SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Blocking RDP

    Posted 03-26-2015 09:17

    Working on configuring my first SRX100. I come from a Cisco background, and I am having a little trouble figuring this out. I have a new Zone created named Data. The Data Zone will have one server on it. I would like all services allowed on the Data Zone except RDP to that server. So I created a new application named MSFT_RDP with TCP 3389. I then created two new Policies for that Zone; they are listed below. I can still RDP even with the policy applied. Any help would be greatly appreciated.

    Aaron

    from-zone Data to-zone Data {
        policy Data_To_Server_RDP_Deny {
            match {
                source-address any;
                destination-address CPARK_SERVER;
                application MSFT_RDP;
            }
            then {
                deny;
            }
        }
        policy DATA_TO_DATA_PERMIT {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }


  • 2.  RE: Blocking RDP
    Best Answer

    Posted 03-26-2015 09:40
    Your policy is from Data zone to Data zone? Are you doing RDP to the server from the same LAN where the server is located? If that's the case, the packet will not come to the SRX, I believe.
    If you are connecting from some other zones, then we need to reconfigure the policy with the correct from-zone.


  • 3.  RE: Blocking RDP

    Posted 03-26-2015 09:50

    Yes, they are on the same LAN. How would one accomplish the interzone deny then? I know it's as simple as an extended ACL in Cisco, but with JUNOS I am lost.



  • 4.  RE: Blocking RDP

    Posted 03-26-2015 10:30
    When they are on the same LAN, how is it reaching the SRX? It will be communicating directly via the L2 switch? Are you using any destination NAT?


  • 5.  RE: Blocking RDP

    Posted 03-26-2015 10:37

    ROS setup with a Cisco Switch trunked to that interface. I guess the best way would be to create an ACL on the Catalyst switch then. Thank you for your help.



  • 6.  RE: Blocking RDP

    Posted 03-26-2015 10:43
    Please use the policy hit count command as in the URL below to confirm if packets hit the SRX.

    http://www.juniper.net/documentation/en_US/junos12.1/topics/reference/command-summary/show-security-policies-hit-count.html


  • 7.  RE: Blocking RDP

    Posted 03-26-2015 11:36

    Currently I have no policies applied and I can ping and RDP, so it does appear to not use the SRX policies on an intrazone basis.



  • 8.  RE: Blocking RDP

    Posted 03-26-2015 11:59
    An intrazone policy is required if we have different ingress and egress interfaces that are part of the same zone. In your case I think it's the same interface.
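    The two points made in replies 2 and 8 (same-subnet hosts never traverse the SRX, and intrazone policies only matter when ingress and egress interfaces differ) can be shown with a small model of the SRX lookup. The script below is an added example, not Junos code and not anything from the original thread: it keeps the poster's Data-to-Data policies, adds a hypothetical trust-to-Data pair for the zone clients would actually come from, and uses constructed subnets, a constructed CPARK_SERVER address and a constructed second Data subnet so the intrazone case can be exercised.

```python
"""Model of SRX zone-based security policy lookup (added example, not Junos code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample: zones and the subnets behind each SRX sub-interface.
# The second Data subnet is a hypothetical addition so the intrazone case
# (different ingress/egress interfaces, same zone) can be demonstrated.
ZONES = {
    "Data": [ipaddress.ip_network("10.10.10.0/24"), ipaddress.ip_network("10.10.20.0/24")],
    "trust": [ipaddress.ip_network("192.168.1.0/24")],
}

# Address book: CPARK_SERVER is the thread's name, the address is constructed.
ADDRESSES = {"CPARK_SERVER": ipaddress.ip_network("10.10.10.10/32")}

# Custom application from the thread: MSFT_RDP = TCP/3389.
APPLICATIONS = {"MSFT_RDP": ("tcp", 3389)}


@dataclass(frozen=True)
class Policy:
    from_zone: str
    to_zone: str
    name: str
    source: str        # address-book name or "any"
    destination: str   # address-book name or "any"
    application: str   # application name or "any"
    action: str        # "permit" or "deny"


POLICIES = [
    # The poster's original Data -> Data pair.
    Policy("Data", "Data", "Data_To_Server_RDP_Deny", "any", "CPARK_SERVER", "MSFT_RDP", "deny"),
    Policy("Data", "Data", "DATA_TO_DATA_PERMIT", "any", "any", "any", "permit"),
    # Hypothetical pair for the zone clients actually connect from (reply 2's point).
    Policy("trust", "Data", "Trust_To_Server_RDP_Deny", "any", "CPARK_SERVER", "MSFT_RDP", "deny"),
    Policy("trust", "Data", "TRUST_TO_DATA_PERMIT", "any", "any", "any", "permit"),
]


def subnet_of(ip: ipaddress.IPv4Address) -> Optional[ipaddress.IPv4Network]:
    """Return the directly attached subnet (i.e. the SRX interface) an address sits on."""
    for nets in ZONES.values():
        for net in nets:
            if ip in net:
                return net
    return None


def zone_of(ip: ipaddress.IPv4Address) -> Optional[str]:
    """Return the security zone of the interface whose subnet contains ip."""
    for zone, nets in ZONES.items():
        if any(ip in net for net in nets):
            return zone
    return None


def address_matches(name: str, ip: ipaddress.IPv4Address) -> bool:
    return name == "any" or ip in ADDRESSES[name]


def application_matches(name: str, proto: str, port: int) -> bool:
    return name == "any" or APPLICATIONS[name] == (proto, port)


def evaluate(policies, src: str, dst: str, proto: str, port: int) -> Tuple[str, Optional[str]]:
    """Return (action, policy_name) for a flow, or ("not-seen-by-srx", None)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Same subnet: the L2 switch forwards the frame host-to-host; the SRX never
    # sees it, so no security policy (and no hit counter) is ever consulted.
    if subnet_of(src_ip) == subnet_of(dst_ip):
        return ("not-seen-by-srx", None)
    from_zone, to_zone = zone_of(src_ip), zone_of(dst_ip)
    # Routed traffic: first match, top-down, within the (from-zone, to-zone) context.
    # When both interfaces are in the same zone this is the intrazone case of reply 8.
    for p in policies:
        if (p.from_zone, p.to_zone) != (from_zone, to_zone):
            continue
        if (address_matches(p.source, src_ip)
                and address_matches(p.destination, dst_ip)
                and application_matches(p.application, proto, port)):
            return (p.action, p.name)
    # No policy in that context matched: Junos default-policy is deny-all.
    return ("deny", "default-policy")


if __name__ == "__main__":
    flows = [
        ("10.10.10.50", "10.10.10.10", "tcp", 3389),   # same LAN: never reaches the SRX
        ("192.168.1.20", "10.10.10.10", "tcp", 3389),  # from trust: denied by the RDP policy
        ("192.168.1.20", "10.10.10.10", "tcp", 22),    # from trust: permitted by the catch-all
        ("10.10.20.5", "10.10.10.10", "tcp", 3389),    # second Data subnet: intrazone deny
    ]
    for flow in flows:
        print(flow, "->", evaluate(POLICIES, *flow))
```

    Run as-is, the first flow reports that the SRX never evaluates it, which is exactly what the hit counters from reply 6 would show; only once a client sits behind a different SRX interface does any policy, intrazone or interzone, come into play.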


  • 9.  RE: Blocking RDP

    Posted 03-26-2015 12:04

    Due to the Router on a Stick config then? It must only be unicasting the RDP session to the computer on the same L2 switch then, thus never reaching the SRX.