SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  NAT Questions/Issues

    Posted 04-27-2011 14:37

    Hello everyone,

    I am sorry to post a new topic here, as I feel I am asking a daft and obvious question.

    I have installed an SRX240 with an AX411.

    I have 4 zones:

    untrust (WAN)

    trust (LAN)

    iDMZ (Servers)

    eDMZ (Visitors)

    Most of the config is fine for what I need to do.

    My main issues, at present, are 3:

    1) I have been trying to set up an FTP flow from untrust to a server in iDMZ. Due to the fact that untrust gets a dynamic IP from the ISP and that I have NAT in place, I need to use FTP passive mode, which means I need to accept traffic on port 21 and ports 55536-55663.

    The server is set to report with the flag PASV.

    I allow all sources to the iDMZ subnet with any application.

    NAT destination is configured for port 21, as I would expect the FTP ALG to deal with the PASV flag.

    Yet I cannot connect to the server via FTP, which means I am missing something essential in my config.

    Can someone give me some insight, please?

    2) As an extension to my issue 1), I couldn't find in any document how to allow specific port ranges in either UDP/TCP or both...

    Unless I have to leave the NAT destination without "destination-port" configured, create a custom policy object "application" with the set of ports I need and apply a policy between the needed zones permitting the specifically created "application"?

    3) I have an HP network printer in iDMZ.

    I obviously can reach the printer web configuration page on its IP address, as I would expect.

    I managed to set up a working NAT destination rule to print via port 9100.

    And I created a proxy-arp entry in order to be able to use the "HP Solution Center" application to monitor the printer, as for this application the printer needs to be in the same subnet as the computer.

    However, this last part does not seem to work and the printer is never seen by the configuration tool (neither on its real IP nor on its proxy-arp IP).

    More unsettling for me is the fact that printing works fine on all the Windows and Linux based computers but not on the Mac OS X ones.

    Again, if someone had some insight on this I would really appreciate it.

    I attached a full config just in case.

    Thank you in advance

    Andy

    Attachment(s): work in progress.txt (txt, 24 KB)


  • 2.  RE: NAT Questions/Issues

    Posted 04-27-2011 16:01

    Hi Andy,

    For each of your issues:

    1. Do you get any response at all from the FTP server, e.g. login and password?  If not, try adding the following command to your untrust zone:

    set security zones security-zone untrust host-inbound-traffic system-services ftp except

    If you are getting a response, provide the output of the following command:

    show security flow session application ftp

    and see if your traffic is being detected correctly.

    2. I've tried to get an enhancement request raised with my SE around this exact issue.  Currently it is not possible in the SRX to specify a range of ports for NATing, which is disappointing seeing as how most $30 ADSL routers can do this quite easily.

    3. Your config looks fine, and clearly printing is working.  HP Solution Center uses UDP port 427 to detect printers, so try looking in the flow tables for any matching traffic, e.g.:

    show security flow session protocol udp destination-port 427



  • 3.  RE: NAT Questions/Issues

    Posted 04-28-2011 14:47

    Hello dfex,

    Thanks a lot for your answer 🙂

    Concerning 2., it's indeed a bit of a disappointment, but I still hope for a future Junos release (by the way, I seem to remember that the MX routers with MS-DPC modules allowed configuring port ranges).

    Concerning 3., thanks a lot! 🙂

    Adding the UDP 427 solved the printing issue 🙂

    Concerning 1. though, I am more and more puzzled...

    The relevant Junos code is as follows:

    [edit]
    root@AltaBadia# show security
    nat {
    [...]
        destination {
            pool NAS {
                address 172.24.24.200/32;
            }
    [...]
            rule-set RED_NAT {
                from zone untrust;
    [...]
                rule NAS_FTP {
                    match {
                        destination-address 0.0.0.0/0;
                        destination-port 21;
                    }
                    then {
                        destination-nat pool NAS;
                    }
                }
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
    [...]
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                            ftp {
                                except;
                            }
                            all;
                        }
                    }
                }
            }
        }
    [...]
        from-zone untrust to-zone idmz {
            policy untrust-to-idmz {
                match {
                    source-address any;
                    destination-address AMBER1_RANGE;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        default-policy {
            deny-all;
        }
    }
    alg {
        ftp ftps-extension;
    }

    With this setup I can FTP to my server/NAS (which is configured to use ports 21 + 55536-55663).

    The output of "show security flow session application ftp" is as follows:

    root@AltaBadia> show security flow session application ftp
    Total sessions: 0
    
    root@AltaBadia> show security flow session application ftp
    Session ID: 15433, Policy name: untrust-to-idmz/18, Timeout: 1800, Valid
    Resource information : FTP ALG, 2, 0
      In: 193.247.250.49/47939 --> 77.58.93.121/21;tcp, If: ge-0/0/0.0, Pkts: 17, Bytes: 1211
      Out: 172.24.24.200/21 --> 193.247.250.49/47939;tcp, If: vlan.1, Pkts: 12, Bytes: 1731
    Total sessions: 1
    
    [...]
    
    root@AltaBadia> show security flow session application ftp
    Session ID: 15433, Policy name: untrust-to-idmz/18, Timeout: 1796, Valid
    Resource information : FTP ALG, 2, 0
      In: 193.247.250.49/47939 --> 77.58.93.121/21;tcp, If: ge-0/0/0.0, Pkts: 35, Bytes: 2169
      Out: 172.24.24.200/21 --> 193.247.250.49/47939;tcp, If: vlan.1, Pkts: 25, Bytes: 3131
    Total sessions: 1
    
    ###
    #Login successful
    #First layer of folders loads
    #
    #Selected a folder to load
    ###
    
    root@AltaBadia> show security flow session application ftp
    Session ID: 15433, Policy name: untrust-to-idmz/18, Timeout: 1798, Valid
    Resource information : FTP ALG, 2, 0
      In: 193.247.250.49/47939 --> 77.58.93.121/21;tcp, If: ge-0/0/0.0, Pkts: 42, Bytes: 2597
      Out: 172.24.24.200/21 --> 193.247.250.49/47939;tcp, If: vlan.1, Pkts: 28, Bytes: 3474
    Total sessions: 1
    
    [...]
    
    root@AltaBadia> show security flow session application ftp
    Session ID: 15433, Policy name: untrust-to-idmz/18, Timeout: 1780, Valid
    Resource information : FTP ALG, 2, 0
      In: 193.247.250.49/47939 --> 77.58.93.121/21;tcp, If: ge-0/0/0.0, Pkts: 42, Bytes: 2597
      Out: 172.24.24.200/21 --> 193.247.250.49/47939;tcp, If: vlan.1, Pkts: 28, Bytes: 3474
    Total sessions: 1
    
    root@AltaBadia> show security flow session application ftp
    Session ID: 17609, Policy name: untrust-to-idmz/18, Timeout: 1782, Valid
      In: 193.247.250.49/22270 --> 77.58.93.121/21;tcp, If: ge-0/0/0.0, Pkts: 6, Bytes: 312
      Out: 172.24.24.200/21 --> 193.247.250.49/22270;tcp, If: vlan.1, Pkts: 5, Bytes: 271
    Total sessions: 1
    
    [...]
    
    root@AltaBadia> show security flow session application ftp
    Session ID: 17609, Policy name: untrust-to-idmz/18, Timeout: 1782, Valid
      In: 193.247.250.49/22270 --> 77.58.93.121/21;tcp, If: ge-0/0/0.0, Pkts: 19, Bytes: 876
      Out: 172.24.24.200/21 --> 193.247.250.49/22270;tcp, If: vlan.1, Pkts: 15, Bytes: 945
    Total sessions: 1
    
    ###
    #Page remains blank
    ###

    And the FTP log on the client shows as follows:

    *** FTP On The Go PRO 2.3
    *** Connect To ravens.dnsdojo.net:21
    220 RaVeNsDen FTP server ready.
    >>> AUTH TLS
    234 AUTH SSL command successful.
    >>> PBSZ 0
    200 PBSZ command successful (PBSZ=0).
    >>> PROT P
    200 Protection level set to Private.
    >>> USER admin
    331 Password required for admin.
    >>> PASS [hidden]
    230 User admin logged in.
    >>> SYST
    215 UNIX Type: L8
    >>> FEAT
    211- Extensions supported:
    AUTH TLS
    PBSZ
    PROT
    SIZE
    MDTM
    MFMT
    REST STREAM
    211 End.
    >>> CLNT FTPOnTheGo 2.3
    500 CLNT FTPOnTheGo 2.3: command not understood.
    >>> PWD
    257 "/" is current directory.
    >>> PASV
    227 Entering Passive Mode (77,58,93,121,217,22)
    *** Data Connection OK
    >>> LIST
    150 Opening BINARY mode SSL data connection for 'file list'.
    *** drwxr-xr-x  1 root users        12288 Apr 26 02:01 home
    *** drwxr-xr-x  1 root users        4096 Apr  3 15:32 Work
    *** drwxr-xr-x  1 root users        4096 Apr 23 17:15 Video
    226 Transfer complete.
    *** Got 10 Folder Items
    >>> CWD /Work
    250 CWD command successful.
    >>> PWD
    257 "/Work" is current directory.
    >>> PASV
    227 Entering Passive Mode (77,58,93,121,216,247)
    !!! Data Connection Won't Open
    *** Disconnected
    
    *** FTP On The Go PRO 2.3
    *** Connect To ravens.dnsdojo.net:21
    220 RaVeNsDen FTP server ready.
    >>> USER admin
    331 Password required for admin.
    >>> PASS [hidden]
    230 User admin logged in.
    >>> SYST
    215 UNIX Type: L8
    >>> FEAT
    211- Extensions supported:
    AUTH TLS
    PBSZ
    PROT
    SIZE
    MDTM
    MFMT
    REST STREAM
    211 End.
    >>> CLNT FTPOnTheGo 2.3
    500 CLNT FTPOnTheGo 2.3: command not understood.
    >>> PWD
    257 "/" is current directory.
    >>> PASV
    
    
    ------ Transfers ------
    
    (null)

    What is strangest to me is that

    - if I do things quietly and take my time to choose which folder to open, I get nothing anymore

    - if I pick a random folder as soon as I am on the FTP server, I can get to see the subfolder content (if I am really fast, even a sub-subfolder)

    So I would suspect a timeout, but when I look at the data on the SRX I am always well within the parameters of the timeout.

    Any idea of what it could be?

    Cheers

    Andy



  • 4.  RE: NAT Questions/Issues
    Best Answer

    Posted 05-01-2011 14:59

    I found the solution to the FTP passive through NAT 🙂

    I just cannot believe how slow I have been to find the solution...

    Anyway... Here it is, if it can interest anyone:

    root@AltaBadia# show | except SECRET-DATA
    ## Last changed: 2011-05-01 23:05:54 CEST
    version 10.4R3.4;
    system {
        services {
            ftp;
            dhcp {
                propagate-settings ge-0/0/0.0;
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    dhcp {
                        update-server;
                    }
                }
            }
        }
    }
    security {
        nat {
            destination {
                pool NAS {
                    address 172.24.24.200/32;
                }
                rule-set RED_NAT {
                    from zone untrust;
                    rule NAS_FTP {
                        match {
                            destination-address 0.0.0.0/0;
                            inactive: destination-port 21;
                        }
                        then {
                            destination-nat pool NAS;
                        }
                    }
                }
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        zones {
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone untrust to-zone idmz {
                policy test_untrust-to-idmz {
                    match {
                        source-address any;
                        destination-address AMBER1_RANGE;
                        application junos-ftp;
                    }
                    then {
                        permit;
                    }
                }
                policy untrust-to-idmz {
                    match {
                        source-address any;
                        destination-address AMBER1_RANGE;
                        application any;
                    }
                    then {
                        deny;
                    }
                }
            }
        }
        alg {
            ftp disable;
        }
    }

    root@AltaBadia> show security alg status
    ALG Status :
      DNS      : Enabled
      FTP      : Disabled
      H323     : Enabled
      MGCP     : Enabled
      MSRPC    : Enabled
      PPTP     : Enabled
      RSH      : Enabled
      RTSP     : Enabled
      SCCP     : Enabled
      SIP      : Enabled
      SQL      : Enabled
      SUNRPC   : Enabled
      TALK     : Enabled
      TFTP     : Enabled
      IKE-ESP  : Disabled

    Cheers

    Andy
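Worked example added by the editor; it is not the poster's attached config and not Juniper's documentation. It pulls together the port-range question from the first two posts (a custom application is where a range goes on the policy side, on 10.4 as well as on current releases; only the destination NAT rule on 10.4 is limited to a single port) and the final configuration above, where the NAT rule has no port at all and the policy does the filtering. Names are the thread's own (zone untrust on ge-0/0/0.0, zone idmz, NAS pool 172.24.24.200, address-book entry AMBER1_RANGE, passive data ports 55536-55663); the application name ftp-pasv-data, the policy names and the NAT port-range syntax in the commented lines are assumptions. Two checks on the logs above before reading it: the PASV replies decode to 217*256+22 = 55574 (the transfer that worked) and 216*256+247 = 55543 (the one that did not), both inside 55536-55663, so the width of the range is not what separates the two attempts; and in the first client session the control channel is switched to TLS (AUTH TLS, PROT P) before PASV is sent, so from that point no ALG, with or without ftps-extension, can read the 227 reply and open a data pinhole, which is why the passive range has to be permitted by policy explicitly.

```junos
# Added example, not the poster's attached config. Names from the thread:
# zone untrust (ge-0/0/0.0), zone idmz, NAS 172.24.24.200, address-book
# entry AMBER1_RANGE, passive range 55536-55663. Assumed names: application
# ftp-pasv-data, policies ftp-ctl / ftp-pasv / deny-rest. Comment lines are
# for the reader; drop them before "load set terminal".

# 1. Port ranges live in a custom application (question 2). A custom
#    application takes "low-high" for destination-port, on 10.4 as well.
set applications application ftp-pasv-data protocol tcp
set applications application ftp-pasv-data destination-port 55536-55663
set applications application ftp-pasv-data inactivity-timeout 300

# 2. Destination NAT. On 10.4 a destination NAT rule matches one port, so the
#    thread's workaround is to match no port at all: everything arriving on
#    the dynamic WAN address is rewritten to the NAS, and the policy below
#    decides what actually gets through.
set security nat destination pool NAS address 172.24.24.200/32
set security nat destination rule-set RED_NAT from zone untrust
set security nat destination rule-set RED_NAT rule NAS_FTP match destination-address 0.0.0.0/0
set security nat destination rule-set RED_NAT rule NAS_FTP then destination-nat pool NAS
#    Assumption: on releases whose NAT rule accepts a "low to high" range,
#    narrow it so only 21 and the passive range are rewritten:
#    set security nat destination rule-set RED_NAT rule NAS_FTP match destination-port 21
#    set security nat destination rule-set RED_NAT rule NAS_PASV match destination-address 0.0.0.0/0
#    set security nat destination rule-set RED_NAT rule NAS_PASV match destination-port 55536 to 55663
#    set security nat destination rule-set RED_NAT rule NAS_PASV then destination-nat pool NAS

# 3. Policy, evaluated top down: control port, passive data range, then an
#    explicit logged deny. With AUTH TLS + PROT P the 227 reply is encrypted,
#    so no ALG can open the data pinhole; ftp-pasv is what lets LIST work.
set security policies from-zone untrust to-zone idmz policy ftp-ctl match source-address any
set security policies from-zone untrust to-zone idmz policy ftp-ctl match destination-address AMBER1_RANGE
set security policies from-zone untrust to-zone idmz policy ftp-ctl match application junos-ftp
set security policies from-zone untrust to-zone idmz policy ftp-ctl then permit
set security policies from-zone untrust to-zone idmz policy ftp-ctl then log session-close
set security policies from-zone untrust to-zone idmz policy ftp-pasv match source-address any
set security policies from-zone untrust to-zone idmz policy ftp-pasv match destination-address AMBER1_RANGE
set security policies from-zone untrust to-zone idmz policy ftp-pasv match application ftp-pasv-data
set security policies from-zone untrust to-zone idmz policy ftp-pasv then permit
set security policies from-zone untrust to-zone idmz policy deny-rest match source-address any
set security policies from-zone untrust to-zone idmz policy deny-rest match destination-address any
set security policies from-zone untrust to-zone idmz policy deny-rest match application any
set security policies from-zone untrust to-zone idmz policy deny-rest then deny
set security policies from-zone untrust to-zone idmz policy deny-rest then log session-init

# 4. Attack surface on the WAN side. Only DHCP needs to reach the SRX itself
#    on ge-0/0/0.0 (the address is dynamic); "all" and the FTP daemon on the
#    firewall (system services ftp, still present in the final post) do not.
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
delete security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
delete system services ftp

# 5. FTP ALG off, as in the final post: it cannot read a TLS control channel,
#    so it only adds state and surprises.
set security alg ftp disable
```

Policies within a zone pair are evaluated top down, so ftp-ctl and ftp-pasv must sit above deny-rest; if they were added later, `insert security policies from-zone untrust to-zone idmz policy ftp-pasv before policy deny-rest` moves them. After `commit`, `show security flow session protocol tcp destination-port 55574` during a passive LIST should show the data session attached to policy ftp-pasv; a session logged under deny-rest is the first thing to look for when a client reports that the data connection won't open.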