP     UDP     Unassigned    
15     TCP     UDP     Previously netstat service
16     TCP     UDP     Unassigned     
17     TCP     UDP     Quote of the Day    
18     TCP     UDP     Message Send Protocol 
19     TCP     UDP     Character Generator Protocol (CHARGEN)  
20     TCP     UDP     FTP data transfer    
21     TCP            FTP control (command)    
22     TCP     UDP     Secure Shell (SSH)—used for secure logins, file transfers (scp, sftp) and port forwarding 
23     TCP     UDP     Telnet protocol—unencrypted text communications 
24     TCP     UDP     Priv-mail : any private mail system.  
25     TCP                Simple Mail Transfer Protocol (SMTP)—used for e-mail routing between mail servers
26     TCP     UDP     Unassigned   
27     TCP     UDP     NSW User System FE   
29     TCP     UDP     MSG ICP   
33     TCP     UDP     Display Support Protocol   
35     TCP     UDP     Any private printer server protocol  
37     TCP     UDP     TIME protocol
39     TCP     UDP     Resource Location Protocol (RLP)—used for determining the location of higher level services from hosts on a network 
40     TCP     UDP     Unassigned
 

 
Hopefully this will give you an idea as to what needs to be done for the Juniper using the CLI and essentially what would be necessary prior to just jumping into using VIP itself for port forwarding. Some considerations would be necessary.
 

gara024
Thanks James, I enabled the multi port but I'm still have issues allowing the firewall to forward a range of ports. Example, an application listens on 2550-2570 and the firewall only allows for a VIP to be used on a single port with the limitation of 64 entries.
 
From firewall help:
Virtual IP Address Service Configuration
You can configure up to 64 services per Virtual IP. Because you can  only map one service at a time, you need to configure one service at a time.
 

That is correct according to the version of the OS you are running on the Juniper. Just remember that is for each virtual IP which has a limitation of 64 entries. If you are looking to run it with VIP. Why not just use a destination NAT translation for the services instead of using virtual IP addressing for the connections? This would allow your ports to not necessarily need to be port forwarded but you would need some kind of server level security as the translations are for the source/destination IP address translations instead of using port forwarding. You can review this on the Juniper KB12631.

gara024
Yes that worked with when we hosted one internal server but now we're trying to use multiple servers. I guess our problem is we are limited to one external IP address and we have more than one server hosting multiple services.
 
 

That's usually the case when wanting to use port translations. You can try to split up the hosting for groups of services but the limitations on VIP are just a bit much for my tastes. That's generally why I tend towards Cisco devices for firewalling/port forwarding instead of using some of the Juniper security products at times. I took a look around further on the Juniper site about using different methods for a single VIP using multiple port forward groups but so far I haven't run across a decent KB article which makes it fairly simple to do.
 
[edit]
I did happen to find a decent document from Juniper about NAT-dst for destination NAT translations using a single IP address to multiple hosts from their site. The PDF is here. Read that document and it should lead you to the proper solution for what you are trying to accomplish. Funny how I didn't see that particular segment before looking at the overall configuration materials.
[/edit]

gara024
Is the solution in the pdf? or would you recommend at Cisco firewall?

For the Juniper I saw what should be the solution in the PDF using NAT-dst (Destination NAT translations). That should serve what you are looking to do. I don't recommend using a Cisco firewall unless you already had one available but the configuration of the Cisco device would be a bit more straight forward as you would have service groups linked to inbound services without having to utilize a VIP scheme that the ScreenOs requires. For example here is what my NAT translation table would normally look like using ASDM on my firewall:
 

 
And my service groups from ASDM:
 

 
It is far different from the Juniper way of doing things as you need other assorted inspects and inbound/outbound ACLs to deal with the services to multiple internal servers using different ports. Just really a different way of doing the same thing without as many limitations as ScreenOs seems to have in version 6.3.

Moving to Gen. Hardware.

gara024
So if I'm running 6.3.0r14.0 a simple update to r18 fixes it?

It's possible as those notes are from 6.3.0r18. You should take advantage of the upgraded firmware to ensure you are running currently supported code. I would certainly suggest it if you have a service contract with Juniper (or the local provider partner) so that you can get rid of any lagging issues prior to trying your port forwarding or even NAT-dst configurations.