Okay, I deleted them and then added them back and did a commit full like:
from-zone data43 to-zone Internet {
    policy data43 {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
    policy d43 {
        match {
            source-address 43;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone Internet to-zone data43 {
    policy suite43nat {
        match {
            source-address any;
            destination-address 43;
            application [ d43-nas d43-nas5006 d43-nas6281 ];
        }
        then {
            permit;
        }
    }
}
and
# show security policies from-zone Internet to-zone data43 | display set
set security policies from-zone Internet to-zone data43 policy suite43nat match source-address any
set security policies from-zone Internet to-zone data43 policy suite43nat match destination-address 43
set security policies from-zone Internet to-zone data43 policy suite43nat match application d43-nas
set security policies from-zone Internet to-zone data43 policy suite43nat match application d43-nas5006
set security policies from-zone Internet to-zone data43 policy suite43nat match application d43-nas6281
set security policies from-zone Internet to-zone data43 policy suite43nat then permit
also
> request pfe execute target fwdd command "show usp policy checksum"
SENT: Ukern command: show usp policy checksum
GOT:
LOCAL: End of file
> show security policies checksum
From zone To zone Checksum
core Internet 0x719779cf551608024ab0a792182fbc8f
core core_phone 0x25c5bb45213ebad01d17b0b58c6c37d
core data43 0xb6524e53b196f25670185954910f82da
core_phone Internet 0x1af7ce90e0012fc146035f30bd9e3732
core_phone core 0xe3b7243d712f24681c1e9afe5ea2cd6
data43 Internet 0xe200429cbc4c7144e5081227d4bc0c76
Internet data43 0xa8eec3e1effb781d814a7e958af6941
to make sure:
>show security match-policies from-zone Internet to-zone data43 source-ip 1.2.3.5 source-port 5001 destination-ip 192.168.43.50 destination-port 5001 protocol tcp
0
Policy Type: Configured
Sequence number: 1
From zone: Internet, To zone: data43
Source addresses:
any-ipv4: 0.0.0.0/0
any-ipv6: ::/0
Destination addresses:
43: 192.168.43.50/32
Application: d43-nas
IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
Source port range: [5001-5001]
Destination port range: [5001-5001]
Application: d43-nas5006
IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
Source port range: [5006-5006]
Destination port range: [5006-5006]
Application: d43-nas6281
IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
Source port range: [6281-6281]
Destination port range: [6281-6281]
Per policy TCP Options: SYN check: No, SEQ check: No
Then re-ran test:
Aug 30 03:22:36 03:22:35.1707744:CID-0:RT:<1.2.3.2/8032->1.2.3.5/5001;6> matched filter TEST:
Aug 30 03:22:36 03:22:35.1707744:CID-0:RT:packet [64] ipid = 0, @4231249c
Aug 30 03:23:33 03:23:31.1863102:CID-0:RT:flow_first_routing: call flow_route_lookup(): src_ip 1.2.3.2, x_dst_ip 192.168.43.50, in ifp ge-0/0/0.0, out ifp N/A sp 2817, dp 5001, ip_proto 6, tos 0
Aug 30 03:23:33 03:23:31.1863102:CID-0:RT:Doing DESTINATION addr route-lookup
Aug 30 03:23:33 03:23:31.1863102:CID-0:RT: routed (x_dst_ip 192.168.43.50) from Internet (ge-0/0/0.0 in 0) to ge-0/0/8.431, Next-hop: 192.168.43.50
Aug 30 03:23:33 03:23:31.1863102:CID-0:RT: policy search from zone Internet-> zone data43 (0x114,0xb011389,0x1389)
Aug 30 03:23:33 03:23:31.1863102:CID-0:RT: app 33, timeout 1800s, curr ageout 20s
Aug 30 03:23:33 03:23:31.1863102:CID-0:RT: packet dropped, denied by policy
Aug 30 03:23:33 03:23:31.1863102:CID-0:RT: packet dropped, policy deny.
Aug 30 03:23:33 03:23:31.1863102:CID-0:RT: flow find session returns error.
Aug 30 03:23:33 03:23:31.1863102:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
It seems like something in the policy is still blocking. Does it matter what order the rules are in Junos? Is it possible I have something wrong in my custom application definitions? Here's what they look like:
# show applications
application d43-nas {
    protocol tcp;
    source-port 5001;
    destination-port 5001;
}
application d43-nas5006 {
    protocol tcp;
    source-port 5006;
    destination-port 5006;
}
application d43-nas6281 {
    protocol tcp;
    source-port 6281;
    destination-port 6281;
}
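As an added example (not part of the post above, and not Junos code), the script below parses the custom application definitions exactly as posted and evaluates a flow's 5-tuple against them the way a Junos application match does: protocol must match, and when an application specifies source-port or destination-port the packet's port must fall inside that range. It pulls the 5-tuple from the posted flow trace line (sp 2817, dp 5001, ip_proto 6) and also evaluates the tuple the poster gave to show security match-policies (source-port 5001, destination-port 5001). The parser, the helper names and the output format are assumptions of this example; the configuration text and the trace line are copied from the post.

```python
"""Check a flow 5-tuple against Junos-style custom application definitions.

Added example for the forum post above; not Junos code. The application
block and the trace line are copied from the post, everything else is an
assumption of this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Application definitions as posted (plain-text Junos configuration).
APPLICATIONS_TEXT = """
application d43-nas {
    protocol tcp;
    source-port 5001;
    destination-port 5001;
}
application d43-nas5006 {
    protocol tcp;
    source-port 5006;
    destination-port 5006;
}
application d43-nas6281 {
    protocol tcp;
    source-port 6281;
    destination-port 6281;
}
"""

# Flow trace line from the post (only the tail with the 5-tuple matters here).
TRACE_LINE = ("Aug 30 03:23:33 03:23:31.1863102:CID-0:RT:flow_first_routing: "
              "call flow_route_lookup(): src_ip 1.2.3.2, x_dst_ip 192.168.43.50, "
              "in ifp ge-0/0/0.0, out ifp N/A sp 2817, dp 5001, ip_proto 6, tos 0")

PROTO_NUM = {"tcp": 6, "udp": 17}  # assumed mapping for the protocols used here


@dataclass
class Application:
    name: str
    protocol: str                       # "tcp", "udp" or "any"
    src_range: Optional[Tuple[int, int]]  # None means any source port
    dst_range: Optional[Tuple[int, int]]  # None means any destination port


def parse_port_range(value: str) -> Tuple[int, int]:
    """Junos accepts a single port ("5001") or a range ("5001-5010")."""
    lo, _, hi = value.partition("-")
    return (int(lo), int(hi) if hi else int(lo))


def parse_applications(text: str) -> List[Application]:
    """Parse 'application <name> { ... }' blocks into Application records."""
    apps = []
    for m in re.finditer(r"application\s+(\S+)\s*\{(.*?)\}", text, re.S):
        name, body = m.group(1), m.group(2)
        proto = re.search(r"protocol\s+(\S+);", body)
        src = re.search(r"source-port\s+(\S+);", body)
        dst = re.search(r"destination-port\s+(\S+);", body)
        apps.append(Application(
            name=name,
            protocol=proto.group(1) if proto else "any",
            src_range=parse_port_range(src.group(1)) if src else None,
            dst_range=parse_port_range(dst.group(1)) if dst else None,
        ))
    return apps


def parse_trace_tuple(line: str) -> Tuple[int, int, int]:
    """Return (ip_proto, source_port, destination_port) from a flow trace line."""
    m = re.search(r"sp (\d+), dp (\d+), ip_proto (\d+)", line)
    if not m:
        raise ValueError("no 5-tuple in trace line")
    return int(m.group(3)), int(m.group(1)), int(m.group(2))


def mismatch_reasons(app: Application, ip_proto: int, sport: int, dport: int) -> List[str]:
    """List every term of the application that the packet fails; empty means match."""
    reasons = []
    if app.protocol != "any" and PROTO_NUM.get(app.protocol) != ip_proto:
        reasons.append(f"protocol {app.protocol} != ip_proto {ip_proto}")
    if app.src_range and not (app.src_range[0] <= sport <= app.src_range[1]):
        reasons.append(f"source port {sport} not in {app.src_range}")
    if app.dst_range and not (app.dst_range[0] <= dport <= app.dst_range[1]):
        reasons.append(f"destination port {dport} not in {app.dst_range}")
    return reasons


def matching_applications(apps: List[Application], ip_proto: int, sport: int, dport: int) -> List[str]:
    """Names of the applications the packet satisfies; an empty list means the
    'application [ ... ]' term of the policy cannot match this packet."""
    return [a.name for a in apps if not mismatch_reasons(a, ip_proto, sport, dport)]


if __name__ == "__main__":
    apps = parse_applications(APPLICATIONS_TEXT)
    for label, tup in (("flow trace", parse_trace_tuple(TRACE_LINE)),
                       ("match-policies query", (6, 5001, 5001))):
        proto, sp, dp = tup
        print(f"{label}: ip_proto={proto} sp={sp} dp={dp} -> "
              f"matches {matching_applications(apps, proto, sp, dp) or 'nothing'}")
        for a in apps:
            for r in mismatch_reasons(a, proto, sp, dp):
                print(f"  {a.name}: {r}")
```

Run over the values in the post, the script shows that the tuple handed to show security match-policies (source port 5001) satisfies d43-nas, while the tuple in the trace line (source port 2817) satisfies none of the three applications because each of them pins the source port as well as the destination port. The same check can be pointed at any other trace line or application block by swapping the constants.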