SRX

We have a server (192.168.149.194) is located in my local Data Center and client server (10.225.238.189 15000) located at client location.

we need to create connectivity for my end. per the client confirmation they have provided the connectivity from their end.

I created like this...

set security policies from-zone Dedicated-Untrust to-zone OCMP policy Costarica-OCMP description "COSTARICA to OCMP"
set security policies from-zone Dedicated-Untrust to-zone OCMP policy Costarica-OCMP match source-address Costarica-10.225.138.189
set security policies from-zone Dedicated-Untrust to-zone OCMP policy Costarica-OCMP match destination-address H_192.168.149.194
set security policies from-zone Dedicated-Untrust to-zone OCMP policy Costarica-OCMP match application TCP_15000
set security policies from-zone Dedicated-Untrust to-zone OCMP policy Costarica-OCMP then permit
set security policies from-zone Dedicated-Untrust to-zone OCMP policy Costarica-OCMP then log session-init
set security policies from-zone Dedicated-Untrust to-zone OCMP policy Costarica-OCMP then log session-close

set security policies from-zone OCMP to-zone Dedicated-Untrust policy OCMP-TO-DEDICATED-UNTRUST-Costarica description "OCMP to COSTARICA"
set security policies from-zone OCMP to-zone Dedicated-Untrust policy OCMP-TO-DEDICATED-UNTRUST-Costarica match source-address H_192.168.149.194
set security policies from-zone OCMP to-zone Dedicated-Untrust policy OCMP-TO-DEDICATED-UNTRUST-Costarica match destination-address Costarica-10.225.138.189
set security policies from-zone OCMP to-zone Dedicated-Untrust policy OCMP-TO-DEDICATED-UNTRUST-Costarica match application TCP_15000
set security policies from-zone OCMP to-zone Dedicated-Untrust policy OCMP-TO-DEDICATED-UNTRUST-Costarica then permit
set security policies from-zone OCMP to-zone Dedicated-Untrust policy OCMP-TO-DEDICATED-UNTRUST-Costarica then log session-init
set security policies from-zone OCMP to-zone Dedicated-Untrust policy OCMP-TO-DEDICATED-UNTRUST-Costarica then log session-close

set security address-book global address Costarica-10.225.238.189 10.225.238.189/32

but I am not getting connectivity till now.

what are the things, i missed here..how we create connectivity. Please provide the creation if I any miss or my configuration totally wrong.

Regards,

Rakesh

We have a server (192.168.149.194) is located in my local Data Center and client server (10.225.238.189 15000) located at client location.

we need to create connectivity for my end. per the client confirmation they have provided the connectivity from their end.

I created like this...

set security policies from-zone Dedicated-Untrust to-zone OCMP policy Costarica-OCMP description "COSTARICA to OCMP"
set security policies from-zone Dedicated-Untrust to-zone OCMP policy Costarica-OCMP match source-address Costarica-10.225.138.189
set security policies from-zone Dedicated-Untrust to-zone OCMP policy Costarica-OCMP match destination-address H_192.168.149.194
set security policies from-zone Dedicated-Untrust to-zone OCMP policy Costarica-OCMP match application TCP_15000
set security policies from-zone Dedicated-Untrust to-zone OCMP policy Costarica-OCMP then permit
set security policies from-zone Dedicated-Untrust to-zone OCMP policy Costarica-OCMP then log session-init
set security policies from-zone Dedicated-Untrust to-zone OCMP policy Costarica-OCMP then log session-close

