SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Across the internet, basic networking from / to SRX210HX

    Posted 10-28-2011 18:11

    Dear Masters,

    New with Juniper and making progress with it. However, some basic networking functions like web publishing (https on port 443), pinging the SRX across the internet, name resolution from the console, pinging the internet from the console, etc., didn't work yet. I just couldn't think of anything that has not yet been configured for these functions. Here is the full config file:

    ## Last changed: 2011-10-29 20:34:04 EST
    version 11.1R4.4;
    system {
        host-name SRX210HX;
        domain-name mydomain.local;
        time-zone Australia/Melbourne;
        root-authentication {
            encrypted-password "mypassword";
        }
        name-server {
            208.67.222.222;
            208.67.222.220;
        }
        services {
            ssh;
            telnet;
            xnm-clear-text;
            web-management {
                http;
                https {
                    system-generated-certificate;
                }
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 49;
        max-configuration-rollbacks 49;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                description Port4Trust;
                family inet {
                    filter {
                        input filter-based-forwarding;
                    }
                    address 10.20.3.254/24;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                description Port4DMZ1;
                family inet {
                    filter {
                        input filter-based-forwarding;
                    }
                    address 192.168.3.1/26;
                }
            }
        }
        fe-0/0/2 {
            unit 0 {
                description Port4DMZ2;
                family inet {
                    filter {
                        input filter-based-forwarding;
                    }
                    address 192.168.3.65/26;
                }
            }
        }
        fe-0/0/3 {
            unit 0 {
                description Port4DMZ3;
                family inet {
                    filter {
                        input filter-based-forwarding;
                    }
                    address 192.168.3.129/26;
                }
            }
        }
        fe-0/0/4 {
            unit 0 {
                description Port4DMZ4;
                family inet {
                    filter {
                        input filter-based-forwarding;
                    }
                    address 192.168.3.193/26;
                    address 172.16.3.12/24;
                }
            }
        }
        fe-0/0/6 {
            unit 0 {
                description Port4AAPTMel;
                family inet {
                    address 1.1.1.2/30;
                }
            }
        }
        fe-0/0/7 {
            unit 0 {
                description Port4OptusMel;
                family inet {
                    address 2.2.2.2/29;
                }
            }
        }
    }
    routing-options {
        interface-routes {
            rib-group inet isp-instances;
        }
        rib-groups {
            isp-instances {
                import-rib [ inet.0 ISP-1.inet.0 ISP-2.inet.0 ISP-3.inet.0 ISP-4.inet.0 ];
            }
        }
    }
    protocols {
        stp;
    }
    security {
        alg {
            sccp disable;
            sip disable;
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set OUTGOING {
                    from zone [ dmz1 dmz2 dmz3 dmz4 trust ];
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
            destination {
                pool DNATTest {
                    address 192.168.3.66/32 port 443;
                }
                rule-set DNATTest {
                    from interface fe-0/0/7.0;
                    rule DNATTest {
                        match {
                            destination-address 2.2.2.3/32;
                        }
                        then {
                            destination-nat pool DNATTest;
                        }
                    }
                }
            }
            proxy-arp {
                interface fe-0/0/7.0 {
                    address {
                        2.2.2.3/32;
                    }
                }
            }
        }
        policies {
            from-zone dmz2 to-zone untrust {
                policy dmz2-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone dmz4 to-zone untrust {
                policy dmz4-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone dmz2 {
                policy ISP2-http-incoming {
                    match {
                        source-address any;
                        destination-address web-server;
                        application [ junos-https junos-http ];
                    }
                    then {
                        permit;
                    }
                }
            }
            default-policy {
                permit-all;
            }
        }
        zones {
            security-zone dmz2 {
                address-book {
                    address web-server 192.168.3.66/32;
                }
                interfaces {
                    fe-0/0/2.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone trust {
                tcp-rst;
                address-book {
                    address mail-server 10.20.3.5/32;
                }
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone untrust {
                interfaces {
                    fe-0/0/6.0;
                    fe-0/0/7.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                            }
                        }
                    }
                }
            }
            security-zone dmz1 {
                interfaces {
                    ge-0/0/1.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone dmz4 {
                interfaces {
                    fe-0/0/4.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone dmz3 {
                interfaces {
                    fe-0/0/3.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                        }
                    }
                }
            }
        }
    }
    firewall {
        family inet {
            filter filter-based-forwarding {
                term jweb {
                    from {
                        destination-address {
                            10.20.3.254/32;
                            192.168.3.1/32;
                            192.168.3.65/32;
                            192.168.3.129/32;
                            192.168.3.193/32;
                        }
                    }
                    then accept;
                }
                term VoIP {
                    from {
                        source-address {
                            172.16.3.242/32;
                        }
                    }
                    then {
                        routing-instance ISP-1;
                    }
                }
                term Subnet-10.20.3.0-ISP-1 {
                    from {
                        source-address {
                            10.20.3.0/24;
                        }
                    }
                    then {
                        routing-instance ISP-1;
                    }
                }
                term DMZ2-ISP-2 {
                    from {
                        source-address {
                            192.168.3.64/26;
                        }
                    }
                    then {
                        routing-instance ISP-2;
                    }
                }
                term default {
                    then accept;
                }
            }
        }
    }
    routing-instances {
        ISP-1 {
            description AAPTMel;
            instance-type forwarding;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop 1.1.1.1;
                }
            }
        }
        ISP-2 {
            description OptusMel;
            instance-type forwarding;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop 2.2.2.1;
                }
            }
        }
        ISP-3 {
            description PacNetMel;
            instance-type forwarding;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop 3.3.3.1;
                }
            }
        }
        ISP-4 {
            description PacNetVoIP;
            instance-type forwarding;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop 4.4.4.1;
                }
            }
        }
    }
    applications {
        application junos-ssh inactivity-timeout never;
    }

    Could you please shed some light on it.

    Many thanks,

    Bob



  • 2.  RE: Across the internet, basic networking from / to SRX210HX
    Best Answer

    Posted 10-29-2011 04:20

    Hi Bob,

    To address your issues in order:

    - web publishing (https on port 443)

    You'll need to change the port that web-management is running on before you can port forward 443.  Use something like:

    set system services web-management https port 8443

    - Ping SRX across the internet

    - name resolution from the console, ping internet from console

    From the looks of your config, only port fe-0/0/7 will respond to ping (Port4OptusMel).  You need to make sure that the host-inbound-traffic is configured under each interface, or globally for the zone.  If it is configured for both, the services you enable for a specific interface will override the zone settings:

    set security zones security-zone untrust host-inbound-traffic system-services ping

    Another issue that will be causing the ping to fail is your routing - you have 4 default routes configured, but none of them is present in the inet.0 global routing table - this is the table that the Routing Engine uses to send the ping response and by the looks of your config it doesn't have a default route in it.  

    This will also be the cause of your next issue - name resolution won't work because you have no route in inet.0 to the two DNS servers you have configured, and similarly pinging the internet from the SRX will fail.

    Set a default route out one of your ISPs in the global table to confirm this (it won't affect your filter-based forwarding configuration):

    set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1

    Just be aware that for inbound ICMP to the SRX if the request comes in on an interface that is not the same as your active default route, the flow engine will most likely drop the return packet because it doesn't match the existing session.

    Hope this helps



  • 3.  RE: Across the internet, basic networking from / to SRX210HX

    Posted 10-29-2011 17:27

    You are a super star for sure, dfex

    Thank you very much for your detailed reply.

    All are working based on your solution with a minor issue:

    Web publishing requires changing all the default ports on the SRX. I had experience of using Draytek devices, and a similar process is needed to have internal servers published with their management ports (http, https, ftp, ssh and telnet). My question is how do you change the SRX ssh access if ssh access to an internal server is needed? Web management on http/https can be changed, but the rest may not be.

    Thanks again and it really helps.

    Bob



  • 4.  RE: Across the internet, basic networking from / to SRX210HX

    Posted 10-30-2011 15:49

    Hi Bob,

    Thanks for the kudos - glad it solved your issues.

    With regards to port-forwarding (or publishing) - you are correct, services like SSH ports aren't adjustable in Junos.

    Usually what I do in these situations is "publish" a higher port (say 8022) and forward that to 22 on the internal host.  This also helps in situations where you need to map multiple identical services through to different internal services.

    It has the added side-benefit of dodging most of the bot-generated SSH traffic that seeks out public IPs with port 22 open.

    Hope this helps

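    Added example, not part of the thread: the three fixes from the accepted answer (reply 2) together with the high-port SSH publishing described in reply 4, written as set commands against Bob's posted config. The host 192.168.3.66, the public address 2.2.2.3, the rule-set DNATTest and the address-book entry web-server come from the posted config; the pool and policy names DNAT-SSH and ISP2-ssh-incoming, the next-hop choice and the port 8022 are assumptions for illustration.

```junos
## Added example (not from the thread). Assumed names: DNAT-SSH, ISP2-ssh-incoming.

## 1. Move the SRX's own HTTPS listener off 443 so that port can be forwarded.
set system services web-management https port 8443

## 2. Answer ping on every untrust interface, not only fe-0/0/7 (zone-level setting).
set security zones security-zone untrust host-inbound-traffic system-services ping

## 3. Give inet.0 a default route so Routing Engine traffic (ping replies, DNS lookups)
##    has a path out. The FBF instances ISP-1..ISP-4 are not consulted for it.
##    Assumption: ISP-1 (1.1.1.1) is the preferred exit.
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1

## 4. The existing DNATTest rule matches every port on 2.2.2.3 and rewrites it to 443,
##    so it would swallow the SSH rule below. Restrict it to 443 first.
set security nat destination rule-set DNATTest rule DNATTest match destination-port 443

## 5. Publish SSH on 8022 and translate it to 22 on the web server (reply 4).
set security nat destination pool DNAT-SSH address 192.168.3.66/32 port 22
set security nat destination rule-set DNATTest rule DNAT-SSH match destination-address 2.2.2.3/32
set security nat destination rule-set DNATTest rule DNAT-SSH match destination-port 8022
set security nat destination rule-set DNATTest rule DNAT-SSH then destination-nat pool DNAT-SSH

## 6. Policies are evaluated after destination NAT, so the permit must match the
##    translated destination (web-server, port 22 = junos-ssh), not 2.2.2.3:8022.
set security policies from-zone untrust to-zone dmz2 policy ISP2-ssh-incoming match source-address any
set security policies from-zone untrust to-zone dmz2 policy ISP2-ssh-incoming match destination-address web-server
set security policies from-zone untrust to-zone dmz2 policy ISP2-ssh-incoming match application junos-ssh
set security policies from-zone untrust to-zone dmz2 policy ISP2-ssh-incoming then permit

## Verify after commit:
##   show security nat destination rule all
##   show security flow session destination-port 22
```

    Note that the posted config ends with default-policy permit-all, so the explicit ISP2-ssh-incoming policy only restricts anything once that is changed to deny-all; with permit-all every translated port is reachable regardless of policy.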


  • 5.  RE: Across the internet, basic networking from / to SRX210HX

    Posted 10-30-2011 16:11

    Thanks heaps, dfex,

    Now I know how to deal with it.

    Cheers,

    Bob