SRX

 View Only
last person joined: yesterday 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Allowing a private network PC onto a domain network

    Posted 04-17-2019 06:51

    Hi All,

    We have a unique issue. We install Juniper SRX 300 firewalls at customer sites. We do not know what firewall they are using for their main network. We use a NAT to send from our Juniper (Private network) to thier network using a static IP (sometimes DHCP) that they provide. This particualr customer wants us to connect to thier network so they can push updates, and password changes to our PC behind the Juniper. The older PC we have onsite is using 2 - NICs for this with no firewall. My question is, how can I allow traffic through our Juniper so, that we can connect to their domain? We would not know any specifications in order to setup a VPN tunnel. 



  • 2.  RE: Allowing a private network PC onto a domain network

    Posted 04-17-2019 08:11

    Hi mwdaly,

     

    I'm not sure if I got your point, but it seems you have a central site which needs to get some sort of L2/L3 connectivity with your local site behind SRX. Is it correct?

    If so, why don't you establish an IPSEC VPN with Central Site?



  • 3.  RE: Allowing a private network PC onto a domain network

    Posted 04-17-2019 14:40

    Hello MwDaly,

     

    If I understand your requirement correctly, currently you have the following setup: -

     

    PC ----- Switching network ---- SRX ----- Internet ---- Main Network Firewall ------ Client Domain network

     

    - In this setup, SRX is using a source NAT to send the traffic out to the Domain network.

    - Now the requirement is to initiate the traffic from Domain Network towards PC.

     

    Please correct me if this is NOT what you mean in your question. [ And I will be sorry to write a long answer without understanding the question :)]

     

    Possible Solutions:-

     

    1.  This would require a Destination/Static NAT on SRX side to enable communication. But that would require Public block of IPs   on the SRX side too. 

     

    2. Use Persistent NAT feature. In this case, the traffic can be initiated from the other end as long as a session exists from the PC to the other network.

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-persistent-nat-and-nat64.html#id-understanding-session-traversal-utilities-for-nat-stun-protocol

     

    3. Create an IPSEC VPN between the clients and central site. (I know , you mentioned that you don't know the parameters but you can always ask them to create one for you).

     

    4. Use a Client VPN software (which is supported by the firewall at main site) on each of the PCs in question. 

     

    Personally, I would avoid the first 2 options because that leaves the communication unencrypted in the Internet. I would prefer option#3 as it is more scalable than option 4.

     

    Thanks!

     



  • 4.  RE: Allowing a private network PC onto a domain network

    Posted 04-18-2019 05:39

    Hi 

    Attachment(s)

    txt
    JuniperExampleConfig.txt   10 KB 1 version


  • 5.  RE: Allowing a private network PC onto a domain network

    Posted 04-19-2019 13:14

    Hi mwdaly,

     

    Based on the provided configuration you have source-nat and not static-nat; all the traffic in your network will be source-natted to the IP address configured on the SRX300's external interface. Does the external interface of the SRX300 has a public IP? is it connected to the Internet? I am asking this because in the diagram your network seems to be inside the main network and I am trying to confirm if this is true or if your network is actually on a separate location.

     

    If your network (behind SRX300) is on a separate location, then the best way to go will be to implement an IPsec VPN between your SRX300 and the Main Network firewall. This way the traffic from the internal PCs will be sent encrypted and protected over the VPN when it flows to the DC located on the Main Network over the Internet.

     

    In case your LAN's subnet (192.168.0.0/24) is the same subnet being used on the Main Network, you may want to implement static NAT over the IPsec VPN in order to avoid a duplicate subnets conflict:

     

    https://www.juniper.net/documentation/en_US/release-independent/nce/topics/concept/lan2lan-vpn-jseries-srx-series-overview.html

     

    Hope this helps.

