SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SMSC issue

    Posted 08-17-2023 05:49

    Hi Guys,

    Customer says that they are unable to connect/telnet to 203.x.x.x on port 8022 from their IP 43.x.x.x.

    For this we need to allow the below IPs and policies in an SRX firewall.

    Source IP: 10.151.41.244 - this is my internal IP
    43.x.x.x - this is their IP
    203.x.x.x - they will connect to this public IP on port 8022 (this belongs to Celcom and was assigned to us)

    Could you please tell me how to do this on my Juniper SRX firewall?

    Regards,

    Rakesh



    ------------------------------
    Rakesh A
    ------------------------------


  • 2.  RE: SMSC issue

    Posted 08-17-2023 06:52
    Edited by bkamen 08-17-2023 06:57

    What is "this" sitting on 203.x.x.x? Is it a host or another firewall?

    Are you saying the 203.x.x.x is the public IP YOU'VE been assigned and that the client wants to connect to YOUR machine on 10.151.41.244?


    If you're going to ask questions like this, it's very helpful to always think of the flow like this (and provide the information required) to avoid this kind of back and forth.

    Source IP: Port Number -> (Firewall?->Public IP:port) -> Destination IP: Port (Firewall? -> Private IP:port)

    Cheers,

     -Ben



    ------------------------------
    Ben Kamen
    ------------------------------



  • 3.  RE: SMSC issue

    Posted 08-17-2023 09:55

    Hi Bkamen,

    Thanks for your reply.

    This is a new requirement.

    203.x is the ISP IP; it sits on the firewall only.

    We have a requirement like this:

    The customer is asking for access from 43.x (server) to public IP 203.x; the request will automatically go to 10.151.41.244 (my internal server).

    203.x is the ISP-provided IP. The customer telnets to 203.x from 43.x (server), and the request will automatically go to 10.151.41.244 (my internal server).

    The 43.x server is maintained by the customer.

    Source IP: Port Number -> (Firewall?->Public IP:port) -> Destination IP: Port 

    10.151.41.244:3131-->(Srx Firewall---> 203.x.x.x:8022)-->43.xxx(server)

    Regards,

    Rakesh



    ------------------------------
    Rakesh A
    ------------------------------



  • 4.  RE: SMSC issue

    Posted 08-17-2023 13:50

    Ok.... your flow line is backwards from what you described. You started with the destination and worked your way back to the source. 

    So following that flow I just presented to you... you're saying:

    This flow line should start with the source/connection requestor to the destination and the target of the connection request.
    That would look like: 43.x --> 203.x.x.x:8022 (Firewall) -> 10.151.41.244:3131

    So here's what you need:

    Go into NAT and create a Destination NAT pool for 10.151.41.244/32 with a port defined of 3131
    Then create a destination NAT Rule from your internet/external zone to the internal zone where 10.151.x.x is.
    Then specify the connection can come from ANYHOST (to start with) or 0.0.0.0 to your 203.x and make sure to specify the port number 8022 -- then select your destination pool you just created of 10.151.x.x/32:3131

    -- create an address book entry for your client's source IP address of 10.151.x.x (whatever it is) to have ready.
    -- create an address book entry for your client's source IP address of 43.x.x.x (whatever it is) to have ready.
    -- create a security policy from the internet zone to the zone of your 10.151.x.x target (whatever it is) that permits traffic from ANY to the 10.151 host address book entry you made.

    This should work and allow ANYONE on the internet to connect to your 10.151.x.x host on port 8022 (which is translated to 10.151.x.x:3131). 

    Once you see that works, you can go back and EDIT the policy so that the SOURCE address is now the address book entry you made for your client's 43.x.x.x address. Once in place, now only THAT IP ADDRESS will be allowed to connect to your 203.x.x.x->10.151.x.x port mapping. 

    If their IP address changes, you'll have to change the address book for the client. 

    Additionally, that policy generally allows any source port (which you want to leave as "any") to any port on 10.151.x.x, which you may NOT want. So you can add a destination service. But because there's no Destination NAT mapping from a port other than 8022, no other port attempt (like 8021 or 8080 or 22 or whatever) would work anyway.

    I think I have all that right -- if I missed something, anyone is welcome to chime in.

    Cheers,

     -ben



    ------------------------------
    Ben Kamen
    ------------------------------
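As an added example (not from the thread, and not Juniper's own code), the steps listed in the post above written out as Junos set commands. Everything not taken from the thread is an assumption: the zone names untrust/trust, the interface ge-0/0/0.0, the pool, rule, application and policy names, and the documentation-range addresses 203.0.113.10 (standing in for 203.x.x.x) and 198.51.100.7 (standing in for 43.x.x.x). 10.151.41.244 and ports 8022/3131 are the values from the thread.

```junos
# Added example, not from the thread. Placeholders (assumptions):
#   203.0.113.10   = ISP-assigned public IP (203.x.x.x in the thread)
#   198.51.100.7   = customer's source IP (43.x.x.x in the thread)
#   untrust/trust  = internet-facing / internal zones
#   ge-0/0/0.0     = internet-facing interface
#   10.151.41.244  = internal SMSC host, listening on tcp/3131 (from the thread)

# 1. Address book entries (global book) so the NAT rule and policy use names.
set security address-book global address smsc-internal 10.151.41.244/32
set security address-book global address customer-43 198.51.100.7/32

# 2. Custom application for the post-NAT port. Policy lookup on the SRX runs
#    AFTER destination NAT, so the policy matches 10.151.41.244:3131,
#    not the public 203.x:8022.
set applications application tcp-3131 protocol tcp destination-port 3131

# 3. Destination NAT pool: internal host plus the translated port.
set security nat destination pool smsc-dnat address 10.151.41.244/32 port 3131

# 4. Destination NAT rule from the untrust zone: 203.x:8022 -> pool.
#    To test with "any host" first, as the post suggests, leave out the
#    source-address match line and add it back once the mapping works.
set security nat destination rule-set from-internet from zone untrust
set security nat destination rule-set from-internet rule smsc-8022 match source-address 198.51.100.7/32
set security nat destination rule-set from-internet rule smsc-8022 match destination-address 203.0.113.10/32
set security nat destination rule-set from-internet rule smsc-8022 match destination-port 8022
set security nat destination rule-set from-internet rule smsc-8022 then destination-nat pool smsc-dnat

# 5. Security policy untrust -> trust, restricted to the customer's IP and
#    the translated destination/port. For the open test, use
#    "match source-address any" here too, then tighten it.
set security policies from-zone untrust to-zone trust policy customer-to-smsc match source-address customer-43
set security policies from-zone untrust to-zone trust policy customer-to-smsc match destination-address smsc-internal
set security policies from-zone untrust to-zone trust policy customer-to-smsc match application tcp-3131
set security policies from-zone untrust to-zone trust policy customer-to-smsc then permit
set security policies from-zone untrust to-zone trust policy customer-to-smsc then log session-init session-close

# 6. Proxy-ARP is only needed if the public IP is NOT configured on the
#    interface itself. The thread says 203.x sits on the firewall, so this
#    line stays commented out; uncomment if the IP is a spare from the block.
# set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.10/32

# Verify after "commit check" and "commit" (operational-mode commands):
#   show security nat destination rule all          (translation hits per rule)
#   show security policies hit-count                (policy hits)
#   show security flow session destination-port 3131
```

Two points worth keeping in mind with this layout. First, the policy's destination address and application are the post-NAT values (10.151.41.244 and tcp/3131) because the SRX performs destination NAT before the policy lookup; a policy written against 203.x:8022 never matches. Second, the rule-set only translates tcp/8022 to 203.x, so a connection to any other port on that public IP is not translated at all and is treated as traffic to the firewall itself (governed by host-inbound-traffic on the untrust zone, not by this policy), which is why the post's remark that other ports "would not work anyway" holds.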



  • 5.  RE: SMSC issue

    Posted 08-18-2023 13:18

    Hi Ben,

    Thank you so much for your reply. I configured it like you told me and it worked.

    Thanks

    Rakesh



    ------------------------------
    Rakesh A
    ------------------------------



  • 6.  RE: SMSC issue

    Posted 08-19-2023 18:56

    Excellent.

    Thanks for the feedback.



    ------------------------------
    - Ben
    ------------------------------