Security

  • 1.  vSRX - configuration issues.

    Posted 07-21-2022 09:50
    Hi Guys,

    I am new to Juniper. I have my home lab with Eve ng + vSRX.

    I wanted to deploy some tests and it seems something does not work as expected.


    This is my lab schema:


    My vSRX configuration:
    groups {
        band-config {
            interfaces {
                ge-0/0/1 {
                    unit <*>;
                }
            }
        }
    }
    system {
        host-name juniper1.core;
        root-authentication {
            encrypted-password "$6$aQBfcfum$upB6GogFCmc9UfQAyIQDYGdR4CLjlMPBRUNPfp/RSVKKa2a0me30iA2zLEZYPXNL621.Mo5klfvCkD6FrN5Z6/"; ## SECRET-DATA
        }
        services {
            ssh {
                root-login allow;
                protocol-version v2;
                port 22;
            }
            web-management {
                http {
                    interface [ fxp0.0 ge-0/0/0.0 ];
                }
                https {
                    system-generated-certificate;
                    interface [ fxp0.0 ge-0/0/0.0 ];
                }
            }
        }
        name-server {
            8.8.8.8;
        }
        syslog {
            file interactive-commands {
                interactive-commands any;
            }
            file messages {
                any any;
                authorization info;
            }
        }
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    security {
        policies {
            global {
                policy internet-access {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                        from-zone Servers;
                        to-zone Internet;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone Internet {
                host-inbound-traffic {
                    system-services {
                        ssh;
                        ping;
                    }
                }
                interfaces {
                    ge-0/0/5.0;
                }
            }
            security-zone Servers {
                host-inbound-traffic {
                    system-services {
                        ping;
                        ssh;
                    }
                }
                interfaces {
                    ge-0/0/3.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                ssh;
                            }
                        }
                    }
                    ge-0/0/4.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                ssh;
                            }
                        }
                    }
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                ssh;
                            }
                        }
                    }
                }
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            speed 100m;
            unit 0 {
                family inet {
                    address 192.168.45.1/24;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family inet {
                    address 192.168.20.1/24;
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family inet {
                    address 192.168.44.1/24;
                }
            }
        }
        ge-0/0/3 {
            unit 0 {
                family inet {
                    address 93.42.40.1/8;
                }
            }
        }
        ge-0/0/4 {
            unit 0 {
                family inet {
                    address 93.42.50.1/8;
                }
            }
        }
        ge-0/0/5 {
            unit 0 {
                family inet {
                    address 192.168.178.151/24;
                }
            }
        }
        fxp0 {
            disable;
            unit 0 {
                family inet {
                    address 192.168.178.150/24;
                }
            }
        }
    }
    routing-options {
        rib inet.0 {
            static {
                route 0.0.0.0/0 next-hop 192.168.178.1;
            }
        }
        static {
            route 192.168.44.0/24 next-hop 192.168.44.10;
            route 192.168.45.0/24 next-hop 192.168.178.1;
            route 0.0.0.0/0 next-hop 192.168.178.1;
        }
    }


    The problem is I can't ping the internet via vSRX. From the machines I can ping the default gateway, but I can't ping for example 8.8.8.8 from the machine via vSRX.

    I am not sure if I did something wrong in the configuration. Can you guys maybe check? I would really appreciate that.

    Patryk

    ------------------------------
    PATRYK MICHNO
    ------------------------------


  • 2.  RE: vSRX - configuration issues.

    Posted 07-21-2022 10:19
    Since you are not doing any source NAT on the vSRX, do you have the return routes for your device subnets configured on the home router, pointed back to the vSRX 192.168.178.150?

    And does the NAT policy on the home router cover these other subnets when forwarded to the internet?

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: vSRX - configuration issues.

    Posted 07-21-2022 10:27
    Thanks, you actually pointed out something which I did not think through.

    I want those public IPs in the 93.0.0.0/8 subnet. If I activate NAT, should it work with the security zone I did?

    Something like that:

    nat {
        source {
            rule-set trust-to-untrust {
                from zone Servers;
                to zone Internet;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }


    ------------------------------
    PATRYK MICHNO
    ------------------------------
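    A small checker for the gap Steve's reply points at, added here as an example; it is not part of the thread and not a Juniper tool. It parses the curly-brace config format shown in the posts (not `set`-style commands) and lists every zone pair that a global permit policy allows but that no `security nat source rule-set` in zone form covers, which is exactly why the Servers hosts reach the gateway but not 8.8.8.8. The two config excerpts inside it are constructed from the thread's snippets, not the poster's full config.

```python
import re

def parse_junos(text):
    """Parse Junos curly-brace config into nested dicts; leaf statements map to True."""
    text = re.sub(r"##.*", "", text)           # drop annotations such as '## SECRET-DATA'
    node = root = {}
    stack = []
    for stmt, tok in re.findall(r"([^{};]*)([{};])", text):
        stmt = " ".join(stmt.split())          # collapse newlines/indentation in a statement
        if tok == "{":
            stack.append(node)
            node = node.setdefault(stmt, {})   # repeated blocks (two 'security {') merge
        elif tok == ";":
            node[stmt] = True
        else:
            node = stack.pop()
    return root

def _zones(block, from_key, to_key):  # zone pairs named by 'from... X' / 'to... Y' statements
    src = [k.split()[-1] for k in block if k.startswith(from_key)]
    dst = [k.split()[-1] for k in block if k.startswith(to_key)]
    return {(s, d) for s in src for d in dst}

def permitted_zone_pairs(cfg):
    """(from, to) zone pairs that some global permit policy allows."""
    glob = cfg.get("security", {}).get("policies", {}).get("global", {})
    permits = [p for p in glob.values() if isinstance(p, dict) and "permit" in p.get("then", {})]
    return set().union(*(_zones(p.get("match", {}), "from-zone ", "to-zone ") for p in permits))

def source_nat_pairs(cfg):
    """(from, to) zone pairs covered by a 'security nat source rule-set' (zone form only)."""
    source = cfg.get("security", {}).get("nat", {}).get("source", {})
    rulesets = [rs for k, rs in source.items() if k.startswith("rule-set ")]
    return set().union(*(_zones(rs, "from zone ", "to zone ") for rs in rulesets))

def missing_source_nat(config_text):
    """Permitted zone pairs with no source NAT: flows would leave with private source IPs."""
    cfg = parse_junos(config_text)
    return sorted(permitted_zone_pairs(cfg) - source_nat_pairs(cfg))

# Constructed excerpt modelled on the thread's config: permit Servers->Internet, no NAT yet.
POLICY = """security { policies { global { policy internet-access {
    match { source-address any; destination-address any; application any;
            from-zone Servers; to-zone Internet; }
    then { permit; } } } } }"""
# The source NAT rule-set proposed later in the thread, in the same format.
NAT_FIX = """security { nat { source { rule-set trust-to-untrust {
    from zone Servers; to zone Internet;
    rule source-nat-rule { match { source-address 0.0.0.0/0; }
        then { source-nat { interface; } } } } } } }"""
```

    Run `missing_source_nat(POLICY)` to see the uncovered pair and `missing_source_nat(POLICY + NAT_FIX)` to confirm the proposed rule-set closes it; the same function accepts a full `show configuration` dump.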