[j-nsp] SRX Config Question

ben b benboyd.lists at gmail.com
Mon Jun 21 15:57:13 EDT 2010


The system does default deny if you haven't specified a default policy
action.....
"set security policies default-policy permit-all "


As far as the policy is concerned, the policy is applied AFTER destination
NAT is performed and BEFORE source NAT is performed.

What is the output of 'show security policies' or 'show security policies
from-zone untrust to-zone trust'?

-Ben

On Mon, Jun 21, 2010 at 1:18 PM, Brendan Mannella
<bmannella at teraswitch.com>wrote:

> Nope, I actually don't see any deny statements at all. Does the system just
> deny everything that's not defined as allowed? Any other thing I should look
> at?
>
> Brendan Mannella
> President and CEO
> TeraSwitch Networks Inc.
> Office: 412.224.4333 x303
> Toll-Free: 866.583.6338
> Mobile: 412-592-7848
> Efax: 412.202.7094
>
>
>
> ----- Original Message -----
> From: "Scott T. Cameron" <routehero at gmail.com>
> To: "juniper-nsp" <juniper-nsp at puck.nether.net>
> Sent: Monday, June 21, 2010 1:35:06 PM
> Subject: Re: [j-nsp] SRX Config Question
>
> Your rules actually seem fine at a glance.  Are those the only rules in
> your
> system?  No deny that might otherwise be blocking the traffic?  I also
> migrated from ScreenOS and ditched all the old catch-all denies that I had
> at the bottom of zone policies because they don't work the same way in
> JunOS
> land.
>
> You're right, you run the policies against the post-translated address, not
> the pre-translated.  The NAT is separate entirely from policies.
>
> scott
>
> On Mon, Jun 21, 2010 at 12:54 PM, Brendan Mannella <
> bmannella at teraswitch.com
> > wrote:
>
> > Yes that makes sense. And the policy pre-SRX was like this. But I am almost
> > positive I read somewhere the SRX was different in that the policy is looked
> > at post-NAT and so the private IP should be used.
> >
> > I will give that a shot though.
> >
> > Brendan Mannella
> > TeraSwitch Networks Inc.
> > Office: 412.224.4333 x303
> > Mobile: 412.592.7848
> > Efax: 412.202.7094
> >
> >
> > On Jun 21, 2010, at 12:50 PM, "Stefan Fouant" <
> > sfouant at shortestpathfirst.net> wrote:
> >
> > > -----Original Message-----
> > > > From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Brendan Mannella
> > > > Sent: Monday, June 21, 2010 11:20 AM
> > > > To: juniper-nsp
> > > > Subject: [j-nsp] SRX Config Question
> > > >
> > > > So main issue is the firewall does not seem to allow any incoming traffic on
> > > > the ports I opened below on the policies. Anyone have any ideas what I am
> > > > missing?
> > > >
> >> Hi Brendan,
> >>
> >> How are things?  I could be wrong, but I believe the issue is with the
> >> untrust-to-trust policy where you are matching on destination-address
> >> 192.168.1.214:
> >>
> >> from-zone untrust to-zone trust {
> >>     policy 240-51 {
> >>         match {
> >>             source-address any;
> >>             destination-address 192.168.1.214;
> >>             application [ rdp junos-dns-udp junos-ftp junos-http junos-https junos-ms-sql ];
> >>         }
> >>
> >> I believe in order for this to work you are going to need to make the
> >> destination-address 111.111.111.214.  This will cause it to vector off into
> >> the NAT policy which will translate from 111.111.111.214 to 192.168.1.214.
> >> I think you might also need to use an address book entry whereby you put the
> >> pre-NATted address (111.111.111.214) into your trust zone as well.
> >>
> >> Feel free to contact me offline if you'd like additional assistance.
> >>
> >> HTHs.
> >>
> >> Stefan Fouant, CISSP, JNCIEx2
> >> www.shortestpathfirst.net
> >> GPG Key ID: 0xB5E3803D
> >>
> >>  _______________________________________________
> > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
> >
>
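
The configuration the thread converges on (destination NAT first, then a policy that matches the translated private address, with the default policy stated explicitly) as an added example; this is not a configuration posted by anyone in the thread. The addresses are the thread's own placeholders; the pool, rule-set, address-book and interface names, and the custom `rdp` application definition, are assumptions for illustration:

```junos
/* Custom application used in the thread's policy; assumed here to be
   plain RDP on TCP/3389. */
applications {
    application rdp {
        protocol tcp;
        destination-port 3389;
    }
}
security {
    nat {
        destination {
            pool dnat-214 {
                address 192.168.1.214/32;
            }
            /* Packets arriving from untrust for 111.111.111.214 are
               rewritten to 192.168.1.214 BEFORE policy lookup. */
            rule-set untrust-dnat {
                from zone untrust;
                rule dnat-214 {
                    match {
                        destination-address 111.111.111.214/32;
                    }
                    then {
                        destination-nat pool dnat-214;
                    }
                }
            }
        }
        /* Only needed when 111.111.111.214 is not an address configured
           on the untrust interface itself; interface name assumed. */
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    111.111.111.214/32;
                }
            }
        }
    }
    zones {
        security-zone trust {
            /* Address-book entry for the POST-NAT (private) address,
               in the zone the translated traffic is routed into. */
            address-book {
                address host-214 192.168.1.214/32;
            }
        }
    }
    policies {
        from-zone untrust to-zone trust {
            /* Policy is evaluated after destination NAT, so it matches
               the translated address, not 111.111.111.214. */
            policy 240-51 {
                match {
                    source-address any;
                    destination-address host-214;
                    application [ rdp junos-dns-udp junos-ftp junos-http junos-https junos-ms-sql ];
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
        }
        /* This is already the implicit behaviour; stating it keeps the
           intent visible and avoids a stray permit-all surviving a migration. */
        default-policy {
            deny-all;
        }
    }
}
```

To confirm which address the policy engine is actually seeing, check `show security nat destination rule all` for a non-zero hit count on `dnat-214`, then `show security policies from-zone untrust to-zone trust` for the hit counter on `240-51`, and `show security flow session destination-prefix 192.168.1.214` for the resulting session; a NAT hit with no policy hit is the signature of a policy written against the pre-translation address. The `log { session-init; }` action plus a `syslog` stream for RT_FLOW is the quickest way to see the post-NAT tuple on a dropped session.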

