I noticed you didn't include all of the NAT config..... make sure you have the "from-zone" configured for the static NAT rule-set...

ex.
"set security nat static rule-set natting from zone untrust"
"set security nat static rule-set natting rule 214 match destination-address 111.111.111.214/32"
"set security nat static rule-set natting rule 214 then static-nat prefix 192.168.1.214/32"

I've also noticed strange things when using "." inside of an address-book address. I use "_" instead.

-Ben

On Mon, Jun 21, 2010 at 2:57 PM, ben b <benboyd.li...@gmail.com> wrote:
> The system does default deny if you haven't specified a default policy action.....
> "set security policies default-policy permit-all "
>
> As far as the policy is concerned, the policy is applied AFTER destination NAT is performed and BEFORE source NAT is performed.
>
> What is the output of 'show security policies' or 'show security policies from-zone untrust to-zone trust'?
>
> -Ben
>
> On Mon, Jun 21, 2010 at 1:18 PM, Brendan Mannella <bmanne...@teraswitch.com> wrote:
>
>> Nope, I actually don't see any deny statements at all. Does the system just deny everything that's not defined as allowed? Any other thing I should look at?
>>
>> Brendan Mannella
>> President and CEO
>> TeraSwitch Networks Inc.
>> Office: 412.224.4333 x303
>> Toll-Free: 866.583.6338
>> Mobile: 412-592-7848
>> Efax: 412.202.7094
>>
>> ----- Original Message -----
>> From: "Scott T. Cameron" <routeh...@gmail.com>
>> To: "juniper-nsp" <juniper-nsp@puck.nether.net>
>> Sent: Monday, June 21, 2010 1:35:06 PM
>> Subject: Re: [j-nsp] SRX Config Question
>>
>> Your rules actually seem fine at a glance. Are those the only rules in your system? No deny that might otherwise be blocking the traffic? I also migrated from ScreenOS and ditched all the old catch-all denies that I had at the bottom of zone policies because they don't work the same way in JunOS land.
>>
>> You're right, you run the policies against the post-translated address, not the pre-translated. The NAT is separate entirely from policies.
>>
>> scott
>>
>> On Mon, Jun 21, 2010 at 12:54 PM, Brendan Mannella <bmanne...@teraswitch.com> wrote:
>>
>> > Yes that makes sense. And the policy pre SRX was like this. But I am almost positive I read somewhere the SRX was different in that the policy is looked at post NAT and so the private IP should be used.
>> >
>> > I will give that a shot though.
>> >
>> > Brendan Mannella
>> > TeraSwitch Networks Inc.
>> > Office: 412.224.4333 x303
>> > Mobile: 412.592.7848
>> > Efax: 412.202.7094
>> >
>> > On Jun 21, 2010, at 12:50 PM, "Stefan Fouant" <sfou...@shortestpathfirst.net> wrote:
>> >
>> >>> -----Original Message-----
>> >>> From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Brendan Mannella
>> >>> Sent: Monday, June 21, 2010 11:20 AM
>> >>> To: juniper-nsp
>> >>> Subject: [j-nsp] SRX Config Question
>> >>>
>> >>> So main issue is the firewall does not seem to allow any incoming traffic on the ports I opened below on the policies. Anyone have any ideas what I am missing?
>> >>
>> >> Hi Brendan,
>> >>
>> >> How are things? I could be wrong, but I believe the issue is with the untrust-to-trust policy where you are matching on destination-address 192.168.1.214:
>> >>
>> >> from-zone untrust to-zone trust {
>> >>     policy 240-51 {
>> >>         match {
>> >>             source-address any;
>> >>             destination-address 192.168.1.214;
>> >>             application [ rdp junos-dns-udp junos-ftp junos-http junos-https junos-ms-sql ];
>> >>         }
>> >>
>> >> I believe in order for this to work you are going to need to make the destination-address 111.111.111.214. This will cause it to vector off into the NAT policy which will translate from 111.111.111.214 to 192.168.1.214. I think you might also need to use an address book entry whereby you put the pre-natted address (111.111.111.214) into your trust zone as well.
>> >>
>> >> Feel free to contact me offline if you'd like additional assistance.
>> >>
>> >> HTHs.
>> >>
>> >> Stefan Fouant, CISSP, JNCIEx2
>> >> www.shortestpathfirst.net
>> >> GPG Key ID: 0xB5E3803D
>> >>
>> >> _______________________________________________
>> >> juniper-nsp mailing list juniper-nsp@puck.nether.net
>> >> https://puck.nether.net/mailman/listinfo/juniper-nsp
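The thread settles on two points: a static NAT rule-set needs its "from zone" context, and SRX security policies are evaluated after destination NAT (and before source NAT), so an untrust-to-trust policy for a static-NATted host should match the translated private address, not the public one. The following is an added example, not code from the thread or from Juniper: a small Python lint over set-style Junos statements that flags both mistakes. It assumes only the statement forms quoted in the thread (plus zone and global address-book entries), and the sample config with the names pub_214, srv_214, web-pub and broken is constructed for the demonstration.

```python
"""Constructed example: lint an SRX set-style snippet for the two pitfalls the
thread discusses (missing 'from' on a static NAT rule-set, and a policy that
matches the pre-NAT public address instead of the post-NAT private one)."""
import ipaddress
import re
from collections import defaultdict

RE_FROM = re.compile(r"^set security nat static rule-set (\S+) from (zone|interface|routing-instance) (\S+)$")
RE_MATCH = re.compile(r"^set security nat static rule-set (\S+) rule (\S+) match destination-address (\S+)$")
RE_THEN = re.compile(r"^set security nat static rule-set (\S+) rule (\S+) then static-nat prefix (\S+)$")
RE_ZONE_ADDR = re.compile(r"^set security zones security-zone (\S+) address-book address (\S+) (\S+)$")
RE_GLOBAL_ADDR = re.compile(r"^set security address-book global address (\S+) (\S+)$")
RE_POL_DST = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) match destination-address (\S+)$")

# Constructed sample config (names are invented; the 111.111.111.214 ->
# 192.168.1.214 mapping mirrors the one under discussion in the thread).
SAMPLE_CONFIG = """
set security zones security-zone untrust address-book address pub_214 111.111.111.214/32
set security zones security-zone trust address-book address srv_214 192.168.1.214/32
set security nat static rule-set natting from zone untrust
set security nat static rule-set natting rule 214 match destination-address 111.111.111.214/32
set security nat static rule-set natting rule 214 then static-nat prefix 192.168.1.214/32
set security nat static rule-set broken rule 1 match destination-address 111.111.111.215/32
set security nat static rule-set broken rule 1 then static-nat prefix 192.168.1.215/32
set security policies from-zone untrust to-zone trust policy web-pub match source-address any
set security policies from-zone untrust to-zone trust policy web-pub match destination-address pub_214
set security policies from-zone untrust to-zone trust policy web-pub match application junos-https
set security policies from-zone untrust to-zone trust policy web-pub then permit
"""


def _norm(prefix):
    """Canonicalise a prefix so '192.168.1.214' and '192.168.1.214/32' compare equal;
    non-address names (e.g. 'any') are returned unchanged."""
    try:
        return str(ipaddress.ip_network(prefix, strict=False))
    except ValueError:
        return prefix


def parse_config(text):
    """Pull out static NAT rule-sets, address-book entries and policy destinations."""
    rulesets = defaultdict(lambda: {"from": None, "rules": defaultdict(dict)})
    addresses = {}                 # address-book name -> prefix
    policies = defaultdict(list)   # (from-zone, to-zone, policy) -> [destination names]
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_FROM.match(line):
            rulesets[m[1]]["from"] = (m[2], m[3])
        elif m := RE_MATCH.match(line):
            rulesets[m[1]]["rules"][m[2]]["match"] = _norm(m[3])
        elif m := RE_THEN.match(line):
            rulesets[m[1]]["rules"][m[2]]["then"] = _norm(m[3])
        elif m := RE_ZONE_ADDR.match(line):
            addresses[m[2]] = m[3]
        elif m := RE_GLOBAL_ADDR.match(line):
            addresses[m[1]] = m[2]
        elif m := RE_POL_DST.match(line):
            policies[(m[1], m[2], m[3])].append(m[4])
    return rulesets, addresses, policies


def check_config(text):
    """Return a list of human-readable findings (empty list means no issue found)."""
    rulesets, addresses, policies = parse_config(text)
    findings = []
    public_to_private = {}
    for name, rs in rulesets.items():
        if rs["from"] is None:
            findings.append(f"static NAT rule-set '{name}' has no 'from' context (zone/interface/routing-instance)")
        for rule, parts in rs["rules"].items():
            if "match" in parts and "then" in parts:
                public_to_private[parts["match"]] = parts["then"]
            else:
                findings.append(f"static NAT rule '{name}/{rule}' is missing its match or then half")
    for (fz, tz, pol), dsts in policies.items():
        for dst in dsts:
            # Resolve an address-book name; fall back to treating the token as a literal prefix.
            prefix = _norm(addresses.get(dst, dst))
            if prefix in public_to_private:
                findings.append(
                    f"policy {fz}->{tz} '{pol}' matches pre-NAT destination {prefix}; "
                    f"the SRX applies policies after destination NAT, so match the translated "
                    f"address {public_to_private[prefix]} instead")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print("WARN:", finding)
```

Running it against the constructed snippet reports the rule-set without a "from" and the policy that references pub_214; pointing the policy at srv_214 and adding "from zone untrust" to the second rule-set clears both findings. The checker only sees the statement forms listed in its regular expressions, so a config that uses other NAT or address-book syntax needs those patterns extended.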