[j-nsp] SRX Config Question

Scott T. Cameron routehero at gmail.com
Mon Jun 21 13:35:06 EDT 2010


Your rules actually seem fine at a glance.  Are those the only rules in your
system?  No deny that might otherwise be blocking the traffic?  I also
migrated from ScreenOS and ditched all the old catch-all denies that I had
at the bottom of zone policies because they don't work the same way in JunOS
land.

You're right, you run the policies against the post-translated address, not
the pre-translated.  The NAT is separate entirely from policies.

scott
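The ordering Scott describes (destination NAT is evaluated before the policy lookup, so the untrust-to-trust policy matches the translated private address, not the public one) as an added configuration example; it is not from the original thread. The two IPs are the ones discussed above; the pool, rule-set, rule and address-book names are assumed, and `rdp` is assumed to be a custom application already defined elsewhere in the config.

```junos
security {
    nat {
        destination {
            /* assumed pool name: the real (post-NAT) host */
            pool dnat-host-214 {
                address 192.168.1.214/32;
            }
            /* assumed rule-set name: DNAT applies to traffic arriving from untrust */
            rule-set from-untrust {
                from zone untrust;
                rule public-214 {
                    match {
                        /* the pre-NAT public address, matched here and nowhere else */
                        destination-address 111.111.111.214/32;
                    }
                    then {
                        destination-nat pool dnat-host-214;
                    }
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                /* the address-book entry lives in the zone the real host is in */
                address host-214 192.168.1.214/32;
            }
        }
    }
    policies {
        from-zone untrust to-zone trust {
            policy 240-51 {
                match {
                    source-address any;
                    /* policy sees the translated address, so reference the private host */
                    destination-address host-214;
                    application [ rdp junos-dns-udp junos-ftp junos-http junos-https junos-ms-sql ];
                }
                then {
                    permit;
                    /* session-close logging gives a record of what the rule actually admitted */
                    log {
                        session-close;
                    }
                }
            }
        }
    }
}
```

Anything not matched by an explicit policy falls to the SRX default deny, which is why a ScreenOS-style catch-all deny at the bottom of each zone pair is unnecessary.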

On Mon, Jun 21, 2010 at 12:54 PM, Brendan Mannella <bmannella at teraswitch.com> wrote:

> Yes that makes sense. And the policy pre-SRX was like this. But I am almost
> positive I read somewhere the SRX was different in that the policy is looked
> at post NAT and so the private IP should be used.
>
> I will give that a shot though.
>
> Brendan Mannella
> TeraSwitch Networks Inc.
> Office: 412.224.4333 x303
> Mobile: 412.592.7848
> Efax: 412.202.7094
>
>
> On Jun 21, 2010, at 12:50 PM, "Stefan Fouant" <sfouant at shortestpathfirst.net> wrote:
>
>>> -----Original Message-----
>>> From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-
>>> bounces at puck.nether.net] On Behalf Of Brendan Mannella
>>> Sent: Monday, June 21, 2010 11:20 AM
>>> To: juniper-nsp
>>> Subject: [j-nsp] SRX Config Question
>>>
>>> So main issue is the firewall does not seem to allow any incoming traffic on
>>> the ports I opened below on the policies. Anyone have any ideas what I am
>>> missing?
>>>
>> Hi Brendan,
>>
>> How are things?  I could be wrong, but I believe the issue is with the
>> untrust-to-trust policy where you are matching on destination-address
>> 192.168.1.214:
>>
>> from-zone untrust to-zone trust {
>> policy 240-51 {
>> match {
>> source-address any;
>> destination-address 192.168.1.214;
>> application [ rdp junos-dns-udp junos-ftp junos-http junos-https
>> junos-ms-sql ];
>> }
>>
>> I believe in order for this to work you are going to need to make the
>> destination-address 111.111.111.214.  This will cause it to vector off into
>> the NAT policy which will translate from 111.111.111.214 to 192.168.1.214.
>> I think you might also need to use an address book entry whereby you put the
>> pre-natted address (111.111.111.214) into your trust zone as well.
>>
>> Feel free to contact me offline if you'd like additional assistance.
>>
>> HTHs.
>>
>> Stefan Fouant, CISSP, JNCIEx2
>> www.shortestpathfirst.net
>> GPG Key ID: 0xB5E3803D
>>