[j-nsp] SRX Config Question

Brendan Mannella bmannella at teraswitch.com
Mon Jun 21 16:13:09 EDT 2010



I have to double check but I might have missed 



set security nat static rule-set natting from zone untrust... I will double check and update the list. 





----- Original Message ----- 
From: "ben b" <benboyd.lists at gmail.com> 
To: "Brendan Mannella" <bmannella at teraswitch.com> 
Cc: "Scott T. Cameron" <routehero at gmail.com>, "juniper-nsp" <juniper-nsp at puck.nether.net> 
Sent: Monday, June 21, 2010 4:10:43 PM 
Subject: Re: [j-nsp] SRX Config Question 

I noticed you didn't include all of the nat config.....make sure you have the "from-zone" configured for the static nat rule-set... 

ex.  
"set security nat static rule-set natting from zone untrust" 
"set security nat static rule-set natting rule 214 match destination-address 111.111.111.214/32 " 
"set security nat static rule-set natting rule 214 then static-nat prefix 192.168.1.214/32 " 


I've also noticed strange things when using "." inside of an address-book address.  I use "_" instead. 


-Ben 




On Mon, Jun 21, 2010 at 2:57 PM, ben b < benboyd.lists at gmail.com > wrote: 



The system does default deny if you haven't specified a default policy action..... 
"set security policies default-policy permit-all " 




As far as the policy is concerned, the policy is applied AFTER destination nat is performed and BEFORE source nat is performed. 


What is the output of 'show security policies' or 'show security policies from-zone untrust to-zone trust'? 


-Ben 




On Mon, Jun 21, 2010 at 1:18 PM, Brendan Mannella < bmannella at teraswitch.com > wrote: 


Nope, I actually don't see any deny statements at all. Does the system just deny everything that's not defined as allowed? Any other thing I should look at? 

Brendan Mannella 
President and CEO 

TeraSwitch Networks Inc. 
Office: 412.224.4333 x303 
Toll-Free: 866.583.6338 

Mobile: 412-592-7848 
Efax: 412.202.7094 






----- Original Message ----- 
From: "Scott T. Cameron" < routehero at gmail.com > 
To: "juniper-nsp" < juniper-nsp at puck.nether.net > 
Sent: Monday, June 21, 2010 1:35:06 PM 
Subject: Re: [j-nsp] SRX Config Question 

Your rules actually seem fine at a glance.  Are those the only rules in your 
system?  No deny that might otherwise be blocking the traffic?  I also 
migrated from ScreenOS and ditched all the old catch-all denies that I had 
at the bottom of zone policies because they don't work the same way in JunOS 
land. 

You're right, you run the policies against the post-translated address, not 
the pre-translated.  The NAT is separate entirely from policies. 

scott 

On Mon, Jun 21, 2010 at 12:54 PM, Brendan Mannella < bmannella at teraswitch.com 
> wrote: 

> Yes that makes sense. And the policy pre srx was like this. But I am almost 
> positive I read somewhere the srx was different in that the policy is looked 
> at post NAT and so the private ip should be used. 
> 
> I will give that a shot though. 
> 
> Brendan Mannella 
> TeraSwitch Networks Inc. 
> Office: 412.224.4333 x303 
> Mobile: 412.592.7848 
> Efax: 412.202.7094 
> 
> 
> On Jun 21, 2010, at 12:50 PM, "Stefan Fouant" < 
> sfouant at shortestpathfirst.net > wrote: 
> 
>> -----Original Message----- 
>>> From: juniper-nsp-bounces at puck.nether.net [mailto: juniper-nsp-bounces at puck.nether.net ] On Behalf Of Brendan Mannella 
>>> Sent: Monday, June 21, 2010 11:20 AM 
>>> To: juniper-nsp 
>>> Subject: [j-nsp] SRX Config Question 
>>> 
>>> So main issue is the firewall does not seem to allow any incoming traffic on 
>>> the ports I opened below on the policies. Anyone have any ideas what I am 
>>> missing? 
>> 
>> Hi Brendan, 
>> 
>> How are things?  I could be wrong, but I believe the issue is with the 
>> untrust-to-trust policy where you are matching on destination-address 
>> 192.168.1.214 : 
>> 
>> from-zone untrust to-zone trust { 
>>     policy 240-51 { 
>>         match { 
>>             source-address any; 
>>             destination-address 192.168.1.214; 
>>             application [ rdp junos-dns-udp junos-ftp junos-http junos-https junos-ms-sql ]; 
>>         } 
>> 
>> I believe in order for this to work you are going to need to make the 
>> destination-address 111.111.111.214.  This will cause it to vector off into 
>> the NAT policy which will translate from 111.111.111.214 to 192.168.1.214. 
>> I think you might also need to use an address book entry whereby you put the 
>> pre-natted address (111.111.111.214) into your trust zone as well. 
>> 
>> Feel free to contact me offline if you'd like additional assistance. 
>> 
>> HTHs. 
>> 
>> Stefan Fouant, CISSP, JNCIEx2 
>> www.shortestpathfirst.net 
>> GPG Key ID: 0xB5E3803D 
>> 
>>  _______________________________________________ 
> juniper-nsp mailing list juniper-nsp at puck.nether.net 
> https://puck.nether.net/mailman/listinfo/juniper-nsp 
> 
_______________________________________________ 
juniper-nsp mailing list juniper-nsp at puck.nether.net 
https://puck.nether.net/mailman/listinfo/juniper-nsp 
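As an added example (not taken from any message in this thread), here is the configuration the replies converge on, written out in set-command form: a static NAT rule-set that carries its from-zone, a trust-zone address-book entry named with underscores rather than dots, and an untrust-to-trust policy that matches the post-NAT private address, because on the SRX policy lookup happens after destination NAT and before source NAT. The public and private addresses, the rule-set name "natting", the policy name "240-51" and the application list are the ones from the thread; the untrust interface ge-0/0/0.0, the proxy-ARP line, the definition of the custom application "rdp" as TCP/3389, the session logging and the explicit deny-all default policy are assumptions added for illustration.

```junos
## Added example, not from the thread. ge-0/0/0.0, the rdp definition, proxy-ARP,
## logging and the explicit default policy are assumptions.

## Custom application referenced by the policy (assumed: RDP on TCP/3389)
set applications application rdp protocol tcp destination-port 3389

## Static NAT: without "from zone" the rule-set is never consulted for inbound traffic
set security nat static rule-set natting from zone untrust
set security nat static rule-set natting rule 214 match destination-address 111.111.111.214/32
set security nat static rule-set natting rule 214 then static-nat prefix 192.168.1.214/32

## Only needed if 111.111.111.214 lies in the untrust interface's own subnet:
## the SRX must answer ARP for the public address it is translating
set security nat proxy-arp interface ge-0/0/0.0 address 111.111.111.214/32

## Address-book entry in the trust zone for the real (post-NAT) host; underscores, not dots, in the name
set security zones security-zone trust address-book address host_192_168_1_214 192.168.1.214/32

## Policy is evaluated after destination NAT, so it must match the private address, not the public one
set security policies from-zone untrust to-zone trust policy 240-51 match source-address any
set security policies from-zone untrust to-zone trust policy 240-51 match destination-address host_192_168_1_214
set security policies from-zone untrust to-zone trust policy 240-51 match application [ rdp junos-dns-udp junos-ftp junos-http junos-https junos-ms-sql ]
set security policies from-zone untrust to-zone trust policy 240-51 then permit
set security policies from-zone untrust to-zone trust policy 240-51 then log session-init
set security policies from-zone untrust to-zone trust policy 240-51 then log session-close

## The SRX denies anything no policy permits; stating it explicitly keeps that intent visible
set security policies default-policy deny-all
```

To confirm the pieces are firing in the expected order, check the static rule's hit counter with "show security nat static rule all", then look at "show security flow session destination-prefix 192.168.1.214" from the trust side while a client connects to 111.111.111.214: a session showing the private address as its destination means the translation happened before policy lookup, and "show security policies from-zone untrust to-zone trust detail" will show the policy's hit count rising. If the rule counter stays at zero, the rule-set's from-zone (or proxy-ARP, where the public address is on-link) is the first thing to revisit, not the policy.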