[j-nsp] SRX Config Question

Brendan Mannella bmannella at teraswitch.com
Mon Jun 21 12:54:21 EDT 2010


Yes that makes sense. And the policy pre srx was like this. But I am  
almost positive I read somewhere the srx was different in that the  
policy is looked at post NAT and so the private ip should be used.

I will give that a shot though.

Brendan Mannella
TeraSwitch Networks Inc.
Office: 412.224.4333 x303
Mobile: 412.592.7848
Efax: 412.202.7094

On Jun 21, 2010, at 12:50 PM, "Stefan Fouant" <sfouant at shortestpathfirst.net> wrote:

>> -----Original Message-----
>> From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-
>> bounces at puck.nether.net] On Behalf Of Brendan Mannella
>> Sent: Monday, June 21, 2010 11:20 AM
>> To: juniper-nsp
>> Subject: [j-nsp] SRX Config Question
>>
>> So main issue is the firewall does not seem to allow any incoming traffic on
>> the ports i opened below on the policies. Anyone have any ideas what i am
>> missing?
>
> Hi Brendan,
>
> How are things?  I could be wrong, but I believe the issue is with the
> untrust-to-trust policy where you are matching on destination-address
> 192.168.1.214:
>
> from-zone untrust to-zone trust {
>     policy 240-51 {
>         match {
>             source-address any;
>             destination-address 192.168.1.214;
>             application [ rdp junos-dns-udp junos-ftp junos-http junos-https
>                           junos-ms-sql ];
>         }
>
> I believe in order for this to work you are going to need to make the
> destination-address 111.111.111.214.  This will cause it to vector  
> off into
> the NAT policy which will translate from 111.111.111.214 to  
> 192.168.1.214.
> I think you might also need to use an address book entry whereby you  
> put the
> pre-natted address (111.111.111.214) into your trust zone as well.
>
> Feel free to contact me offline if you'd like additional assistance.
>
> HTHs.
>
> Stefan Fouant, CISSP, JNCIEx2
> www.shortestpathfirst.net
> GPG Key ID: 0xB5E3803D
>

