[j-nsp] SRX Config Question
Brendan Mannella
bmannella at teraswitch.com
Tue Jun 22 14:00:38 EDT 2010
Ok, I updated the address book from "." to "_".
Below is the output of the commands. I haven't had a chance to retest with the updated address book to see if that does it; I will let you know. The NAT and policies look ok.
root@srx210> show security nat static rule all
Total static-nat rules: 58
Static NAT rule: 51 Rule-set: static
Rule-Id : 1
Rule position : 1
From zone : untrust
Destination addresses : 111.111.111.214 (external public ip)
Host addresses : 192.168.1.214
Netmask : 255.255.255.255
Host routing-instance : N/A
Translation hits : 0
root@srx210> show security policies detail
Default policy: deny-all
Policy: trust-to-untrust, action-type: permit, State: enabled, Index: 4
Sequence number: 1
From zone: trust, To zone: untrust
Source addresses:
any: 0.0.0.0/0
Destination addresses:
any: 0.0.0.0/0
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination port range: [0-0]
Policy: 240-214, action-type: permit, State: enabled, Index: 5
Sequence number: 1
From zone: untrust, To zone: trust
Source addresses:
any: 0.0.0.0/0
Destination addresses:
192_168_1_214: 192.168.1.214/32
Application: rdp
IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
Source port range: [0-0]
Destination port range: [3389-3389]
Application: junos-dns-udp
IP protocol: udp, ALG: dns, Inactivity timeout: 60
Source port range: [0-0]
Destination port range: [53-53]
Application: junos-ftp
IP protocol: tcp, ALG: ftp, Inactivity timeout: 1800
Source port range: [0-0]
Destination port range: [21-21]
Application: junos-http
IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
Source port range: [0-0]
Destination port range: [80-80]
Application: junos-https
IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
Source port range: [0-0]
Destination port range: [443-443]
Application: junos-ms-sql
IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
Source port range: [0-0]
Destination port range: [1433-1433]
Session log: at-create, at-close
----- Original Message -----
From: "ben b" <benboyd.lists at gmail.com>
To: "Brendan Mannella" <bmannella at teraswitch.com>
Cc: "Scott T. Cameron" <routehero at gmail.com>, "juniper-nsp" <juniper-nsp at puck.nether.net>
Sent: Tuesday, June 22, 2010 1:32:52 PM
Subject: Re: [j-nsp] SRX Config Question
If the results of the "show security policies detail" operational command show the policies in the right order and allowing the right ports and "show security nat static rule 214" looks like it's natting correctly, and removing the periods doesn't fix it, the only thing I can think of is that 192.168.1.214 isn't reachable from the SRX and the SRX is dropping the traffic.
I typically start with an "any any any permit" to verify ping/trace through the SRX, then replace that with a narrowed-down policy.
On Tue, Jun 22, 2010 at 12:06 PM, Brendan Mannella <bmannella at teraswitch.com> wrote:
I double-checked, I do have "from zone untrust".
I will try updating the address book and remove the periods.
Brendan Mannella
President and CEO
TeraSwitch Networks Inc.
Office: 412.224.4333 x303
Toll-Free: 866.583.6338
Mobile: 412-592-7848
Efax: 412.202.7094
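A constructed Junos set-style configuration that puts the pieces discussed in this thread together (static NAT from zone untrust, an underscore-named address-book entry, and the narrowed untrust-to-trust policy with session logging), added here as an example and not the poster's actual configuration; the untrust interface name ge-0/0/0.0 is assumed, and 111.111.111.214 is the thread's placeholder public address.

```junos
## Constructed example, not the poster's config. Assumes the untrust
## interface is ge-0/0/0.0 and that 111.111.111.214 lies on its subnet.

## Custom application matching the "rdp" entry in the policy output
set applications application rdp protocol tcp
set applications application rdp destination-port 3389
set applications application rdp inactivity-timeout 1800

## Static NAT: public 111.111.111.214 <-> internal 192.168.1.214,
## evaluated for traffic arriving from zone untrust
set security nat static rule-set static from zone untrust
set security nat static rule-set static rule 214 match destination-address 111.111.111.214/32
set security nat static rule-set static rule 214 then static-nat prefix 192.168.1.214/32

## If the NAT address is not the interface's own address, the SRX must
## answer ARP for it; otherwise packets never arrive and the rule's
## "Translation hits" counter stays at 0 regardless of policy
set security nat proxy-arp interface ge-0/0/0.0 address 111.111.111.214/32

## Address-book entry named with underscores, as done in the thread
set security zones security-zone trust address-book address 192_168_1_214 192.168.1.214/32

## Untrust -> trust policy for the translated host, logging every session
set security policies from-zone untrust to-zone trust policy 240-214 match source-address any
set security policies from-zone untrust to-zone trust policy 240-214 match destination-address 192_168_1_214
set security policies from-zone untrust to-zone trust policy 240-214 match application [ rdp junos-dns-udp junos-ftp junos-http junos-https junos-ms-sql ]
set security policies from-zone untrust to-zone trust policy 240-214 then permit
set security policies from-zone untrust to-zone trust policy 240-214 then log session-init
set security policies from-zone untrust to-zone trust policy 240-214 then log session-close
```

After committing, watch "Translation hits" in show security nat static rule all and the entries from show security flow session destination-prefix 192.168.1.214: a hit count that stays at 0 means packets for the public address never reach the SRX (upstream routing or ARP), which no policy change will fix.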