SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Security policy doesn't work

    Posted 02-28-2012 05:22

    Hi.

    I have a problem. When I configure policy all_temp, I can connect from the Internet to address x.x.157.24 on port 80:

    root@ROUTER_TOP# show security policies from-zone untrust to-zone trust policy all_temp
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
    }

    If I deactivate this rule and configure as below, I can't connect to port 80 on address x.x.157.24:

    root@ROUTER_TOP# show security policies from-zone untrust to-zone trust policy TO_157_24
    match {
        source-address any;
        destination-address 157.24;
        application [ WWW junos-http ];
    }
    then {
        permit;
    }

    [edit applications application WWW]
    root@ROUTER_TOP# show
    protocol tcp;
    destination-port 80;

    root@ROUTER_TOP# show security zones security-zone trust address-book address 157.24
    x.x.157.24/32;

    What is the difference? If I configure permit all, I can connect. If I try to configure permit traffic to 157_24 port 80, I can't connect.

     

    Thanks!



  • 2.  RE: Security policy doesn't work

    Posted 02-28-2012 08:01

    Hello,

    Can you please check your NAT policy for this particular trust-zone IP address? You can also enable logging on this new policy (then log session-init session-close) and count, to see if the incoming traffic is getting processed by this policy.

    Regards

    Satya



  • 3.  RE: Security policy doesn't work
    Best Answer

    Posted 02-28-2012 13:03

    So x.x.157.24/32 is your public IP address, right?

    Just one simple question: are you doing NAT?

    If yes, then you have to use the private address within security policies, as NAT is processed before security policies and your destination IP address has already been changed to the private one by the time the box reaches security-policy matching.

    Assuming your inside host is 10.0.0.10/32:

    set security zones security-zone trust address-book address 10.0.0.10 10.0.0.10/32

    And the security policy:

    match {
        source-address any;
        destination-address 10.0.0.10;
        application junos-http;
    }
    then {
        permit;
    }


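The point of the accepted answer, and of the logging/count suggestion in reply 2, as an added example that is not part of the original thread: on an SRX, destination NAT runs before the security-policy lookup, so a policy toward a NATed server must match the translated (private) address, and the counters and session table are how you confirm which address the policy actually saw. Everything below is assumed for illustration: the public address is written 203.0.113.24 as a stand-in for the poster's x.x.157.24, the server is 10.0.0.10 in zone trust, and the pool, rule-set, rule, address-book and policy names are made up.

```junos
## Added example, not the poster's configuration. Assumed: ge-0/0/0.0 is in zone untrust,
## 203.0.113.24 stands in for the public address, 10.0.0.10 is the web server in zone trust.

## 1. Destination NAT pool: the private address the public address is translated to.
set security nat destination pool WEB-SERVER-POOL address 10.0.0.10/32 port 80

## 2. Destination NAT rule: packets from zone untrust for 203.0.113.24:80 get their
##    destination rewritten to 10.0.0.10:80 BEFORE any security policy is consulted.
set security nat destination rule-set FROM-INET from zone untrust
set security nat destination rule-set FROM-INET rule TO-WEB match destination-address 203.0.113.24/32
set security nat destination rule-set FROM-INET rule TO-WEB match destination-port 80
set security nat destination rule-set FROM-INET rule TO-WEB then destination-nat pool WEB-SERVER-POOL

## 3. Address-book entry for the PRIVATE address, in the zone the server lives in.
##    An entry holding the public address here would never match post-NAT traffic.
set security zones security-zone trust address-book address WEB-SERVER 10.0.0.10/32

## 4. The policy matches the post-NAT destination. Logging and counting are on so the
##    policy's own counters show whether traffic reaches it (reply 2's suggestion).
set security policies from-zone untrust to-zone trust policy TO-WEB-SERVER match source-address any
set security policies from-zone untrust to-zone trust policy TO-WEB-SERVER match destination-address WEB-SERVER
set security policies from-zone untrust to-zone trust policy TO-WEB-SERVER match application junos-http
set security policies from-zone untrust to-zone trust policy TO-WEB-SERVER then permit
set security policies from-zone untrust to-zone trust policy TO-WEB-SERVER then log session-init session-close
set security policies from-zone untrust to-zone trust policy TO-WEB-SERVER then count
commit

## Verification, in operational mode. The NAT rule's translation hits should rise on each
## connection, the session should list destination 10.0.0.10 with policy TO-WEB-SERVER,
## and the policy detail should show non-zero counters.
show security nat destination rule all
show security flow session destination-prefix 10.0.0.10
show security policies policy-name TO-WEB-SERVER detail
```

Two things worth checking when copying this shape: `junos-http` already covers TCP/80, so a custom application duplicating it (the poster's `WWW`) adds nothing and only widens the match list; and if the public address is not the interface's own address, the SRX must also answer ARP for it (`set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.24/32`), otherwise the upstream router never forwards the traffic in the first place and the policy never gets a chance to match.
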

  • 4.  RE: Security policy doesn't work

    Posted 02-28-2012 21:50

    Yes, 157.24 is the public address. I configured the policy with the private address, and NAT works.

    Thanks.