Re: [j-nsp] SRX Config Question
I double checked: I do have "from zone untrust". I will try updating the address book and removing the periods.

Brendan Mannella
President and CEO
TeraSwitch Networks Inc.
Office: 412.224.4333 x303
Toll-Free: 866.583.6338
Mobile: 412-592-7848
Efax: 412.202.7094

- Original Message -
From: ben b benboyd.li...@gmail.com
To: Brendan Mannella bmanne...@teraswitch.com
Cc: Scott T. Cameron routeh...@gmail.com, juniper-nsp juniper-nsp@puck.nether.net
Sent: Monday, June 21, 2010 4:19:32 PM
Subject: Re: [j-nsp] SRX Config Question

> The rule-set won't be "natting", it'll be whatever rule-set rule 214 exists in.
>
> -Ben
Re: [j-nsp] SRX Config Question
If the results of the "show security policies detail" operational command show the policies in the right order and allowing the right ports, and "show security nat static rule 214" looks like it's natting correctly, and removing the periods doesn't fix it, the only thing I can think of is that 192.168.1.214 isn't reachable from the SRX and the SRX is dropping the traffic.

I typically start with an any/any/any permit to verify ping/trace through the SRX, then replace that with a narrowed-down policy.

On Tue, Jun 22, 2010 at 12:06 PM, Brendan Mannella bmanne...@teraswitch.com wrote:
> I double checked: I do have "from zone untrust". I will try updating the address book and removing the periods.
>
> Brendan Mannella
> President and CEO
> TeraSwitch Networks Inc.

___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] SRX Config Question
Ok, I updated the address book from . to _. Below is the output of the commands. I haven't had a chance to retest with the updated address book to see if that does it; I will let you know. The NAT and policies look ok..

    r...@srx210> show security nat static rule all
    Total static-nat rules: 58
    Static NAT rule: 51                  Rule-set: static
      Rule-Id                  : 1
      Rule position            : 1
      From zone                : untrust
      Destination addresses    : 111.111.111.214   (external public ip)
      Host addresses           : 192.168.1.214
      Netmask                  : 255.255.255.255
      Host routing-instance    : N/A
      Translation hits         : 0

    r...@srx210> show security policies detail
    Default policy: deny-all
    Policy: trust-to-untrust, action-type: permit, State: enabled, Index: 4
      Sequence number: 1
      From zone: trust, To zone: untrust
      Source addresses:
        any: 0.0.0.0/0
      Destination addresses:
        any: 0.0.0.0/0
      Application: any
        IP protocol: 0, ALG: 0, Inactivity timeout: 0
          Source port range: [0-0]
          Destination port range: [0-0]
    Policy: 240-214, action-type: permit, State: enabled, Index: 5
      Sequence number: 1
      From zone: untrust, To zone: trust
      Source addresses:
        any: 0.0.0.0/0
      Destination addresses:
        192_168_1_214: 192.168.1.214/32
      Application: rdp
        IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
          Source port range: [0-0]
          Destination port range: [3389-3389]
      Application: junos-dns-udp
        IP protocol: udp, ALG: dns, Inactivity timeout: 60
          Source port range: [0-0]
          Destination port range: [53-53]
      Application: junos-ftp
        IP protocol: tcp, ALG: ftp, Inactivity timeout: 1800
          Source port range: [0-0]
          Destination port range: [21-21]
      Application: junos-http
        IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
          Source port range: [0-0]
          Destination port range: [80-80]
      Application: junos-https
        IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
          Source port range: [0-0]
          Destination port range: [443-443]
      Application: junos-ms-sql
        IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
          Source port range: [0-0]
          Destination port range: [1433-1433]
      Session log: at-create, at-close

Brendan Mannella
TeraSwitch Networks Inc.

- Original Message -
From: ben b benboyd.li...@gmail.com
To: Brendan Mannella bmanne...@teraswitch.com
Cc: Scott T. Cameron routeh...@gmail.com, juniper-nsp juniper-nsp@puck.nether.net
Sent: Tuesday, June 22, 2010 1:32:52 PM
Subject: Re: [j-nsp] SRX Config Question

> If the results of the "show security policies detail" operational command show the policies in the right order and allowing the right ports, and "show security nat static rule 214" looks like it's natting correctly, and removing the periods doesn't fix it, the only thing I can think of is that 192.168.1.214 isn't reachable from the SRX and the SRX is dropping the traffic.
>
> I typically start with an any/any/any permit to verify ping/trace through the SRX, then replace that with a narrowed-down policy.
Re: [j-nsp] SRX Config Question
The policy looks good, but your NAT isn't translating. You have 0 translation hits. Your destination address is never changed to 192.168.1.214, which is why your policy is never invoked. Is 192.168.1.214 reachable from the SRX? I would say check previous NAT rules, but the position of this one is 1.

-Ben

On Tue, Jun 22, 2010 at 1:00 PM, Brendan Mannella bmanne...@teraswitch.com wrote:
> Ok, I updated the address book from . to _. Below is the output of the commands. I haven't had a chance to retest with the updated address book to see if that does it; I will let you know. The NAT and policies look ok..
>
> [...]
Re: [j-nsp] SRX Config Question
-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Brendan Mannella
Sent: Monday, June 21, 2010 11:20 AM
To: juniper-nsp
Subject: [j-nsp] SRX Config Question

> So main issue is the firewall does not seem to allow any incoming traffic on the ports I opened below on the policies. Anyone have any ideas what I am missing?

Hi Brendan,

How are things?

I could be wrong, but I believe the issue is with the untrust-to-trust policy where you are matching on destination-address 192.168.1.214:

    from-zone untrust to-zone trust {
        policy 240-51 {
            match {
                source-address any;
                destination-address 192.168.1.214;
                application [ rdp junos-dns-udp junos-ftp junos-http junos-https junos-ms-sql ];
            }

I believe in order for this to work you are going to need to make the destination-address 111.111.111.214. This will cause it to vector off into the NAT policy, which will translate from 111.111.111.214 to 192.168.1.214. I think you might also need to use an address book entry whereby you put the pre-natted address (111.111.111.214) into your trust zone as well.

Feel free to contact me offline if you'd like additional assistance.

HTHs.

Stefan Fouant, CISSP, JNCIEx2
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D
Re: [j-nsp] SRX Config Question
Yes, that makes sense. And the policy pre-SRX was like this. But I am almost positive I read somewhere the SRX was different in that the policy is looked at post-NAT, and so the private IP should be used. I will give that a shot though.

Brendan Mannella
TeraSwitch Networks Inc.

On Jun 21, 2010, at 12:50 PM, Stefan Fouant sfou...@shortestpathfirst.net wrote:
> I could be wrong, but I believe the issue is with the untrust-to-trust policy where you are matching on destination-address 192.168.1.214:
>
> [...]
>
> I believe in order for this to work you are going to need to make the destination-address 111.111.111.214. This will cause it to vector off into the NAT policy, which will translate from 111.111.111.214 to 192.168.1.214. I think you might also need to use an address book entry whereby you put the pre-natted address (111.111.111.214) into your trust zone as well.
Re: [j-nsp] SRX Config Question
Your rules actually seem fine at a glance. Are those the only rules in your system? No deny that might otherwise be blocking the traffic? I also migrated from ScreenOS and ditched all the old catch-all denies that I had at the bottom of zone policies, because they don't work the same way in JunOS land.

You're right, you run the policies against the post-translated address, not the pre-translated. The NAT is separate entirely from policies.

scott

On Mon, Jun 21, 2010 at 12:54 PM, Brendan Mannella bmanne...@teraswitch.com wrote:
> Yes, that makes sense. And the policy pre-SRX was like this. But I am almost positive I read somewhere the SRX was different in that the policy is looked at post-NAT, and so the private IP should be used. I will give that a shot though.
Re: [j-nsp] SRX Config Question
Nope, I actually don't see any deny statements at all. Does the system just deny everything that's not defined as allowed? Any other thing I should look at?

Brendan Mannella
TeraSwitch Networks Inc.

- Original Message -
From: Scott T. Cameron routeh...@gmail.com
To: juniper-nsp juniper-nsp@puck.nether.net
Sent: Monday, June 21, 2010 1:35:06 PM
Subject: Re: [j-nsp] SRX Config Question

> Your rules actually seem fine at a glance. Are those the only rules in your system? No deny that might otherwise be blocking the traffic? I also migrated from ScreenOS and ditched all the old catch-all denies that I had at the bottom of zone policies, because they don't work the same way in JunOS land.
>
> You're right, you run the policies against the post-translated address, not the pre-translated. The NAT is separate entirely from policies.
Re: [j-nsp] SRX Config Question
The system does default deny if you haven't specified a default policy action.

    set security policies default-policy permit-all

As far as the policy is concerned, the policy is applied AFTER destination NAT is performed and BEFORE source NAT is performed.

What is the output of 'show security policies' or 'show security policies from-zone untrust to-zone trust'?

-Ben

On Mon, Jun 21, 2010 at 1:18 PM, Brendan Mannella bmanne...@teraswitch.com wrote:
> Nope, I actually don't see any deny statements at all. Does the system just deny everything that's not defined as allowed? Any other thing I should look at?
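The two checks Ben describes in this thread, that policy is evaluated after destination NAT (so the untrust-to-trust policy must name 192.168.1.214, not 111.111.111.214) and, earlier on this page, that a static NAT rule showing 0 translation hits means the lookup is never reached, can be scripted against the two operational commands whose output Brendan pasted. The Python below is an added example, not code from the thread or from Juniper. It parses constructed sample output modeled on that paste; the policy named 240-51-public, the rule number 214 and the rule-set name are assumptions, and 240-51-public is a hypothetical policy written against the public address so the script has the mistake under discussion to report.

```python
"""Cross-check SRX static NAT rules against security policies.

Added example for the thread above: SRX looks up the zone policy after destination
NAT, so an inbound policy must name the translated (private) host, not the public
address the static NAT rule matches. The CLI text below is constructed to mirror
the posted output; it is not a capture from the poster's device.
"""
import ipaddress
import re
from collections import namedtuple
from typing import List, Tuple

StaticNatRule = namedtuple("StaticNatRule", "rule_set from_zone destination host hits")
Policy = namedtuple("Policy", "name from_zone to_zone action destinations")  # destinations: CIDRs

def parse_static_nat(text: str) -> List[StaticNatRule]:
    """One tuple per rule in 'show security nat static rule all' output."""
    rules = []
    for block in re.split(r"(?=Static NAT rule:)", text)[1:]:
        def grab(label: str, default: str = "") -> str:
            m = re.search(label + r"\s*:\s*(\S+)", block)
            return m.group(1) if m else default
        rules.append(StaticNatRule(grab("Rule-set"), grab("From zone"),
                                   grab("Destination addresses"), grab("Host addresses"),
                                   int(grab("Translation hits", "0"))))
    return rules

def parse_policies(text: str) -> Tuple[str, List[Policy]]:
    """(default action, policies) from 'show security policies detail' output."""
    m = re.search(r"Default policy:\s*(\S+)", text)
    policies = []
    for block in re.split(r"(?m)^(?=Policy: )", text)[1:]:
        head = re.match(r"Policy: ([^,\s]+), action-type: ([^,\s]+)", block)
        zones = re.search(r"From zone: ([^,\s]+), To zone: ([^,\s]+)", block)
        dests, in_dest = [], False  # address lines run until the next labelled field
        for s in (ln.strip() for ln in block.splitlines()):
            if s.startswith("Destination addresses:"):
                in_dest = True
            elif s.startswith(("Source addresses:", "Application:")) or not s:
                in_dest = False
            if in_dest:
                dests += re.findall(r"\d+(?:\.\d+){3}/\d+", s)
        policies.append(Policy(head.group(1), zones.group(1), zones.group(2),
                               head.group(2), dests))
    return (m.group(1) if m else "unknown"), policies

def covers(addr: str, cidrs: List[str]) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)

def audit(nat_text: str, policy_text: str) -> List[str]:
    """Return one finding per misconfiguration the thread was chasing."""
    default, policies = parse_policies(policy_text)
    findings = []
    for r in parse_static_nat(nat_text):
        tag = f"{r.destination} -> {r.host} (rule-set {r.rule_set})"
        inbound = [p for p in policies if p.from_zone == r.from_zone]
        for p in inbound:
            # ScreenOS habit: policy written against the pre-NAT public address.
            if covers(r.destination, p.destinations) and not covers(r.host, p.destinations):
                findings.append(f"{tag}: policy {p.name} matches pre-NAT {r.destination}; "
                                "SRX evaluates policy after destination NAT, so it never hits")
        if not any(p.action == "permit" and covers(r.host, p.destinations) for p in inbound):
            findings.append(f"{tag}: no permit policy from zone {r.from_zone} to {r.host}; "
                            f"default policy is {default}")
        if r.hits == 0:
            findings.append(f"{tag}: 0 translation hits; packets for {r.destination} never "
                            "reach the rule (check the rule-set from-zone and that the SRX "
                            "answers for the public address)")
    return findings

# Constructed sample output mirroring the thread. 240-51-public is a hypothetical
# policy written against the public address, the mistake the thread discusses.
SAMPLE_NAT = """\
Total static-nat rules: 1
Static NAT rule: 214                 Rule-set: static
  From zone                : untrust
  Destination addresses    : 111.111.111.214
  Host addresses           : 192.168.1.214
  Translation hits         : 0
"""
SAMPLE_POLICIES = """\
Default policy: deny-all
Policy: trust-to-untrust, action-type: permit, State: enabled, Index: 4
  From zone: trust, To zone: untrust
  Destination addresses: any: 0.0.0.0/0
Policy: 240-214, action-type: permit, State: enabled, Index: 5
  From zone: untrust, To zone: trust
  Destination addresses: 192_168_1_214: 192.168.1.214/32
  Application: rdp
Policy: 240-51-public, action-type: permit, State: enabled, Index: 6
  From zone: untrust, To zone: trust
  Destination addresses: 111_111_111_214: 111.111.111.214/32
  Application: junos-http
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_NAT, SAMPLE_POLICIES):
        print("-", finding)
```

Run as-is it reports two findings for the sample: the hypothetical 240-51-public policy can never match because it names the pre-NAT address, and rule 214 has never translated anything. In practice feed it the saved output of "show security nat static rule all" and "show security policies detail"; the regexes key on the field labels in Brendan's paste, and other Junos releases may lay the output out differently, so treat them as a starting point. One cause of 0 translation hits that the thread does not get to, noted here as a general SRX point rather than something the posters verified: if 111.111.111.214 is not an address configured on the untrust interface, the SRX also needs a proxy-arp entry for it (set security nat proxy-arp interface <ifl> address 111.111.111.214/32, with <ifl> your untrust logical interface) before it will answer for the address and accept the packets at all.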
Re: [j-nsp] SRX Config Question
I noticed you didn't include all of the NAT config. Make sure you have the from-zone configured for the static NAT rule-set... ex.

    set security nat static rule-set natting from zone untrust
    set security nat static rule-set natting rule 214 match destination-address 111.111.111.214/32
    set security nat static rule-set natting rule 214 then static-nat prefix 192.168.1.214/32

I've also noticed strange things when using . inside of an address-book address. I use _ instead.

-Ben

On Mon, Jun 21, 2010 at 2:57 PM, ben b benboyd.li...@gmail.com wrote:
> The system does default deny if you haven't specified a default policy action.
>
>     set security policies default-policy permit-all
>
> As far as the policy is concerned, the policy is applied AFTER destination NAT is performed and BEFORE source NAT is performed.
>
> What is the output of 'show security policies' or 'show security policies from-zone untrust to-zone trust'?
Re: [j-nsp] SRX Config Question
I have to double check, but I might have missed "set security nat static rule-set natting from zone untrust"... I will double check and update the list.

- Original Message -
From: ben b benboyd.li...@gmail.com
To: Brendan Mannella bmanne...@teraswitch.com
Cc: Scott T. Cameron routeh...@gmail.com, juniper-nsp juniper-nsp@puck.nether.net
Sent: Monday, June 21, 2010 4:10:43 PM
Subject: Re: [j-nsp] SRX Config Question

> I noticed you didn't include all of the NAT config. Make sure you have the from-zone configured for the static NAT rule-set... ex.
>
>     set security nat static rule-set natting from zone untrust
>     set security nat static rule-set natting rule 214 match destination-address 111.111.111.214/32
>     set security nat static rule-set natting rule 214 then static-nat prefix 192.168.1.214/32
>
> I've also noticed strange things when using . inside of an address-book address. I use _ instead.
Re: [j-nsp] SRX Config Question
the rule-set won't be natting, it'll be whatever rule-set rule 214 exists in

-Ben
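The thread converges on three things: the static NAT rule-set needs its from-zone, the untrust-to-trust policy is evaluated after destination NAT (so it must match the private 192.168.1.214, not the public 111.111.111.214), and dots in address-book names are best avoided. The following set-format configuration is an added example that pulls those points together; it is not configuration posted by anyone in the thread. The addresses, rule-set name and policy name are the thread's; the interface ge-0/0/0.0, the address-book names, the trimmed application list and the proxy-ARP line are my assumptions, the last one being a caveat for the common case where the public address is in the untrust interface's subnet but is not the interface's own address.

```junos
## Assumed: ge-0/0/0.0 is the untrust interface; address-book names are made up.

## Address-book entries. Underscores instead of dots in the names, per the thread's tip.
## The policy below matches the PRIVATE (post-NAT) address, so that is the entry it needs.
set security zones security-zone trust address-book address srv_192_168_1_214 192.168.1.214/32
set security zones security-zone untrust address-book address pub_111_111_111_214 111.111.111.214/32

## Static NAT. Without "from zone untrust" the rule-set never binds to ingress traffic
## and nothing is translated. Static NAT is bidirectional: replies and outbound
## sessions from 192.168.1.214 are source-translated to 111.111.111.214 automatically.
set security nat static rule-set natting from zone untrust
set security nat static rule-set natting rule 214 match destination-address 111.111.111.214/32
set security nat static rule-set natting rule 214 then static-nat prefix 192.168.1.214/32

## Assumed topology caveat: if 111.111.111.214 is not configured on ge-0/0/0.0 itself
## but lives in that interface's subnet, the SRX must answer ARP for it or the
## upstream router never hands it the packets in the first place.
set security nat proxy-arp interface ge-0/0/0.0 address 111.111.111.214/32

## Policy lookup happens after destination NAT and before source NAT, so the
## destination match is the private address. Keep the application list to what
## the host actually serves rather than opening everything at once.
set security policies from-zone untrust to-zone trust policy 240-51 match source-address any
set security policies from-zone untrust to-zone trust policy 240-51 match destination-address srv_192_168_1_214
set security policies from-zone untrust to-zone trust policy 240-51 match application [ junos-http junos-https ]
set security policies from-zone untrust to-zone trust policy 240-51 then permit
set security policies from-zone untrust to-zone trust policy 240-51 then log session-init session-close

## The SRX already denies anything no policy permits; making it explicit stops
## someone "fixing" a NAT problem with default-policy permit-all.
set security policies default-policy deny-all

commit check
commit comment "static NAT + untrust->trust policy for 192.168.1.214"

## Verify from configuration mode after the commit:
run show security nat static rule all
run show security policies from-zone untrust to-zone trust policy-name 240-51 detail
run show security flow session destination-prefix 192.168.1.214
```

The `##` lines are for the reader; drop them before pasting with `load set terminal`. In the flow-session output the "In" wing should show the public address as destination and the "Out" wing the private one; if no session appears at all while the client is retrying, the problem is upstream of the policy (ARP for the public address or the missing from-zone on the rule-set), and if the session appears but is being dropped, it is the policy match.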