     



  • 6.  RE: Allowing a private network PC onto a domain network

    Posted 04-23-2019 08:59

    Hi lpaniagua,

     

    Thanks for the reply. My network is not a seperate location. Same location. We always have our Private like 192.168.0.101 and NAT to a static that they provide. Could be an IP like: 192.168.199.160/32, or: 10.16.4.151/32



  • 7.  RE: Allowing a private network PC onto a domain network

    Posted 04-20-2019 10:29

    Hello MWDaly,

     

    It's an interesting diagram.  It appears that your Private network sits inside the customer network with limited access to outside world.

     

    In your configuration, there is no static NAT or destination NAT. Also, Source interface NAT is being used.

     

    That means all the traffic from zone 1 to Internet are being NAT-ed to only 1 IP i.e. on ge-0/0/0 interface. 

     

    Therefore, I believe generally there is no traffic initiated from outside to reach this PC.

     

    Also from your replies, I see that you are looking for a solution which does NOT involve talking to customer IT admins 🙂 .

     

    I think a proper solution will be  #3 in my previous update.

     

    But if you want , you can also try to see if "persistent-nat" may have a solution. It is different from already configured "address-persistent" which IMHO is not needed in your setup.

     

    Persistent NAT allows the firewall to maintain the IP/PORT mapping upto a configurable time-interval even after the initial session expires. This is NOT a true destination NAT and will need your PC to initiate a session once before the customer's domain can send updates to the PC.

     

    Take a look at it :- 

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB20711&act=login

     

    Be cautious while testing it as it may have some impact on the network which I can't predict without knowing the details of your network.

     

    Thanks! 

     

     



  • 8.  RE: Allowing a private network PC onto a domain network

    Posted 04-23-2019 09:05

    Hi 

     

     



  • 9.  RE: Allowing a private network PC onto a domain network
    Best Answer

    Posted 04-24-2019 08:50

    Hello MWDaly,

     

    Since you are inside the same main network, your assumption is correct.

     

    You should be able to add your PC to the domain and get it managed by the server.

     

    I am just unsure whether you would need the Domain controllers to initiate a session or NOT. 

     

    Therefore, I think STATIC NAT is the best option.

     

    Using Static NAT allows :- 

     

    1. PC will always use the same IP when talking to outside your SRX.

    2. Your incoming traffic (when initiated by the other side of SRX) will not have any issue reaching your PC.

     

    If your requirement does NOT include traffic initiation from the Domain Controller side, then a simple source NAT is fine.

     

    Hopefully it is useful.

    Thanks!



  • 10.  RE: Allowing a private network PC onto a domain network

    Posted 04-25-2019 11:01

    Hi mwdaly,

     

    I'm glad a solution was provided. Please note that the Static NAT will work if you only have 1 PC behind the SRX firewall, which I believe is the case. The traffic from that PC will be always translated to the address of the external interface of the SRX (assuming you will configure the NAT rule this way).

     

    If you have multiple PCs you could configure them within a subnet that is not used on the main network and just don't NAT the traffic when it is destined to the DC, using the "nat-off" option. See some examples of using the nat-off option:

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB24404 https://www.dummies.com/programming/networking/juniper/how-to-exclude-traffic-from-nat-on-a-junos-srx/

     

    A new security-policy might be needed to allow the communication between the Internal PCs and the DC. With the no-nat option, the traffic from your internal network can reach the DC and you could still provide security with the SRX300; the only thing you need to make sure is that you use a subnet that is not in use on the main network and configure the routing accordingly so that the main network routers point to the SRX when sending the traffic back to the PCs in your internal network. Now when the PCs send traffic to the Internet, the traffic will hit the same security-policies and NAT rules that you already have in place.

     



  • 11.  RE: Allowing a private network PC onto a domain network

    Posted 04-29-2019 07:16

    Thank you for the wonderful information.

     

    I will only have 1 pc behind the srx. That being said, are there any special security policies needed to reach the DC other than adding the IP as an object, e.g., ldap, or anything else?