Our ISP wants to monitor the SRX (MPLS mode) loopback IP (provided by the ISP) from the IP subnet given below.
The ISP has shared the Cisco router configuration below and requested us to configure the same on the SRX.
access-list 98 permit tcp 184.108.40.206 0.0.0.255
access-list 98 permit tcp 220.127.116.11 0.0.0.255
access-list 98 deny any log
snmp-server community rcuil RO 98
snmp-server ifindex persist
ip route 18.104.22.168 255.255.255.0 <PE WAN IP>
ip route 22.214.171.124 255.255.255.0 <PE WAN IP>
Advertise the loopback IP address in BGP if BGP is running
OR configure a static route
ip route <loopback ip> <subnet mask> <pe wan ip>
Please find attached the SRX configuration "display set" output. We are allowing only the 203.62.3X.X/24 subnet for SNMP access, using firewall filters for added security. The lo.15 interface will be monitored by the ISP. The Airtel link is terminated under the "office" VRF on interface ge-0/0/6.
After committing this configuration the BGP peer came up, but network users could not get access (i.e. linc, email, web, etc.).
Kindly suggest how to fix it.
In the filter you need to drop just the affected protocols, and then your final term is an accept-all at the end, as shown here for BGP; add the same for SNMP as well.
set firewall family inet filter Airtel_snmp term BGP_filter from source-address 126.96.36.199/32
set firewall family inet filter Airtel_snmp term BGP_filter from source-address 188.8.131.52/32
set firewall family inet filter Airtel_snmp term BGP_filter from destination-port bgp
set firewall family inet filter Airtel_snmp term BGP_filter then accept
set firewall family inet filter Airtel_snmp term BGP_filter from protocol tcp
set firewall family inet filter Airtel_snmp term BGP_block from protocol tcp
set firewall family inet filter Airtel_snmp term BGP_block from destination-port bgp
set firewall family inet filter Airtel_snmp term BGP_block then reject
set firewall family inet filter Airtel_snmp term allow_rest then accept
Thank you for your reply.
Where do I need to add the log statement?
Could you shed more light on "term BGP_block" and "term allow_rest"?
In "term BGP_filter" we accept BGP traffic, but in "term BGP_block" we reject the BGP port --> what will happen?
In "term allow_rest" --> which network traffic will be allowed?
Our purpose is: the IP subnet 203.62.X.X/24 should get access to the loopback IP with the SNMP protocol only, and other network traffic should not be impacted.
Sorry for the confusion. The basic idea is that your filter is set up like this:
Protocol Term 1: Allow the specific protocol and ip address you want
Protocol Term 2: block that same protocol as a whole so that nothing else can connect
Continue for all the protocols you want to limit
The last term is then allow all so that anything else will pass.
Logging or counts can be added to any desired term.
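As an added example (not taken from any reply in this thread), here is the term-pair pattern just described written out for both SNMP and BGP, with counters and logging on the block terms, and applied to the loopback unit. The prefix <SNMP-MGMT-SUBNET>/24 is a placeholder for the monitoring subnet, and lo0 unit 15 is an assumption for the "lo.15" interface in the question.

```junos
## Added example, not from the original thread. Assumptions:
##   <SNMP-MGMT-SUBNET>/24 = the ISP monitoring subnet (203.62.3X.X/24 in the question)
##   lo0 unit 15           = the loopback unit the ISP monitors ("lo.15" in the question)

## SNMP term 1: accept SNMP only from the monitoring subnet, and count the hits
set firewall family inet filter Airtel_snmp term SNMP_allow from source-address <SNMP-MGMT-SUBNET>/24
set firewall family inet filter Airtel_snmp term SNMP_allow from protocol udp
set firewall family inet filter Airtel_snmp term SNMP_allow from destination-port snmp
set firewall family inet filter Airtel_snmp term SNMP_allow then count snmp-allowed
set firewall family inet filter Airtel_snmp term SNMP_allow then accept

## SNMP term 2: drop SNMP from every other source; log and count the attempts
set firewall family inet filter Airtel_snmp term SNMP_block from protocol udp
set firewall family inet filter Airtel_snmp term SNMP_block from destination-port snmp
set firewall family inet filter Airtel_snmp term SNMP_block then count snmp-blocked
set firewall family inet filter Airtel_snmp term SNMP_block then log
set firewall family inet filter Airtel_snmp term SNMP_block then discard

## BGP term 1: accept BGP only from the two peers named in the reply above
set firewall family inet filter Airtel_snmp term BGP_filter from source-address 126.96.36.199/32
set firewall family inet filter Airtel_snmp term BGP_filter from source-address 188.8.131.52/32
set firewall family inet filter Airtel_snmp term BGP_filter from protocol tcp
set firewall family inet filter Airtel_snmp term BGP_filter from destination-port bgp
set firewall family inet filter Airtel_snmp term BGP_filter then accept

## BGP term 2: drop BGP session attempts from anyone else
set firewall family inet filter Airtel_snmp term BGP_block from protocol tcp
set firewall family inet filter Airtel_snmp term BGP_block from destination-port bgp
set firewall family inet filter Airtel_snmp term BGP_block then log
set firewall family inet filter Airtel_snmp term BGP_block then discard

## Final term: everything not matched above is accepted. A Junos filter ends
## with an implicit discard, so without this term all other traffic to the
## loopback would be dropped.
set firewall family inet filter Airtel_snmp term allow_rest then accept

## Apply the filter as an input filter on the monitored loopback unit
set interfaces lo0 unit 15 family inet filter input Airtel_snmp
```

After the commit, "show firewall filter Airtel_snmp" displays the snmp-allowed and snmp-blocked counters, so you can confirm the monitoring subnet is being accepted and see whether any other source is probing the loopback.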