set security policies from-zone OCMP to-zone Dedicated-Untrust policy OCMP-TO-DEDICATED-UNTRUST-Costarica description "OCMP to COSTARICA"
set security policies from-zone OCMP to-zone Dedicated-Untrust policy OCMP-TO-DEDICATED-UNTRUST-Costarica match source-address H_192.168.149.194
set security policies from-zone OCMP to-zone Dedicated-Untrust policy OCMP-TO-DEDICATED-UNTRUST-Costarica match destination-address Costarica-10.225.138.189
set security policies from-zone OCMP to-zone Dedicated-Untrust policy OCMP-TO-DEDICATED-UNTRUST-Costarica match application TCP_15000
set security policies from-zone OCMP to-zone Dedicated-Untrust policy OCMP-TO-DEDICATED-UNTRUST-Costarica then permit
set security policies from-zone OCMP to-zone Dedicated-Untrust policy OCMP-TO-DEDICATED-UNTRUST-Costarica then log session-init
set security policies from-zone OCMP to-zone Dedicated-Untrust policy OCMP-TO-DEDICATED-UNTRUST-Costarica then log session-close

set security address-book global address Costarica-10.225.238.189 10.225.238.189/32

but I am not getting connectivity till now.

what are the things, i missed here..how we create connectivity. Please provide the creation if I any miss or my configuration totally wrong.

Regards,

Rakesh

Hello Rakesh,

The information you provided is very limited to exactly understand your topology. But here are a few pointers that might help you :

• As pointed out by Ben, internet would not route the private subnets and hence you would need to look at the NAT based solution (assuming there is no VPN involved in this path).
• When NAT based solution is used, you will have to rewrite your security policies to accommodate the NAT rules. For example, if you are using a source NAT , then the security policy will use a pre-NAT source IP whereas in case of a destination nat being used, security policy will have to use a post-NAT destination IP. 
• If there is a site-to-site VPN between the local datacenter and the client location, then you probably would like to check VPN status and traffic through it.

As you can see the solution may change based on what kind of topology and network design you have.

Hope this is helpful.

Thanks!

We have a server (192.168.149.194) is located in my local Data Center and client server (10.225.238.189 15000) located at client location.

we need to create connectivity for my end. per the client confirmation they have provided the connectivity from their end.

I created like this...

set security policies from-zone Dedicated-Untrust to-zone OCMP policy Costarica-OCMP description "COSTARICA to OCMP"
set security policies from-zone Dedicated-Untrust to-zone OCMP policy Costarica-OCMP match source-address Costarica-10.225.138.189
set security policies from-zone Dedicated-Untrust to-zone OCMP policy Costarica-OCMP match destination-address H_192.168.149.194
set security policies from-zone Dedicated-Untrust to-zone OCMP policy Costarica-OCMP match application TCP_15000
set security policies from-zone Dedicated-Untrust to-zone OCMP policy Costarica-OCMP then permit
set security policies from-zone Dedicated-Untrust to-zone OCMP policy Costarica-OCMP then log session-init
set security policies from-zone Dedicated-Untrust to-zone OCMP policy Costarica-OCMP then log session-close

set security policies from-zone OCMP to-zone Dedicated-Untrust policy OCMP-TO-DEDICATED-UNTRUST-Costarica description "OCMP to COSTARICA"
set security policies from-zone OCMP to-zone Dedicated-Untrust policy OCMP-TO-DEDICATED-UNTRUST-Costarica match source-address H_192.168.149.194
set security policies from-zone OCMP to-zone Dedicated-Untrust policy OCMP-TO-DEDICATED-UNTRUST-Costarica match destination-address Costarica-10.225.138.189
set security policies from-zone OCMP to-zone Dedicated-Untrust policy OCMP-TO-DEDICATED-UNTRUST-Costarica match application TCP_15000
set security policies from-zone OCMP to-zone Dedicated-Untrust policy OCMP-TO-DEDICATED-UNTRUST-Costarica then permit
set security policies from-zone OCMP to-zone Dedicated-Untrust policy OCMP-TO-DEDICATED-UNTRUST-Costarica then log session-init
set security policies from-zone OCMP to-zone Dedicated-Untrust policy OCMP-TO-DEDICATED-UNTRUST-Costarica then log session-close

set security address-book global address Costarica-10.225.238.189 10.225.238.189/32

but I am not getting connectivity till now.

what are the things, i missed here..how we create connectivity. Please provide the creation if I any miss or my configuration totally wrong.

