Junos OS

  • 1.  SRX300 InterZone traffic

    Posted 01-26-2022 09:30

    Hi All

    I have an SRX300 that we will use as a firewall/switch.

    I have it configured and am testing it; everything is working except for the following issue.
    I have two ports in a VLAN.

    I would like the devices plugged into those two ports (two servers) to be able to talk to each other.

    Can someone please advise why this does not currently work?

    I have posted the config below.

    /* Management services. Root SSH login is denied and NETCONF runs over SSH. */
    services {
            ssh {
                root-login deny;
            }
            netconf {
                ssh;
            }
            /* DHCP server bound to irb.0; the pool itself is defined under [access address-assignment]. */
            dhcp-local-server {
                group jdhcp-group {
                    interface irb.0;
                }
            }
            /* J-Web over HTTPS with a self-signed certificate, bound to irb.30 AND to ge-0/0/0.0. */
            /* NOTE(review): ge-0/0/0.0 is the untrust (Internet-facing) interface, and the untrust zone */
            /* also admits host-inbound https, so the management UI is reachable from the Internet. */
            /* Binding it only to internal interfaces (or restricting sources) is the usual mitigation. */
            web-management {
                https {
                    system-generated-certificate;
                    interface [ ge-0/0/0.0 irb.30 ];
                }
            }
        }
        /* DNS resolvers used by the device itself (public Google resolvers). */
        name-server {
            8.8.8.8;
            8.8.4.4;
        }
        /* On-box logging: emergencies to all logged-in users, notice-level events plus authorization */
        /* events to "messages", and every CLI command to "interactive-commands" (useful audit trail). */
        /* NOTE(review): logs stay on local flash (3 x 100k archive); forwarding to a remote collector */
        /* keeps them available if the device is wiped or compromised. */
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any notice;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;
            }
        }
        /* Keep five committed configurations on flash and five rollback points. */
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        /* Automatic license retrieval from Juniper over HTTPS. */
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        /* Phone-home (zero-touch) client pointed at Juniper's redirect server. */
        phone-home {
            server https://redirect.juniper.net;
            rfc-compliant;
        }
    }
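    /* Security plane: address book, screens, NAT, zone policies and zones. */
    security {
        address-book {
            global {
                /* NOTE(review): the individual `address` entries (rdp1, rdp2, rdp4, rdp5, support, webserver, */
                /* openvpn) referenced by the sets and policies below are not in the paste; they were presumably */
                /* redacted. A stray closing brace left behind by that redaction has been removed so the stanza */
                /* parses and the address-sets sit under `global` where Junos expects them. */
                address-set RDP {
                    address rdp1;
                    address rdp2;
                    address rdp4;
                    address rdp5;
                }
                address-set ftp {
                    address rdp4;
                    address rdp5;
                }
            }
        }
        /* Screen profile applied to the untrust zone: basic ICMP/IP/TCP anomaly checks and SYN-flood thresholds. */
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            /* Outbound interface NAT: everything from trust to untrust is hidden behind the ge-0/0/0.0 address. */
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
            /* One-to-one static NAT. "Internet IP.N" is the poster's placeholder for the redacted public prefix; */
            /* each public address maps to a host on 192.168.30.0/24 (behind irb.30). Static NAT is bidirectional, */
            /* so these hosts are reachable from the Internet subject to the untrust-to-trust policies below. */
            static {
                rule-set 194 {
                    from zone untrust;
                    rule 194 {
                        match {
                            destination-address Internet IP.194/32;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.30.194/32;
                                }
                            }
                        }
                    }
                    rule 191 {
                        match {
                            destination-address Internet IP.191/32;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.30.191/32;
                                }
                            }
                        }
                    }
                    rule 192 {
                        match {
                            destination-address Internet IP.192/32;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.30.192/32;
                                }
                            }
                        }
                    }
                    rule 196 {
                        match {
                            destination-address Internet IP.196/32;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.30.196/32;
                                }
                            }
                        }
                    }
                    rule 23 {
                        match {
                            destination-address Internet IP.23/32;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.30.23/32;
                                }
                            }
                        }
                    }
                    rule 195 {
                        match {
                            destination-address Internet IP.195/32;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.30.195/32;
                                }
                            }
                        }
                    }
                }
            }
            /* Proxy ARP so the SRX answers ARP on ge-0/0/0.0 for the static-NAT public addresses that are not its own. */
            proxy-arp {
                interface ge-0/0/0.0 {
                    address {
                        Internet IP.23/32 to Internet IP.23/32;
                        Internet IP.191/32 to Internet IP.191/32;
                        Internet IP.192/32 to Internet IP.192/32;
                        Internet IP.194/32 to Internet IP.194/32;
                        Internet IP.195/32 to Internet IP.195/32;
                        Internet IP.196/32 to Internet IP.196/32;
                    }
                }
            }
        }
        policies {
            /* Intra-zone policy for routed traffic between the trust interfaces (irb.0, irb.30, ge-0/0/5.0). */
            /* NOTE(review): two hosts on access ports in the same VLAN (ge-0/0/1 and ge-0/0/2 in vlan30) are */
            /* bridged and presumably never evaluated against this policy, which is consistent with the thread's */
            /* finding that a host-based firewall, not the SRX, was blocking the servers. */
            from-zone trust to-zone trust {
                policy trust-to-trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            /* Unrestricted outbound access from trust to the Internet. */
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            /* Inbound (Internet-facing) policies. RDP is restricted to the `support` source set and logged; */
            /* FTP, HTTP/HTTPS and the custom OpenVPN ports are open to any source. `dynamic-application any` */
            /* presumably makes these unified (AppID) policies on top of the listed L4 applications. */
            /* NOTE(review): junos-ftp is cleartext; exposing it to any source is worth revisiting. */
            from-zone untrust to-zone trust {
                policy rdp {
                    match {
                        source-address support;
                        destination-address RDP;
                        application junos-rdp;
                        dynamic-application any;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
                policy filezilla {
                    match {
                        source-address any;
                        destination-address ftp;
                        application [ junos-ftp junos-ftp-data ];
                        dynamic-application any;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
                policy webserver {
                    match {
                        source-address any;
                        destination-address webserver;
                        application [ junos-http junos-https ];
                        dynamic-application any;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
                policy openvpn {
                    match {
                        source-address any;
                        destination-address openvpn;
                        application OpenVPN;
                        dynamic-application any;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
            }
            /* Anything not explicitly permitted above is dropped. */
            default-policy {
                deny-all;
            }
        }
        zones {
            /* trust accepts every host-inbound service and protocol on its interfaces. */
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    irb.0;
                    irb.30;
                    ge-0/0/5.0;
                }
            }
            /* untrust: screen profile applied; the WAN interface accepts DHCP, TFTP and HTTPS to the device itself. */
            /* NOTE(review): https here is what lets J-Web (system web-management) be reached from the Internet. */
            /* ge-0/0/0.0 has a static address and nothing in the paste uses TFTP, so dhcp and tftp look */
            /* unnecessary here — confirm before removing. */
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                                https;
                            }
                        }
                    }
                }
            }
        }
    }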
    interfaces {
        /* WAN uplink (untrust zone). "Internet IP" is the poster's placeholder for the redacted public prefix. */
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address Internet IP.190/24;
                }
            }
        }
        /* The two server ports from the question: untagged access ports in vlan30 (L3 gateway is irb.30). */
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members vlan30;
                    }
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members vlan30;
                    }
                }
            }
        }
        /* Routed port in the trust zone on 192.168.200.0/24. */
        ge-0/0/5 {
            unit 0 {
                family inet {
                    address 192.168.200.28/24;
                }
            }
        }
        irb {
            /* Gateway for vlan-trust; also the DHCP server interface and the router handed out by the pool. */
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
            /* Gateway for vlan30; the static-NAT targets (192.168.30.x) live on this subnet. */
            unit 30 {
                family inet {
                    address 192.168.30.222/24;
                }
            }
        }
    }
    /* DHCP pool served by the dhcp-local-server group on irb.0. */
    access {
        address-assignment {
            pool junosDHCPPool {
                family inet {
                    network 192.168.1.0/24;
                    range junosRange {
                        low 192.168.1.2;
                        high 192.168.1.254;
                    }
                    dhcp-attributes {
                        /* Default gateway handed to clients is irb.0. */
                        router {
                            192.168.1.1;
                        }
                        /* Copies options learned by a DHCP client on ge-0/0/0.0; that interface is statically */
                        /* addressed in [interfaces], so presumably nothing is propagated — verify. */
                        propagate-settings ge-0/0/0.0;
                    }
                }
            }
        }
    }
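    applications {
        /* Custom service used by the untrust-to-trust "openvpn" policy: 1194/udp tunnel plus 943/tcp, 443/tcp */
        /* and 80/tcp (presumably OpenVPN Access Server's web ports); each term has a 30-second inactivity timeout. */
        /* The original terms used `source-port 0-65353`, a typo that silently excluded client ephemeral ports */
        /* 65354-65535; corrected to the full range. */
        application OpenVPN {
            term port1194 protocol udp source-port 0-65535 destination-port 1194-1194 inactivity-timeout 30;
            term port943 protocol tcp source-port 0-65535 destination-port 943-943 inactivity-timeout 30;
            term port443 protocol tcp source-port 0-65535 destination-port 443-443 inactivity-timeout 30;
            term port80 protocol tcp source-port 0-65535 destination-port 80-80 inactivity-timeout 30;
        }
    }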
    vlans {
        /* VLAN 3 routed via irb.0 (192.168.1.1/24, the DHCP subnet). */
        /* NOTE(review): no access port in the paste is a member of vlan-trust (ge-0/0/1 and ge-0/0/2 are in */
        /* vlan30); other ports may simply have been omitted from the post. */
        vlan-trust {
            vlan-id 3;
            l3-interface irb.0;
        }
        /* VLAN 30 routed via irb.30 (192.168.30.222/24); holds the two server ports. */
        vlan30 {
            vlan-id 30;
            l3-interface irb.30;
        }
    }
    protocols {
        /* Ethernet-switching mode for the ethernet-switching ports (vlan30 members are bridged, not routed). */
        l2-learning {
            global-mode switching;
        }
        /* RSTP on every interface for loop protection on the switched ports. */
        rstp {
            interface all;
        }
    }
    /* Default route to the ISP gateway; "Internet IP.1" is the poster's placeholder for the redacted address. */
    routing-options {
        static {
            route 0.0.0.0/0 next-hop Internet IP.1;
        }
    }



    ------------------------------
    CHAYNE CHILES
    ------------------------------



  • 2.  RE: SRX300 InterZone traffic

    Posted 01-28-2022 09:31
    bump

    ------------------------------
    CHAYNE CHILES
    ------------------------------



  • 3.  RE: SRX300 InterZone traffic

    Posted 01-28-2022 09:34
    On first look, your config is fine. But I have seen it many times where the servers have their Windows firewalls enabled and they block the traffic. So check that you have disabled the firewalls or configured their rules correctly to allow the services you need through.

    ------------------------------
    KRISTIAN DURVIN
    ------------------------------



  • 4.  RE: SRX300 InterZone traffic

    Posted 01-28-2022 12:22

    I feel like such an idiot.

    I disabled Windows Firewall but didn't disable the Avast that was installed on the laptop.

    It does connect successfully after I disable that.

    Thank you for your help.



    ------------------------------
    CHAYNE CHILES
    ------------------------------