SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  1 to 1 NAT is not passing the internet users' IP (I see the LAN IP instead)

    Posted 01-10-2023 18:52
    I am setting up my SRX345. I set up a bunch of web servers with static NAT, as I have a full range of public IPs. So for every server I set up destination XXX.182.158.199 to a prefix of 10.10.20.254. I also set up ARP proxy and set a security rule to allow HTTP.

    But when I look at the web logs of the server for the internet traffic, I see only my LAN IP 10.10.20.254 as the source IP for all the web users that are hitting my servers. This is also violating our security, because all hackers trying to log in to WordPress are now coming from my trusted network and are not being banned.

    I have been asking about this for days but no one is responding.

    Here is the relevant part of my config:
    rule Win-server199-Nat {
        match {
            destination-address XXX.182.158.199/32;
        }
        then {
            static-nat {
                prefix {
                    10.10.20.199/32;
                }
            }
        }
    }
    }   /* closes the enclosing rule-set (not shown) */
    }   /* closes static */
    proxy-arp {
        interface ge-0/0/0.0 {
            address {
                XXX.182.158.199/32;
            }
        }
    }
    }   /* closes nat */

    ------------------------------
    JAY ECHOUAFNI
    ------------------------------


  • 2.  RE: 1 to 1 NAT is not passing the internet users' IP (I see the LAN IP instead)

    Posted 01-11-2023 02:58
    Edited by ARENTAS BUTKUS 01-11-2023 03:25

    hackers coming from the trusted network?
    Maybe you should do services in a separate zone, where you gradually segregate your zones.
    I'm not an expert, but I would do destination NAT and only allow ports required for services.
    Destination NAT (Juniper documentation): Destination NAT changes the destination address of packets passing through the router. It also offers the option to perform port translation in the TCP/UDP headers. Destination NAT is mainly used to redirect incoming packets with an external address or port destination to an internal IP address or port inside the network.




    (I had to delete my code example, so as not to show a bad example.)




  • 3.  RE: 1 to 1 NAT is not passing the internet users' IP (I see the LAN IP instead)

    Posted 01-11-2023 10:13
    No no, I have my zones set up and my external IPs are in the Untrust zone. But for some reason my web applications and log files are showing that traffic as coming from my trust IP interface instead of the users' actual IP address.

    Can anyone tell me how to fix this in J-Web? I am not a CLI guy.

    On Jan 11, 2023, at 08:59, ARENTAS BUTKUS via Juniper Networks <Mail@community.juniper.net> wrote:

    
    hackers coming from the trusted network?
    Maybe you should do services in a separate zone, where you gradually segregate your zones.
    I'm not an expert, but I would do destination NAT and only allow ports required for services.

    I have a simple example of what I mean, but this is also incorrect, as it is in the main trust zone; that's from when I was just trying things out.

    set security address-book global address Nx-server description "//_____Nextcloud Server IP untill it's moved to DMZ______//"
    set security address-book global address Nx-server 192.168.0.200/32
    set security nat source rule-set trust-to-untrust from zone trust
    set security nat source rule-set trust-to-untrust to zone untrust
    set security nat source rule-set trust-to-untrust rule trust-to-internet match source-address 0.0.0.0/0
    set security nat source rule-set trust-to-untrust rule trust-to-internet match destination-address 0.0.0.0/0
    set security nat source rule-set trust-to-untrust rule trust-to-internet then source-nat interface
    set security nat destination pool Nextcloud address 192.168.0.200/32
    set security nat destination rule-set Dnat-untrst-to-trust from zone untrust
    set security nat destination rule-set Dnat-untrst-to-trust rule reach-nextcloud match destination-address 0.0.0.0/0
    set security nat destination rule-set Dnat-untrst-to-trust rule reach-nextcloud match destination-port 80
    set security nat destination rule-set Dnat-untrst-to-trust rule reach-nextcloud match destination-port 443
    set security nat destination rule-set Dnat-untrst-to-trust rule reach-nextcloud then destination-nat pool Nextcloud
    set security policies from-zone untrust to-zone trust policy Untrust-to-nextcloud match source-address any
    set security policies from-zone untrust to-zone trust policy Untrust-to-nextcloud match destination-address Nx-server
    set security policies from-zone untrust to-zone trust policy Untrust-to-nextcloud match application junos-http
    set security policies from-zone untrust to-zone trust policy Untrust-to-nextcloud match application junos-https
    set security policies from-zone untrust to-zone trust policy Untrust-to-nextcloud then permit
    set security zones security-zone trust description "//________Inside of the wall_______//"
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust interfaces ge-0/0/14.0
    set security zones security-zone untrust description "//________Internet side of the wall______//"
    set security zones security-zone untrust interfaces pt-4/0/0.101



  • 4.  RE: 1 to 1 NAT is not passing the internet users' IP (I see the LAN IP instead)

    Posted 01-11-2023 10:15
    I did a destination NAT in vain (which requires you to set a NAT to an IP and to a port number), which will not work for me, as I have over 20 servers behind the SRX and I control access to the different ports via security policies.


    I still see the web traffic in the web logs as if it was coming from the LAN port of the firewall, 10.10.20.254; see logs below.

    2023-01-11 12:57:17 10.10.20.199 GET /DesktopModules/LiveSlider/Themes/v5/skin.png - 80 - 10.10.20.254 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_15_7)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/108.0.0.0+Safari/537.36 http://XXX.182.158.199/DesktopModules/LiveSlider/Themes/v5/skin.css 200 0 0 144
    2023-01-11 12:57:17 10.10.20.199 GET /Portals/0/slide-bg.png - 80 - 10.10.20.254 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_15_7)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/108.0.0.0+Safari/537.36 http://XXX.182.158.199/ 200 0 0 299
    2023-01-11 12:57:22 10.10.20.199 GET /Portals/0/favicon_20150724100627.ico - 80 - 10.10.20.254 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_15_7)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/108.0.0.0+Safari/537.36 http://XXX.182.158.199/ 200 0 0 153




  • 5.  RE: 1 to 1 NAT is not passing the internet users' IP (I see the LAN IP instead)

    Posted 01-11-2023 10:15
    You did not understand my request, because we have multiple ports allowed based on source IP. For example, any source has http and http and ping allowed, while trusted IPs have ssh and ftp. We need to identify the incoming IP, which is not working, as we see all traffic destined to the NATed server as coming from the LAN port IP of the trusted zone instead of their own IP address.



    ------------------------------
    JAY ECHOUAFNI
    ------------------------------



  • 6.  RE: 1 to 1 NAT is not passing the internet users' IP (I see the LAN IP instead)

    Posted 01-11-2023 10:15
    Found the problem: there was a source NAT that messed everything up. As soon as I deleted it, the traffic now shows the web users' real IP.

    2023-01-11 13:55:22 10.10.20.199 GET /portals/0/img/starter.jpg - 80 - XXX.153.56.212 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_15_7)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/108.0.0.0+Safari/537.36 http://XXX.182.158.199/About.html 200 0 0 147
    2023-01-11 13:55:22 10.10.20.199 GET /portals/0/img/2006.jpg - 80 - XXX.153.56.212 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_15_7)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/108.0.0.0+Safari/537.36 http://XXX.182.158.199/About.html 200 0 0 149
    2023-01-11 13:55:22 10.10.20.199 GET /portals/0/img/2003.jpg - 80 - XXX.153.56.212 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_15_7)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/108.0.0.0+Safari/537.36 http://XXX.182.158.199/About.html 200 0 0 151

    ------------------------------
    JAY ECHOUAFNI
    ------------------------------
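As a follow-up check for the symptom in this thread, here is an added example (not code from any of the posts above) that parses IIS W3C log lines like the ones posted and reports what share of requests carry the firewall's inside address 10.10.20.254 as the client IP; a share near 100% is the signature of a source NAT rule rewriting inbound flows, which is exactly what defeats per-IP banning and source-based policies. The sample lines are constructed from the thread with the masked public addresses replaced by RFC 5737 documentation addresses, and the field order assumed is the default IIS W3C layout the posted lines match.

```python
"""Added example (not from this thread): flag a firewall that is rewriting the
source of inbound flows, using IIS W3C log lines like the ones posted above.
Assumed field order is the default IIS W3C layout those lines match."""
from collections import Counter

FIELDS = ("date", "time", "s_ip", "method", "uri_stem", "uri_query", "s_port",
          "username", "c_ip", "user_agent", "referer", "status", "substatus",
          "win32_status", "time_taken")

FIREWALL_INSIDE_IP = "10.10.20.254"   # the SRX trust-side interface from the thread

# Constructed sample modelled on the thread's logs before the source NAT rule was
# removed: every request appears to come from the firewall's own LAN address.
BEFORE = """\
2023-01-11 12:57:17 10.10.20.199 GET /DesktopModules/LiveSlider/Themes/v5/skin.png - 80 - 10.10.20.254 Mozilla/5.0+(Macintosh) http://203.0.113.199/skin.css 200 0 0 144
2023-01-11 12:57:17 10.10.20.199 GET /Portals/0/slide-bg.png - 80 - 10.10.20.254 Mozilla/5.0+(Macintosh) http://203.0.113.199/ 200 0 0 299
2023-01-11 12:57:22 10.10.20.199 GET /Portals/0/favicon.ico - 80 - 10.10.20.254 Mozilla/5.0+(Macintosh) http://203.0.113.199/ 200 0 0 153
""".splitlines()

# Constructed sample after the fix: real Internet sources (RFC 5737 addresses).
AFTER = """\
2023-01-11 13:55:22 10.10.20.199 GET /portals/0/img/starter.jpg - 80 - 198.51.100.212 Mozilla/5.0+(Macintosh) http://203.0.113.199/About.html 200 0 0 147
2023-01-11 13:55:22 10.10.20.199 GET /portals/0/img/2006.jpg - 80 - 198.51.100.212 Mozilla/5.0+(Macintosh) http://203.0.113.199/About.html 200 0 0 149
2023-01-11 13:55:23 10.10.20.199 GET /portals/0/img/2003.jpg - 80 - 192.0.2.77 Mozilla/5.0+(Macintosh) http://203.0.113.199/About.html 200 0 0 151
""".splitlines()


def parse_w3c(line):
    """One IIS W3C line -> dict, or None for '#' directives and malformed lines.
    IIS writes spaces inside a field as '+', so whitespace splitting is safe."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def nat_masking_report(lines, inside_ip=FIREWALL_INSIDE_IP):
    """Return (masked_ratio, distinct_clients): masked_ratio is the share of
    requests whose client IP is the firewall's inside interface. Close to 1.0
    means NAT hides the real source, so per-IP blocking cannot work."""
    entries = [e for e in map(parse_w3c, lines) if e]
    if not entries:
        return 0.0, 0
    clients = Counter(e["c_ip"] for e in entries)
    return clients[inside_ip] / len(entries), len(clients)


def source_nat_suspected(lines, inside_ip=FIREWALL_INSIDE_IP, threshold=0.9):
    """True when the log looks like the 'before' state described in this thread."""
    return nat_masking_report(lines, inside_ip)[0] >= threshold
```

Run `nat_masking_report(open("u_ex230111.log").read().splitlines())` against a real IIS log to get the same two numbers for a live server; the `#Fields:` and other directive lines are skipped automatically.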