[j-nsp] SRX Config Question
Brendan Mannella
bmannella at teraswitch.com
Mon Jun 21 16:13:09 EDT 2010
I have to double check, but I might have missed "set security nat static rule-set natting from zone untrust"... I will double check and update the list.
----- Original Message -----
From: "ben b" <benboyd.lists at gmail.com>
To: "Brendan Mannella" <bmannella at teraswitch.com>
Cc: "Scott T. Cameron" <routehero at gmail.com>, "juniper-nsp" <juniper-nsp at puck.nether.net>
Sent: Monday, June 21, 2010 4:10:43 PM
Subject: Re: [j-nsp] SRX Config Question
I noticed you didn't include all of the NAT config... make sure you have the "from-zone" configured for the static NAT rule-set...
ex.
"set security nat static rule-set natting from zone untrust"
"set security nat static rule-set natting rule 214 match destination-address 111.111.111.214/32"
"set security nat static rule-set natting rule 214 then static-nat prefix 192.168.1.214/32"
I've also noticed strange things when using "." inside of an address-book address. I use "_" instead.
-Ben
On Mon, Jun 21, 2010 at 2:57 PM, ben b <benboyd.lists at gmail.com> wrote:
The system does default deny if you haven't specified a default policy action...
"set security policies default-policy permit-all"
As far as the policy is concerned, the policy is applied AFTER destination nat is performed and BEFORE source nat is performed.
What is the output of 'show security policies' or 'show security policies from-zone untrust to-zone trust'?
-Ben
On Mon, Jun 21, 2010 at 1:18 PM, Brendan Mannella <bmannella at teraswitch.com> wrote:
Nope, I actually don't see any deny statements at all. Does the system just deny everything that's not defined as allowed? Any other thing I should look at?
Brendan Mannella
President and CEO
TeraSwitch Networks Inc.
Office: 412.224.4333 x303
Toll-Free: 866.583.6338
Mobile: 412-592-7848
Efax: 412.202.7094
----- Original Message -----
From: "Scott T. Cameron" < routehero at gmail.com >
To: "juniper-nsp" < juniper-nsp at puck.nether.net >
Sent: Monday, June 21, 2010 1:35:06 PM
Subject: Re: [j-nsp] SRX Config Question
Your rules actually seem fine at a glance. Are those the only rules in your
system? No deny that might otherwise be blocking the traffic? I also
migrated from ScreenOS and ditched all the old catch-all denies that I had
at the bottom of zone policies because they don't work the same way in JunOS
land.
You're right, you run the policies against the post-translated address, not
the pre-translated. The NAT is separate entirely from policies.
scott
On Mon, Jun 21, 2010 at 12:54 PM, Brendan Mannella <bmannella at teraswitch.com> wrote:
> Yes, that makes sense, and the policy pre-SRX was like this. But I am almost
> positive I read somewhere the SRX was different in that the policy is looked
> at post-NAT and so the private IP should be used.
>
> I will give that a shot though.
>
> Brendan Mannella
> TeraSwitch Networks Inc.
> Office: 412.224.4333 x303
> Mobile: 412.592.7848
> Efax: 412.202.7094
>
>
> On Jun 21, 2010, at 12:50 PM, "Stefan Fouant" <
> sfouant at shortestpathfirst.net > wrote:
>
> -----Original Message-----
>>> From: juniper-nsp-bounces at puck.nether.net [mailto: juniper-nsp-
>>> bounces at puck.nether.net ] On Behalf Of Brendan Mannella
>>> Sent: Monday, June 21, 2010 11:20 AM
>>> To: juniper-nsp
>>> Subject: [j-nsp] SRX Config Question
>>>
>>> So main issue is the firewall does not seem to allow any incoming traffic on
>>> the ports I opened below on the policies. Anyone have any ideas what I am
>>> missing?
>>>
>>
>> Hi Brendan,
>>
>> How are things? I could be wrong, but I believe the issue is with the
>> untrust-to-trust policy where you are matching on destination-address
>> 192.168.1.214 :
>>
>> from-zone untrust to-zone trust {
>>     policy 240-51 {
>>         match {
>>             source-address any;
>>             destination-address 192.168.1.214;
>>             application [ rdp junos-dns-udp junos-ftp junos-http junos-https
>>                           junos-ms-sql ];
>>         }
>>
>> I believe in order for this to work you are going to need to make the
>> destination-address 111.111.111.214. This will cause it to vector off into
>> the NAT policy which will translate from 111.111.111.214 to 192.168.1.214.
>> I think you might also need to use an address book entry whereby you put the
>> pre-natted address (111.111.111.214) into your trust zone as well.
>>
>> Feel free to contact me offline if you'd like additional assistance.
>>
>> HTHs.
>>
>> Stefan Fouant, CISSP, JNCIEx2
>> www.shortestpathfirst.net
>> GPG Key ID: 0xB5E3803D
>>
>> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
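Added example, not written by anyone in this thread: a small Python model of the SRX first-packet flow order that Ben and Scott describe (destination NAT first, then a route lookup to find the to-zone, then the policy lookup, and only then source NAT). It uses the thread's addresses and shows that a policy matching the pre-NAT 111.111.111.214 never fires, that one matching the post-NAT 192.168.1.214 does, and that a static rule-set without "from zone" is never consulted; the route table, zone names and the dict-based policy shape are assumptions, not Junos syntax.

```python
import ipaddress

# Constructed route table: longest-prefix match decides the egress (to-) zone.
ROUTES = {"192.168.1.0/24": "trust", "0.0.0.0/0": "untrust"}

def zone_for(ip):
    addr = ipaddress.ip_address(ip)
    candidates = [n for n in ROUTES if addr in ipaddress.ip_network(n)]
    return ROUTES[max(candidates, key=lambda n: ipaddress.ip_network(n).prefixlen)]

def apply_static_nat(rule_sets, in_zone, dst):
    """Static NAT: a rule-set is only consulted if its 'from zone' is the ingress zone."""
    for rs in rule_sets:
        if rs.get("from_zone") != in_zone:
            continue  # no from-zone (or the wrong one): rule-set never applies
        for match_dst, prefix in rs["rules"]:
            if ipaddress.ip_address(dst) in ipaddress.ip_network(match_dst):
                return str(ipaddress.ip_network(prefix).network_address)
    return dst  # untranslated

def policy_lookup(policies, default, from_zone, to_zone, dst, app):
    """First matching from-zone/to-zone policy wins; otherwise the default policy."""
    for p in policies:
        if (p["from"], p["to"]) != (from_zone, to_zone):
            continue
        if ipaddress.ip_address(dst) in ipaddress.ip_network(p["dst"]) and app in p["apps"]:
            return p["action"]
    return default  # deny unless 'default-policy permit-all' is configured

def first_packet(cfg, in_zone, dst, app):
    """Action for a new session; dst is the address the outside client sent to."""
    translated = apply_static_nat(cfg["static_nat"], in_zone, dst)  # 1. destination NAT
    to_zone = zone_for(translated)                                  # 2. route lookup -> to-zone
    return policy_lookup(cfg["policies"], cfg["default_policy"],     # 3. policy on post-NAT dst
                         in_zone, to_zone, translated, app)
    # 4. source NAT would run after the policy decision and never affects it

# Constructed configurations mirroring the thread (addresses as posted).
NAT = [{"from_zone": "untrust", "rules": [("111.111.111.214/32", "192.168.1.214/32")]}]
APPS = {"rdp", "junos-http", "junos-https"}
BROKEN = {"static_nat": NAT, "default_policy": "deny",  # matches the public address
          "policies": [{"from": "untrust", "to": "trust", "dst": "111.111.111.214/32",
                        "apps": APPS, "action": "permit"}]}
FIXED = {"static_nat": NAT, "default_policy": "deny",   # matches the post-NAT address
         "policies": [{"from": "untrust", "to": "trust", "dst": "192.168.1.214/32",
                       "apps": APPS, "action": "permit"}]}
NO_FROM_ZONE = {"static_nat": [{"rules": NAT[0]["rules"]}], "default_policy": "deny",
                "policies": FIXED["policies"]}
```

Running `first_packet(cfg, "untrust", "111.111.111.214", "rdp")` against the three configurations gives deny, permit and deny respectively; the last case denies because the untranslated destination still routes to untrust, so no untrust-to-trust policy can match.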