[j-nsp] SRX Config Question

ben b benboyd.lists at gmail.com
Mon Jun 21 16:10:43 EDT 2010


I noticed you didn't include all of the nat config.....make sure you have
 the "from-zone" configured for the static nat rule-set...

ex.
"set security nat static rule-set natting from zone untrust"
"set security nat static rule-set natting rule 214 match destination-address 111.111.111.214/32"
"set security nat static rule-set natting rule 214 then static-nat prefix 192.168.1.214/32"

I've also noticed strange things when using "." inside of an address-book
address.  I use "_" instead.

-Ben


On Mon, Jun 21, 2010 at 2:57 PM, ben b <benboyd.lists at gmail.com> wrote:

> The system does default deny if you haven't specified a default policy
> action.....
> "set security policies default-policy permit-all "
>
>
> As far as the policy is concerned, the policy is applied AFTER destination
> nat is performed and BEFORE source nat is performed.
>
> What is the output of 'show security policies' or 'show security policies
> from-zone untrust to-zone trust'?
>
> -Ben
>
> On Mon, Jun 21, 2010 at 1:18 PM, Brendan Mannella <
> bmannella at teraswitch.com> wrote:
>
>> Nope, I actually don't see any deny statements at all. Does the system
>> just deny everything that's not defined as allowed? Any other thing I should
>> look at?
>>
>> Brendan Mannella
>> President and CEO
>> TeraSwitch Networks Inc.
>> Office: 412.224.4333 x303
>> Toll-Free: 866.583.6338
>> Mobile: 412-592-7848
>> Efax: 412.202.7094
>>
>>
>>
>> ----- Original Message -----
>> From: "Scott T. Cameron" <routehero at gmail.com>
>> To: "juniper-nsp" <juniper-nsp at puck.nether.net>
>> Sent: Monday, June 21, 2010 1:35:06 PM
>> Subject: Re: [j-nsp] SRX Config Question
>>
>> Your rules actually seem fine at a glance.  Are those the only rules in
>> your system?  No deny that might otherwise be blocking the traffic?  I also
>> migrated from ScreenOS and ditched all the old catch-all denies that I had
>> at the bottom of zone policies because they don't work the same way in
>> JunOS land.
>>
>> You're right, you run the policies against the post-translated address,
>> not the pre-translated.  The NAT is separate entirely from policies.
>>
>> scott
>>
>> On Mon, Jun 21, 2010 at 12:54 PM, Brendan Mannella <
>> bmannella at teraswitch.com
>> > wrote:
>>
>> > Yes that makes sense. And the policy pre-SRX was like this. But I am
>> > almost positive I read somewhere the SRX was different in that the policy
>> > is looked at post NAT and so the private IP should be used.
>> >
>> > I will give that a shot though.
>> >
>> > Brendan Mannella
>> > TeraSwitch Networks Inc.
>> > Office: 412.224.4333 x303
>> > Mobile: 412.592.7848
>> > Efax: 412.202.7094
>> >
>> >
>> > On Jun 21, 2010, at 12:50 PM, "Stefan Fouant" <
>> > sfouant at shortestpathfirst.net> wrote:
>> >
>> >> -----Original Message-----
>> >>> From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Brendan Mannella
>> >>> Sent: Monday, June 21, 2010 11:20 AM
>> >>> To: juniper-nsp
>> >>> Subject: [j-nsp] SRX Config Question
>> >>>
>> >>> So main issue is the firewall does not seem to allow any incoming
>> >>> traffic on the ports I opened below on the policies. Anyone have any
>> >>> ideas what I am missing?
>> >>>
>> >>
>> >> Hi Brendan,
>> >>
>> >> How are things?  I could be wrong, but I believe the issue is with the
>> >> untrust-to-trust policy where you are matching on destination-address
>> >> 192.168.1.214:
>> >>
>> >> from-zone untrust to-zone trust {
>> >>     policy 240-51 {
>> >>         match {
>> >>             source-address any;
>> >>             destination-address 192.168.1.214;
>> >>             application [ rdp junos-dns-udp junos-ftp junos-http junos-https junos-ms-sql ];
>> >>         }
>> >>
>> >> I believe in order for this to work you are going to need to make the
>> >> destination-address 111.111.111.214.  This will cause it to vector off
>> >> into the NAT policy which will translate from 111.111.111.214 to
>> >> 192.168.1.214.  I think you might also need to use an address book entry
>> >> whereby you put the pre-natted address (111.111.111.214) into your trust
>> >> zone as well.
>> >>
>> >> Feel free to contact me offline if you'd like additional assistance.
>> >>
>> >> HTHs.
>> >>
>> >> Stefan Fouant, CISSP, JNCIEx2
>> >> www.shortestpathfirst.net
>> >> GPG Key ID: 0xB5E3803D
>> >>
>> >> _______________________________________________
>> >> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> >> https://puck.nether.net/mailman/listinfo/juniper-nsp
>> >
>>
>
>
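The ordering Ben and Scott describe (policy lookup runs against the post-destination-NAT address, and a static NAT rule-set only fires for packets arriving from its configured from-zone), as an added Python model that is not part of the thread or of Junos. It uses the thread's own addresses and simplifies zone assignment to a field on the packet instead of a route lookup.

```python
# Toy model of the SRX first-packet flow for this thread's case (added example,
# not Juniper code): static/destination NAT first, then policy lookup, then
# source NAT (omitted here as it does not affect the policy match).
from ipaddress import ip_address, ip_network

DEFAULT_POLICY = "deny-all"  # SRX behaviour when no default-policy is configured


def static_nat(pkt, rule_sets):
    """Apply the first static NAT rule whose rule-set matches the ingress zone."""
    for rs in rule_sets:
        # A rule-set without a matching from-zone never fires (Ben's point).
        if rs.get("from_zone") != pkt["from_zone"]:
            continue
        for rule in rs["rules"]:
            if ip_address(pkt["dst"]) in ip_network(rule["match"]):
                return dict(pkt, dst=rule["prefix"].split("/")[0])
    return pkt


def policy_lookup(pkt, policies):
    """Policies see the destination after static NAT has rewritten it."""
    for pol in policies:
        if (pol["from_zone"], pol["to_zone"]) != (pkt["from_zone"], pkt["to_zone"]):
            continue
        if pol["dst"] == "any" or ip_address(pkt["dst"]) in ip_network(pol["dst"]):
            return pol["action"]
    return DEFAULT_POLICY


def srx_flow(pkt, rule_sets, policies):
    """Return (policy action, destination address the policy engine matched on)."""
    pkt = static_nat(pkt, rule_sets)
    return policy_lookup(pkt, policies), pkt["dst"]


# The thread's rule-set "natting", including the from-zone Ben says is required.
RULE_SET = [{"name": "natting", "from_zone": "untrust",
             "rules": [{"match": "111.111.111.214/32", "prefix": "192.168.1.214/32"}]}]
# Policy 240-51 as quoted: matches the private (post-NAT) address.
POLICY_PRIVATE = [{"from_zone": "untrust", "to_zone": "trust",
                   "dst": "192.168.1.214/32", "action": "permit"}]
# Same policy rewritten to match the public address instead.
POLICY_PUBLIC = [{"from_zone": "untrust", "to_zone": "trust",
                  "dst": "111.111.111.214/32", "action": "permit"}]
# Constructed inbound packet from the untrust zone to the public address.
INBOUND = {"from_zone": "untrust", "to_zone": "trust", "dst": "111.111.111.214"}

if __name__ == "__main__":
    print(srx_flow(INBOUND, RULE_SET, POLICY_PRIVATE))  # ('permit', '192.168.1.214')
    print(srx_flow(INBOUND, RULE_SET, POLICY_PUBLIC))   # ('deny-all', '192.168.1.214')
    print(srx_flow(INBOUND, [dict(RULE_SET[0], from_zone=None)], POLICY_PRIVATE))
```

The third call models the rule-set without a from-zone: no translation happens, so even the policy on the private address falls through to the default deny.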

