[j-nsp] SRX Config Question

ben b benboyd.lists at gmail.com
Mon Jun 21 16:19:32 EDT 2010


the rule-set won't be "natting", it'll be whatever rule-set "rule 214"
exists in

-Ben

On Mon, Jun 21, 2010 at 3:13 PM, Brendan Mannella
<bmannella at teraswitch.com> wrote:

> I have to double check but I might have missed
>
>
>
> set security nat static rule-set natting from zone untrust... I will double
> check and update the list.
>
>
>
>
>
> ----- Original Message -----
> From: "ben b" <benboyd.lists at gmail.com>
> To: "Brendan Mannella" <bmannella at teraswitch.com>
> Cc: "Scott T. Cameron" <routehero at gmail.com>, "juniper-nsp" <
> juniper-nsp at puck.nether.net>
> Sent: Monday, June 21, 2010 4:10:43 PM
> Subject: Re: [j-nsp] SRX Config Question
>
> I noticed you didn't include all of the NAT config.....make sure you have
>  the "from-zone" configured for the static NAT rule-set...
>
> ex.
> "set security nat static rule-set natting from zone untrust"
> "set security nat static rule-set natting rule 214 match
> destination-address 111.111.111.214/32"
> "set security nat static rule-set natting rule 214 then static-nat prefix
> 192.168.1.214/32"
>
> I've also noticed strange things when using "." inside of an address-book
> address.  I use "_" instead.
>
> -Ben
>
>
> On Mon, Jun 21, 2010 at 2:57 PM, ben b <benboyd.lists at gmail.com> wrote:
>
>> The system does default deny if you haven't specified a default policy
>> action.....
>> "set security policies default-policy permit-all "
>>
>>
>> As far as the policy is concerned, the policy is applied AFTER destination
>> nat is performed and BEFORE source nat is performed.
>>
>> What is the output of 'show security policies' or 'show security policies
>> from-zone untrust to-zone trust'?
>>
>> -Ben
>>
>> On Mon, Jun 21, 2010 at 1:18 PM, Brendan Mannella <bmannella at teraswitch.com> wrote:
>>
>>> Nope, I actually don't see any deny statements at all. Does the system
>>> just deny everything that's not defined as allowed? Any other thing I should
>>> look at?
>>>
>>> Brendan Mannella
>>> President and CEO
>>> TeraSwitch Networks Inc.
>>> Office: 412.224.4333 x303
>>> Toll-Free: 866.583.6338
>>> Mobile: 412-592-7848
>>> Efax: 412.202.7094
>>>
>>>
>>>
>>>  ----- Original Message -----
>>> From: "Scott T. Cameron" <routehero at gmail.com>
>>> To: "juniper-nsp" <juniper-nsp at puck.nether.net>
>>> Sent: Monday, June 21, 2010 1:35:06 PM
>>> Subject: Re: [j-nsp] SRX Config Question
>>>
>>> Your rules actually seem fine at a glance.  Are those the only rules in
>>> your system?  No deny that might otherwise be blocking the traffic?  I also
>>> migrated from ScreenOS and ditched all the old catch-all denies that I had
>>> at the bottom of zone policies because they don't work the same way in
>>> JunOS land.
>>>
>>> You're right, you run the policies against the post-translated address,
>>> not the pre-translated.  The NAT is separate entirely from policies.
>>>
>>> scott
>>>
>>> On Mon, Jun 21, 2010 at 12:54 PM, Brendan Mannella <bmannella at teraswitch.com> wrote:
>>>
>>> > Yes that makes sense. And the policy pre SRX was like this. But I am
>>> > almost positive I read somewhere the SRX was different in that the policy
>>> > is looked at post NAT and so the private IP should be used.
>>> >
>>> > I will give that a shot though.
>>> >
>>> > Brendan Mannella
>>> > TeraSwitch Networks Inc.
>>> > Office: 412.224.4333 x303
>>> > Mobile: 412.592.7848
>>> > Efax: 412.202.7094
>>> >
>>> >
>>> > On Jun 21, 2010, at 12:50 PM, "Stefan Fouant" <
>>> > sfouant at shortestpathfirst.net> wrote:
>>> >
>>> >> -----Original Message-----
>>> >>> From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-
>>> >>> bounces at puck.nether.net] On Behalf Of Brendan Mannella
>>> >>> Sent: Monday, June 21, 2010 11:20 AM
>>> >>> To: juniper-nsp
>>> >>> Subject: [j-nsp] SRX Config Question
>>> >>>
>>> >>> So main issue is the firewall does not seem to allow any incoming
>>> >>> traffic on the ports I opened below on the policies. Anyone have any
>>> >>> ideas what I am missing?
>>> >>
>>> >> Hi Brendan,
>>> >>
>>> >> How are things?  I could be wrong, but I believe the issue is with the
>>> >> untrust-to-trust policy where you are matching on destination-address
>>> >> 192.168.1.214:
>>> >>
>>> >> from-zone untrust to-zone trust {
>>> >>     policy 240-51 {
>>> >>         match {
>>> >>             source-address any;
>>> >>             destination-address 192.168.1.214;
>>> >>             application [ rdp junos-dns-udp junos-ftp junos-http junos-https
>>> >>                           junos-ms-sql ];
>>> >>         }
>>> >>
>>> >> I believe in order for this to work you are going to need to make the
>>> >> destination-address 111.111.111.214.  This will cause it to vector off
>>> >> into the NAT policy which will translate from 111.111.111.214 to
>>> >> 192.168.1.214.  I think you might also need to use an address book entry
>>> >> whereby you put the pre-natted address (111.111.111.214) into your trust
>>> >> zone as well.
>>> >>
>>> >> Feel free to contact me offline if you'd like additional assistance.
>>> >>
>>> >> HTHs.
>>> >>
>>> >> Stefan Fouant, CISSP, JNCIEx2
>>> >> www.shortestpathfirst.net
>>> >> GPG Key ID: 0xB5E3803D
>>> >>
>>> >>  _______________________________________________
>>> > juniper-nsp mailing list juniper-nsp at puck.nether.net
>>> > https://puck.nether.net/mailman/listinfo/juniper-nsp
>>> >
>>>
>>
>>
>

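As an added example (not part of the thread, and not config posted by any of the participants), the following is a complete, consistent version of what the replies above describe: a static NAT rule-set that names its from zone, the SRX answering ARP for the public address, and an untrust-to-trust policy that matches the private address, since on the SRX the policy lookup for inbound traffic runs after destination/static NAT and before source NAT. The addresses are the ones used in the thread; the interface name ge-0/0/0.0, the address-book name srv_214, and the reduced application list are assumptions. The address-book entry uses an underscore rather than a dot, as Ben suggests. Comments are Junos /* */ annotations.

```junos
security {
    nat {
        static {
            rule-set natting {
                /* Required: the rule-set must name where traffic enters from. */
                from zone untrust;
                rule 214 {
                    match {
                        /* Pre-NAT (public) destination, /32 */
                        destination-address 111.111.111.214/32;
                    }
                    then {
                        /* Post-NAT (private) host the policy will see */
                        static-nat prefix 192.168.1.214/32;
                    }
                }
            }
        }
        /* Assumed: 111.111.111.214 is on the untrust subnet but is not the
           interface address, so the SRX must answer ARP for it.
           Interface name is an assumption. */
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    111.111.111.214/32;
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                /* Assumed name; underscore avoids the dot-in-name oddities
                   mentioned in the thread. */
                address srv_214 192.168.1.214/32;
            }
        }
    }
    policies {
        from-zone untrust to-zone trust {
            policy 240-51 {
                match {
                    source-address any;
                    /* Policy lookup happens after static/destination NAT,
                       so match the translated (private) address, not the
                       public one. */
                    destination-address srv_214;
                    /* Assumed: reduced application list for the example */
                    application [ junos-http junos-https ];
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

After committing, `show security nat static rule all` shows the translation hit counter, and `show security flow session destination-prefix 192.168.1.214` shows whether inbound sessions are being created against the private address; a static rule with a rising hit count but no matching session usually points back at the policy, not the NAT.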
