Security


Securing your network and related platform configuration and troubleshooting with Juniper security technologies including Advance Threat Prevention, Cloud-Based Management Services, Cloud-delivered Security, Cloud Workload Protection, DDoS, Juniper Secure and other solutions.
  • 1.  vSRX - configuration issues.

    Posted 07-21-2022 09:50
    Hi Guys,

    I am new to Juniper. I have my home lab with EVE-NG + vSRX.

    I wanted to deploy some tests, and it seems something does not work as expected.


    This is my lab schema:


    My vSRX configuration:
    groups {
        band-config {
            interfaces {
                ge-0/0/1 {
                    unit <*>;
                }
            }
        }
    }
    system {
        host-name juniper1.core;
        root-authentication {
            encrypted-password "$6$aQBfcfum$upB6GogFCmc9UfQAyIQDYGdR4CLjlMPBRUNPfp/RSVKKa2a0me30iA2zLEZYPXNL621.Mo5klfvCkD6FrN5Z6/"; ## SECRET-DATA
        }
        services {
            ssh {
                root-login allow;
                protocol-version v2;
                port 22;
            }
            web-management {
                http {
                    interface [ fxp0.0 ge-0/0/0.0 ];
                }
                https {
                    system-generated-certificate;
                    interface [ fxp0.0 ge-0/0/0.0 ];
                }
            }
        }
        name-server {
            8.8.8.8;
        }
        syslog {
            file interactive-commands {
                interactive-commands any;
            }
            file messages {
                any any;
                authorization info;
            }
        }
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    security {
        policies {
            global {
                policy internet-access {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                        from-zone Servers;
                        to-zone Internet;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone Internet {
                host-inbound-traffic {
                    system-services {
                        ssh;
                        ping;
                    }
                }
                interfaces {
                    ge-0/0/5.0;
                }
            }
            security-zone Servers {
                host-inbound-traffic {
                    system-services {
                        ping;
                        ssh;
                    }
                }
                interfaces {
                    ge-0/0/3.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                ssh;
                            }
                        }
                    }
                    ge-0/0/4.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                ssh;
                            }
                        }
                    }
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                ssh;
                            }
                        }
                    }
                }
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            speed 100m;
            unit 0 {
                family inet {
                    address 192.168.45.1/24;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family inet {
                    address 192.168.20.1/24;
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family inet {
                    address 192.168.44.1/24;
                }
            }
        }
        ge-0/0/3 {
            unit 0 {
                family inet {
                    address 93.42.40.1/8;
                }
            }
        }
        ge-0/0/4 {
            unit 0 {
                family inet {
                    address 93.42.50.1/8;
                }
            }
        }
        ge-0/0/5 {
            unit 0 {
                family inet {
                    address 192.168.178.151/24;
                }
            }
        }
        fxp0 {
            disable;
            unit 0 {
                family inet {
                    address 192.168.178.150/24;
                }
            }
        }
    }
    routing-options {
        rib inet.0 {
            static {
                route 0.0.0.0/0 next-hop 192.168.178.1;
            }
        }
        static {
            route 192.168.44.0/24 next-hop 192.168.44.10;
            route 192.168.45.0/24 next-hop 192.168.178.1;
            route 0.0.0.0/0 next-hop 192.168.178.1;
        }
    }


    The problem is I can't ping the internet via vSRX. From the machines I can ping the default gateway, but I can't ping, for example, 8.8.8.8 from the machine via vSRX.

    I am not sure if I did something wrong in the configuration. Can you maybe check, guys? I would really appreciate that.

    Patryk

    ------------------------------
    PATRYK MICHNO
    ------------------------------


  • 2.  RE: vSRX - configuration issues.

    Posted 07-21-2022 10:19
    Since you are not doing any source nat on the vSRX do you have the return routes for your device subnets configured on the home router pointed back to the vSRX  192.168.178.150?

    And does the nat policy on the home router cover these other subnets when forwarded to the internet?

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: vSRX - configuration issues.

    Posted 07-21-2022 10:27
    Thanks, you actually pointed out something I did not think through.

    I want those public IPs in the 93.0.0.0/8 subnet. If I activate NAT, should it work with the security zone I did?

    Something like this:

    nat {
        source {
            rule-set trust-to-untrust {
                from zone Servers;
                to zone Internet;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }


    ------------------------------
    PATRYK MICHNO
    ------------------------------
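As an added example (not code from the thread or from Juniper), the check below models the point made in reply 2 and the NAT proposal in reply 3: every subnet in the Servers zone must either be hidden behind interface source NAT on the vSRX or have a return route on the home router. The interface addresses and zone membership are taken from the posted config; the NAT rules and upstream routes are constructed inputs, and the overlap check is an extra sanity test on the posted /8 addresses.

```python
# Added example: checks derived from the posted vSRX config, not the thread's own code.
import ipaddress
from itertools import combinations

# interface -> address, copied from the posted "interfaces" stanza
INTERFACES = {
    "ge-0/0/0.0": "192.168.45.1/24",
    "ge-0/0/1.0": "192.168.20.1/24",
    "ge-0/0/2.0": "192.168.44.1/24",
    "ge-0/0/3.0": "93.42.40.1/8",
    "ge-0/0/4.0": "93.42.50.1/8",
    "ge-0/0/5.0": "192.168.178.151/24",
}
# zone -> member interfaces, copied from the posted "security zones" stanza
ZONES = {
    "Servers": ["ge-0/0/3.0", "ge-0/0/4.0", "ge-0/0/0.0"],
    "Internet": ["ge-0/0/5.0"],
}


def connected_networks(interfaces=INTERFACES):
    """Return interface -> the subnet it is directly connected to."""
    return {name: ipaddress.ip_interface(addr).network for name, addr in interfaces.items()}


def overlapping_interfaces(interfaces=INTERFACES):
    """Pairs of interfaces whose connected subnets overlap (two /8 ports do)."""
    nets = connected_networks(interfaces)
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def subnets_needing_return_route(nat_rules, upstream_routes, from_zone="Servers",
                                 to_zone="Internet", interfaces=INTERFACES, zones=ZONES):
    """Subnets of from_zone that the home router must route back to the vSRX.

    nat_rules: constructed list of (from_zone, to_zone, match_prefix) source-NAT rules.
    upstream_routes: constructed list of prefixes the home router already sends to the vSRX.
    A subnet hidden behind source NAT needs no return route; anything else does.
    """
    nets = connected_networks(interfaces)
    nat = [ipaddress.ip_network(p) for f, t, p in nat_rules if f == from_zone and t == to_zone]
    routes = [ipaddress.ip_network(p) for p in upstream_routes]
    missing = set()
    for iface in zones[from_zone]:
        net = nets[iface]
        if any(net.subnet_of(n) for n in nat) or any(net.subnet_of(r) for r in routes):
            continue
        missing.add(str(net))
    return sorted(missing)
```

With no NAT and no upstream routes (the posted state) both Servers-zone subnets are reported; adding the interface source-NAT rule from reply 3 empties the list.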