I have to double check but I might have missed

set security nat static rule-set natting from zone untrust

I will double check and update the list.





----- Original Message ----- 
From: "ben b" <benboyd.li...@gmail.com> 
To: "Brendan Mannella" <bmanne...@teraswitch.com> 
Cc: "Scott T. Cameron" <routeh...@gmail.com>, "juniper-nsp" 
<juniper-nsp@puck.nether.net> 
Sent: Monday, June 21, 2010 4:10:43 PM 
Subject: Re: [j-nsp] SRX Config Question 

I noticed you didn't include all of the NAT config. Make sure you have the
"from-zone" configured for the static NAT rule-set.





ex.

set security nat static rule-set natting from zone untrust
set security nat static rule-set natting rule 214 match destination-address 111.111.111.214/32
set security nat static rule-set natting rule 214 then static-nat prefix 192.168.1.214/32


I've also noticed strange things when using "." inside of an address-book
address name. I use "_" instead.


-Ben 




On Mon, Jun 21, 2010 at 2:57 PM, ben b <benboyd.li...@gmail.com> wrote:



The system does default deny if you haven't specified a default policy
action:
set security policies default-policy permit-all




As far as the policy is concerned, the policy is applied AFTER destination NAT
is performed and BEFORE source NAT is performed.


What is the output of 'show security policies' or 'show security policies 
from-zone untrust to-zone trust'? 


-Ben 




On Mon, Jun 21, 2010 at 1:18 PM, Brendan Mannella <bmanne...@teraswitch.com> wrote:


Nope, I actually don't see any deny statements at all. Does the system just
deny everything that's not defined as allowed? Any other thing I should look at?

Brendan Mannella 
President and CEO 

TeraSwitch Networks Inc. 
Office: 412.224.4333 x303 
Toll-Free: 866.583.6338 

Mobile: 412-592-7848 
Efax: 412.202.7094 






----- Original Message ----- 
From: "Scott T. Cameron" <routeh...@gmail.com>
To: "juniper-nsp" <juniper-nsp@puck.nether.net>
Sent: Monday, June 21, 2010 1:35:06 PM 
Subject: Re: [j-nsp] SRX Config Question 

Your rules actually seem fine at a glance.  Are those the only rules in your 
system?  No deny that might otherwise be blocking the traffic?  I also 
migrated from ScreenOS and ditched all the old catch-all denies that I had 
at the bottom of zone policies because they don't work the same way in JunOS 
land. 

You're right, you run the policies against the post-translated address, not 
the pre-translated.  The NAT is separate entirely from policies. 

scott 
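Ben's static NAT rule-set and the point both Ben and Scott make above (the untrust-to-trust policy is evaluated after destination NAT, so it has to match the private address) pulled together into one working SRX configuration. This is an added example, not config posted in the thread. Assumptions not in the thread: ge-0/0/0.0 is the untrust interface, 111.111.111.214 is a spare address on that interface's subnet rather than the interface address itself (which is why proxy-arp is needed), the custom "rdp" application is TCP/3389, and the address-book name srv_192_168_1_214 follows Ben's underscore convention. The application list is trimmed to three entries for brevity.

```junos
# Added example for this thread, not the original poster's config.
# Assumed topology: ge-0/0/0.0 in zone untrust, 111.111.111.214 is a free
# address on the untrust subnet, server 192.168.1.214 sits in zone trust.

# Custom application used in the policy (assumed: RDP on TCP/3389)
set applications application rdp protocol tcp destination-port 3389

# Static NAT: bidirectional 111.111.111.214 <-> 192.168.1.214.
# "from zone untrust" is the part Ben points out is easy to forget.
set security nat static rule-set natting from zone untrust
set security nat static rule-set natting rule 214 match destination-address 111.111.111.214/32
set security nat static rule-set natting rule 214 then static-nat prefix 192.168.1.214/32

# The SRX must answer ARP for the NAT address on the untrust segment.
# Only needed when the address is not configured on the interface itself.
set security nat proxy-arp interface ge-0/0/0.0 address 111.111.111.214/32

# Per-zone address book (the syntax of the Junos releases current in 2010);
# named with "_" rather than "." as Ben suggests.
set security zones security-zone trust address-book address srv_192_168_1_214 192.168.1.214/32

# Policy lookup happens AFTER destination NAT and BEFORE source NAT, so the
# untrust->trust policy matches the private (post-NAT) address, not 111.111.111.214.
set security policies from-zone untrust to-zone trust policy 240-51 match source-address any
set security policies from-zone untrust to-zone trust policy 240-51 match destination-address srv_192_168_1_214
set security policies from-zone untrust to-zone trust policy 240-51 match application [ rdp junos-http junos-https ]
set security policies from-zone untrust to-zone trust policy 240-51 then permit

# Implicit default is deny-all; stated explicitly so nobody has to guess.
set security policies default-policy deny-all

# Operational-mode checks (run after commit):
#   show security nat static rule all
#   show security policies from-zone untrust to-zone trust
#   show security flow session destination-prefix 192.168.1.214
```

The three show commands answer the questions raised in the thread in order: the first confirms the rule-set is attached to zone untrust and counts translation hits, the second shows the policy as the SRX actually holds it (Ben's request for `show security policies` output), and the third lists live sessions keyed on the translated destination, which is the address the policy engine saw. If the policy had been written against 111.111.111.214 instead, the static NAT counters would increment while the policy's hit counter stayed at zero and the session would be dropped by the default deny.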

On Mon, Jun 21, 2010 at 12:54 PM, Brendan Mannella <bmanne...@teraswitch.com> wrote:

> Yes that makes sense. And the policy pre-SRX was like this. But I am almost
> positive I read somewhere the SRX was different in that the policy is looked
> at post-NAT and so the private IP should be used.
> 
> I will give that a shot though. 
> 
> Brendan Mannella 
> TeraSwitch Networks Inc. 
> Office: 412.224.4333 x303 
> Mobile: 412.592.7848 
> Efax: 412.202.7094 
> 
> 
> On Jun 21, 2010, at 12:50 PM, "Stefan Fouant" <sfou...@shortestpathfirst.net> wrote:
> 
>> -----Original Message-----
>>> From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Brendan Mannella
>>> Sent: Monday, June 21, 2010 11:20 AM
>>> To: juniper-nsp
>>> Subject: [j-nsp] SRX Config Question
>>>
>>> So main issue is the firewall does not seem to allow any incoming traffic on
>>> the ports I opened below on the policies. Anyone have any ideas what I am
>>> missing?
>>
>> Hi Brendan, 
>> 
>> How are things? I could be wrong, but I believe the issue is with the
>> untrust-to-trust policy where you are matching on destination-address
>> 192.168.1.214:
>>
>> from-zone untrust to-zone trust {
>>     policy 240-51 {
>>         match {
>>             source-address any;
>>             destination-address 192.168.1.214;
>>             application [ rdp junos-dns-udp junos-ftp junos-http junos-https junos-ms-sql ];
>>         }
>>
>> I believe in order for this to work you are going to need to make the
>> destination-address 111.111.111.214. This will cause it to vector off into
>> the NAT policy which will translate from 111.111.111.214 to 192.168.1.214.
>> I think you might also need to use an address book entry whereby you put the
>> pre-natted address (111.111.111.214) into your trust zone as well.
>> 
>> Feel free to contact me offline if you'd like additional assistance. 
>> 
>> HTHs. 
>> 
>> Stefan Fouant, CISSP, JNCIEx2 
>> www.shortestpathfirst.net 
>> GPG Key ID: 0xB5E3803D 
>> 
>>  _______________________________________________ 
> juniper-nsp mailing list juniper-nsp@puck.nether.net 
> https://puck.nether.net/mailman/listinfo/juniper-nsp 
> 