Nope, I actually don't see any deny statements at all. Does the system just
deny everything that's not defined as allowed? Any other thing I should look at?

Brendan Mannella
President and CEO
TeraSwitch Networks Inc.
Office: 412.224.4333 x303
Toll-Free: 866.583.6338
Mobile: 412-592-7848
Efax: 412.202.7094



----- Original Message -----
From: "Scott T. Cameron" <routeh...@gmail.com>
To: "juniper-nsp" <juniper-nsp@puck.nether.net>
Sent: Monday, June 21, 2010 1:35:06 PM
Subject: Re: [j-nsp] SRX Config Question

Your rules actually seem fine at a glance.  Are those the only rules in your
system?  No deny that might otherwise be blocking the traffic?  I also
migrated from ScreenOS and ditched all the old catch-all denies that I had
at the bottom of zone policies because they don't work the same way in JunOS
land.

You're right, you run the policies against the post-translated address, not
the pre-translated.  The NAT is separate entirely from policies.

scott

On Mon, Jun 21, 2010 at 12:54 PM, Brendan Mannella <bmanne...@teraswitch.com> wrote:

> Yes that makes sense. And the policy pre-SRX was like this. But I am almost
> positive I read somewhere the SRX was different in that the policy is looked
> at post-NAT and so the private IP should be used.
>
> I will give that a shot though.
>
> Brendan Mannella
> TeraSwitch Networks Inc.
> Office: 412.224.4333 x303
> Mobile: 412.592.7848
> Efax: 412.202.7094
>
>
> On Jun 21, 2010, at 12:50 PM, "Stefan Fouant" <sfou...@shortestpathfirst.net> wrote:
>
>> -----Original Message-----
>>> From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-
>>> boun...@puck.nether.net] On Behalf Of Brendan Mannella
>>> Sent: Monday, June 21, 2010 11:20 AM
>>> To: juniper-nsp
>>> Subject: [j-nsp] SRX Config Question
>>>
>>> So main issue is the firewall does not seem to allow any incoming traffic on
>>> the ports I opened below on the policies. Anyone have any ideas what I am
>>> missing?
>>
>> Hi Brendan,
>>
>> How are things?  I could be wrong, but I believe the issue is with the
>> untrust-to-trust policy where you are matching on destination-address
>> 192.168.1.214:
>>
>> from-zone untrust to-zone trust {
>>     policy 240-51 {
>>         match {
>>             source-address any;
>>             destination-address 192.168.1.214;
>>             application [ rdp junos-dns-udp junos-ftp junos-http junos-https junos-ms-sql ];
>>         }
>>     }
>> }
>>
>> I believe in order for this to work you are going to need to make the
>> destination-address 111.111.111.214.  This will cause it to vector off into
>> the NAT policy which will translate from 111.111.111.214 to 192.168.1.214.
>> I think you might also need to use an address book entry whereby you put the
>> pre-natted address (111.111.111.214) into your trust zone as well.
>>
>> Feel free to contact me offline if you'd like additional assistance.
>>
>> HTHs.
>>
>> Stefan Fouant, CISSP, JNCIEx2
>> www.shortestpathfirst.net
>> GPG Key ID: 0xB5E3803D
>>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
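As an added example, not taken from any message in this thread, here is a minimal SRX configuration that implements the ordering Scott describes: destination NAT is applied to the packet first, and the untrust-to-trust policy is then matched against the post-translated private address. The addresses 111.111.111.214 and 192.168.1.214 and the policy name 240-51 come from the thread; the pool and rule-set names, the host-214 address-book name, the rdp application definition (TCP 3389) and the zone-scoped address book (the Junos 10.x layout) are assumptions. The default-policy stanza answers Brendan's question about implicit deny: an SRX drops any session that no policy permits, and deny-all is the factory default, so no trailing catch-all deny policy is needed. Logging on the permit action makes it easy to see whether the policy is actually being hit.

```junos
/* Destination NAT: translate the public address to the inside host
   before the policy lookup runs (assumed pool and rule-set names). */
security {
    nat {
        destination {
            pool dnat-host-214 {
                address 192.168.1.214/32;
            }
            rule-set untrust-inbound {
                from zone untrust;
                rule to-host-214 {
                    match {
                        destination-address 111.111.111.214/32;
                    }
                    then {
                        destination-nat pool dnat-host-214;
                    }
                }
            }
        }
    }
    /* Zone-scoped address book (Junos 10.x style): the policy refers to
       the post-NAT private address, which lives in the trust zone. */
    zones {
        security-zone trust {
            address-book {
                address host-214 192.168.1.214/32;
            }
        }
    }
    policies {
        from-zone untrust to-zone trust {
            policy 240-51 {
                match {
                    source-address any;
                    /* Post-translated address, not 111.111.111.214 */
                    destination-address host-214;
                    application [ rdp junos-http junos-https ];
                }
                then {
                    permit;
                    /* Log session setup and teardown so policy hits are visible */
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        /* Anything no policy permits is dropped; deny-all is the default,
           stated explicitly here so the behaviour is obvious in the config. */
        default-policy {
            deny-all;
        }
    }
}
/* Assumed custom application for the "rdp" name used in the thread */
applications {
    application rdp {
        protocol tcp;
        destination-port 3389;
    }
}
```

To confirm the two stages are doing what the thread describes, `show security nat destination rule all` reports translation hits on the NAT rule, and `show security flow session destination-prefix 192.168.1.214` shows established sessions already carrying the private address, which is why the policy must name that address rather than the public one.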