Discussion Thread 10
Public IP address for a server behind an SRX5800


Discussion Post
Public IP address for a server behind an SRX5800

We give the client a public IP address on which they can reach their servers in the "cloud". We create a static route for these servers with the next hop being the private address of the destination server in the client's VR, so something like this:

    set routing-options static route 99.99.99.99/32 next-hop 172.16.1.2
    set routing-options static route 99.99.99.99/32 no-resolve

Then this route is advertised into the Internet VR, and that is how the server becomes reachable from the Internet (also fw policies and NAT policies). But yesterday another client told us that they didn't want NAT; they want to give the public IP address directly to their server, and it should be reachable from the Internet just like the other servers in this VLAN. (There are a few other servers in this VLAN with private addresses.)


Discussion Post
address/address-set under nat destination

I'm configuring a NAT destination rule:

    set security nat destination rule-set PFW-RASPI rule PFW-8080 match source-address-name ASET-YOTI-OFFICE

but when I commit:

    root@SRX210# commit
    [edit security nat destination rule-set PFW-RASPI rule PFW-8080 match]
      'source-address-name ASET-YOTI-OFFICE'
        Can not find address/address-set(ASET-YOTI-OFFICE) in default global address book
    error: configuration check-out failed

However, I have that address book configured:

    root@SRX210# show | display set | match ASET-YOTI-OFFICE
    set security address-book YOTI-OFFICE address-set ASET-YOTI-OFFICE address YOTI-1
    set security address-book YOTI-OFFICE address-set ASET-YOTI-OFFICE address YOTI-2

Question 1: What is the reason for that error?
Question 2: Why does JunOS give the opportunity to restrict access to a range of IPs under NAT as well as under the security policy for that NAT rule?



Discussion Reply
RE: SRX 5800 NAT logging - too much info

    Jan 7 08:16:14 efw4 1 2011-01-07T08:18:23.525 srx0 RT FLOW - RT FLOW SESSION CLOSE [junos@2636.1.1.1.2.50 reason="TCP RST" source-address="10.79.35.48" source-port="49293" destination-address="X.X.X.X" destination-port="80" service-name="junos-http" nat-source-address="X.X.X.X" nat-source-port="49293" nat-destination-address="X.X.X.X" nat-destination-port="80" src-nat-rule-name="POOL" dst-nat-rule-name="None" protocol-id="6" policy-name="ALLOW-TO-INET" source-zone-name="ZONE" destination-zone-name="untrust" session-id-32="440051213" packets-from-client="6" bytes-from-client="681" packets-from-server="5" bytes-from-server="1084" elapsed-time="2152000"]

This is an example of the log. We do not want to log the destination IP, nor the destination PORT. For STRM, sure, send the info there, but this particular logging server is used to identify DMCA/RIAA violators, and we only want to log the source-address= and the nat-source-address= on the NAT create and the NAT release.

#NAT #SRX #log


Discussion Post
New to SRX, NAT policies and scripting...

Hello, I have 2 questions regarding the SRX firewall:

- If I do a NAT from public address A to public address B, doing a NAT which replaces B by private address C (destination NAT), do I have to create a firewall policy?


Discussion Post
Lan1 to Lan2 Nat config

Hi, I have 2 interfaces set up. ge-0/0/1 is where most of my network servers are


Discussion Post
Juniper SRX220H - Outbound Mail Flow

With the default source-NAT statement below to allow for internet traffic flow, do I need to add a static NAT entry as well to accommodate the external IP of my Exchange server? Will the Exchange server on the other end be able to accept mail if it comes from the external IP of my SRX?

    rule-set inet1 {
        from zone trust;
        to zone untrust;
        rule test {
            match {
                destination-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    interface

Let me know if you need more info.



Discussion Reply
RE: Security Policies and Policy Elements

Hi Dan,

You will need to configure a static NAT for your mail server in [edit security nat]:

    static {
        rule-set nat-dmz {
            from interface ge-0/0/5.0;
            rule mailserver {
                match {
                    destination-address 200.200.200.25/32;
                }
                then {
                    static-nat prefix 10.0.0.25/32;
                }
            }
        }
    }

To get the same proxy ARP functionality as ScreenOS provides with a MIP, add something like the below as well:

    proxy-arp {
        interface ge-0/0/5.0 {
            address {
                200.200.200.25;
            }
        }
    }

The firewall policy is completely separate from your NAT policies and contains the NATted address as a destination:

    policy smtp-inbound {
        match {
            source-address any;
            destination-address Address 10 0 0 25;
            application junos-smtp;
        }
        then {
            permit;
        }
    }

When your mail server needs to reach the outside, you need to configure it this way:

    policy smtp-outbound {
        match {
            source-address Address 10 0 0 25;
            destination-address any;
            application junos-smtp;
        }
        then {
            permit;
        }
    }

#static #policy #MIP #NAT #SRX