Channel: All SRX Services Gateway posts

Help with NAT configuration.


I have an SRX240 and am trying to learn Junos as best I can; however, I have reached the limits of my googling capabilities and simply cannot figure out NAT!

topology

modem -> ge-0/0/0(untrust) -> ge-0/0/2(trust)

I have a basic internal-to-external NAT configured that works fine:

set security nat source rule-set internal-to-internet description "NAT anything from trust zone to untrust (LAN to Internet)"
set security nat source rule-set internal-to-internet from zone trust
set security nat source rule-set internal-to-internet to zone untrust
set security nat source rule-set internal-to-internet rule internet-access match source-address 0.0.0.0/0
set security nat source rule-set internal-to-internet rule internet-access match destination-address 0.0.0.0/0
set security nat source rule-set internal-to-internet rule internet-access then source-nat interface

However, any time I attempt to create a destination NAT to forward a port, it breaks ping to my external interface.

set security nat destination pool siege address 10.x.x.x/32
set security nat destination pool siege address port 6015
set security nat destination rule-set internal-to-wan from zone untrust
set security nat destination rule-set internal-to-wan rule siege-wan match destination-address 73.x.x.x/32
set security nat destination rule-set internal-to-wan rule siege-wan then destination-nat pool siege

Any help would be appreciated. I have confirmed that my security policies are not causing this break, as ping works correctly as long as the destination NAT is not in place. I have attached my scrubbed configuration, blanking out important details such as login information / password hashes / IP address information. Thanks for any help offered :)


Re: Help with NAT configuration.


Your issue is that you haven't defined a destination port on your destination NAT rule. That way, all traffic to the IP is being NATed.

Try adding this command and let us know the result :-)

set security nat destination rule-set internal-to-wan rule siege-wan match destination-port 6015

Config Dynamic DNS on SRX300


Hi,

I want to configure the SRX300 as a DDNS client. Is there any way to configure it in the web GUI or CLI?

My SRX300 software is 15.1X49-D100.6.

Thanks.

Has anyone experienced implementing this command on an SRX5800?


Hi all,

May I know whether someone has experience implementing the hidden command below in production? As per ATAC, this command can prevent the RE from the impact of a broadcast storm, but it is not recommended.

set system arp arp-cpu-threshold <cpu idle %>

Thanks and appreciate any feedback

SRX GATEWAY Cluster with VLAN


Greetings Experts

The following is a question on the SRX240 with cluster; please guide me to the right path if this has already been answered...

Below is the topology:

a) There are 2 SRXs (SRX-A and SRX-B) which are connected northbound to EX switches (which are the gateway to the internet)

b) The SRXs are southbound directly connected to servers (so each server has 2 connections, 1 each to SRX-A and SRX-B)

c) Server1 and Server2 are in the same subnet, so the same VLAN.

The requirement is to have the SRX cluster Active/Standby.

Question

a) Since both servers are in the same VLAN/subnet, I need to create an L3 VLAN interface in the SRX...

b) Do I need to have a LAG interface created in the SRX (which has both interfaces connected to servers as members), and if YES, then is it a one-sided LAG, OR should I have a switch for this solution (southbound of the SRX)?

c) Another solution, as I understand it, is that I can have Ethernet switching configured (in the SRX with both interfaces as members) and then have a swfab interface... is this right?

If the above is right, then is there any other solution without LAG and swfab? And are there any caveats to these options?

Thanks in Advance

Re: Help with NAT configuration.


jonashauge wrote:

Your issue is that you haven't defined a destination port on your destination NAT rule. That way, all traffic to the IP is being NATed.

Try adding this command and let us know the result :-)

set security nat destination rule-set internal-to-wan rule siege-wan match destination-port 6015

I will try this here in a minute. I really hope it doesn't break ping though; could you explain to me why that would happen? I am very green when it comes to Junos and the SRX platform :) hence why I picked out an old one from work and am using it at the top of my home network.

Re: Help with NAT configuration.


That did it! Now I am on to an interesting security policy issue... I'll make another post for that, as it does not deal with NAT.


Security policy Untrust to zone Trust is denying traffic.


So! This is an interesting one: the untrust-to-trust policy is blocking traffic from untrust to untrust.

I am using a port scanning utility on the internet to test for open ports on my network; I am currently attempting to forward some ports in my home network.

Oct 1 13:09:21 srx-240 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 198.199.98.246/57893->73.x.x.x/6015 None 6(0) default-deny untrust trust UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny

So for testing purposes I figured, OK, let me try to allow that port through:

set security policies from-zone untrust to-zone trust policy siege match source-address WAN
set security policies from-zone untrust to-zone trust policy siege match destination-address any
set security policies from-zone untrust to-zone trust policy siege match application siege
set security policies from-zone untrust to-zone trust policy siege then permit

Here is the application configuration:

set applications application-set siege application siege_tcp
set applications application-set siege application siege_udp
set applications application siege_udp protocol udp
set applications application siege_udp destination-port 6015
set applications application siege_tcp protocol tcp
set applications application siege_tcp destination-port 6015

And here is the address-book definition for WAN:

set security zones security-zone untrust address-book address WAN 73.x.x.x/32

Am I missing something here, or should this untrust-to-trust policy not be blocking untrust-to-untrust traffic?
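The RT_FLOW_SESSION_DENY line quoted in this post carries every field needed to see what was denied and why, and it is easier to count such lines than to read them by eye. The following is an added example in Python, not Juniper code and not part of the thread; it assumes the standard field order of the structured syslog line shown above (source/port->destination/port, service, protocol(icmp-type), policy, from-zone, to-zone, application, nested application, user(roles), incoming interface, encrypted flag, reason). The first sample line is the one from the post, with its scrubbed 73.x.x.x address left as-is; the other two lines are constructed.

```python
"""Parse SRX RT_FLOW_SESSION_DENY syslog lines and count denies per source and
destination port, so that one external source probing several ports stands out.
Added example, not Juniper code; the field order is assumed from the structured
syslog format and the second and third sample lines are constructed."""
import re
from collections import Counter
from typing import Optional

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Addresses are matched as "anything but / or whitespace" so that scrubbed
# values such as 73.x.x.x still parse.
DENY_RE = re.compile(
    r"RT_FLOW_SESSION_DENY: session denied "
    r"(?P<src>[^/\s]+)/(?P<sport>\d+)->(?P<dst>[^/\s]+)/(?P<dport>\d+) "
    r"(?P<service>\S+) (?P<proto>\d+)\((?P<icmp_type>\d+)\) (?P<policy>\S+) "
    r"(?P<from_zone>\S+) (?P<to_zone>\S+) (?P<app>\S+) (?P<nested_app>\S+) "
    r"(?P<user>[^ (]+)\((?P<roles>[^)]*)\) (?P<iif>\S+) (?P<encrypted>\S+) "
    r"(?P<reason>.+)$"
)


def parse_deny(line: str) -> Optional[dict]:
    """Return the deny event's fields as a dict, or None for any other line."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    ev["proto"] = PROTO_NAMES.get(int(ev["proto"]), ev["proto"])
    return ev


def summarize(lines) -> Counter:
    """Count default-deny hits per (source, protocol, destination port).

    A port scan shows up as a single source with many distinct ports; a
    misconfigured forward shows up as one port hit repeatedly."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_deny(line)
        if ev is not None and ev["policy"] == "default-deny":
            counts[(ev["src"], ev["proto"], ev["dport"])] += 1
    return counts


# Constructed sample log: line 1 is the one quoted in the post; lines 2 and 3
# are made up here (a second probe from the same source, and a non-deny line).
SAMPLE_LOG = [
    "Oct 1 13:09:21 srx-240 RT_FLOW: RT_FLOW_SESSION_DENY: session denied "
    "198.199.98.246/57893->73.x.x.x/6015 None 6(0) default-deny untrust trust "
    "UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny",
    "Oct 1 13:09:22 srx-240 RT_FLOW: RT_FLOW_SESSION_DENY: session denied "
    "198.199.98.246/57894->73.x.x.x/22 junos-ssh 6(0) default-deny untrust trust "
    "UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny",
    "Oct 1 13:09:25 srx-240 RT_FLOW: RT_FLOW_SESSION_CREATE: session created "
    "192.168.1.20/51000->192.0.2.50/443 junos-https ...",
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(key, n)
```

Note that the destination in the deny line is the pre-NAT address (the WAN address the scanner targeted) while the zones are the post-NAT zone pair, which is why a probe that never reached the LAN is still logged as untrust to trust.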

Re: Security policy Untrust to zone Trust is denying traffic.

Security policies are post-NAT, so your policy should be source any, destination <internal IP>.

Session creation and Security Policy on SRX


Hi everyone.

Is it correct that the SRX creates a "Session" for a new flow that passes the security policy?

I am confused about at what point the session is created in the session table; please see the example below:

PC( 199.199.199.10)---199.199.199.1-f0/1-SRX-f0/2-200.200.200.1-----PC 200.200.200.20

SET UP:

SRX has VLAN 199, vlan.199 in zone TRUST, 199.199.199.1/24, f0/1 access port

SRX has VLAN 200, vlan.200 in zone UNTRUST, 200.200.200.1/24, f0/2 access port

SRX has a static destination NAT which translates all traffic received from zone TRUST and destined to 100.100.100.10, so the destination is NATed to 200.200.200.20

We know the security policy is evaluated after the static destination NAT. Therefore we write a policy on the post-NAT IP.

Config is under additional info at the bottom of this post.

PC (199.199.199.10) issues a ping to 100.100.100.10

I see the session table on the SRX:

root> show security flow session


Session ID: 29032, Policy name: A/5, Timeout: 2, Valid
In: 199.199.199.10/26998 --> 100.100.100.10/1;icmp, If: vlan.199, Pkts: 1, Bytes: 60
Out: 200.200.200.20/1 --> 199.199.199.10/26998;icmp, If: vlan.200, Pkts: 1, Bytes: 60

1) Above, in "In", the SRC IP is 199.199.199.10 and the DST is 100.100.100.10; this is created before the "Security Policy" is evaluated. I base this on the fact that the DST IP is still 100.100.100.10, not the NATed IP 200.200.200.20

2) It also shows the session is created in the session table even before the static destination NAT is attempted, because the DST IP is still 100.100.100.10, not 200.200.200.20

What am I missing? I know the whole lot, but I am trying to get the logic down.

Thanks and have a nice weekend!!

Additional info:

root> show configuration | display set


set version 11.4R7.5
set system root-authentication encrypted-password "$1$K8pkQCB3$PMhEh2V68NzABTnuUWOiv0"
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management http interface vlan.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces fe-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/0 unit 0 family ethernet-switching vlan members all
set interfaces fe-0/0/1 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan199
set interfaces fe-0/0/2 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan200
set interfaces fe-0/0/3 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan199
set interfaces fe-0/0/4 unit 0
set interfaces fe-0/0/5 unit 0
set interfaces fe-0/0/6 unit 0
set interfaces fe-0/0/7 unit 0
set interfaces vlan unit 199 family inet address 199.199.199.1/24
set interfaces vlan unit 200 family inet address 200.200.200.1/24
set security address-book global address ZEE 200.200.200.20/32
set security address-book global address GIGI 100.100.100.10/32
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat static rule-set ZEE1 from zone TRUST
set security nat static rule-set ZEE1 rule RULE1 match destination-address 100.100.100.10/32
set security nat static rule-set ZEE1 rule RULE1 then static-nat prefix 200.200.200.20/32
set security policies from-zone TRUST to-zone UNTRUST policy A match source-address any
set security policies from-zone TRUST to-zone UNTRUST policy A match destination-address GIGI
set security policies from-zone TRUST to-zone UNTRUST policy A match destination-address ZEE
set security policies from-zone TRUST to-zone UNTRUST policy A match application any
set security policies from-zone TRUST to-zone UNTRUST policy A then permit
set security policies from-zone UNTRUST to-zone TRUST policy A match source-address GIGI
set security policies from-zone UNTRUST to-zone TRUST policy A match destination-address any
set security policies from-zone UNTRUST to-zone TRUST policy A match application any
set security policies from-zone UNTRUST to-zone TRUST policy A then permit
set security zones security-zone TRUST host-inbound-traffic system-services all
set security zones security-zone TRUST interfaces vlan.199
set security zones security-zone UNTRUST host-inbound-traffic system-services all
set security zones security-zone UNTRUST interfaces vlan.200
set vlans vlan199 vlan-id 199
set vlans vlan199 l3-interface vlan.199
set vlans vlan200 vlan-id 200
set vlans vlan200 l3-interface vlan.200

Re: Security policy Untrust to zone Trust is denying traffic.


No cigar. From the log, it is an external IP to my public-facing IP that is being denied; should I create an untrust-to-untrust policy? However, I am still confused as to why it is hitting the untrust-to-trust policy if it isn't going into my internal network.

Re: Subinterfaces vs VLAN interfaces


Thanks for the diagram; it makes it easier to understand. Your configuration looks good, putting the gateway for each of those three subnets onto the SRX, and since there is only one port in each VLAN the addressing goes right on the interface.

For the security policies you mention, you will create zone names for each of the subnets and assign the interfaces to those zones.

Then you will write policies from zone to zone for the traffic you wish to permit. No policy means no traffic; the default is to deny. And the policy is needed in the direction that initiates the IP traffic.

Re: SYSLOG and Control plane on SRX 650


The SRX650 is a branch model SRX. The difficulty discussed in the paragraph is how the high-end SRX handles logs due to the combination of the two factors mentioned: volume + physical separation of control and data plane.

Neither of these is a factor for the SRX650 or any other branch SRX, so there is no issue to overcome.

Re: SRX GATEWAY Cluster with VLAN


Assuming your SRX cluster is Active/Passive, you will be configuring these connections as RETH interfaces (redundant ethernet). These are similar to AE, but only one interface is active passing traffic at a time. When failover occurs, the interface on the secondary SRX takes over.

With RETH interfaces no special configuration is needed on the switch side, as only one port is active at a time, so these are simply access ports.

On the servers you will need to research, with the vendor OS, redundant ethernet binding for the two NICs connected to the SRX. On VMware you simply add both physical interfaces to the same vSwitch. With other OSes the process is similar and also varies with the specific NIC vendor installed.


Re: Session creation and Security Policy on SRX


Check out the flow chart in this KB article for the details. You do have this correct: destination NAT drives the security policy, while source NAT does not.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB16110

The session table entry is not about the policy evaluation but about letting you know what is happening to the packet on the SRX. This gives us both the pre- and post-NAT addresses in the flow so we can understand the packet flow. There is no session created until the full flow chart is evaluated on the first packet and sets up the session.
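Three replies on this page rest on the same ordering: destination or static NAT is applied first, a route lookup on the translated destination picks the egress zone, and only then is the from-zone/to-zone policy matched, on the post-NAT addresses. That is why the destination NAT rule without a destination-port match hijacked ping to the WAN address (first thread), why a policy written against the WAN address never matched (the "Security policies are post-NAT" reply), and why the session "In" wing shows the pre-NAT address while the "Out" wing shows the post-NAT one (this thread). The following is an added model of that first-packet flow in Python; it is not Junos code and not the KB article's flow chart. The addresses 203.0.113.10 and 10.0.0.15 are constructed stand-ins for the scrubbed 73.x.x.x and 10.x.x.x values, the route table and local-address set are constructed, and screens, source NAT and the session-table lookup are deliberately left out.

```python
"""Toy model of the SRX first-packet flow: destination/static NAT, then route
lookup on the post-NAT destination, then zone policy on post-NAT addresses.
Added example, not Junos code. 203.0.113.10 / 10.0.0.15 are constructed
stand-ins for the thread's scrubbed 73.x.x.x / 10.x.x.x addresses."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

WAN_IP = "203.0.113.10"     # stand-in for 73.x.x.x, the SRX's own ge-0/0/0 address
LAN_HOST = "10.0.0.15"      # stand-in for the 10.x.x.x destination NAT pool
SCANNER = "198.199.98.246"  # external source from the RT_FLOW log line on this page


def _in(addr: str, prefix: str) -> bool:
    return prefix == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str     # "tcp", "udp" or "icmp"
    in_zone: str   # zone of the ingress interface


@dataclass
class NatRule:
    """Destination or static NAT: match on from-zone and destination prefix,
    optionally on destination port; rewrite destination (and optionally port)."""
    name: str
    from_zone: str
    match_dst: str
    new_dst: str
    match_dport: Optional[int] = None
    new_dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if pkt.in_zone != self.from_zone or not _in(pkt.dst, self.match_dst):
            return False
        if self.match_dport is None:
            return True                         # no port match: ICMP is translated too
        return pkt.proto != "icmp" and pkt.dport == self.match_dport


@dataclass
class Policy:
    name: str
    from_zone: str
    to_zone: str
    src: str                  # prefix or "any"
    dst: str                  # prefix or "any"; compared against the POST-NAT dst
    app_port: Optional[int]   # None models "application any"
    action: str = "permit"

    def matches(self, out_zone: str, pkt: Packet) -> bool:
        return (pkt.in_zone == self.from_zone and out_zone == self.to_zone
                and _in(pkt.src, self.src) and _in(pkt.dst, self.dst)
                and (self.app_port is None or pkt.dport == self.app_port))


def first_packet(pkt, nat_rules, routes, local_addrs, policies) -> dict:
    """Decide the fate of the first packet of a new flow. routes is a list of
    (prefix, zone); local_addrs are the SRX's own interface addresses."""
    post = replace(pkt)
    hit = next((r for r in nat_rules if r.matches(pkt)), None)
    if hit is not None:
        post.dst = hit.new_dst
        if hit.new_dport is not None:
            post.dport = hit.new_dport
    result = {"nat": hit.name if hit else None, "post_dst": post.dst,
              "session_in": f"{pkt.src}/{pkt.sport} --> {pkt.dst}/{pkt.dport}",
              "session_out": f"{post.dst}/{post.dport} --> {pkt.src}/{pkt.sport}"}
    if post.dst in local_addrs:
        # traffic to the SRX itself is governed by host-inbound-traffic, not zone policy
        result.update(to_zone="self", policy=None, action="host-inbound")
        return result
    # longest-prefix route lookup on the post-NAT destination gives the egress zone
    out_zone = max((r for r in routes if _in(post.dst, r[0])),
                   key=lambda r: ipaddress.ip_network(r[0]).prefixlen)[1]
    pol = next((p for p in policies if p.matches(out_zone, post)), None)
    result.update(to_zone=out_zone,
                  policy=pol.name if pol else "default-deny",
                  action=pol.action if pol else "deny")
    return result


HOME_ROUTES = [("10.0.0.0/24", "trust"), ("0.0.0.0/0", "untrust")]   # constructed


def ping_wan(match_port: bool) -> dict:
    """First thread: ICMP echo from the internet to the SRX's own WAN address,
    with the destination NAT rule either lacking or carrying destination-port 6015."""
    rule = NatRule("siege-wan", "untrust", WAN_IP + "/32", LAN_HOST,
                   match_dport=6015 if match_port else None, new_dport=6015)
    pkt = Packet(SCANNER, 0, WAN_IP, 0, "icmp", "untrust")
    return first_packet(pkt, [rule], HOME_ROUTES, {WAN_IP}, [])


def forward_6015(policy_dst: str) -> dict:
    """Second thread: TCP/6015 from the scanner through the corrected NAT rule,
    with an untrust-to-trust policy whose destination-address is policy_dst."""
    rule = NatRule("siege-wan", "untrust", WAN_IP + "/32", LAN_HOST, 6015, 6015)
    pol = Policy("siege", "untrust", "trust", "any", policy_dst, 6015)
    pkt = Packet(SCANNER, 57893, WAN_IP, 6015, "tcp", "untrust")
    return first_packet(pkt, [rule], HOME_ROUTES, {WAN_IP}, [pol])


def static_nat_trust() -> dict:
    """This thread: ping from 199.199.199.10 to 100.100.100.10, static NAT to
    200.200.200.20, policy A written on the post-NAT address (ZEE)."""
    rule = NatRule("RULE1", "TRUST", "100.100.100.10/32", "200.200.200.20")
    pol = Policy("A", "TRUST", "UNTRUST", "any", "200.200.200.20/32", None)
    routes = [("199.199.199.0/24", "TRUST"), ("200.200.200.0/24", "UNTRUST")]
    pkt = Packet("199.199.199.10", 26998, "100.100.100.10", 1, "icmp", "TRUST")
    return first_packet(pkt, [rule], routes, {"199.199.199.1", "200.200.200.1"}, [pol])
```

Running the three scenarios reproduces the outcomes in the threads: without the port match the ping is translated to the LAN host and never terminates on the SRX; a policy with destination-address WAN never matches because the destination has already become the LAN host by the time the policy is consulted; and the static NAT case yields an "In" wing of 199.199.199.10 to 100.100.100.10 and an "Out" wing from 200.200.200.20, with policy A matched on the translated address.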

Re: SRX GATEWAY Cluster with VLAN


Thanks for the reply and advice. I have attached the sample topology (SRV-1 and SRV-2 in the same VLAN).

a) Can I have more than one interface in a RETH (so in my case two interfaces each for SRX-A and SRX-B)?

b) If the above is yes, then I need to create an L3 interface and then configure RETH to that, right?

c) If a) is NO, then is the only solution to create an AE in SRX-A and SRX-B and then configure RETH? And so LAG should be supported by the server... right?

d) If AE is not an option for me, then can I use SWFAB for this solution with Ethernet switching enabled on SRX-A and SRX-B?

Re: Security policy Untrust to zone Trust is denying traffic.


If that is the case, then why didn't the source-address any rule work? Or do you mean I need to set an untrust-to-untrust rule with the destination being my WAN address definition?

Re: SYSLOG and Control plane on SRX 650


Thanks for your response.

This is what I understand:

1) A branch office SRX can use a "revenue port", i.e. a port used by transit traffic, to source SYSLOG, since this port exists in the data plane.

The same recommendation is made for the high-end SRX: use a revenue port to source syslog rather than the management port.

My question is: if we use the MGMT port to source syslog rather than a revenue port on a branch SRX such as the 650, does it not have any impact on the control plane versus when using a revenue port?
