Hello,
As I am new to network technology, I need some help. I have an SRX300 in the office that receives a public IP address on WAN7 via DHCP (BOOTP). A /29 network from the ISP is routed to this WAN7 address, and the addresses in that /29 are then statically assigned to various firewalls and servers behind the SRX. This works perfectly, so the config itself is functional. My problem is that the config is not secure: the SSH port and every other possible service are open. I want the SSH service to be reachable only from my static home IP, and all other system services of the SRX (such as NTP, DNS, ...) to be closed, while at the same time all traffic to and from the devices behind it passes through unfiltered. The SRX should serve only as a gateway.
I have already experimented a little with the zones, but I either lock myself out or it stops working. Below is the config as it currently works.
/* Reviewer annotations are added as Junos comments only; no configuration line has been changed. This excerpt starts inside the system stanza (its opening line is above the excerpt) and the system block closes after the license stanza. */
login {
/* Only lockout back-off is visible; no user stanza appears in this excerpt, so the only account shown to be reachable is root (see root-login below). Confirm a non-root account with a super-user class exists before changing root-login. */
retry-options {
tries-before-disconnect 3;
backoff-threshold 2;
backoff-factor 10;
}
}
services {
/* root-login allow lets the root account itself authenticate over SSH. Combined with the ssh entry under the untrust interface further down, root is reachable from any WAN source. root-login deny is the usual setting once a non-root administrative account is in place (not visible here). */
ssh {
root-login allow;
protocol-version v2;
max-sessions-per-connection 1;
client-alive-interval 30;
}
/* NETCONF-over-SSH is deactivated and web-management is deactivated: both keep the management surface small and should stay that way. */
netconf {
inactive: ssh;
}
inactive: web-management {
https {
system-generated-certificate;
}
}
}
domain-name root;
time-zone Europe/Amsterdam;
/* These are the resolvers the SRX itself queries (outbound); they are not an inbound DNS listener. Which services the box accepts inbound is governed solely by host-inbound-traffic under security zones below. */
name-server {
8.8.8.8;
8.8.4.4;
}
name-resolution {
no-resolve-on-input;
}
/* Local logging only: interactive commands and authorization events are kept in 3 archived files of 100k each, so evidence of a login brute-force attempt against the exposed SSH service may roll over quickly. An off-box syslog host would preserve it (not configured in this excerpt). */
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file interactive-commands {
interactive-commands any;
}
file messages {
any notice;
authorization info;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url
https://ae1.juniper.net/junos/key_retrieval; }
}
}
security {
/* The zone policies below govern transit traffic between trust and untrust. They do not restrict traffic addressed to the SRX's own services; that is controlled by host-inbound-traffic under zones. Limiting SSH to a single source address therefore cannot be done in these policies alone; it is typically done with a firewall filter on lo0.0 or a policy toward the junos-host zone, in either case with explicit accept terms for the DHCP client, ping and anything else the box must receive, which is the usual cause of the lockout described. */
policies {
from-zone trust to-zone trust {
policy trust-to-trust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
/* Outbound transit is permitted any/any/any and logged at session start and end. */
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-init;
session-close;
}
}
}
}
/* Inbound transit is permitted any/any/any: every connection from the Internet to the routed /29 hosts on irb.0 is forwarded unfiltered. This matches the stated gateway-only intent, so the firewalls behind the SRX carry all inbound filtering. Unlike trust-to-untrust, this policy has no log action, so inbound sessions leave no record on the SRX. */
from-zone untrust to-zone trust {
policy untrust-to-trust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
/* Inside zone (irb.0): ssh and ping are accepted from the LAN. protocols all is wider than needed, since no routing protocol appears in the protocols stanza at the end of this excerpt. */
host-inbound-traffic {
system-services {
ssh;
ping;
}
protocols {
all;
}
}
interfaces {
irb.0;
}
}
security-zone untrust {
interfaces {
ge-0/0/7.0 {
/* This is the open WAN surface described in the question. A host-inbound-traffic list has no source-address scope: ssh and ping here are accepted from any Internet source, and removing ssh would close it for every source, including the home IP, hence the need for a lo0 filter or junos-host policy as noted above. dhcp and bootp must stay for the WAN address lease. ping can be dropped from this list without affecting transit ICMP. protocols all opens every routing-protocol listener toward the ISP although none is configured in this excerpt; the protocols sub-stanza could be omitted on this interface. */
host-inbound-traffic {
system-services {
ssh;
dhcp;
ping;
bootp;
}
protocols {
all;
}
}
}
}
}
}
}
interfaces {
/* ge-0/0/0 through ge-0/0/6 are access ports in vlan-trust; all downstream firewalls and servers therefore share one L2 segment with the gateway's irb.0. */
ge-0/0/0 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/5 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/6 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
/* WAN uplink: address comes only from the DHCP client, so the routed /29 depends on that lease being renewed. */
ge-0/0/7 {
description WAN;
unit 0 {
family inet {
dhcp {
vendor-id Juniper-srx300;
}
}
}
}
/* irb.0 carries the ISP-routed /29 (address redacted by the author) and is the trust-zone interface. */
irb {
unit 0 {
family inet {
address 37.37.x.x/29;
}
}
}
}
vlans {
vlan-trust {
vlan-id 3;
l3-interface irb.0;
}
}
protocols {
l2-learning {
global-mode switching;
}
/* rstp interface all also names the WAN port; since ge-0/0/7 is family inet rather than ethernet-switching this is presumably inert there, but worth confirming. */
rstp {
interface all;
}
}
PASCAL DENGG