SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Security policies not passing traffic

    Posted 03-29-2016 17:15

    We have an SRX100H2 that I'm trying to lock down. Basically, it's a branch VPN, and I only want to pass limited traffic thru the tunnel.

     

    I've set everything up (VPN, NAT, etc.), and traffic passes fine as long as the default policy is accept, but nothing passes through the SRX when I change it to deny-all.

     

    As an example, when I try to ping from 10.12.7.2 to 10.252.253.5, I get the following in the traffic log:

     

    Mar 30 00:07:55 VPN-Test-01 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.12.7.2/1->10.252.253.5/23388 icmp 1(8) default-deny(global) vpn trust UNKNOWN UNKNOWN N/A(N/A) st0.0 UNKNOWN policy deny

     

    I've included what I hope are the relevant sections of the config. Again, everything works just how I want it if the default policy is set to accept-all, but not with deny-all.

     

    Thanks!

     

    ...Ralph Johnston

    Attachment: support.txt (5 KB)


  • 2.  RE: Security policies not passing traffic

    Posted 03-29-2016 21:38

    Hi

     

    From a short look into your config, this is my assumption:

     

    Your security policies did not honor the fact that the SRX has a specific sequence of first-flow evaluation, namely:

     

    Screen

    Destination NAT or Static NAT

    Routing

    Policy Evaluation

    Source NAT

    ...

     

    So for the policies you need to mention the TRANSLATED address for the destination and the UNTRANSLATED address for the source.

     

    Please have a check on that, and either say no or confirm my assumption.

     

    regards

     

    alexander



  • 3.  RE: Security policies not passing traffic

    Posted 03-30-2016 08:51

    alexander,

     

    Thank you! That did it.

     

    I was confused by the logs (which seem to show just the pre-NAT addresses), and the SRX flow diagram, because I assumed that the Static NAT step did both source and destination Static NAT. I "get it" now, and see that the Static NAT step just works on the dest IP, and Reverse Static NAT just works on the source IP.

     

    The logs were what confused me the most, though.

     

    Thanks again!

     

    ...Ralph



  • 4.  RE: Security policies not passing traffic
    Best Answer

    Posted 03-30-2016 01:40

    address local-sys-prod-prenat 10.252.253.5/32;
    address local-sys-prod-postnat 10.2.2.5/32;
    address remote-sys-prenat 10.12.7.2/32;

    policy vpn-to-sys-test-amqps {
        match {
            source-address remote-sys-prenat;
            destination-address local-sys-test-prenat;
            application test-abc;
        }
        then {
            permit;
        }
    }


    Here you see the policy is for "local-sys-prod-prenat". In JUNOS the policy lookup happens after destination NAT, so you need to create the policy for "local-sys-prod-postnat".
    Also, if you look here, the "test-abc" application does not include ICMP:

    application test-abc {
        protocol tcp;
        destination-port 671;
    }


    So that's why it's hitting the default deny policy. Correct this and it will work.
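The flow order that alexander and Sam describe (destination/static NAT before the policy lookup, source NAT after it) is easy to get wrong because the deny log shows pre-NAT addresses. The following is an added Python model of that ordering, not code from the thread or from Juniper: the static NAT mapping, the policy names and the `-icmp` policy are assumed, and only the addresses and the `test-abc` application definition come from the posts above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed model of the SRX first-packet order discussed in the thread:
# screen -> destination/static NAT -> route -> policy lookup -> source NAT.
# The NAT mapping below is assumed; it only illustrates the ordering.
STATIC_NAT = {"10.252.253.5": "10.2.2.5"}  # pre-NAT (external) -> post-NAT (internal)

@dataclass
class Application:
    protocol: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # None matches any port (ICMP has no port)

@dataclass
class Policy:
    name: str
    src: str                      # address-book prefix: UNTRANSLATED source
    dst: str                      # address-book prefix: TRANSLATED destination
    apps: List[Application]

def static_nat(dst: str) -> str:
    """Destination-side static NAT runs before the policy lookup."""
    return STATIC_NAT.get(dst, dst)

def app_matches(app: Application, proto: str, dport: Optional[int]) -> bool:
    return app.protocol == proto and (app.dport is None or app.dport == dport)

def evaluate(policies: List[Policy], src: str, dst: str, proto: str,
             dport: Optional[int] = None) -> str:
    """Name of the first matching policy, or the global default deny."""
    post_nat_dst = static_nat(dst)  # the policy lookup sees the translated destination
    for p in policies:
        if (ip_address(src) in ip_network(p.src)
                and ip_address(post_nat_dst) in ip_network(p.dst)
                and any(app_matches(a, proto, dport) for a in p.apps)):
            return p.name
    return "default-deny(global)"

TEST_ABC = [Application("tcp", 671)]   # from the thread: tcp/671 only, no ICMP
ICMP = [Application("icmp")]

# Policy written against the pre-NAT destination, as in the original config
BROKEN = [Policy("vpn-to-sys-prod-amqps", "10.12.7.2/32", "10.252.253.5/32", TEST_ABC)]
# Corrected: post-NAT destination, plus a separate policy carrying ICMP
FIXED = [Policy("vpn-to-sys-prod-amqps", "10.12.7.2/32", "10.2.2.5/32", TEST_ABC),
         Policy("vpn-to-sys-prod-icmp", "10.12.7.2/32", "10.2.2.5/32", ICMP)]

if __name__ == "__main__":
    print(evaluate(BROKEN, "10.12.7.2", "10.252.253.5", "tcp", 671))  # default-deny(global)
    print(evaluate(FIXED, "10.12.7.2", "10.252.253.5", "tcp", 671))   # vpn-to-sys-prod-amqps
    print(evaluate(FIXED, "10.12.7.2", "10.252.253.5", "icmp"))       # vpn-to-sys-prod-icmp
```

The deny in the BROKEN case mirrors the `default-deny(global)` hit in Ralph's log: the log reports the pre-NAT destination, but the lookup matched on the translated one.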



  • 5.  RE: Security policies not passing traffic

    Posted 03-30-2016 10:28

    Sam,

     

    Thanks for the extra info. Knowing that the policies are applied "half-way through" the NAT process was the key.

     

    Sadly, the logs made it worse, since they seem to use data from before any NAT.

     

    As far as the test-abc application, ICMP is allowed via other policies (all the policies that end in -icmp).

     

    Thanks!

     

    ...Ralph