Hi,
Thanks for your quick reply!
I have both interfaces in the Trust zone (I needed to put the Internet zone as trust to allow me to SSH to the device). There is no HQ zone (this is purely a learning/test device).
john@JohnSRX# show security zones security-zone trust ?
Possible completions:
<[Enter]> Execute this command
> address-book Address book entries
> advance-policy-based-routing-profile Enable Advance Policy Based Routing on this zone
application-tracking Enable Application tracking support for this zone
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
description Text description of zone
enable-reverse-reroute Enable Reverse route lookup when there is change in ingress interface
> host-inbound-traffic Allowed system services & protocols
> interfaces Interfaces that are part of this zone
screen Name of ids option object applied to the zone
source-identity-log Show user and group info in session log for this zone
tcp-rst Send RST for NON-SYN packet not matching TCP session
| Pipe through a command
[edit]
john@JohnSRX# show security zones security-zone trust address-book
address network_100 192.168.10.0/24;
[edit]
john@JohnSRX# show security zones
security-zone trust {
    address-book {
        address network_100 192.168.10.0/24;
    }
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        irb.0;
        ge-0/0/6.0 {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
        }
        ge-0/0/1.0;
        lo0.0;
        ge-0/0/0.0;
    }
}
security-zone untrust {
    screen untrust-screen;
    interfaces {
        ge-0/0/7.0 {
            host-inbound-traffic {
                system-services {
                    dhcp;
                    tftp;
                }
            }
        }
        dl0.0 {
            host-inbound-traffic {
                system-services {
                    tftp;
                }
            }
        }
    }
}
[edit]
john@JohnSRX# show security zones security-zone trust address-book
address network_100 192.168.10.0/24;
[edit]
john@JohnSRX# show security address-book
[edit]
john@JohnSRX#
Do I need to add my home network 192.168.0.0/24 to the address book?
I spent a fair bit of time thinking NAT wasn't working; only when I put a laptop on to do a traceroute did I find that it does work, just not from the SVI 192.168.10.1.
I can console on if I need to move the Internet port to untrust.
Internet port: ge-0/0/0.0
LAN port: ge-0/0/1.0
------------------------------
John Kinnaird
------------------------------
Original Message:
Sent: 10-07-2022 10:34
From: Anonymous User
Subject: address book
This message was posted by a user wishing to remain anonymous
Hi everyone!
Could you please explain to me when we use the address book and what it is exactly? I can't imagine it, like what it is used for.
For example, I did my source NAT policy so that my PC can access the Internet, and then I was told to create an address book for my PC network so that only my PC can access the Internet with my Ethernet cable and not another user's PC, but I can't understand why we did it and how it works with my NAT policy.
Here is the configuration:
set security address-book global address HQ_net 192.168.2.0/24
set security nat source rule-set source_nat from zone hq
set security nat source rule-set source_nat to zone internet
set security nat source rule-set source_nat rule r1 match source-address 192.168.2.0/24
set security nat source rule-set source_nat rule r1 match destination-address 172.16.254.0/24
set security nat source rule-set source_nat rule r1 then source-nat interface
set security policies from-zone hq to-zone internet policy hq_internet_permit match source-address hq_net
set security policies from-zone hq to-zone internet policy hq_internet_permit match destination-address hq_net
set security policies from-zone hq to-zone internet policy hq_internet_permit match application junos-http
set security policies from-zone hq to-zone internet policy hq_internet_permit then permit
set security policies from-zone hq to-zone internet policy hq_internet_permit then log session-close
set security policies from-zone hq to-zone internet policy hq_internet_deny match source-address any
set security policies from-zone hq to-zone internet policy hq_internet_deny match destination-address any
set security policies from-zone hq to-zone internet policy hq_internet_deny match application any
set security policies from-zone hq to-zone internet policy hq_internet_deny then deny
set security policies from-zone hq to-zone internet policy hq_internet_deny then log session-init
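To make the relationship between the address book and the zone policy concrete, here is an added Python model of the lookup (it is not Juniper code and not the configuration posted above). It parses `set security address-book global address ...` and `set security policies ...` lines of the shape used in this thread into an address book and an ordered policy list, then evaluates sample sessions first-match the way the SRX walks policies for a zone pair. `SAMPLE_CONFIG` and `MISMATCH_CONFIG` are constructed for the example; the NAT rule-set is deliberately not modelled, only the policy decision that the address-book name feeds. Address names are looked up case-sensitively (an assumption about Junos identifiers made in the code), which is why the validator flags a policy that references `hq_net` when the book defines `HQ_net`, as the posted lines do.

```python
import ipaddress
import re

# Constructed config modelled on the thread's (not the poster's exact lines):
# one global address-book entry, a permit policy scoped to it, a catch-all deny.
SAMPLE_CONFIG = """
set security address-book global address HQ_net 192.168.2.0/24
set security policies from-zone hq to-zone internet policy hq_internet_permit match source-address HQ_net
set security policies from-zone hq to-zone internet policy hq_internet_permit match destination-address any
set security policies from-zone hq to-zone internet policy hq_internet_permit match application junos-http
set security policies from-zone hq to-zone internet policy hq_internet_permit then permit
set security policies from-zone hq to-zone internet policy hq_internet_permit then log session-close
set security policies from-zone hq to-zone internet policy hq_internet_deny match source-address any
set security policies from-zone hq to-zone internet policy hq_internet_deny match destination-address any
set security policies from-zone hq to-zone internet policy hq_internet_deny match application any
set security policies from-zone hq to-zone internet policy hq_internet_deny then deny
"""

# Constructed: the book defines HQ_net but the policy references hq_net.
MISMATCH_CONFIG = """
set security address-book global address HQ_net 192.168.2.0/24
set security policies from-zone hq to-zone internet policy hq_internet_permit match source-address hq_net
set security policies from-zone hq to-zone internet policy hq_internet_permit then permit
"""

ADDR_RE = re.compile(r"^set security address-book global address (\S+) (\S+)$")
POL_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"(match|then) (\S+)(?: (\S+))?$")
FIELD = {"source-address": "src", "destination-address": "dst", "application": "app"}


def parse(config):
    """Return (address_book, policies): name -> [networks], and an ordered
    list of policy dicts (zone pair, match sets, action). Order matters."""
    book, policies = {}, {}
    for line in config.strip().splitlines():
        line = line.strip()
        m = ADDR_RE.match(line)
        if m:
            book.setdefault(m.group(1), []).append(ipaddress.ip_network(m.group(2)))
            continue
        m = POL_RE.match(line)
        if not m:
            continue  # NAT and other statements are not modelled here
        frm, to, name, kind, key, val = m.groups()
        pol = policies.setdefault((frm, to, name), {
            "from": frm, "to": to, "name": name,
            "src": set(), "dst": set(), "app": set(), "action": None})
        if kind == "match" and key in FIELD:
            pol[FIELD[key]].add(val)
        elif kind == "then" and key in ("permit", "deny"):
            pol["action"] = key  # 'then log ...' is logging, not the action
    return book, list(policies.values())


def undefined_address_refs(book, policies):
    """Address names a policy uses that the book never defines.
    Assumption: names are case-sensitive, so hq_net is not HQ_net."""
    return sorted({(p["name"], n) for p in policies
                   for n in p["src"] | p["dst"] if n != "any" and n not in book})


def address_matches(book, names, ip):
    """True if ip falls in any prefix behind any referenced name, or 'any'."""
    ip = ipaddress.ip_address(ip)
    return any(n == "any" or any(ip in net for net in book.get(n, ()))
               for n in names)


def evaluate(book, policies, from_zone, to_zone, src, dst, app):
    """First policy for the zone pair whose address and application sets all
    match decides the session. None means nothing matched (Junos' default
    policy then denies)."""
    for p in policies:
        if (p["from"], p["to"]) != (from_zone, to_zone):
            continue
        if (address_matches(book, p["src"], src)
                and address_matches(book, p["dst"], dst)
                and ("any" in p["app"] or app in p["app"])):
            return p["name"], p["action"]
    return None


if __name__ == "__main__":
    book, policies = parse(SAMPLE_CONFIG)
    print("undefined references:", undefined_address_refs(book, policies))
    for src, app in [("192.168.2.10", "junos-http"),   # HQ PC, HTTP
                     ("192.168.3.10", "junos-http"),   # PC outside HQ_net
                     ("192.168.2.10", "junos-https")]: # HQ PC, app not permitted
        print(src, app, "->", evaluate(book, policies, "hq", "internet",
                                       src, "172.16.254.5", app))
    print("mismatch check:", undefined_address_refs(*parse(MISMATCH_CONFIG)))
```

The three sample sessions show what the address book buys you: only a source inside `HQ_net` reaches the permit policy, and even that host is denied for an application the policy does not list, while every other source falls through to the catch-all deny. The same model answers the follow-up about the SVI: a source such as 192.168.10.1 only matches a policy whose source-address set contains a book entry covering it (or `any`).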