Regards,

Rakesh

Hi bkamen and TheDisciple,

Thanks for your replay.

We are not using a VPN between the end points.

could you please give the configuration of above screenshot or scenario.

We have a server (192.168.149.194) is located in my local Data Center and client server (10.225.238.189 15000) located at client location.

Source ip:192.168.149.194

Destination ip:10.225.238.189 and port  15000.

please give configuration, how can i write above using above IP's .Please.Approciate your help.

Regards,

Rakesh

------------------------------
Rakesh A

Original Message:
Sent: 08-10-2023 01:15
From: TheDisciple
Subject: PORT CONNECTIVITY FROM Local SERVER TO CLIENT SERVER

Hello Rakesh,

The information you provided is very limited to exactly understand your topology. But here are a few pointers that might help you :

• As pointed out by Ben, internet would not route the private subnets and hence you would need to look at the NAT based solution (assuming there is no VPN involved in this path).
• When NAT based solution is used, you will have to rewrite your security policies to accommodate the NAT rules. For example, if you are using a source NAT , then the security policy will use a pre-NAT source IP whereas in case of a destination nat being used, security policy will have to use a post-NAT destination IP. 
• If there is a site-to-site VPN between the local datacenter and the client location, then you probably would like to check VPN status and traffic through it.

As you can see the solution may change based on what kind of topology and network design you have.

Hope this is helpful.

Thanks!

Original Message:
Sent: 08-09-2023 13:40
From: Rakesh A
Subject: PORT CONNECTIVITY FROM Local SERVER TO CLIENT SERVER

We have a server (192.168.149.194) is located in my local Data Center and client server (10.225.238.189 15000) located at client location.

we need to create connectivity for my end. per the client confirmation they have provided the connectivity from their end.

I created like this...

set security policies from-zone Dedicated-Untrust to-zone OCMP policy Costarica-OCMP description "COSTARICA to OCMP"
set security policies from-zone Dedicated-Untrust to-zone OCMP policy Costarica-OCMP match source-address Costarica-10.225.138.189
set security policies from-zone Dedicated-Untrust to-zone OCMP policy Costarica-OCMP match destination-address H_192.168.149.194
set security policies from-zone Dedicated-Untrust to-zone OCMP policy Costarica-OCMP match application TCP_15000
set security policies from-zone Dedicated-Untrust to-zone OCMP policy Costarica-OCMP then permit
set security policies from-zone Dedicated-Untrust to-zone OCMP policy Costarica-OCMP then log session-init
set security policies from-zone Dedicated-Untrust to-zone OCMP policy Costarica-OCMP then log session-close

set security policies from-zone OCMP to-zone Dedicated-Untrust policy OCMP-TO-DEDICATED-UNTRUST-Costarica description "OCMP to COSTARICA"
set security policies from-zone OCMP to-zone Dedicated-Untrust policy OCMP-TO-DEDICATED-UNTRUST-Costarica match source-address H_192.168.149.194
set security policies from-zone OCMP to-zone Dedicated-Untrust policy OCMP-TO-DEDICATED-UNTRUST-Costarica match destination-address Costarica-10.225.138.189
set security policies from-zone OCMP to-zone Dedicated-Untrust policy OCMP-TO-DEDICATED-UNTRUST-Costarica match application TCP_15000
set security policies from-zone OCMP to-zone Dedicated-Untrust policy OCMP-TO-DEDICATED-UNTRUST-Costarica then permit
set security policies from-zone OCMP to-zone Dedicated-Untrust policy OCMP-TO-DEDICATED-UNTRUST-Costarica then log session-init
set security policies from-zone OCMP to-zone Dedicated-Untrust policy OCMP-TO-DEDICATED-UNTRUST-Costarica then log session-close

set security address-book global address Costarica-10.225.238.189 10.225.238.189/32

but I am not getting connectivity till now.

what are the things, i missed here..how we create connectivity. Please provide the creation if I any miss or my configuration totally wrong.

Regards,

Rakesh

------------------------------
Rakesh A
------------------------------