[j-nsp] SRX Config Question

Brendan Mannella bmannella at teraswitch.com
Tue Jun 22 14:00:38 EDT 2010 

Ok i updated the address book from "." to "_" 

Below is the output of the commands, i havent had a chance to retest with the updated address book to see if that does it, i will let you know. The Nat and polices look ok.. 


root at srx210> show security nat static rule all 
Total static-nat rules: 58 

Static NAT rule: 51 Rule-set: static 
Rule-Id : 1 
Rule position : 1 
>From zone : untrust 
Destination addresses : 111.111.111.214 (external public ip) 
Host addresses : 192.168.1.214 
Netmask : 255.255.255.255 
Host routing-instance : N/A 
Translation hits : 0 




root at srx210> show security policies detail 
Default policy: deny-all 
Policy: trust-to-untrust, action-type: permit, State: enabled, Index: 4 
Sequence number: 1 
>From zone: trust, To zone: untrust 
Source addresses: 
any: 0.0.0.0/0 
Destination addresses: 
any: 0.0.0.0/0 
Application: any 
IP protocol: 0, ALG: 0, Inactivity timeout: 0 
Source port range: [0-0] 
Destination port range: [0-0] 


Policy: 240-214, action-type: permit, State: enabled, Index: 5 
Sequence number: 1 
>From zone: untrust, To zone: trust 
Source addresses: 
any: 0.0.0.0/0 
Destination addresses: 
192_168_1_214: 192.168.1.214/32 
Application: rdp 
IP protocol: tcp, ALG: 0, Inactivity timeout: 1800 
Source port range: [0-0] 
Destination port range: [3389-3389] 
Application: junos-dns-udp 
IP protocol: udp, ALG: dns, Inactivity timeout: 60 
Source port range: [0-0] 
Destination port range: [53-53] 
Application: junos-ftp 
IP protocol: tcp, ALG: ftp, Inactivity timeout: 1800 
Source port range: [0-0] 
Destination port range: [21-21] 
Application: junos-http 
IP protocol: tcp, ALG: 0, Inactivity timeout: 1800 
Source port range: [0-0] 
Destination port range: [80-80] 
Application: junos-https 
IP protocol: tcp, ALG: 0, Inactivity timeout: 1800 
Source port range: [0-0] 
Destination port range: [443-443] 
Application: junos-ms-sql 
IP protocol: tcp, ALG: 0, Inactivity timeout: 1800 
Source port range: [0-0] 
Destination port range: [1433-1433] 
Session log: at-create, at-close 





----- Original Message ----- 
From: "ben b" <benboyd.lists at gmail.com> 
To: "Brendan Mannella" <bmannella at teraswitch.com> 
Cc: "Scott T. Cameron" <routehero at gmail.com>, "juniper-nsp" <juniper-nsp at puck.nether.net> 
Sent: Tuesday, June 22, 2010 1:32:52 PM 
Subject: Re: [j-nsp] SRX Config Question 


If the results of the "show security policies detail" operational command show the policies in the right order and allowing the right ports and "show security nat static rule 214" looks like it's natting correctly, and removing the periods doesn't fix it, the only thing I can think of is that 192.168.1.214 isn't reachable from the SRX and the SRX is dropping the traffic. 


I typically start with an "any any any permit" to verify ping/trace through the SRX, then replace that with a narrowed down policy 




On Tue, Jun 22, 2010 at 12:06 PM, Brendan Mannella < bmannella at teraswitch.com > wrote: 






I double checked i do have "from zone untrust" 



I will try updating the address book and remove the periods. 




Brendan Mannella 
President and CEO 
TeraSwitch Networks Inc. 
Office: 412.224.4333 x303 
Toll-Free: 866.583.6338 
Mobile: 412-592-7848 
Efax: 412.202.7094

More information about the juniper-nsp mailing list