Yes, that makes sense. And the policy pre-SRX was like this. But I am almost positive I read somewhere the SRX was different in that the policy is looked at post-NAT, and so the private IP should be used.

I will give that a shot though.

Brendan Mannella
TeraSwitch Networks Inc.
Office: 412.224.4333 x303
Mobile: 412.592.7848
Efax: 412.202.7094

On Jun 21, 2010, at 12:50 PM, "Stefan Fouant" <sfou...@shortestpathfirst.net> wrote:

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-
boun...@puck.nether.net] On Behalf Of Brendan Mannella
Sent: Monday, June 21, 2010 11:20 AM
To: juniper-nsp
Subject: [j-nsp] SRX Config Question

So main issue is the firewall does not seem to allow any incoming traffic on the ports I opened below on the policies. Anyone have any ideas what I am missing?

Hi Brendan,

How are things?  I could be wrong, but I believe the issue is with the
untrust-to-trust policy where you are matching on destination-address
192.168.1.214:

from-zone untrust to-zone trust {
    policy 240-51 {
        match {
            source-address any;
            destination-address 192.168.1.214;
            application [ rdp junos-dns-udp junos-ftp junos-http junos-https junos-ms-sql ];
        }
    }
}

I believe in order for this to work you are going to need to make the destination-address 111.111.111.214. This will cause it to vector off into the NAT policy, which will translate from 111.111.111.214 to 192.168.1.214. I think you might also need to use an address book entry whereby you put the pre-natted address (111.111.111.214) into your trust zone as well.

Feel free to contact me offline if you'd like additional assistance.

HTHs.

Stefan Fouant, CISSP, JNCIEx2
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp