Re: [j-nsp] SRX Config Question

2010-06-22 Thread Brendan Mannella


I double checked, I do have from zone untrust.

I will try updating the address book and remove the periods.



Brendan Mannella 
President and CEO 
TeraSwitch Networks Inc. 
Office: 412.224.4333 x303 
Toll-Free: 866.583.6338 
Mobile: 412-592-7848 
Efax: 412.202.7094 



- Original Message -
From: ben b benboyd.li...@gmail.com
To: Brendan Mannella bmanne...@teraswitch.com
Cc: Scott T. Cameron routeh...@gmail.com, juniper-nsp juniper-nsp@puck.nether.net
Sent: Monday, June 21, 2010 4:19:32 PM
Subject: Re: [j-nsp] SRX Config Question

The rule-set won't be natting, it'll be whatever rule-set rule 214 exists in.



-Ben 



Re: [j-nsp] SRX Config Question

2010-06-22 Thread ben b
If the results of the 'show security policies detail' operational command
show the policies in the right order and allowing the right ports, and 'show
security nat static rule 214' looks like it's natting correctly, and
removing the periods doesn't fix it, the only thing I can think of is that
192.168.1.214 isn't reachable from the SRX and the SRX is dropping the
traffic.

I typically start with an any any any permit to verify ping/trace through
the SRX, then replace that with a narrowed down policy.



___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] SRX Config Question

2010-06-22 Thread Brendan Mannella
Ok, I updated the address book from . to _

Below is the output of the commands. I haven't had a chance to retest with the
updated address book to see if that does it; I will let you know. The NAT and
policies look OK.


r...@srx210 show security nat static rule all
Total static-nat rules: 58

Static NAT rule: 51   Rule-set: static
  Rule-Id: 1
  Rule position  : 1
  From zone  : untrust
  Destination addresses  : 111.111.111.214 (external public ip)
  Host addresses : 192.168.1.214
  Netmask: 255.255.255.255
  Host routing-instance  : N/A
  Translation hits   : 0


r...@srx210 show security policies detail
Default policy: deny-all
Policy: trust-to-untrust, action-type: permit, State: enabled, Index: 4
  Sequence number: 1
  From zone: trust, To zone: untrust
  Source addresses:
    any: 0.0.0.0/0
  Destination addresses:
    any: 0.0.0.0/0
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
  Source port range: [0-0]
  Destination port range: [0-0]

Policy: 240-214, action-type: permit, State: enabled, Index: 5
  Sequence number: 1
  From zone: untrust, To zone: trust
  Source addresses:
    any: 0.0.0.0/0
  Destination addresses:
    192_168_1_214: 192.168.1.214/32
  Application: rdp
    IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
  Source port range: [0-0]
  Destination port range: [3389-3389]
  Application: junos-dns-udp
    IP protocol: udp, ALG: dns, Inactivity timeout: 60
  Source port range: [0-0]
  Destination port range: [53-53]
  Application: junos-ftp
    IP protocol: tcp, ALG: ftp, Inactivity timeout: 1800
  Source port range: [0-0]
  Destination port range: [21-21]
  Application: junos-http
    IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
  Source port range: [0-0]
  Destination port range: [80-80]
  Application: junos-https
    IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
  Source port range: [0-0]
  Destination port range: [443-443]
  Application: junos-ms-sql
    IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
  Source port range: [0-0]
  Destination port range: [1433-1433]
  Session log: at-create, at-close







Re: [j-nsp] SRX Config Question

2010-06-22 Thread ben b
The policy looks good, but your nat isn't translating.  You have 0
translation hits.  Your destination address is never changed to
192.169.1.214 which is why your policy is never invoked.  Is 192.168.1.214
reachable from the SRX?  I would say check previous nat rules, but the
position of this one is 1.

-Ben




Re: [j-nsp] SRX Config Question

2010-06-21 Thread Stefan Fouant
-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Brendan Mannella
Sent: Monday, June 21, 2010 11:20 AM
To: juniper-nsp
Subject: [j-nsp] SRX Config Question

So the main issue is the firewall does not seem to allow any incoming traffic on
the ports I opened below on the policies. Anyone have any ideas what I am missing?

Hi Brendan,

How are things?  I could be wrong, but I believe the issue is with the
untrust-to-trust policy where you are matching on destination-address
192.168.1.214:

from-zone untrust to-zone trust {
    policy 240-51 {
        match {
            source-address any;
            destination-address 192.168.1.214;
            application [ rdp junos-dns-udp junos-ftp junos-http junos-https junos-ms-sql ];
        }

I believe in order for this to work you are going to need to make the
destination-address 111.111.111.214.  This will cause it to vector off into
the NAT policy which will translate from 111.111.111.214 to 192.168.1.214.
I think you might also need to use an address book entry whereby you put the
pre-natted address (111.111.111.214) into your trust zone as well.

Feel free to contact me offline if you'd like additional assistance.

HTHs.

Stefan Fouant, CISSP, JNCIEx2
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D



Re: [j-nsp] SRX Config Question

2010-06-21 Thread Brendan Mannella
Yes, that makes sense. And the policy pre-SRX was like this. But I am almost
positive I read somewhere the SRX was different in that the policy is looked at
post-NAT and so the private IP should be used.

I will give that a shot though.

Brendan Mannella
TeraSwitch Networks Inc.
Office: 412.224.4333 x303
Mobile: 412.592.7848
Efax: 412.202.7094



Re: [j-nsp] SRX Config Question

2010-06-21 Thread Scott T. Cameron
Your rules actually seem fine at a glance.  Are those the only rules in your
system?  No deny that might otherwise be blocking the traffic?  I also
migrated from ScreenOS and ditched all the old catch-all denies that I had
at the bottom of zone policies because they don't work the same way in JunOS
land.

You're right, you run the policies against the post-translated address, not
the pre-translated.  The NAT is separate entirely from policies.

scott



Re: [j-nsp] SRX Config Question

2010-06-21 Thread Brendan Mannella
Nope, I actually don't see any deny statements at all. Does the system just
deny everything that's not defined as allowed? Any other thing I should look at?

Brendan Mannella
President and CEO
TeraSwitch Networks Inc.
Office: 412.224.4333 x303
Toll-Free: 866.583.6338
Mobile: 412-592-7848
Efax: 412.202.7094





Re: [j-nsp] SRX Config Question

2010-06-21 Thread ben b
The system does default deny if you haven't specified a default policy
action.
set security policies default-policy permit-all 


As far as the policy is concerned, the policy is applied AFTER destination
nat is performed and BEFORE source nat is performed.

What is the output of 'show security policies' or 'show security policies
from-zone untrust to-zone trust'?

-Ben

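Ben's two points, that the policy is evaluated after destination NAT (so it must match the private address) and, in his June 22 reply, that zero translation hits mean the NAT never fired, can be checked mechanically from the two 'show' outputs Brendan pasted. The script below is an added example, not code from the thread or from Juniper: 'parse_static_nat', 'parse_policies' and 'audit' are names chosen here, and the sample outputs are constructed to mirror the ones in the thread.

```python
"""Cross-check SRX static NAT rules against the zone policies that must admit the
translated traffic.  Added example, not code from the thread or from Juniper."""
import ipaddress
import re
from dataclasses import dataclass, field

# Labels in 'show security nat static rule all' that we keep (label -> key).
NAT_FIELDS = {"From zone": "from_zone", "Destination addresses": "destination",
              "Host addresses": "host", "Translation hits": "hits"}

@dataclass
class Policy:
    name: str
    action: str
    from_zone: str = ""
    destinations: list = field(default_factory=list)  # CIDR strings

    def matches(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(c, strict=False) for c in self.destinations)

def parse_static_nat(text):
    """One dict per rule: name, from_zone, destination (pre-NAT), host (post-NAT), hits."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"\s*Static NAT rule:\s*(\S+)", line)
        if m:
            rules.append({"name": m.group(1), "from_zone": "", "destination": "",
                          "host": "", "hits": 0})
        elif rules and ":" in line:
            label, _, val = line.partition(":")
            key = NAT_FIELDS.get(label.strip())
            if key:  # first token only, so '111.111.111.214 (external public ip)' still parses
                rules[-1][key] = int(val.split()[0]) if key == "hits" else val.split()[0]
    return rules

def parse_policies(text):
    """Parse 'show security policies detail'; returns (default_policy, [Policy])."""
    default, policies, in_dst = None, [], False
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"Policy:\s*([^,]+),\s*action-type:\s*(\w+)", s)
        if s.startswith("Default policy:"):
            default = s.split(":", 1)[1].strip()
        elif m:
            policies.append(Policy(m.group(1), m.group(2)))
            in_dst = False
        elif policies:
            cur, zone = policies[-1], re.match(r"From zone:\s*([^,]+),", s)
            if zone:
                cur.from_zone = zone.group(1).strip()
            elif s.endswith("addresses:"):  # 'Source addresses:' / 'Destination addresses:'
                in_dst = s.startswith("Destination")
            elif in_dst and re.match(r"\S+:\s*\d", s):  # e.g. '192_168_1_214: 192.168.1.214/32'
                cur.destinations.append(s.split(":", 1)[1].strip())
            else:
                in_dst = False  # 'Application:' and the port lines end the address list
    return default, policies

def audit(nat_text, policy_text):
    """Return (rule, severity, message) findings for every static NAT rule."""
    default, policies = parse_policies(policy_text)
    findings = []
    for r in parse_static_nat(nat_text):
        inbound = [p for p in policies if p.from_zone == r["from_zone"] and p.action == "permit"]
        post = [p for p in inbound if p.matches(r["host"])]
        pre = [p for p in inbound if p.matches(r["destination"])]
        if not post and pre:  # policy written for the public address: never consulted
            findings.append((r["name"], "error", f"policy {pre[0].name} matches pre-NAT "
                             f"{r['destination']}; policies run after destination NAT, so match {r['host']}"))
        elif not post:
            findings.append((r["name"], "error", f"no {r['from_zone']} permit policy "
                             f"covers {r['host']} (default policy: {default})"))
        if r["hits"] == 0:  # the NAT never fired, so no policy lookup for the private IP
            findings.append((r["name"], "warn", f"0 translation hits: check that {r['host']} "
                             "is reachable from the SRX and that no earlier rule shadows this one"))
    return findings

# Constructed samples modelled on the output pasted in the thread.
NAT_OUTPUT = """\
Static NAT rule: 51   Rule-set: static
  From zone  : untrust
  Destination addresses  : 111.111.111.214 (external public ip)
  Host addresses : 192.168.1.214
  Translation hits   : 0
"""
POLICY_OUTPUT = """\
Default policy: deny-all
Policy: 240-214, action-type: permit, State: enabled, Index: 5
  From zone: untrust, To zone: trust
  Source addresses:
    any: 0.0.0.0/0
  Destination addresses:
    192_168_1_214: 192.168.1.214/32
  Application: rdp
"""
# The same policy written against the public address instead (never matches).
PRE_NAT_POLICY_OUTPUT = POLICY_OUTPUT.replace(
    "192_168_1_214: 192.168.1.214/32", "pub_214: 111.111.111.214/32")
```

Run 'audit(NAT_OUTPUT, POLICY_OUTPUT)' to see only the zero-hits warning the thread ends on; the PRE_NAT variant additionally reports the policy that can never match.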


Re: [j-nsp] SRX Config Question

2010-06-21 Thread ben b
I noticed you didn't include all of the NAT config. Make sure you have the
from-zone configured for the static NAT rule-set...

ex.
set security nat static rule-set natting from zone untrust
set security nat static rule-set natting rule 214 match destination-address 111.111.111.214/32
set security nat static rule-set natting rule 214 then static-nat prefix 192.168.1.214/32

I've also noticed strange things when using . inside of an address-book
address.  I use _ instead.

-Ben




Re: [j-nsp] SRX Config Question

2010-06-21 Thread Brendan Mannella


I have to double check, but I might have missed 'set security nat static
rule-set natting from zone untrust'... I will double check and update the list.





- Original Message - 
From: ben b benboyd.li...@gmail.com 
To: Brendan Mannella bmanne...@teraswitch.com 
Cc: Scott T. Cameron routeh...@gmail.com, juniper-nsp 
juniper-nsp@puck.nether.net 
Sent: Monday, June 21, 2010 4:10:43 PM 
Subject: Re: [j-nsp] SRX Config Question 

I noticed you didn't include all of the nat config.make sure you have  the 
from-zone configured for the static nat rule-set... 





- Original Message - 
From: ben b benboyd.li...@gmail.com 
To: Brendan Mannella bmanne...@teraswitch.com 
Cc: Scott T. Cameron routeh...@gmail.com, juniper-nsp 
juniper-nsp@puck.nether.net 
Sent: Monday, June 21, 2010 4:10:43 PM 
Subject: Re: [j-nsp] SRX Config Question 

I noticed you didn't include all of the nat config.make sure you have  the 
from-zone configured for the static nat rule-set... 


ex.  
set security nat static rule-set natting from zone untrust 
set security nat static rule-set natting rule 214 match destination-address 
111.111.111.214/32  
set security nat static rule-set natting rule 214 then static-nat prefix 
192.168.1.214/32  


I've also noticed strange things when using . inside of an address-book 
address.  I use _ instead. 


-Ben 




On Mon, Jun 21, 2010 at 2:57 PM, ben b  benboyd.li...@gmail.com  wrote: 



The system does default deny if you haven't specified a default policy 
action. 
set security policies default-policy permit-all  




As far as the policy is concerned, the policy is applied AFTER destination nat 
is performed and BEFORE source nat is performed. 


What is the output of 'show security policies' or 'show security policies 
from-zone untrust to-zone trust'? 


-Ben 




On Mon, Jun 21, 2010 at 1:18 PM, Brendan Mannella  bmanne...@teraswitch.com  
wrote: 


Nope, i actually dont see any deny statements at all. Does the system, just 
deny everything thats not defined as allowed? Any other thing i should look at? 

Brendan Mannella 
President and CEO 

TeraSwitch Networks Inc. 
Office: 412.224.4333 x303 
Toll-Free: 866.583.6338 

Mobile: 412-592-7848 
Efax: 412.202.7094 






- Original Message - 
From: Scott T. Cameron  routeh...@gmail.com  
To: juniper-nsp  juniper-nsp@puck.nether.net  
Sent: Monday, June 21, 2010 1:35:06 PM 
Subject: Re: [j-nsp] SRX Config Question 

Your rules actually seem fine at a glance.  Are those the only rules in your 
system?  No deny that might otherwise be blocking the traffic?  I also 
migrated from ScreenOS and ditched all the old catch-all denies that I had 
at the bottom of zone policies because they don't work the same way in JunOS 
land. 

You're right, you run the policies against the post-translated address, not 
the pre-translated.  The NAT is separate entirely from policies. 

scott 

On Mon, Jun 21, 2010 at 12:54 PM, Brendan Mannella  bmanne...@teraswitch.com 
 wrote: 

 Yes that makes sense. And the policy pre-SRX was like this. But I am almost 
 positive I read somewhere the SRX was different in that the policy is looked 
 at post-NAT and so the private IP should be used. 
 
 I will give that a shot though. 
 
 Brendan Mannella 
 TeraSwitch Networks Inc. 
 Office: 412.224.4333 x303 
 Mobile: 412.592.7848 
 Efax: 412.202.7094 
 
 
 On Jun 21, 2010, at 12:50 PM, Stefan Fouant  
 sfou...@shortestpathfirst.net  wrote: 
 
  -Original Message- 
 From: juniper-nsp-boun...@puck.nether.net [mailto: juniper-nsp- 
 boun...@puck.nether.net ] On Behalf Of Brendan Mannella 
 Sent: Monday, June 21, 2010 11:20 AM 
 To: juniper-nsp 
 Subject: [j-nsp] SRX Config Question 
 
 So main issue is the firewall does not seem to allow any incoming traffic on 
 the ports I opened below on the policies. Anyone have any ideas what I am 
 missing? 
 
 
 Hi Brendan, 
 
 How are things?  I could be wrong, but I believe the issue is with the 
 untrust-to-trust policy where you are matching on destination-address 
 192.168.1.214 : 
 
 from-zone untrust to-zone trust { 
     policy 240-51 { 
         match { 
             source-address any; 
             destination-address 192.168.1.214; 
             application [ rdp junos-dns-udp junos-ftp junos-http junos-https junos-ms-sql ]; 
         } 
 
 I believe in order for this to work you are going to need to make the 
 destination-address 111.111.111.214.  This will cause it to vector off into 
 the NAT policy which will translate from 111.111.111.214 to 192.168.1.214. 
 I think you might also need to use an address book entry whereby you put the 
 pre-natted address (111.111.111.214) into your trust zone as well. 
 
 Feel free to contact me offline if you'd like additional assistance. 
 
 HTHs. 
 
 Stefan Fouant, CISSP, JNCIEx2 
 www.shortestpathfirst.net 
 GPG Key ID: 0xB5E3803D 
 
  ___ 
 juniper-nsp mailing list juniper-nsp@puck.nether.net 
 https://puck.nether.net/mailman/listinfo/juniper
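ben's point about the from-zone on the static NAT rule-set, and his and Scott's point that the security policy is evaluated after destination NAT, can be shown in a small model. The following Python is an added example, not code from the thread, from Juniper or from Junos itself: the class and function names are its own assumptions, and only the zone names, the prefixes and the policy name 240-51 are taken from the thread. It runs the same constructed inbound packet through three configurations: the corrected one, a policy written against the public address, and a rule-set whose from-zone statement is missing.

```python
"""Simplified model of the SRX inbound flow order discussed in the thread.

Constructed example, not from the thread, from Juniper or from Junos itself.
Zone names, prefixes and the policy name come from the thread; the class and
function names are this example's own assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class StaticNatRule:
    name: str
    match_dst: str     # e.g. "111.111.111.214/32"
    then_prefix: str   # e.g. "192.168.1.214/32", same prefix length

@dataclass
class StaticNatRuleSet:
    name: str
    from_zone: Optional[str]   # None models a missing "from zone" statement
    rules: List[StaticNatRule] = field(default_factory=list)

@dataclass
class Policy:
    name: str
    from_zone: str
    to_zone: str
    dst: str           # prefix the policy's destination-address resolves to
    action: str = "permit"

@dataclass
class Packet:
    src: str
    dst: str
    in_zone: str       # zone of the ingress interface

def apply_static_nat(pkt, rule_sets):
    """Destination after static NAT, unchanged when no rule applies.

    A rule-set is consulted only when its from-zone context is the zone the
    packet arrived on, so a rule-set without a from-zone never applies.
    Static NAT maps the matched prefix onto the then-prefix one-to-one.
    """
    for rs in rule_sets:
        if rs.from_zone != pkt.in_zone:
            continue
        for rule in rs.rules:
            match_net = ip_network(rule.match_dst)
            if ip_address(pkt.dst) in match_net:
                offset = int(ip_address(pkt.dst)) - int(match_net.network_address)
                return str(ip_network(rule.then_prefix).network_address + offset)
    return pkt.dst

def lookup_policy(pkt, to_zone, translated_dst, policies):
    """First policy in the zone pair whose destination contains the
    *translated* address wins; otherwise the default policy (deny-all
    unless 'default-policy permit-all' is configured) decides."""
    for p in policies:
        if (p.from_zone, p.to_zone) == (pkt.in_zone, to_zone) \
                and ip_address(translated_dst) in ip_network(p.dst):
            return p.name, p.action
    return "default-policy", "deny"

def first_packet(pkt, to_zone, rule_sets, policies):
    """Destination NAT first, then the policy lookup (source NAT would follow).
    The real box derives to_zone from a route lookup on the translated
    address; here it is a parameter to keep the model small."""
    translated = apply_static_nat(pkt, rule_sets)
    return (translated,) + lookup_policy(pkt, to_zone, translated, policies)

# Constructed inbound packet: an internet client hitting the public address.
INBOUND = Packet(src="203.0.113.9", dst="111.111.111.214", in_zone="untrust")
RULE_214 = StaticNatRule("214", "111.111.111.214/32", "192.168.1.214/32")
PRIVATE_POLICY = Policy("240-51", "untrust", "trust", "192.168.1.214/32")

def scenario_correct():
    """Rule-set has its from-zone; policy matches the private address."""
    return first_packet(INBOUND, "trust",
                        [StaticNatRuleSet("natting", "untrust", [RULE_214])],
                        [PRIVATE_POLICY])

def scenario_policy_on_public_address():
    """Policy written against the pre-NAT public address never matches."""
    return first_packet(INBOUND, "trust",
                        [StaticNatRuleSet("natting", "untrust", [RULE_214])],
                        [Policy("240-51", "untrust", "trust", "111.111.111.214/32")])

def scenario_missing_from_zone():
    """No 'from zone untrust' on the rule-set: no translation and no match."""
    return first_packet(INBOUND, "trust",
                        [StaticNatRuleSet("natting", None, [RULE_214])],
                        [PRIVATE_POLICY])
```

Each scenario function returns the translated destination together with the policy that matched and its action. Only the first configuration permits the packet; the other two fall through to the default policy, which in this model (and on the SRX, as ben notes) is deny-all unless 'set security policies default-policy permit-all' has been configured.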

Re: [j-nsp] SRX Config Question

2010-06-21 Thread ben b
the rule-set won't be natting, it'll be whatever rule-set rule 214
exists in

-Ben

On Mon, Jun 21, 2010 at 3:13 PM, Brendan Mannella
bmanne...@teraswitch.comwrote:

 I have to double check but I might have missed



 set security nat static rule-set natting from zone untrust... I will double
 check and update the list.





 - Original Message -
 From: ben b benboyd.li...@gmail.com
 To: Brendan Mannella bmanne...@teraswitch.com
 Cc: Scott T. Cameron routeh...@gmail.com, juniper-nsp 
 juniper-nsp@puck.nether.net
 Sent: Monday, June 21, 2010 4:10:43 PM
 Subject: Re: [j-nsp] SRX Config Question

 I noticed you didn't include all of the NAT config. Make sure you have
 the from-zone configured for the static NAT rule-set...

 ex.
 set security nat static rule-set natting from zone untrust
 set security nat static rule-set natting rule 214 match destination-address 111.111.111.214/32
 set security nat static rule-set natting rule 214 then static-nat prefix 192.168.1.214/32

 I've also noticed strange things when using '.' inside of an address-book
 address.  I use '_' instead.

 -Ben


 On Mon, Jun 21, 2010 at 2:57 PM, ben b benboyd.li...@gmail.com wrote:

 The system does default deny if you haven't specified a default policy
 action.
 set security policies default-policy permit-all 


 As far as the policy is concerned, the policy is applied AFTER destination
 nat is performed and BEFORE source nat is performed.

 What is the output of 'show security policies' or 'show security policies
 from-zone untrust to-zone trust'?

 -Ben

 On Mon, Jun 21, 2010 at 1:18 PM, Brendan Mannella 
 bmanne...@teraswitch.com wrote:

 Nope, I actually don't see any deny statements at all. Does the system
 just deny everything that's not defined as allowed? Any other thing I should
 look at?

 Brendan Mannella
 President and CEO
 TeraSwitch Networks Inc.
 Office: 412.224.4333 x303
 Toll-Free: 866.583.6338
 Mobile: 412-592-7848
 Efax: 412.202.7094



  - Original Message -
 From: Scott T. Cameron routeh...@gmail.com
 To: juniper-nsp juniper-nsp@puck.nether.net
 Sent: Monday, June 21, 2010 1:35:06 PM
 Subject: Re: [j-nsp] SRX Config Question

 Your rules actually seem fine at a glance.  Are those the only rules in
 your system?  No deny that might otherwise be blocking the traffic?  I also
 migrated from ScreenOS and ditched all the old catch-all denies that I had
 at the bottom of zone policies because they don't work the same way in
 JunOS land.

 You're right, you run the policies against the post-translated address,
 not the pre-translated.  The NAT is separate entirely from policies.

 scott

 On Mon, Jun 21, 2010 at 12:54 PM, Brendan Mannella 
 bmanne...@teraswitch.com
  wrote:

  Yes that makes sense. And the policy pre-SRX was like this. But I am
  almost positive I read somewhere the SRX was different in that the policy is
  looked at post-NAT and so the private IP should be used.
 
  I will give that a shot though.
 
  Brendan Mannella
  TeraSwitch Networks Inc.
  Office: 412.224.4333 x303
  Mobile: 412.592.7848
  Efax: 412.202.7094
 
 
  On Jun 21, 2010, at 12:50 PM, Stefan Fouant 
  sfou...@shortestpathfirst.net wrote:
 
   -Original Message-
  From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-
  boun...@puck.nether.net] On Behalf Of Brendan Mannella
  Sent: Monday, June 21, 2010 11:20 AM
  To: juniper-nsp
  Subject: [j-nsp] SRX Config Question
 
  So main issue is the firewall does not seem to allow any incoming traffic on
  the ports I opened below on the policies. Anyone have any ideas what I am
  missing?
 
 
  Hi Brendan,
 
  How are things?  I could be wrong, but I believe the issue is with the
  untrust-to-trust policy where you are matching on destination-address
  192.168.1.214:
 
  from-zone untrust to-zone trust {
      policy 240-51 {
          match {
              source-address any;
              destination-address 192.168.1.214;
              application [ rdp junos-dns-udp junos-ftp junos-http junos-https junos-ms-sql ];
          }
 
  I believe in order for this to work you are going to need to make the
  destination-address 111.111.111.214.  This will cause it to vector off into
  the NAT policy which will translate from 111.111.111.214 to 192.168.1.214.
  I think you might also need to use an address book entry whereby you put the
  pre-natted address (111.111.111.214) into your trust zone as well.
 
  Feel free to contact me offline if you'd like additional assistance.
 
  HTHs.
 
  Stefan Fouant, CISSP, JNCIEx2
  www.shortestpathfirst.net
  GPG Key ID: 0xB5E3803D
 
   ___
  juniper-nsp mailing list juniper-nsp@puck.nether.net
  https://puck.nether.net/mailman/listinfo/juniper-nsp
 