SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Firewall filter configuration for loopback IP access

    Posted 12-05-2017 22:24

    Hi,

    Our ISP wants to monitor the SRX (MPLS mode) loopback IP (provided by the ISP) from the IP subnets given below.

    The ISP has shared the below Cisco router configuration and requested us to configure the same on the SRX.

    ! Standard ACL 98 matches on source address only; IOS does not accept a protocol keyword here
    access-list 98 permit 203.62.38.0 0.0.0.255
    access-list 98 permit 203.62.39.0 0.0.0.255
    access-list 98 deny   any log
    snmp-server community rcuil RO 98
    snmp-server ifindex persist
    ip route 203.62.38.0 255.255.255.0 <PE WAN IP>
    ip route 203.62.39.0 255.255.255.0 <PE WAN IP>
    ! Advertise the loopback IP address in BGP if BGP is running,
    ! OR configure a static route:
    ip route <loopback ip> <subnet mask> <pe wan ip>

    Please find attached the SRX configuration "display set" output. We are allowing only the 203.62.3X.X/24 subnets for SNMP access, using firewall filters for add-on security. The lo.15 interface will be monitored by the ISP. The Airtel link is terminated under the "office" VRF interface ge-0/0/6.

    After committing this configuration the BGP peer was up, but network users could not get access (i.e. linc, email, web etc.).

    Kindly suggest how to fix it.

    Thank you...

  • 2.  RE: Firewall filter configuration for loopback IP access
    Best Answer

    Posted 12-06-2017 02:53

    In the filter you need to drop just the affected protocols, and then your final term is accept-all at the end, as shown here for BGP; add the same for SNMP as well.

    set firewall family inet filter Airtel_snmp term BGP_filter from source-address 172.46.11.61/32
    set firewall family inet filter Airtel_snmp term BGP_filter from source-address 172.56.27.35/32
    set firewall family inet filter Airtel_snmp term BGP_filter from protocol tcp
    set firewall family inet filter Airtel_snmp term BGP_filter from destination-port bgp
    set firewall family inet filter Airtel_snmp term BGP_filter then accept
    set firewall family inet filter Airtel_snmp term BGP_block from protocol tcp
    set firewall family inet filter Airtel_snmp term BGP_block from destination-port bgp
    set firewall family inet filter Airtel_snmp term BGP_block then reject
    set firewall family inet filter Airtel_snmp term allow_rest then accept

  • 3.  RE: Firewall filter configuration for loopback IP access

    Posted 12-06-2017 04:49

    Thank you for your reply.

    Where do I need to add the log statement?



  • 4.  RE: Firewall filter configuration for loopback IP access

    Posted 12-06-2017 22:35

    Hi Steve,

    Could you shed more light on "term BGP_block" and "term allow_rest"?

    In "term BGP_filter" we accept BGP traffic, but in "term BGP_block" we reject the BGP port --> what will happen?

    In "term allow_rest" --> which network traffic will be allowed?

    Our purpose is: the IP subnet 203.62.X.X/24 should get access to the loopback IP with the SNMP protocol only, and other network traffic should not be impacted.

    Thank you..

  • 5.  RE: Firewall filter configuration for loopback IP access

    Posted 12-07-2017 02:25

    Sorry for the confusion. The basic idea is that your filter is set up like this:

    Protocol Term 1: Allow the specific protocol and IP addresses you want.

    Protocol Term 2: Block that same protocol as a whole so that nothing else can connect.

    Continue for all the protocols you want to limit.

    The last term is then allow-all, so that anything else will pass.

    Logging or counts can be added to any desired term.
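Putting that pattern together as one complete loopback filter, with counters and logging on the deny terms. This is an added example and not configuration from the original thread or from the poster's attachment; the loopback unit (lo0.15), the two monitoring subnets, the two BGP peer /32s from the reply above and the read-only community name from the ISP's Cisco snippet are assumptions taken from the posts, and the term and counter names are made up for illustration. The key point is the final accept term: every Junos firewall filter ends with an implicit discard, so a filter that only has SNMP terms drops all other traffic to the loopback, which is consistent with the outage described in the first post.

```junos
## Added example, not from the original thread. Assumptions: loopback unit lo0.15,
## monitoring subnets 203.62.38.0/24 and 203.62.39.0/24, BGP peers 172.46.11.61 and
## 172.56.27.35, SNMP community "rcuil" (read-only) as named by the ISP.

## Prefix lists keep the addresses in one place and make the terms readable
set policy-options prefix-list ISP_SNMP_MONITORS 203.62.38.0/24
set policy-options prefix-list ISP_SNMP_MONITORS 203.62.39.0/24
set policy-options prefix-list ISP_BGP_PEERS 172.46.11.61/32
set policy-options prefix-list ISP_BGP_PEERS 172.56.27.35/32

## SNMP, term 1: only the ISP monitoring subnets may poll (SNMP is UDP/161)
set firewall family inet filter Airtel_snmp term SNMP_allow from source-prefix-list ISP_SNMP_MONITORS
set firewall family inet filter Airtel_snmp term SNMP_allow from protocol udp
set firewall family inet filter Airtel_snmp term SNMP_allow from destination-port snmp
set firewall family inet filter Airtel_snmp term SNMP_allow then count snmp-allowed
set firewall family inet filter Airtel_snmp term SNMP_allow then accept

## SNMP, term 2: any other SNMP attempt is counted, logged and silently dropped
## (discard is silent; reject, as used in the reply above, answers with an ICMP unreachable)
set firewall family inet filter Airtel_snmp term SNMP_block from protocol udp
set firewall family inet filter Airtel_snmp term SNMP_block from destination-port snmp
set firewall family inet filter Airtel_snmp term SNMP_block then count snmp-denied
set firewall family inet filter Airtel_snmp term SNMP_block then log
set firewall family inet filter Airtel_snmp term SNMP_block then syslog
set firewall family inet filter Airtel_snmp term SNMP_block then discard

## BGP, term 1: the ISP peers. "port bgp" matches TCP/179 as source OR destination,
## so the session is permitted whichever side opened it.
set firewall family inet filter Airtel_snmp term BGP_allow from source-prefix-list ISP_BGP_PEERS
set firewall family inet filter Airtel_snmp term BGP_allow from protocol tcp
set firewall family inet filter Airtel_snmp term BGP_allow from port bgp
set firewall family inet filter Airtel_snmp term BGP_allow then count bgp-allowed
set firewall family inet filter Airtel_snmp term BGP_allow then accept

## BGP, term 2: any other BGP attempt
set firewall family inet filter Airtel_snmp term BGP_block from protocol tcp
set firewall family inet filter Airtel_snmp term BGP_block from port bgp
set firewall family inet filter Airtel_snmp term BGP_block then count bgp-denied
set firewall family inet filter Airtel_snmp term BGP_block then log
set firewall family inet filter Airtel_snmp term BGP_block then syslog
set firewall family inet filter Airtel_snmp term BGP_block then discard

## Final term: everything not matched above passes. Without it the implicit discard
## at the end of the filter drops all remaining traffic to the loopback.
set firewall family inet filter Airtel_snmp term allow_rest then count other-accepted
set firewall family inet filter Airtel_snmp term allow_rest then accept

## Apply the filter inbound on the loopback unit the ISP monitors (assumed lo0.15)
set interfaces lo0 unit 15 family inet filter input Airtel_snmp

## Defence in depth: restrict the community on the SNMP side as well, so both the
## filter and the client list must agree before a poll is answered
set snmp community rcuil authorization read-only
set snmp community rcuil clients 203.62.38.0/24
set snmp community rcuil clients 203.62.39.0/24
set snmp community rcuil clients 0.0.0.0/0 restrict
```

Terms are evaluated top to bottom and the first match wins, so each allow term must sit above its matching block term. Because a loopback filter governs all traffic to the routing engine, commit it with `commit confirmed` so a mistake rolls back on its own, then check `show firewall filter Airtel_snmp` for the per-term counters and `show firewall log` for the packets the deny terms caught.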