Junos OS




  • 1.  host-inbound-traffic IKE

    Posted 20 days ago
    Hello,
    I'm playing with SRX300 and I didn't find in guides so...
    I wanna have interface ge-0/0/3 in Untrusted security zone (exposed to internet).
    For this security zone, I've set host-inbound-traffic system-services ike.
    From security perspective, I want to  have whitelist for this 'ike' service, so only my "home office" public IP is able to access and connect via IPsec.
    On the other hand, I wish to disable potential port scanning to get response for that (e.g. isakmp) service.
    My goal is to have ike service that will only reply when packets coming in from my "home office" public IP.

    I hope I explained enough what I wish to achieve.

    Thank you.

    ------------------------------
    VM
    ------------------------------


  • 2.  RE: host-inbound-traffic IKE

    Posted 20 days ago
    The addition of the host inbound traffic alone is just for the protocol itself without any restrictions on the connections further than the protocol itself.

    You can add the further restrictions you want using security policies for the default junos-host zone assigned to self traffic as outlined in this kb article.

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB24227

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: host-inbound-traffic IKE

    Posted 18 days ago
    Based on kb article from link you gave me, I did some modification but I'm not sure if applications IKE and IKE-NAT. Would this be enough to limit access to IKE (500 or 4500) only from My_Public_IP addresses or port 500 would still show up on nmap scan from anywhere on the internet?

    policies {
        from-zone Untrust to-zone junos-host {
            policy selfpolicy {
                match {
                    source-address [ My_Public_IP_1 My_Public_IP_2 ];
                    destination-address any;
                    application [ IKE IKE-NAT ];
                }
                then {
                    permit;
                }
            }
        }
    }



    Thank you.


    ------------------------------
    Vedran Milicevic
    ------------------------------



  • 4.  RE: host-inbound-traffic IKE

    Posted 15 days ago
    You also need the second policy called out in the kb article after the first one to deny all for other ip addresses on these application ports.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 5.  RE: host-inbound-traffic IKE

    Posted 14 days ago
    Gotcha. Thank you.
    I've added deny-all and fixed junos application names. I guess this should work now. Will give it a try and get back if I bump into issues.

    policies {
        from-zone test to-zone junos-host {
            policy selfpolicy {
                match {
                    source-address [ My_Public_IP_1 My_Public_IP_2 ];
                    destination-address any;
                    application [ junos-ike junos-ike-nat ];
                }
                then {
                    permit;
                }
            }
            policy denyall {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    reject;
                }
            }
        }
    }


    ------------------------------
    Vedran Milicevic
    ------------------------------
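The pieces the thread converges on (the zone-level host-inbound-traffic that enables IKE at all, the address-book objects the policy refers to, and the two junos-host policies), as one complete added example that is not part of the original posts or of the KB article. The addresses 203.0.113.10/32 and 203.0.113.11/32 are constructed placeholders for the poster's My_Public_IP_1 and My_Public_IP_2, the global address-book placement is an assumption (zone-level address books work the same way), and the zone name Untrust and interface ge-0/0/3.0 are taken from the first post.

```junos
security {
    address-book {
        global {
            /* constructed example addresses; replace with the real home-office public IPs */
            address My_Public_IP_1 203.0.113.10/32;
            address My_Public_IP_2 203.0.113.11/32;
        }
    }
    zones {
        security-zone Untrust {
            /* enables the IKE listener on this zone; the junos-host policies below restrict who may reach it */
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                ge-0/0/3.0;
            }
        }
    }
    policies {
        from-zone Untrust to-zone junos-host {
            /* first match wins: the permit must be ordered before the catch-all */
            policy selfpolicy {
                match {
                    source-address [ My_Public_IP_1 My_Public_IP_2 ];
                    destination-address any;
                    application [ junos-ike junos-ike-nat ];
                }
                then {
                    permit;
                }
            }
            policy denyall {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    /* deny drops silently; reject would answer with an ICMP unreachable / TCP RST */
                    deny;
                    log {
                        session-init;
                    }
                }
            }
        }
    }
}
```

Two choices in this example differ from the thread's last config on purpose. The catch-all uses deny rather than reject: reject sends a response back to the unmatched source (ICMP port unreachable for UDP, TCP RST for TCP), which is exactly the kind of reply the first post wants to avoid, while deny drops the packet without answering. And log session-init on the catch-all writes an RT_FLOW session-deny record for every unmatched attempt against the device's own services, which is the cheapest way to see who is probing UDP 500/4500 once this is in place. Policy order matters because evaluation stops at the first match, so if denyall ends up above selfpolicy (for example after an insert), move it with `insert security policies from-zone Untrust to-zone junos-host policy denyall after policy selfpolicy`; `show security policies from-zone Untrust to-zone junos-host` confirms the order, and `show security zones Untrust` confirms that ike is still listed under host-inbound-traffic, since removing that would break the tunnel for the whitelisted addresses as well.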