Routing

  • 1.  configuring access list on juniper 4200ex

    Posted 10-06-2015 11:08

    Actually, we have a Cisco 3750 in production that needs to be replaced with a Juniper 4200ex;

    I am confused with the access-list part... will you please help me:

    ip access-list extended CA_Access_IN
     permit udp any eq snmp host 172.17.1.6
     permit icmp any any
     permit tcp any host 172.17.1.240 eq 13000
     permit udp host 172.17.7.10 host 172.17.1.13 eq 9995
     permit tcp host 192.168.129.24 eq 8933 host 172.17.1.9
     permit tcp host 192.168.129.25 eq 3389 host 172.17.1.240 eq 3389
     permit tcp host 192.168.129.25 eq 3389 host 172.17.1.241 eq 3389

    interface Vlan99
     ip access-group CA_Access_IN in


    These are Cisco access-lists; I need to convert all of them for Juniper.

    Will you please help me...

    I am confused about how to use the term parameter in this case: when the same source has different destinations, or a port for the source IP, or a port for the destination IP...

     

    S@ndy.



  • 2.  RE: configuring access list on juniper 4200ex

     
    Posted 10-06-2015 15:56

    Hi,

     

    To help you get started I have converted it line for line.

     

    set firewall family inet filter CA_Access_IN term 1 from protocol udp
    set firewall family inet filter CA_Access_IN term 1 from source-port snmp
    set firewall family inet filter CA_Access_IN term 1 from destination-address 172.17.1.6/32
    set firewall family inet filter CA_Access_IN term 1 then accept
    set firewall family inet filter CA_Access_IN term 2 from protocol icmp
    set firewall family inet filter CA_Access_IN term 2 then accept
    set firewall family inet filter CA_Access_IN term 3 from protocol tcp
    set firewall family inet filter CA_Access_IN term 3 from destination-address 172.17.1.240/32
    set firewall family inet filter CA_Access_IN term 3 from destination-port 13000
    set firewall family inet filter CA_Access_IN term 3 then accept
    set firewall family inet filter CA_Access_IN term 4 from protocol udp
    set firewall family inet filter CA_Access_IN term 4 from source-address 172.17.7.10/32
    set firewall family inet filter CA_Access_IN term 4 from destination-address 172.17.1.13/32
    set firewall family inet filter CA_Access_IN term 4 from destination-port 9995
    set firewall family inet filter CA_Access_IN term 4 then accept
    set firewall family inet filter CA_Access_IN term 5 from protocol tcp
    set firewall family inet filter CA_Access_IN term 5 from source-address 192.168.129.24/32
    set firewall family inet filter CA_Access_IN term 5 from source-port 8933
    set firewall family inet filter CA_Access_IN term 5 from destination-address 172.17.1.9/32
    set firewall family inet filter CA_Access_IN term 5 then accept
    set firewall family inet filter CA_Access_IN term 6 from protocol tcp
    set firewall family inet filter CA_Access_IN term 6 from source-address 192.168.129.25/32
    set firewall family inet filter CA_Access_IN term 6 from source-port 3389
    set firewall family inet filter CA_Access_IN term 6 from destination-address 172.17.1.240/32
    set firewall family inet filter CA_Access_IN term 6 from destination-port 3389
    set firewall family inet filter CA_Access_IN term 6 then accept
    set firewall family inet filter CA_Access_IN term 7 from protocol tcp
    set firewall family inet filter CA_Access_IN term 7 from source-address 192.168.129.25/32
    set firewall family inet filter CA_Access_IN term 7 from source-port 3389
    set firewall family inet filter CA_Access_IN term 7 from destination-address 172.17.1.241/32
    set firewall family inet filter CA_Access_IN term 7 from destination-port 3389
    set firewall family inet filter CA_Access_IN term 7 then accept
    set firewall family inet filter CA_Access_IN term 100 then discard
    
    set interfaces vlan.99 family inet filter input CA_Access_IN

    In Junos I find it works better to name the terms rather than number them, as you can move terms up/down and the numbering would then get out of sync and not make sense.

     

    Also, you can optimise the firewall filter by combining terms 6 and 7, as the only difference is the destination address.

    i.e.

     

    set firewall family inet filter CA_Access_IN term 6 from protocol tcp
    set firewall family inet filter CA_Access_IN term 6 from source-address 192.168.129.25/32
    set firewall family inet filter CA_Access_IN term 6 from source-port 3389
    set firewall family inet filter CA_Access_IN term 6 from destination-address 172.17.1.240/32
    set firewall family inet filter CA_Access_IN term 6 from destination-address 172.17.1.241/32
    set firewall family inet filter CA_Access_IN term 6 from destination-port 3389
    set firewall family inet filter CA_Access_IN term 6 then accept

    Tim
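
As an added example that is not part of this thread (it is my code, not Tim's conversion and not anything from Juniper), the script below does the same line-for-line translation as a program and applies both of Tim's suggestions: it names terms instead of numbering them, and it merges adjacent accept terms that differ only in destination address (terms 6 and 7 above) by listing both `destination-address` entries in one term. It goes a little beyond the question: it also handles `deny` lines and `A.B.C.D WILDCARD` sources with contiguous wildcards, and it refuses lines carrying options it cannot translate mechanically (`established`, `log`, `range`) rather than dropping them silently, which is the failure mode that quietly widens a filter. Assumptions: the term-name convention (`allow-udp-sport-snmp`, ...) is my own, port names are passed through unchanged (Junos accepts well-known names such as `snmp`), the explicit final `discard` term mirrors Tim's term 100, and the interface is a parameter written out as `vlan unit 99` rather than parsed from the ACL.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed input: the ACL from the question above, copied as posted.
CISCO_ACL = """
ip access-list extended CA_Access_IN
 permit udp any eq snmp host 172.17.1.6
 permit icmp any any
 permit tcp any host 172.17.1.240 eq 13000
 permit udp host 172.17.7.10 host 172.17.1.13 eq 9995
 permit tcp host 192.168.129.24 eq 8933 host 172.17.1.9
 permit tcp host 192.168.129.25 eq 3389 host 172.17.1.240 eq 3389
 permit tcp host 192.168.129.25 eq 3389 host 172.17.1.241 eq 3389
"""

@dataclass
class Term:
    action: str            # Junos action: "accept" or "discard"
    protocol: str
    src: list = field(default_factory=list)   # prefixes; [] means "any"
    sport: str = None      # number or well-known name (e.g. snmp), kept as in the ACL
    dst: list = field(default_factory=list)
    dport: str = None

def _endpoint(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD' plus an optional 'eq PORT'."""
    addrs, kw = [], tokens.pop(0)
    if kw == "host":
        addrs.append(f"{tokens.pop(0)}/32")
    elif kw != "any":                       # 'A WILDCARD': contiguous wildcards only
        wc = int(ipaddress.IPv4Address(tokens.pop(0)))
        plen = 32 - wc.bit_length()
        if (~wc & 0xFFFFFFFF) != (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF:
            raise ValueError(f"non-contiguous wildcard after {kw} has no CIDR form")
        if plen:                            # a /0 is just "any"
            addrs.append(str(ipaddress.ip_network(f"{kw}/{plen}", strict=False)))
    port = None
    if tokens[:1] == ["eq"]:
        _, port = tokens.pop(0), tokens.pop(0)
    return addrs, port

def parse_acl(text):
    """Return (acl_name, [Term]) from an 'ip access-list extended' block."""
    name, terms = None, []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:3] == ["ip", "access-list", "extended"]:
            name = tok[3]
            continue
        if tok[0] not in ("permit", "deny"):
            raise ValueError(f"unsupported line: {line!r}")
        action, proto, rest = ("accept" if tok[0] == "permit" else "discard"), tok[1], tok[2:]
        src, sport = _endpoint(rest)
        dst, dport = _endpoint(rest)
        if rest:   # 'established', 'log', 'range' ...: refuse rather than drop silently
            raise ValueError(f"unsupported options {rest} in {line!r}")
        terms.append(Term(action, proto, src, sport, dst, dport))
    return name, terms

def consolidate(terms):
    """Merge adjacent terms that differ only in destination addresses (Tim's 6 and 7).
    Junos ORs the addresses within one term, so the merged term matches exactly the
    union. Terms whose sources differ as well stay separate: merging them would also
    permit src1->dst2 cross pairs that the original ACL never allowed."""
    out = []
    for t in terms:
        t = Term(t.action, t.protocol, list(t.src), t.sport, list(t.dst), t.dport)
        p = out[-1] if out else None
        if (p and (p.action, p.protocol, p.src, p.sport, p.dport) ==
                (t.action, t.protocol, t.src, t.sport, t.dport) and p.dst and t.dst):
            p.dst += [a for a in t.dst if a not in p.dst]
        else:
            out.append(t)
    return out

def term_name(t, used):
    """Descriptive, unique term names instead of numbers (Tim's advice above)."""
    parts = ["allow" if t.action == "accept" else "deny", t.protocol]
    parts += [f"sport-{t.sport}"] * bool(t.sport) + [f"dport-{t.dport}"] * bool(t.dport)
    base = "-".join(parts)
    used[base] = used.get(base, 0) + 1                # repeats become name-2, name-3, ...
    return base if used[base] == 1 else f"{base}-{used[base]}"

def to_junos(acl_name, terms, interface="vlan unit 99"):
    """Emit Junos set commands; the interface/unit is an assumed parameter, not parsed."""
    pre, used, lines = f"set firewall family inet filter {acl_name} term", {}, []
    for t in terms:
        tn = term_name(t, used)
        matches = [("protocol", [t.protocol]), ("source-address", t.src),
                   ("source-port", [t.sport] * bool(t.sport)), ("destination-address", t.dst),
                   ("destination-port", [t.dport] * bool(t.dport))]
        lines += [f"{pre} {tn} from {k} {v}" for k, vals in matches for v in vals]
        lines.append(f"{pre} {tn} then {t.action}")
    # Junos already discards unmatched packets; the explicit term documents that
    # and is where you would attach 'count' or 'log' for traffic the filter rejects.
    lines.append(f"{pre} deny-all then discard")
    lines.append(f"set interfaces {interface} family inet filter input {acl_name}")
    return lines
```

Call `to_junos(name, consolidate(terms))` after `parse_acl(CISCO_ACL)` to get the set commands as a list of strings; with consolidation the seven Cisco lines become six Junos terms plus the final discard and the interface binding. `consolidate` only merges neighbouring terms with the same action and the same source, port and protocol matches, so the merged filter permits exactly the same flows as the original; anything looser than that (merging across different sources, or across an intervening deny) would change what the filter allows, which is why the script does not attempt it.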