the rule-set won't be "natting", it'll be whatever rule-set "rule 214" exists in
-Ben

On Mon, Jun 21, 2010 at 3:13 PM, Brendan Mannella <bmanne...@teraswitch.com> wrote:

> I have to double check but i might have missed
>
> set security nat static rule-set natting from zone untrust... I will double check and update the list.
>
> ----- Original Message -----
> From: "ben b" <benboyd.li...@gmail.com>
> To: "Brendan Mannella" <bmanne...@teraswitch.com>
> Cc: "Scott T. Cameron" <routeh...@gmail.com>, "juniper-nsp" <juniper-nsp@puck.nether.net>
> Sent: Monday, June 21, 2010 4:10:43 PM
> Subject: Re: [j-nsp] SRX Config Question
>
> I noticed you didn't include all of the nat config.....make sure you have the "from-zone" configured for the static nat rule-set...
>
> ex.
> "set security nat static rule-set natting from zone untrust"
> "set security nat static rule-set natting rule 214 match destination-address 111.111.111.214/32"
> "set security nat static rule-set natting rule 214 then static-nat prefix 192.168.1.214/32"
>
> I've also noticed strange things when using "." inside of an address-book address. I use "_" instead.
>
> -Ben
>
> On Mon, Jun 21, 2010 at 2:57 PM, ben b <benboyd.li...@gmail.com> wrote:
>
>> The system does default deny if you haven't specified a default policy action.....
>> "set security policies default-policy permit-all "
>>
>> As far as the policy is concerned, the policy is applied AFTER destination nat is performed and BEFORE source nat is performed.
>>
>> What is the output of 'show security policies' or 'show security policies from-zone untrust to-zone trust'?
>>
>> -Ben
>>
>> On Mon, Jun 21, 2010 at 1:18 PM, Brendan Mannella <bmanne...@teraswitch.com> wrote:
>>
>>> Nope, i actually dont see any deny statements at all. Does the system just deny everything thats not defined as allowed? Any other thing i should look at?
>>>
>>> Brendan Mannella
>>> President and CEO
>>> TeraSwitch Networks Inc.
>>> Office: 412.224.4333 x303
>>> Toll-Free: 866.583.6338
>>> Mobile: 412-592-7848
>>> Efax: 412.202.7094
>>>
>>> ----- Original Message -----
>>> From: "Scott T. Cameron" <routeh...@gmail.com>
>>> To: "juniper-nsp" <juniper-nsp@puck.nether.net>
>>> Sent: Monday, June 21, 2010 1:35:06 PM
>>> Subject: Re: [j-nsp] SRX Config Question
>>>
>>> Your rules actually seem fine at a glance. Are those the only rules in your system? No deny that might otherwise be blocking the traffic? I also migrated from ScreenOS and ditched all the old catch-all denies that I had at the bottom of zone policies because they don't work the same way in JunOS land.
>>>
>>> You're right, you run the policies against the post-translated address, not the pre-translated. The NAT is separate entirely from policies.
>>>
>>> scott
>>>
>>> On Mon, Jun 21, 2010 at 12:54 PM, Brendan Mannella <bmanne...@teraswitch.com> wrote:
>>>
>>>> Yes that makes sense. And the policy pre srx was like this. But I am almost positive I read somewhere the srx was different in that the policy is looked at post NAT and so the private ip should be used.
>>>>
>>>> I will give that a shot though.
>>>>
>>>> Brendan Mannella
>>>> TeraSwitch Networks Inc.
>>>> Office: 412.224.4333 x303
>>>> Mobile: 412.592.7848
>>>> Efax: 412.202.7094
>>>>
>>>> On Jun 21, 2010, at 12:50 PM, "Stefan Fouant" <sfou...@shortestpathfirst.net> wrote:
>>>>
>>>>> -----Original Message-----
>>>>>> From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Brendan Mannella
>>>>>> Sent: Monday, June 21, 2010 11:20 AM
>>>>>> To: juniper-nsp
>>>>>> Subject: [j-nsp] SRX Config Question
>>>>>>
>>>>>> So main issue is the firewall does not seem to allow any incoming traffic on the ports i opened below on the policies. Anyone have any ideas what i am missing?
>>>>>
>>>>> Hi Brendan,
>>>>>
>>>>> How are things? I could be wrong, but I believe the issue is with the untrust-to-trust policy where you are matching on destination-address 192.168.1.214:
>>>>>
>>>>> from-zone untrust to-zone trust {
>>>>>     policy 240-51 {
>>>>>         match {
>>>>>             source-address any;
>>>>>             destination-address 192.168.1.214;
>>>>>             application [ rdp junos-dns-udp junos-ftp junos-http junos-https junos-ms-sql ];
>>>>>         }
>>>>>
>>>>> I believe in order for this to work you are going to need to make the destination-address 111.111.111.214. This will cause it to vector off into the NAT policy which will translate from 111.111.111.214 to 192.168.1.214. I think you might also need to use an address book entry whereby you put the pre-natted address (111.111.111.214) into your trust zone as well.
>>>>>
>>>>> Feel free to contact me offline if you'd like additional assistance.
>>>>>
>>>>> HTHs.
>>>>>
>>>>> Stefan Fouant, CISSP, JNCIEx2
>>>>> www.shortestpathfirst.net
>>>>> GPG Key ID: 0xB5E3803D

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
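A small Python model, added here and not code from the thread or from Juniper, of the first-packet order the replies describe: static (destination) NAT is applied first, then the zone policy is looked up against the translated address. The rule-set, rule and policy values are the ones quoted above; the egress zone is passed in rather than derived from a route lookup, default-deny when no policy matches is assumed as Ben describes it, and the prefix-offset arithmetic generalises the quoted /32 case to wider static-NAT prefixes.

```python
import ipaddress

# Constructed from the thread: the static NAT rule-set (with its from-zone) and the policy.
STATIC_NAT_RULE_SETS = {
    "natting": {
        "from_zone": "untrust",
        "rules": {"214": {"match_dst": "111.111.111.214/32",
                          "then_prefix": "192.168.1.214/32"}},
    },
}
POLICIES = [{
    "from_zone": "untrust", "to_zone": "trust", "name": "240-51",
    "src": ["any"], "dst": ["192.168.1.214"],
    "applications": {"rdp", "junos-dns-udp", "junos-ftp", "junos-http",
                     "junos-https", "junos-ms-sql"},
    "action": "permit",
}]
DEFAULT_POLICY = "deny-all"  # assumed: no default-policy statement configured


def apply_static_nat(ingress_zone, dst_ip, rule_sets):
    """Step 1: static NAT. Only rule-sets whose from-zone matches the ingress zone apply."""
    dst = ipaddress.ip_address(dst_ip)
    for rs in rule_sets.values():
        if rs.get("from_zone") != ingress_zone:   # missing/wrong from-zone: rule-set never fires
            continue
        for rule in rs["rules"].values():
            match = ipaddress.ip_network(rule["match_dst"])
            if dst in match:
                target = ipaddress.ip_network(rule["then_prefix"])
                # static NAT is 1:1 within the prefix, so keep the host offset
                return str(target.network_address + (int(dst) - int(match.network_address)))
    return dst_ip


def lookup_policy(from_zone, to_zone, dst_ip, app, policies, default=DEFAULT_POLICY):
    """Step 2: policy lookup runs on the post-destination-NAT address."""
    for p in policies:
        if (p["from_zone"], p["to_zone"]) != (from_zone, to_zone):
            continue
        if ("any" in p["dst"] or dst_ip in p["dst"]) and app in p["applications"]:
            return p["action"], p["name"]
    return default, "default-policy"


def process_first_packet(ingress_zone, egress_zone, dst_ip, app,
                         rule_sets=STATIC_NAT_RULE_SETS, policies=POLICIES):
    """Model of SRX first-packet handling: NAT first, then policy on the translated address."""
    translated = apply_static_nat(ingress_zone, dst_ip, rule_sets)
    action, name = lookup_policy(ingress_zone, egress_zone, translated, app, policies)
    return {"translated_dst": translated, "action": action, "policy": name}
```

Running it with the policy rewritten to match the pre-NAT address 111.111.111.214, or with the rule-set's from-zone left out, shows the session falling through to default deny, which is the symptom reported in the thread.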