Best way to allow established connections from WAN to LAN on SRX?

  • 1.  Best way to allow established connections from WAN to LAN on SRX?

    Posted 10-08-2019 16:11

    Hello everyone,

    What would be the best method to set up a simple firewall rule for allowing established connections from the internet to a client machine?

    I have done this in my old router firewall configs no problem, but with the SRX there are different concepts, namely firewall policies vs firewall filters.  In setting up firewall policies from the WAN to LAN zone, I don't see anything that just allows established connections back in.

    Any insight would be most appreciated.

    Thank you,

    A.V.



  • 2.  RE: Best way to allow established connections from WAN to LAN on SRX?

     
    Posted 10-08-2019 20:48

    # Destination NAT: sessions arriving for 172.27.102.38 are translated to the ESXi host 192.168.55.33
    set security nat destination pool esxi address 192.168.55.33/32

    # The rule-set applies to traffic entering from the dmz and untrust zones, from any source
    set security nat destination rule-set esxi from zone dmz
    set security nat destination rule-set esxi from zone untrust
    set security nat destination rule-set esxi rule esxi match source-address 0.0.0.0/0
    set security nat destination rule-set esxi rule esxi match destination-address 172.27.102.38/32
    set security nat destination rule-set esxi rule esxi then destination-nat pool esxi

    # Outbound policy from dmz to untrust; replies to sessions it creates are matched by the
    # session table and need no separate rule. Inbound sessions that are translated by the NAT
    # rule above still need a permit policy from untrust towards the zone that holds 192.168.55.33.
    set security policies from-zone dmz to-zone untrust policy trust-to-untrust match source-address any
    set security policies from-zone dmz to-zone untrust policy trust-to-untrust match destination-address any
    set security policies from-zone dmz to-zone untrust policy trust-to-untrust match application any
    set security policies from-zone dmz to-zone untrust policy trust-to-untrust then permit

     

     

    These configs should help you get started.

     



  • 3.  RE: Best way to allow established connections from WAN to LAN on SRX?

     
    Posted 10-08-2019 22:07

    This is the whole configuration for you. It works as follows: traffic from the untrust zone towards the dmz zone,

    with any source IP, to the interface IP address of the untrust zone (fe-0/0/0), opening TCP port 9900 for an internal HTTP server on TCP port 80 with IP address 172.27.103.2.


     

    # Interfaces: fe-0/0/0 faces the untrust side, fe-0/0/1 faces the dmz
    set interfaces fe-0/0/0 unit 0 family inet address 192.168.17.254/24

    set interfaces fe-0/0/1 unit 0 family inet address 172.27.103.2/24

    # Default route towards the upstream router on the untrust side
    set routing-options static route 0.0.0.0/0 next-hop 192.168.17.250

    # Destination NAT pool: the translated destination address and port (TCP/80 on the HTTP server).
    # Note: 172.27.103.2 is also the fe-0/0/1 interface address configured above. For a server
    # behind the SRX the pool must point at the server's own address, not the firewall interface.
    set security nat destination pool port9900 address 172.27.103.2/32
    set security nat destination pool port9900 address port 80

    # Rule: anything entering from untrust for the untrust interface address on TCP/9900 is
    # rewritten to the pool (172.27.103.2:80)
    set security nat destination rule-set port9900 from zone untrust
    set security nat destination rule-set port9900 rule 1 match source-address 0.0.0.0/0
    set security nat destination rule-set port9900 rule 1 match destination-address 192.168.17.254/32
    set security nat destination rule-set port9900 rule 1 match destination-port 9900
    set security nat destination rule-set port9900 rule 1 then destination-nat pool port9900

    # Security policy is evaluated after destination NAT, so it matches the post-NAT destination
    # (address-book entry int-9900) and the translated port via the junos-http application
    set security policies from-zone untrust to-zone dmz policy permit_9900 match source-address any
    set security policies from-zone untrust to-zone dmz policy permit_9900 match destination-address int-9900
    set security policies from-zone untrust to-zone dmz policy permit_9900 match application junos-http
    set security policies from-zone untrust to-zone dmz policy permit_9900 then permit

    # Zones and host-inbound-traffic. "system-services all" and "protocols all" on the untrust
    # interface expose every management service and routing protocol of the SRX itself to the
    # internet; restrict these to what is actually needed on a production box.
    set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services all
    set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic protocols all
    set security zones security-zone dmz address-book address int-9900 172.27.103.2/32
    set security zones security-zone dmz interfaces fe-0/0/1.0 host-inbound-traffic system-services all
    set security zones security-zone dmz interfaces fe-0/0/1.0 host-inbound-traffic protocols all



  • 4.  RE: Best way to allow established connections from WAN to LAN on SRX?

    Posted 10-09-2019 09:42

    So basically, with the trust to untrust policy, it's implicit that the established connections will be allowed back in?



  • 5.  RE: Best way to allow established connections from WAN to LAN on SRX?
    Best Answer

     
    Posted 10-09-2019 11:00

    With the trust to untrust policy, when traffic is initiated from a source A in the trust zone to a destination B in untrust, the return traffic belonging to the same session is implicitly allowed back from untrust to trust.

    However, traffic for a new session sourced from B to A needs another policy from untrust to trust.

     

    Hope this helps.

     

    Thanks and Regards,

    Pradeep kumar M
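The session behaviour described in the accepted answer, as an added configuration example that is not from the original thread. Interface names, addresses, the zone names trust/untrust and the policy names are all assumptions; the comment lines are annotations and are not part of what you paste into `load set terminal`.

```junos
# Added example, not from the thread. Interfaces, zones and addresses are assumed.
# ge-0/0/0 faces the WAN (zone untrust), ge-0/0/1 faces the LAN (zone trust).
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.2/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0
# Management of the SRX itself only from the LAN side; nothing is opened on the WAN interface.
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh

# Source NAT so LAN hosts reach the internet using the WAN interface address.
set security nat source rule-set lan-out from zone trust
set security nat source rule-set lan-out to zone untrust
set security nat source rule-set lan-out rule lan-out-1 match source-address 192.168.1.0/24
set security nat source rule-set lan-out rule lan-out-1 then source-nat interface

# Outbound policy. A session created by this policy carries its own return traffic back in:
# the reply packets match the existing session entry and never consult an untrust-to-trust policy.
set security policies from-zone trust to-zone untrust policy lan-to-internet match source-address any
set security policies from-zone trust to-zone untrust policy lan-to-internet match destination-address any
set security policies from-zone trust to-zone untrust policy lan-to-internet match application any
set security policies from-zone trust to-zone untrust policy lan-to-internet then permit

# Inbound. There is no "established" rule to write; only NEW sessions initiated from the WAN
# consult this direction, and with nothing permitted they are dropped. An explicit deny with
# logging keeps that behaviour visible in the logs instead of relying on the silent default.
set security policies from-zone untrust to-zone trust policy deny-inbound match source-address any
set security policies from-zone untrust to-zone trust policy deny-inbound match destination-address any
set security policies from-zone untrust to-zone trust policy deny-inbound match application any
set security policies from-zone untrust to-zone trust policy deny-inbound then deny
set security policies from-zone untrust to-zone trust policy deny-inbound then log session-init
set security policies default-policy deny-all
```

To see the behaviour, open a connection from a LAN host and run `show security flow session source-prefix 192.168.1.0/24`: each session is listed with an "In" wing (trust to untrust) and an "Out" wing (the reply path), and only the trust-to-untrust policy name appears on it. `show security policies hit-count` will show the inbound deny policy counting only connection attempts that originate on the WAN side, which is exactly the traffic that would need its own untrust-to-trust permit (as in the destination NAT examples earlier in the thread) if you wanted to expose a service.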