[j-nsp] SRX Config Question

Stefan Fouant sfouant at shortestpathfirst.net
Mon Jun 21 12:50:27 EDT 2010


> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-
> bounces at puck.nether.net] On Behalf Of Brendan Mannella
> Sent: Monday, June 21, 2010 11:20 AM
> To: juniper-nsp
> Subject: [j-nsp] SRX Config Question
> 
> So main issue is the firewall does not seem to allow any incoming traffic on
> the ports I opened below on the policies. Anyone have any ideas what I am
> missing?

Hi Brendan,

How are things?  I could be wrong, but I believe the issue is with the
untrust-to-trust policy where you are matching on destination-address
192.168.1.214:

from-zone untrust to-zone trust {
    policy 240-51 {
        match {
            source-address any;
            destination-address 192.168.1.214;
            application [ rdp junos-dns-udp junos-ftp junos-http junos-https junos-ms-sql ];
        }
    }
}

I believe in order for this to work you are going to need to make the
destination-address 111.111.111.214.  This will cause it to vector off into
the NAT policy which will translate from 111.111.111.214 to 192.168.1.214.
I think you might also need to use an address book entry whereby you put the
pre-natted address (111.111.111.214) into your trust zone as well.

Feel free to contact me offline if you'd like additional assistance.

HTHs.

Stefan Fouant, CISSP, JNCIEx2
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D
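The destination NAT plus inbound policy arrangement discussed in this thread, written out as an added example for this page; it is neither Brendan's posted configuration nor taken from Stefan's reply. It reuses the zone names (trust, untrust), the policy name 240-51, the application list and the two addresses from the thread. The interface names (ge-0/0/0.0 in untrust, ge-0/0/1.0 in trust), the pool, rule-set and address-book names, the proxy-arp stanza and the definition of the custom application rdp as TCP/3389 are assumptions, since the thread shows none of them. One point worth checking on an SRX before copying this: in the Junos flow, destination NAT is applied before the security policy lookup, so the policy matches the translated address 192.168.1.214 held in the trust zone's address book; the public 111.111.111.214 appears only in the NAT rule, and in proxy-arp when it is not the untrust interface's own address.

```junos
security {
    zones {
        security-zone untrust {
            interfaces {
                ge-0/0/0.0;    /* assumed outside interface */
            }
        }
        security-zone trust {
            address-book {
                /* post-NAT address of the server, referenced by the policy */
                address srv-214-internal 192.168.1.214/32;
            }
            interfaces {
                ge-0/0/1.0;    /* assumed inside interface */
            }
        }
    }
    nat {
        destination {
            pool dnat-srv-214 {
                address 192.168.1.214/32;
            }
            rule-set from-untrust {
                from zone untrust;
                rule srv-214 {
                    match {
                        /* public address is matched here, before the policy lookup */
                        destination-address 111.111.111.214/32;
                    }
                    then {
                        destination-nat {
                            pool {
                                dnat-srv-214;
                            }
                        }
                    }
                }
            }
        }
        proxy-arp {
            /* only needed when 111.111.111.214 is not configured on ge-0/0/0.0 itself */
            interface ge-0/0/0.0 {
                address {
                    111.111.111.214/32;
                }
            }
        }
    }
    policies {
        from-zone untrust to-zone trust {
            policy 240-51 {
                match {
                    source-address any;
                    destination-address srv-214-internal;
                    application [ rdp junos-dns-udp junos-ftp junos-http junos-https junos-ms-sql ];
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
    }
}
applications {
    /* assumed definition of the custom application named in the policy */
    application rdp {
        protocol tcp;
        destination-port 3389;
    }
}
```

To confirm the translation and policy are both being hit, `show security flow session destination-prefix 192.168.1.214` should list inbound sessions with 111.111.111.214 on the In side and 192.168.1.214 on the Out side, and `show security nat destination rule all` should show a non-zero translation hit count for rule srv-214.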
