SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Policies and configuration of SRX 110

    Posted 01-20-2013 15:29

    I have some problems allowing access to the trust side.

     

    Created the policy rule:

     

    set security policies from-zone untrust to-zone trust policy NAS_8080 match source-address any
    set security policies from-zone untrust to-zone trust policy NAS_8080 match destination-address NAS_serv
    set security policies from-zone untrust to-zone trust policy NAS_8080 match application NAS_port_8080
    set security policies from-zone untrust to-zone trust policy NAS_8080 then permit
    set security policies from-zone untrust to-zone trust policy NAS_8080 then log session-init
    set security policies from-zone untrust to-zone trust policy NAS_8080 then log session-close


    I have created the application:

     

    set applications application NAS_port_8080 protocol tcp
    set applications application NAS_port_8080 source-port 1-65535
    set applications application NAS_port_8080 destination-port 8080

     

    I have created address book entry:

     

    set security zones security-zone trust address-book address NAS_serv description NAS-server
    set security zones security-zone trust address-book address NAS_serv 192.168.1.105/32

     

    Here is my complete configuration:

    http://pastebin.com/7Fyir5jU

     

    What am I missing? I can't reach the server in the trusted zone from the untrusted one.

     

    Thank you for helping.


    #open
    #SRX
    #Port
    #JUNOS


  • 2.  RE: Policies and configuration of SRX 110
    Best Answer

    Posted 01-20-2013 16:24

    While the policies look right the SRX doesn't have destination NAT configured.  That'll instruct it how to forward TCP8080 traffic to the NAS.  This configuration may help you (assuming that the VDSL is your WAN).

     

    set security nat destination pool NAS_serv address 192.168.1.105/32
    set security nat destination rule-set untrust-to-trust from interface pt-1/0/0.0
    set security nat destination rule-set untrust-to-trust rule NAS_Serv match destination-address 0.0.0.0/0
    set security nat destination rule-set untrust-to-trust rule NAS_Serv match destination-port 8080
    set security nat destination rule-set untrust-to-trust rule NAS_Serv then destination-nat pool NAS_serv
    

    Please keep in mind that your current configuration allows management traffic to the SRX and traffic to the NAS from anywhere in the world.  My suggestion would be to limit the scope of services available and the networks that can access those services.

     

    Thanks!



  • 3.  RE: Policies and configuration of SRX 110

    Posted 01-21-2013 00:59

    Just what I needed.

     

    Thank you so much - it's working now after applying the NAT rules.



  • 4.  RE: Policies and configuration of SRX 110

    Posted 01-21-2013 01:38

    Regarding the management traffic:

     

    If I apply a default deny policy at the bottom of my policies, I would be fine, right? Like this:

     

        set security policies from-zone untrust to-zone trust policy untrust-trusty-denyall match source-address any
        set security policies from-zone untrust to-zone trust policy untrust-trusty-denyall match destination-address any
        set security policies from-zone untrust to-zone trust policy untrust-trusty-denyall match application any
        set security policies from-zone untrust to-zone trust policy untrust-trusty-denyall then deny
        set security policies from-zone untrust to-zone trust policy untrust-trusty-denyall then log session-init



  • 5.  RE: Policies and configuration of SRX 110

    Posted 01-21-2013 05:45

    I'm glad to hear that the NAT configuration worked!

     

    And in regards to your second question, by default Junos denies all traffic that doesn't match a policy.  The advantage of creating a policy to do this is that you can log what traffic is blocked.  It certainly doesn't hurt anything!

     

    My suggestion would be to remove the ability to manage the SRX from your untrust zone.  For example, this would involve deleting the following lines from your configuration:

     

    set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services tftp
    set security zones security-zone untrust interfaces pt-1/0/0.0 host-inbound-traffic system-services tftp
    set security zones security-zone untrust interfaces pt-1/0/0.0 host-inbound-traffic system-services ssh
    set security zones security-zone untrust interfaces pt-1/0/0.0 host-inbound-traffic system-services traceroute
    set security zones security-zone untrust interfaces pt-1/0/0.10 host-inbound-traffic system-services traceroute

     If you need to gain management access consider implementing Dynamic VPN.
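    The three points raised in this thread (reply 2: a permit policy into trust does nothing for inbound port 8080 until a destination NAT pool steers the traffic to the NAS; reply 5: a final logged deny-all policy makes blocked traffic visible, and host-inbound system-services should not be open on the untrust zone) can be checked mechanically against a Junos `set`-style configuration. The following audit script is an added example, not code from the thread or from Juniper; the configuration fragments it contains are constructed from the commands posted above, and the `ALLOWED_UNTRUST_SERVICES` allowlist (`ike`, for the Dynamic VPN suggested above) is an assumption you would adjust to your own design.

```python
"""Audit Junos 'set' commands for the three gaps discussed in this thread:
a permit policy into trust whose destination has no destination-NAT pool,
host-inbound system-services exposed on the untrust zone, and no final
logged deny-all policy. Added example; not Juniper's or the posters' code."""
from collections import OrderedDict, defaultdict

# Assumption: services deliberately left reachable from untrust (e.g. 'ike'
# for the Dynamic VPN suggested in the thread). Constructed allowlist.
ALLOWED_UNTRUST_SERVICES = {"ike"}

# Constructed sample fragments, modelled on the commands posted in the thread.
ADDRESS_BOOK = """
set security zones security-zone trust address-book address NAS_serv 192.168.1.105/32
"""
UNTRUST_HOST_INBOUND = """
set security zones security-zone untrust interfaces pt-1/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces pt-1/0/0.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces pt-1/0/0.0 host-inbound-traffic system-services traceroute
"""
PERMIT_POLICY = """
set security policies from-zone untrust to-zone trust policy NAS_8080 match source-address any
set security policies from-zone untrust to-zone trust policy NAS_8080 match destination-address NAS_serv
set security policies from-zone untrust to-zone trust policy NAS_8080 match application NAS_port_8080
set security policies from-zone untrust to-zone trust policy NAS_8080 then permit
"""
DNAT = """
set security nat destination pool NAS_serv address 192.168.1.105/32
set security nat destination rule-set untrust-to-trust from interface pt-1/0/0.0
set security nat destination rule-set untrust-to-trust rule NAS_Serv match destination-port 8080
set security nat destination rule-set untrust-to-trust rule NAS_Serv then destination-nat pool NAS_serv
"""
DENY_ALL = """
set security policies from-zone untrust to-zone trust policy denyall match source-address any
set security policies from-zone untrust to-zone trust policy denyall match destination-address any
set security policies from-zone untrust to-zone trust policy denyall match application any
set security policies from-zone untrust to-zone trust policy denyall then deny
set security policies from-zone untrust to-zone trust policy denyall then log session-init
"""
AS_POSTED = ADDRESS_BOOK + UNTRUST_HOST_INBOUND + PERMIT_POLICY
HARDENED = ADDRESS_BOOK + PERMIT_POLICY + DNAT + DENY_ALL


def parse_set_lines(text):
    """Yield the tokens after 'set' for every 'set ...' line."""
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) > 1 and tokens[0] == "set":
            yield tokens[1:]


def audit(config_text, edge_zone="untrust", inside_zone="trust"):
    """Return findings for traffic from edge_zone into inside_zone."""
    addresses = {}            # (zone, name) -> prefix from the zone address book
    dnat_pools = set()        # prefixes that some destination-NAT pool maps to
    policies = OrderedDict()  # (from, to, name) -> {"match": {...}, "then": [...]}
    exposed = []              # (interface, service) open on the edge zone

    for t in parse_set_lines(config_text):
        if t[:3] == ["security", "zones", "security-zone"]:
            if t[4:6] == ["address-book", "address"] and len(t) == 8:
                addresses[(t[3], t[6])] = t[7]
            elif t[4] == "interfaces" and t[6:8] == ["host-inbound-traffic", "system-services"]:
                if t[3] == edge_zone and t[8] not in ALLOWED_UNTRUST_SERVICES:
                    exposed.append((t[5], t[8]))
        elif t[:4] == ["security", "nat", "destination", "pool"] and t[5] == "address":
            dnat_pools.add(t[6])
        elif t[:2] == ["security", "policies"] and len(t) >= 10 and t[6] == "policy":
            p = policies.setdefault((t[3], t[5], t[7]), {"match": defaultdict(list), "then": []})
            if t[8] == "match":
                p["match"][t[9]].append(t[10])
            elif t[8] == "then":
                p["then"].append(" ".join(t[9:]))

    dnat_missing = []
    last = None  # policies are evaluated in configuration order; track the final one
    for (fz, tz, name), p in policies.items():
        if (fz, tz) != (edge_zone, inside_zone):
            continue
        last = p
        if "permit" in p["then"]:
            for dst in p["match"]["destination-address"]:
                # The policy names the real (post-NAT) address; without a pool
                # for that prefix, inbound traffic is never steered to it.
                if dst != "any" and addresses.get((tz, dst)) not in dnat_pools:
                    dnat_missing.append((name, dst))

    has_logged_deny = (
        last is not None
        and "deny" in last["then"]
        and all(last["match"].get(k) == ["any"]
                for k in ("source-address", "destination-address", "application"))
        and any(action.startswith("log") for action in last["then"])
    )
    return {"dnat_missing": dnat_missing, "exposed_services": exposed,
            "has_logged_deny": has_logged_deny}


if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("hardened", HARDENED)):
        print(label, audit(cfg))
```

    Run it against the output of `show configuration | display set` saved to a file and it reports the same three things for your own box: permit policies whose destination no DNAT pool covers, services open on untrust interfaces, and whether the last untrust-to-trust policy is a logged deny.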



  • 6.  RE: Policies and configuration of SRX 110

    Posted 01-21-2013 07:30

    Okay, I see. You were referring to 'system-services'. I will delete some of those entries.

     

    Thank you for your help. Much appreciated.