[j-nsp] SRX Config Question

Brendan Mannella bmannella at teraswitch.com
Mon Jun 21 11:20:08 EDT 2010

Have an SRX210 that I am migrating to from a NS-5GT. We used a bunch of MIPs and of course policies to allow numerous ports to those MIPs on our NS-5GT. Now converting to the SRX, I seem to have most everything correct, but the SRX does not allow any of my "allow" policies to work.

The internal servers can hit the internet and so forth, and if I go to whatismyip.com, different servers show the correct external MIP'ed IP address, so it seems static NAT is working correctly.

So the main issue is the firewall does not seem to allow any incoming traffic on the ports I opened below in the policies. Anyone have any ideas what I am missing?

***Static Nat Rule*******

rule 214 {
    match {
        destination-address 111.111.111.214/32;
    }
    then {
        static-nat prefix 192.168.1.214/32;
    }
}

***Proxy Arp****

proxy-arp {
    interface ge-0/0/0.0 {
        address {
            111.111.111.214/32;
        }
    }
}

****Security Zone (trust)****

zones {
    security-zone trust {
        address-book {
            address 192.168.1.214 192.168.1.214/32;
        }
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            vlan.0;
        }
    }
}

****Security Zone (un-trust)****

security-zone untrust {
    screen untrust-screen;
    interfaces {
        ge-0/0/0.0 {
            host-inbound-traffic {
                system-services {
                    dhcp;
                    tftp;
                }
            }
        }
    }
}

***********Policies**************

policies {
    from-zone trust to-zone untrust {
        policy trust-to-untrust {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone untrust to-zone trust {
        policy 240-51 {
            match {
                source-address any;
                destination-address 192.168.1.214;
                application [ rdp junos-dns-udp junos-ftp junos-http junos-https junos-ms-sql ];
            }
            then {
                permit;
                log {
                    session-init;
                    session-close;
                }
            }
        }
    }
}
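Added here as an illustration, not code from the original post: the following Python flattens a brace-style Junos snippet and checks that the three pieces shown above agree with each other, i.e. that each static-nat rule's external address has a proxy-arp entry and that an untrust-to-trust policy names the internal (post-translation) prefix, since the SRX performs the policy lookup after static NAT has already rewritten the destination. The rule-set wrapper, the closing braces and the addresses in the sample are constructed.

```python
import re
# Constructed sample in the post's layout; the rule-set wrapper and all closing braces are assumed.
SAMPLE = """
static { rule-set untrust-in { from zone untrust;
  rule 214 { match { destination-address 111.111.111.214/32; }
             then { static-nat prefix 192.168.1.214/32; } } } }
proxy-arp { interface ge-0/0/0.0 { address { 111.111.111.214/32; } } }
policies { from-zone untrust to-zone trust { policy 240-51 {
  match { source-address any; destination-address 192.168.1.214; application any; }
  then { permit; } } } }
"""
# Same config with a common slip: the policy written against the external (pre-NAT) address.
BAD = SAMPLE.replace("destination-address 192.168.1.214;", "destination-address 111.111.111.214;")

def flatten(text):
    """Brace-style Junos config -> list of (path tuple, leaf statement)."""
    stack, leaves = [], []
    for tok in re.findall(r"[^{};]+[{;]|\}", text):
        tok = tok.strip()
        if tok == "}":
            stack.pop()
        elif tok.endswith("{"):
            stack.append(tok[:-1].strip())
        else:
            leaves.append((tuple(stack), tok[:-1].strip()))
    return leaves
def host(stmt):
    """Last word of a statement with any /prefix-length removed."""
    return stmt.split()[-1].split("/")[0]
def check_static_nat(text):
    leaves = flatten(text)
    proxy = {host(s) for p, s in leaves if "proxy-arp" in p and p[-1] == "address"}
    pol = {host(s) for p, s in leaves if "from-zone untrust to-zone trust" in p
           and p[-1] == "match" and s.startswith("destination-address")}
    rules = {}  # rule name -> {"ext": external address, "int": internal address}
    for p, s in leaves:
        if len(p) >= 2 and p[-2].startswith("rule "):
            if p[-1] == "match" and s.startswith("destination-address"):
                rules.setdefault(p[-2], {})["ext"] = host(s)
            elif p[-1] == "then" and s.startswith("static-nat prefix"):
                rules.setdefault(p[-2], {})["int"] = host(s)
    findings = []  # empty list means the NAT rule, proxy-arp and policy agree
    for name, r in rules.items():
        if r.get("ext") not in proxy:
            findings.append(f"{name}: no proxy-arp entry for external {r.get('ext')}")
        if r.get("int") not in pol:
            findings.append(f"{name}: no untrust->trust policy for internal {r.get('int')}")
        if r.get("ext") in pol:  # policy lookup on SRX happens after static NAT
            findings.append(f"{name}: policy names external {r['ext']} instead of internal")
    return findings
```

Running check_static_nat(SAMPLE) returns no findings, while the BAD variant reports both the missing internal-address policy and the policy written against the external address.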