Have an SRX210 that I am migrating to from an NS-5GT. We used a bunch of MIPs and 
of course policies to allow numerous ports to those MIPs on our NS-5GT. Now 
converting to the SRX, I seem to have most everything correct, but the SRX does 
not allow any of my "allow" policies to work. 

The internal servers can hit the internet and so forth, and if I go to 
whatismyip.com, different servers show the correct external MIP'ed IP address, 
so it seems static NAT is working correctly. 

So the main issue is the firewall does not seem to allow any incoming traffic on 
the ports I opened below on the policies. Anyone have any ideas what I am 
missing? 
***Static Nat Rule******* 

rule 214 {
    match {
        destination-address 111.111.111.214/32;
    }
    then {
        static-nat prefix 192.168.1.214/32;
    }
}

***Proxy Arp**** 

proxy-arp {
    interface ge-0/0/0.0 {
        address {
            111.111.111.214/32;
        }
    }
}
****Security Zone (trust)**** 

zones {
    security-zone trust {
        address-book {
            address 192.168.1.214 192.168.1.214/32;
        }
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            vlan.0;
        }
    }
}
****Security Zone (un-trust)**** 

security-zone untrust {
    screen untrust-screen;
    interfaces {
        ge-0/0/0.0 {
            host-inbound-traffic {
                system-services {
                    dhcp;
                    tftp;
                }
            }
        }
    }
}

***********Policies************** 

policies {
    from-zone trust to-zone untrust {
        policy trust-to-untrust {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone untrust to-zone trust {
        policy 240-51 {
            match {
                source-address any;
                destination-address 192.168.1.214;
                application [ rdp junos-dns-udp junos-ftp junos-http junos-https junos-ms-sql ];
            }
            then {
                permit;
                log {
                    session-init;
                    session-close;
                }
            }
        }
    }
}

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
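For comparison, here is the shape of a complete static NAT setup for the same host, written as an added example and not taken from the post above: the rule must sit inside a rule-set whose "from" context is the zone the inbound packets arrive in, and the untrust-to-trust policy keeps matching the post-NAT private address, as the post already does. The rule-set name and the custom "rdp" application are assumptions; the last comment lists operational commands for checking that the rule and policy are actually being hit.

```junos
security {
    nat {
        static {
            /* Hypothetical rule-set name; the post shows only rule 214. */
            rule-set untrust-static {
                /* Inbound packets to 111.111.111.214 enter from untrust, so
                   the destination match must be evaluated in that context. */
                from zone untrust;
                rule 214 {
                    match {
                        destination-address 111.111.111.214/32;
                    }
                    then {
                        static-nat prefix 192.168.1.214/32;
                    }
                }
            }
        }
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    111.111.111.214/32;
                }
            }
        }
    }
    policies {
        from-zone untrust to-zone trust {
            /* Static/destination NAT runs before policy lookup, so the
               policy matches the translated (private) address. */
            policy 240-51 {
                match {
                    source-address any;
                    destination-address 192.168.1.214;
                    /* "rdp" is assumed to be a custom application. */
                    application [ rdp junos-http junos-https ];
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
    }
}
/* Verification from operational mode:
     show security nat static rule all
     show security flow session destination-prefix 192.168.1.214
     show security policies policy-name 240-51 detail */
```

If the static rule shows a translation hit count but no session appears for 192.168.1.214, the drop is in policy or screen evaluation rather than NAT.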