Junos OS




  • 1.  SSH to a device behind an SRX Firewall

    Posted 09-25-2021 19:14
    I have a device that is sitting on the trusted side of a Juniper SRX.  I have a NAT built in the SRX for that device.  When I try to SSH to that device I get the following error, 

    ssh_exchange_identification: Connection closed by remote hos

    I do not believe it is an issue with the device, because from the local LAN I can SSH into the device just fine.

    Any ideas on the root cause of this error message?

    Thanks

    ------------------------------
    RICK HOPKIN
    ------------------------------


  • 2.  RE: SSH to a device behind an SRX Firewall

     
    Posted 09-25-2021 19:24
    There are at least two elements needed for the NAT setup and possibly a third.

    As you have done, the destination NAT is set up.

    You also need a security policy from the ingress zone to the egress zone; this uses the post-destination-NAT address and not the pool address.

    Finally, you may also need to add proxy-arp if the public address is not the physical interface address.

    Full examples are in this document.
    https://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: SSH to a device behind an SRX Firewall

    Posted 09-26-2021 05:58

    Steve,

     

    Thank you for your response let me share some config snippets.  IP Addresses have changed for security reasons.

     

    set security nat static rule-set rs1 from zone untrust
    set security nat static rule-set rs1 rule Genband match destination-address 2.2.2.2/32
    set security nat static rule-set rs1 rule Genband then static-nat prefix 1.1.1.2/32
    set security nat static rule-set rs1 rule EX4200 match destination-address 2.2.2.3/32
    set security nat static rule-set rs1 rule EX4200 then static-nat prefix 1.1.1.3/32
    set security nat proxy-arp interface ge-0/0/3.0 address 2.2.2.2/32
    set security nat proxy-arp interface ge-0/0/3.0 address 2.2.2.3/32
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
    set security policies from-zone untrust to-zone trust policy Genband match source-address any
    set security policies from-zone untrust to-zone trust policy Genband match destination-address Genband
    set security policies from-zone untrust to-zone trust policy Genband match application any
    set security policies from-zone untrust to-zone trust policy Genband then permit
    set security policies from-zone untrust to-zone trust policy EX4200 match source-address any
    set security policies from-zone untrust to-zone trust policy EX4200 match destination-address EX4200
    set security policies from-zone untrust to-zone trust policy EX4200 match application any
    set security policies from-zone untrust to-zone trust policy EX4200 then permit
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic system-services ssh
    set security zones security-zone trust host-inbound-traffic system-services http
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust interfaces vlan.0
    set security zones security-zone trust interfaces ge-0/0/5.0 host-inbound-traffic system-services all
    set security zones security-zone trust interfaces ge-0/0/5.0 host-inbound-traffic protocols all
    set security zones security-zone untrust screen untrust-screen
    set security zones security-zone untrust host-inbound-traffic system-services ssh
    set security zones security-zone untrust host-inbound-traffic system-services ike
    set security zones security-zone untrust host-inbound-traffic system-services ping
    set security zones security-zone untrust interfaces ge-0/0/3.0

     

    As you can see, all 3 elements are there. I would also like to point out that the config for the EX4200 works with no issues.  The Genband only breaks when I SSH through the SRX, but even if I SSH to the SRX and then jump to the Genband it works.  So what is it about the NAT that the Genband does not like?

     

    Rick Hopkin
    Magna5
    Network Reliability Engineering Manager

    469.409.1070 office
    469.360.4450 mobile
    rhopkin@magna5global.com
    www.magna5global.com


  • 4.  RE: SSH to a device behind an SRX Firewall

     
    Posted 09-26-2021 12:13
    What is the address object ex4200?  It needs to be the internal 1.1.1.3/32 address.

    You don't need to allow SSH for the inbound services on zones; this is for access to the actual SRX self traffic and does not affect transit.

    And when you attempt the ssh connection what is seen in the session table?
    show security flow session destination-prefix 1.1.1.3/32


    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------
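An added example, not from the thread or from Juniper: a small Python check over a "set"-style SRX config for the three elements Steve lists in reply 2, plus the address-object point from reply 4 (the untrust-to-trust policy must resolve to the post-NAT internal prefix, not the public one). The sample config is constructed; the address-book lines and the `global` book name are my assumption, since the thread never shows how Genband and EX4200 are defined.

```python
import re

# Constructed sample in the thread's own format. Only one of the two assumed
# address-book entries points at the internal (post-NAT) address; proxy-arp is
# deliberately present for only one public address.
SAMPLE_CONFIG = """
set security nat static rule-set rs1 rule Genband match destination-address 2.2.2.2/32
set security nat static rule-set rs1 rule Genband then static-nat prefix 1.1.1.2/32
set security nat static rule-set rs1 rule EX4200 match destination-address 2.2.2.3/32
set security nat static rule-set rs1 rule EX4200 then static-nat prefix 1.1.1.3/32
set security nat proxy-arp interface ge-0/0/3.0 address 2.2.2.3/32
set security address-book global address Genband 2.2.2.2/32
set security address-book global address EX4200 1.1.1.3/32
set security policies from-zone untrust to-zone trust policy Genband match destination-address Genband
set security policies from-zone untrust to-zone trust policy EX4200 match destination-address EX4200
"""

# One regex per config element we care about (zones fixed to the thread's untrust->trust).
PATTERNS = {
    "public":   r"set security nat static rule-set \S+ rule (\S+) match destination-address (\S+)",
    "internal": r"set security nat static rule-set \S+ rule (\S+) then static-nat prefix (\S+)",
    "proxy":    r"set security nat proxy-arp interface \S+ address (\S+)",
    "addr":     r"set security address-book global address (\S+) (\S+)",
    "policy":   r"set security policies from-zone untrust to-zone trust policy \S+ match destination-address (\S+)",
}

def check_static_nat(config):
    """Return {nat_rule_name: [issues]}; an empty list means all three elements line up."""
    rules, proxy, book, policy_objs = {}, set(), {}, set()
    for line in config.strip().splitlines():
        for kind, pat in PATTERNS.items():
            m = re.match(pat, line.strip())
            if not m:
                continue
            if kind in ("public", "internal"):
                rules.setdefault(m[1], {})[kind] = m[2]
            elif kind == "proxy":
                proxy.add(m[1])
            elif kind == "addr":
                book[m[1]] = m[2]
            else:
                policy_objs.add(m[1])
    # Prefixes the inbound policies actually permit once address-object names are resolved.
    allowed = {book.get(obj, obj) for obj in policy_objs}
    permits = lambda prefix: "any" in policy_objs or prefix in allowed
    report = {}
    for name, r in rules.items():
        pub, internal, issues = r.get("public"), r.get("internal"), []
        if not permits(internal):
            hint = " (policy uses the pre-NAT address instead)" if permits(pub) else ""
            issues.append(f"no untrust->trust policy permits post-NAT {internal}{hint}")
        if pub not in proxy:
            issues.append(f"no proxy-arp for public {pub}")
        report[name] = issues
    return report

if __name__ == "__main__":
    for rule, issues in check_static_nat(SAMPLE_CONFIG).items():
        print(rule, "OK" if not issues else "; ".join(issues))
```

Run against a real `show configuration | display set` dump this reports, per static NAT rule, whether the policy destination resolves to the internal prefix and whether proxy-arp covers the public one; it does not replace checking the session table with the `show security flow session` command above.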