
Junos equivalent to ScreenOS VIP port redirection

  • 1.  Junos equivalent to ScreenOS VIP port redirection

    Posted 03-22-2019 04:57

    I'm not very familiar with Juniper; I'm trying to replicate a VIP config from a ScreenOS device on a Junos SRX 340 unit, but it is still not working. Would it be possible to get your expertise on the config?

    In ScreenOS we were able to open a port on the untrust side and point it to another port on our trust side using a VIP.

    From the ScreenOS example:

    set interface ethernet0/3 description "SRDP" vip 172.21.24.30: 80 "Oracle4" 10.200.3.37:778

    We've figured out how to do a straight port mapping (thanks to the document "Junos for the ScreenOS user"):

    set security nat destination pool SRDP-VIP-NAT address 10.200.3.37/32
    set security nat destination pool SRDP-VIP-NAT address port 7778

    set security nat destination rule-set VIP from zone SRDP
    set security nat destination rule-set VIP rule r1 match destination-address 172.21.24.30/32
    set security nat destination rule-set VIP rule r1 match destination-port 80
    set security nat destination rule-set VIP rule r1 then destination-nat pool SRDP-VIP-NAT

    set security zones security-zone trust address-book address HTS11 10.200.3.37/32

    set security policies from-zone SRDP to-zone Trust policy Allow-VIP match source-address VIP-172.21.24.30
    set security policies from-zone SRDP to-zone Trust policy Allow-VIP match destination-address HTS11
    set security policies from-zone SRDP to-zone Trust policy Allow-VIP match application Oracle4
    set security policies from-zone SRDP to-zone Trust policy Allow-VIP match application junos-http
    set security policies from-zone SRDP to-zone Trust policy Allow-VIP then permit

    set security nat proxy-arp interface "SRDP" ge-0/0/4.0 address 172.21.24.30/32

    Thank you

    Ismail



  • 2.  RE: Junos equivalent to ScreenOS VIP port redirection

    Posted 03-22-2019 12:53

    Hi,

    What if you remove:

    del security policies from-zone SRDP to-zone Trust policy Allow-VIP match source-address VIP-172.21.24.30
    del security policies from-zone SRDP to-zone Trust policy Allow-VIP match application junos-http

    or set the first one to any?



  • 3.  RE: Junos equivalent to ScreenOS VIP port redirection

    Posted 03-25-2019 03:53

    Hi,

    Many thanks for your reply. I don't want to delete my config; I just want to make sure it is the correct config to convert from a NetScreen OS VIP to the SRX.



  • 4.  RE: Junos equivalent to ScreenOS VIP port redirection

    Posted 03-23-2019 06:07

    As Alex notes, your source in the policy will be the ultimate device requesting access to the server, not the pre-NAT state of your destination. And since you are changing the http port, you won't need that custom Oracle port, as it will be changed by the time it hits this policy.

    set security zones security-zone trust address-book address HTS11 10.200.3.37/32

    set security policies from-zone SRDP to-zone Trust policy Allow-VIP match source-address any <<< or restricted to the devices you want
    set security policies from-zone SRDP to-zone Trust policy Allow-VIP match destination-address HTS11
    set security policies from-zone SRDP to-zone Trust policy Allow-VIP match application junos-http
    set security policies from-zone SRDP to-zone Trust policy Allow-VIP then permit

    You might consider adding logging as well:

    set security policies from-zone SRDP to-zone Trust policy Allow-VIP then log session-close

    This is a full set of examples of the NAT variations:

    https://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf

     



  • 5.  RE: Junos equivalent to ScreenOS VIP port redirection

    Posted 03-25-2019 04:00

    Hi Steve,

    Many thanks for your help. I'm a bit confused here.

    Would you please advise on my new config, whether it is still correct to apply?

    set security zones security-zone trust address-book address HTS11 10.200.3.37/32

    set security policies from-zone SRDP to-zone Trust policy Allow-VIP match source-address VIP-172.21.24.30
    set security policies from-zone SRDP to-zone Trust policy Allow-VIP match destination-address HTS11
    set security policies from-zone SRDP to-zone Trust policy Allow-VIP match application junos-http
    set security policies from-zone SRDP to-zone Trust policy Allow-VIP then permit
    set security policies from-zone SRDP to-zone Trust policy Allow-VIP then log session-close

    set security nat proxy-arp interface "SRDP" ge-0/0/4.0 address 172.21.24.30/32

    Regards,

    Ismail



  • 6.  RE: Junos equivalent to ScreenOS VIP port redirection

    Posted 03-25-2019 14:27

    This is not right:

    set security policies from-zone SRDP to-zone Trust policy Allow-VIP match source-address VIP-172.21.24.30

    The source address is the IP address of the client making the request, NOT the pre-NAT address of the destination in the packet.

    The policy is written to the post-destination-NAT address, and the original destination address is NOT in the policy.

    Assuming you allow any internet address to access this host, the correct line is:

    set security policies from-zone SRDP to-zone Trust policy Allow-VIP match source-address any

    But you can restrict external hosts by creating address objects and using them here. It is the client requesting the connection; it has nothing to do with your server or NAT addresses.

     



  • 7.  RE: Junos equivalent to ScreenOS VIP port redirection

    Posted 03-26-2019 15:33

    Hello Ismail,

    In Junos the syntax for destination address and port translation can be understood simply as follows.

    For simplicity, let's consider the following:

    SIP1 = Source IP as seen by the Client.

    DIP1 = Destination IP as seen by the Client.

    DPort1 = Destination Port as seen by the Client.

    SIP2 = Source IP as seen by the Server.

    DIP2 = Destination IP as seen by the Server.

    DPort2 = Destination Port as seen by the Server.

    In your case, because you are only looking to NAT the incoming service's port and IP, SIP1 and SIP2 have the same value.

    1. We create a pool of the Destination IP and Destination Port as seen by the server.

    set security nat destination pool SRDP-VIP-NAT address DIP2
    set security nat destination pool SRDP-VIP-NAT address port DPort2

    2. We define the destination NAT rule to convert DIP1/DPort1 into DIP2/DPort2, assuming that the Client is located in the SRDP zone.

    set security nat destination rule-set VIP from zone SRDP
    set security nat destination rule-set VIP rule r1 match destination-address DIP1
    set security nat destination rule-set VIP rule r1 match destination-port DPort1
    set security nat destination rule-set VIP rule r1 then destination-nat pool SRDP-VIP-NAT

    3. Define the security policy to allow the combination of the post-NAT Destination IP/Port and the original source IP address.

    set security policies from-zone SRDP to-zone Trust policy Allow-VIP match source-address <Address book defining SIP1>
    set security policies from-zone SRDP to-zone Trust policy Allow-VIP match destination-address <Address-book defining DIP2>
    set security policies from-zone SRDP to-zone Trust policy Allow-VIP match application <Application defining DPort2>
    set security policies from-zone SRDP to-zone Trust policy Allow-VIP then permit

    4. You would need to configure proxy-arp on the "Client side" interface only if DIP1 falls in the same subnet as the "Client side" interface.

    Hope this helps!

    Thanks,



  • 8.  RE: Junos equivalent to ScreenOS VIP port redirection

    Posted 03-27-2019 04:14

    Hi,

    Many thanks for your time and effort. Just to be honest with you, I'm very confused about that. This is what I have.

    From the ScreenOS config:

    set interface ethernet0/3 description "SRDP" vip 172.21.24.30: 80 "Oracle4" 10.200.3.37:778

    The IP 172.21.24.30 is part of the SRDP zone.

    The Oracle4 application is part of the service application.

    The IP 10.200.3.37 is part of the Trust zone.

    The port 7778 is the dst-port for the service Oracle4.

    Note: Please see the attached PNG for more info.

    With regard to your example, I'm not sure if I reflected the right info to match your example.

    SIP1 = Source IP as seen by the Client: VIP-172.21.24.30

    DIP1 = Destination IP as seen by the Client: 10.200.3.37/32

    DPort1 = Destination Port as seen by the Client: 7778

    SIP2 = Source IP as seen by the Server: 10.200.3.37/32

    DIP2 = Destination IP as seen by the Server: 80

    DPort2 = Destination Port as seen by the Server: 172.21.24.30/32

    Once again, thanks for your help.

    Ismail



  • 9.  RE: Junos equivalent to ScreenOS VIP port redirection

    Posted 03-27-2019 14:50

    Hello Ismail,

    Let me try again!

    set interface ethernet0/3 description "SRDP" vip 172.21.24.30: 80 "Oracle4" 10.200.3.37:778

    converts the destination address of a packet (arriving in the SRDP zone) from 172.21.24.30 port 80 to 10.200.3.37 port 778.

    On Junos it is achieved by the destination NAT rule written as:

    set security nat destination pool SRDP-VIP-NAT address 10.200.3.37
    set security nat destination pool SRDP-VIP-NAT address port 778

    set security nat destination rule-set VIP from zone SRDP
    set security nat destination rule-set VIP rule r1 match destination-address 172.21.24.30
    set security nat destination rule-set VIP rule r1 match destination-port 80
    set security nat destination rule-set VIP rule r1 then destination-nat pool SRDP-VIP-NAT

    The corresponding security policy would look like the following:

    set security zones security-zone trust address-book address HTS11 10.200.3.37/32

    set security policies from-zone SRDP to-zone Trust policy Allow-VIP match source-address any <<< You can use an address book with the client's subnet here.
    set security policies from-zone SRDP to-zone Trust policy Allow-VIP match destination-address HTS11
    set security policies from-zone SRDP to-zone Trust policy Allow-VIP match application Oracle4
    set security policies from-zone SRDP to-zone Trust policy Allow-VIP then permit

    P.S.: I could not find any attachment with your last post.

    Thanks!


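The point made in posts 7 and 9, that the SRX applies the destination NAT rule first and then evaluates the security policy against the translated destination and the unchanged client source, is easy to get wrong when reading set commands, so here is a small Python model of that lookup order. It is an added example, not configuration or code from the thread or from Juniper; the client address 203.0.113.5 is constructed, the Oracle4 application is assumed to be TCP/778 as in the ScreenOS VIP line, and the rule and policy dictionaries are hand-transcribed forms of the set commands above.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str     # client address: destination NAT never changes it
    dst: str
    dport: int


# Destination NAT rule-set "VIP" from zone SRDP, as configured in the thread
DST_NAT_RULES = [
    {"from_zone": "SRDP", "match_dst": "172.21.24.30/32", "match_dport": 80,
     "pool": ("10.200.3.37", 778)},
]

# Address-book entries and applications referenced by the thread's policies.
# "Oracle4" is the poster's custom application; TCP/778 is an assumption here.
ADDRESS_BOOK = {
    "any": None,                          # matches every address
    "HTS11": "10.200.3.37/32",
    "VIP-172.21.24.30": "172.21.24.30/32",
}
APPLICATIONS = {"junos-http": 80, "Oracle4": 778}


def destination_nat(pkt, from_zone, rules=DST_NAT_RULES):
    """First-match destination NAT: rewrite dst and dport, leave src untouched."""
    for rule in rules:
        if (rule["from_zone"] == from_zone
                and ip_address(pkt.dst) in ip_network(rule["match_dst"])
                and pkt.dport == rule["match_dport"]):
            new_ip, new_port = rule["pool"]
            return replace(pkt, dst=new_ip, dport=new_port)
    return pkt  # no rule hit: the packet reaches policy lookup unchanged


def address_matches(book_name, ip):
    prefix = ADDRESS_BOOK[book_name]
    return prefix is None or ip_address(ip) in ip_network(prefix)


def policy_permits(pkt, policy):
    """Evaluate one security policy against the packet the policy actually sees."""
    return (address_matches(policy["source-address"], pkt.src)
            and address_matches(policy["destination-address"], pkt.dst)
            and pkt.dport in {APPLICATIONS[a] for a in policy["application"]})


def flow_lookup(pkt, from_zone, policy):
    """SRX order for an inbound flow: destination NAT, then policy on the translated packet."""
    translated = destination_nat(pkt, from_zone)
    return translated, policy_permits(translated, policy)


# Policies from the thread, transcribed into dict form (constructed)
ORIGINAL_POLICY = {"source-address": "VIP-172.21.24.30", "destination-address": "HTS11",
                   "application": ["Oracle4", "junos-http"]}
CORRECTED_POLICY = {"source-address": "any", "destination-address": "HTS11",
                    "application": ["Oracle4"]}

if __name__ == "__main__":
    client = Packet(src="203.0.113.5", dst="172.21.24.30", dport=80)  # constructed client
    for name, pol in (("original", ORIGINAL_POLICY), ("corrected", CORRECTED_POLICY)):
        seen, ok = flow_lookup(client, "SRDP", pol)
        print(f"{name}: policy sees {seen.src} -> {seen.dst}:{seen.dport}, permit={ok}")
```

Running it shows why the original policy never permits anything: by the time the policy runs, the packet is 203.0.113.5 -> 10.200.3.37:778, so a source-address of VIP-172.21.24.30 cannot match, and an application defined as port 80 cannot match either; only the client source plus the post-NAT address and port do.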

  • 10.  RE: Junos equivalent to ScreenOS VIP port redirection

    Posted 04-01-2019 01:55

    Hi mate,

    Once again, thank you for your help. I'll test the new config and I'll let you know.

    Cheers

    Ismail



  • 11.  RE: Junos equivalent to ScreenOS VIP port redirection

    Posted 04-03-2019 05:38

    Hi Mate,

    With regard to your config for destination NAT, I would like to know if I must add a proxy-arp for the interface SRDP (ge-0/0/4.0)?

    I've been advised to add these two lines to the config:

    set security nat static rule-set static-nat-SRDP from interface ge-0/0/4.0
    set security nat proxy-arp interface ge-0/0/4.0 address 172.21.24.30/32

    Please advise.

    Thanks,

    Ismail



  • 12.  RE: Junos equivalent to ScreenOS VIP port redirection

    Posted 04-03-2019 14:44

    Hello Ismail,

    You would need to configure proxy-arp ONLY if the network of the IP address on ge-0/0/4.0 contains 172.21.24.30.

    e.g.

    If ge-0/0/4 has 172.21.24.1/24 --- then Yes, proxy-arp is needed.

    If ge-0/0/4 has 1.1.1.1/8 --- then No, proxy-arp is NOT needed.

    Thanks!


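The proxy-arp rule from the post above (needed only when the NAT'd address lies inside the connected subnet of the ingress interface, because then the upstream router will ARP for it directly and no real host answers) is a subnet-membership check, so here is an added Python helper that makes the decision and emits only the proxy-arp lines that are actually required. This is not code from the thread or from Juniper; the interface name, addresses and the extra check that refuses to proxy-arp the interface's own address are assumptions of this example.

```python
from ipaddress import ip_address, ip_interface


def proxy_arp_needed(interface_address, nat_address):
    """True when nat_address falls inside the connected subnet of the interface.

    interface_address is the interface's own address with prefix, e.g. "172.21.24.1/24";
    nat_address is the pre-NAT (VIP-style) address that the SRX must answer ARP for.
    """
    iface = ip_interface(interface_address)
    target = ip_address(nat_address)
    if target == iface.ip:
        # The interface already answers ARP for its own address; proxy-arp for it
        # would be a misconfiguration rather than a NAT requirement (assumed check).
        raise ValueError(f"{nat_address} is the interface address itself")
    return target in iface.network


def proxy_arp_config(interface_name, interface_address, nat_addresses):
    """Return the `set security nat proxy-arp` lines for the addresses that need them."""
    lines = []
    for addr in nat_addresses:
        if proxy_arp_needed(interface_address, addr):
            lines.append(f"set security nat proxy-arp interface {interface_name} address {addr}/32")
    return lines


if __name__ == "__main__":
    # Both interface addresses are the ones used in the post above; the VIP is the thread's.
    for iface_addr in ("172.21.24.1/24", "1.1.1.1/8"):
        needed = proxy_arp_needed(iface_addr, "172.21.24.30")
        print(f"ge-0/0/4.0 = {iface_addr}: proxy-arp needed = {needed}")
    for line in proxy_arp_config("ge-0/0/4.0", "172.21.24.1/24", ["172.21.24.30", "10.200.3.37"]):
        print(line)
```

With the interface on 172.21.24.1/24 the helper emits one proxy-arp line for 172.21.24.30 and none for the post-NAT server address 10.200.3.37, which sits in a different subnet and is reached by routing; with the interface on 1.1.1.1/8 it emits nothing.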

  • 13.  RE: Junos equivalent to ScreenOS VIP port redirection
    Best Answer

    Posted 04-04-2019 02:32

    Morning Mate,

    Thank you so much for all your help and advice.

    Regards,

    Ismail



  • 14.  RE: Junos equivalent to ScreenOS VIP port redirection

    Posted 04-04-2019 15:41

    Hello Ismail,

    Good to know that your issues seem resolved.

    I also noticed that you have marked your own (Thank You) comment as the "solution" to this thread.

    It would be highly appreciated if you could mark the post with the actual answer as "Solution" (if possible) so that others can find it quickly.

    Thanks!