SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Firewall filter somehow passes traffic not from white list. Can't figure out how.

    Posted 07-28-2014 21:22

    Hi Guys,

    Could you please have a look and tell me what I am doing wrong?
    I need to restrict my dynamic VPN to accept connections only from within New Zealand.


    That's how I do it.

    JUNOS 12.1X46-D10.2 SRX-210

    Created a whitelist for NZ which I generated on https://www.countryipblocks.net/country_selection.php.

    show configuration policy-options prefix-list NZ
    5.10.84.200/29;
    14.1.32.0/19;
    14.1.64.0/19;
    14.128.4.0/22;
    etc.


    Here is a filter:

    > show configuration firewall family inet filter INET-filter
    term allow_NNOV_http {
        from {
            source-prefix-list {
                NNOV;
            }
            protocol tcp;
            destination-port http;
        }
        then accept;
    }
    term reject_unknown_http {
        from {
            source-address {
                0.0.0.0/0;
            }
            destination-port http;
        }
        then {
            discard;
        }
    }
    term allow_NZ_vpn {
        from {
            source-prefix-list {
                NZ;
            }
            destination-port [ 443 1723 53 ];
        }
        then accept;
    }
    term reject_UNKNOWN_vpn {
        from {
            source-address {
                0.0.0.0/0;
            }
            destination-port [ 443 1723 53 ];
        }
        then {
            discard;
        }
    }
    term allow {
        then accept;
    }


    Here is how the filter is attached to the incoming interface:

    > show configuration interfaces at-1/0/0 unit 0 family inet
    filter {
        input INET-filter;
    }
    negotiate-address;
    dhcp {
        update-server;
    }


    And it seems like it is working - I asked my friend from Australia to check and he can't access the login page.

    But somehow I still get alerts from my syslog server like these:


    Date/Time: Jul 18 15:02:01
    KMD_VPN_PV_PHASE1: IKE Phase-1 Failure: No proposal chosen [spi=(null), src_ip=xxx.xxx.xxx.xxx, dst_ip=119.77.157.15]
    IP Address: 192.168.232.1

    Date/Time: Jul 18 08:12:27
    KMD_VPN_PV_PHASE1: IKE Phase-1 Failure: No proposal chosen [spi=(null), src_ip=xxx.xxx.xxx.xxx, dst_ip=106.51.57.5]

    Date/Time: Jul 17 14:17:28
    IKE Phase-1: (Responder) Policy lookup failed [local_ip=xxx.xxx.xxx.xxx remote_ip=80.203.66.238

    That usually happens when someone gets to the login page of the Dynamic VPN.


    Checked the IPs - Norway, India, Taiwan.
    Checked my whitelist - there are no network ranges which could contain these addresses.

    Can't figure out why my filter passes traffic on port 443 from these addresses. Would appreciate some ideas 🙂


    Thanks,
    Leo



  • 2.  RE: Firewall filter somehow passes traffic not from white list. Can't figure out how.

    Posted 07-28-2014 23:25

    Hi Leo,

    You have applied the filter on the input interface; this is not the right way to block this traffic.

    You need to configure the firewall filter on the loopback interface to restrict the IP addresses with the corresponding ports and application.

    Please check the below KB article for RE loopback filter connection.

    https://www.juniper.net/techpubs/software/junos-es/junos-es93/junos-es-swconfig-interfaces-and-routing/configuring-a-routing-engine-firewall-filter-to-protect-against-tcp-and-icmp-floods.html

    http://www.dummies.com/how-to/content/how-to-protect-the-junos-routing-engine.html




  • 3.  RE: Firewall filter somehow passes traffic not from white list. Can't figure out how.

    Posted 07-29-2014 17:41

    Hi Deepakcr,


    Even though I am filtering that on the incoming interface, it still should prevent traffic from getting to the https service. And as Mohamed pointed out, it actually filters it out. I just did not account for IPSEC ports.

    But in general I think you are right - it is recommended practice to filter it on the loopback interface.

    Thank you for your advice.



  • 4.  RE: Firewall filter somehow passes traffic not from white list. Can't figure out how.
    Best Answer

    Posted 07-29-2014 01:30

    Hi,

    You got an alert for IKE, not https. Try to add the IPSEC ports in your filter.

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB5671

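    The point of the accepted answer, illustrated with an added example (it is not part of the thread and not Junos code): a stateless filter is evaluated top to bottom, first match wins, and anything no term matches falls through to the last term. The poster's terms only look at TCP/UDP destination ports 443, 1723 and 53, so IKE (UDP 500, and UDP 4500 for NAT-T) and ESP never match a discard term and are accepted by the final `allow` term, which is why the SRX still logs IKE Phase-1 failures from non-NZ addresses. The simulator below models just the match conditions used in the thread; the NZ list is a constructed sample of the prefixes shown, the NZ test address 14.1.40.1 is constructed, 80.203.66.238 is the remote_ip from the posted syslog line, and the `*_ike` / `*_esp` terms are a hypothetical hardening, not a Juniper-recommended configuration.

```python
"""Toy first-match evaluator for a Junos-style stateless firewall filter.

Added illustration, not Junos code: it models only the conditions used in
the thread (source-prefix-list / source-address, protocol, destination-port),
ANDs the conditions inside a term, stops at the first matching term, and
applies the implicit discard when nothing matches.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a few entries from the NZ prefix-list in the post, not the full list.
NZ = ["5.10.84.200/29", "14.1.32.0/19", "14.1.64.0/19", "14.128.4.0/22"]
ANY = ["0.0.0.0/0"]                           # the poster's "source-address 0.0.0.0/0"


@dataclass
class Term:
    name: str
    action: str                               # "accept" or "discard"
    src: Optional[list] = None                # prefixes; None = no source condition
    protocol: Optional[str] = None            # "tcp" / "udp" / "esp"; None = any
    dports: Optional[set] = None              # None = no destination-port condition


@dataclass
class Packet:
    src: str
    protocol: str
    dport: Optional[int] = None               # ESP carries no port at all


def _in_prefixes(addr: str, prefixes) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


def term_matches(term: Term, pkt: Packet) -> bool:
    """Every configured 'from' condition must hold; a port condition can never match ESP."""
    if term.src is not None and not _in_prefixes(pkt.src, term.src):
        return False
    if term.protocol is not None and term.protocol != pkt.protocol:
        return False
    if term.dports is not None and (pkt.dport is None or pkt.dport not in term.dports):
        return False
    return True


def evaluate(terms, pkt: Packet):
    """Return (term name, action) of the first matching term, else the implicit discard."""
    for t in terms:
        if term_matches(t, pkt):
            return t.name, t.action
    return "implicit", "discard"


VPN_PORTS = {443, 1723, 53}                   # the ports the thread's filter looks at
IKE_PORTS = {500, 4500}                       # IKE and IKE NAT-T (assumed hardening)

# The thread's filter, minus the NNOV http terms, which play no part in the IKE case.
ORIGINAL = [
    Term("allow_NZ_vpn", "accept", src=NZ, dports=VPN_PORTS),
    Term("reject_UNKNOWN_vpn", "discard", src=ANY, dports=VPN_PORTS),
    Term("allow", "accept"),                  # catch-all: everything unmatched is accepted
]

# Hypothetical hardening: classify IKE and ESP explicitly before the catch-all.
HARDENED = ORIGINAL[:2] + [
    Term("allow_NZ_ike", "accept", src=NZ, protocol="udp", dports=IKE_PORTS),
    Term("reject_UNKNOWN_ike", "discard", src=ANY, protocol="udp", dports=IKE_PORTS),
    Term("allow_NZ_esp", "accept", src=NZ, protocol="esp"),
    Term("reject_UNKNOWN_esp", "discard", src=ANY, protocol="esp"),
    ORIGINAL[2],
]


def demo():
    """Evaluate the same packets against both filters; returns {case: (original, hardened)}."""
    norway = "80.203.66.238"                  # remote_ip from the syslog line in the post
    nz = "14.1.40.1"                          # constructed address inside 14.1.32.0/19
    cases = {
        "https from NO": Packet(norway, "tcp", 443),
        "ike from NO": Packet(norway, "udp", 500),
        "ike from NZ": Packet(nz, "udp", 500),
        "esp from NO": Packet(norway, "esp"),
    }
    return {k: (evaluate(ORIGINAL, p), evaluate(HARDENED, p)) for k, p in cases.items()}


if __name__ == "__main__":
    for name, (before, after) in demo().items():
        print(f"{name:14s} original={before}  hardened={after}")
```

    Running it shows HTTPS from the Norwegian address discarded by `reject_UNKNOWN_vpn` in both filters, while IKE and ESP from the same address are accepted by the catch-all `allow` in the original and only discarded once explicit terms precede it. The same fall-through applies to any other protocol the filter does not name, which is why the loopback-filter approach in reply 2 usually ends with an explicit discard rather than an accept.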


  • 5.  RE: Firewall filter somehow passes traffic not from white list. Can't figure out how.

    Posted 07-29-2014 17:34

    Right! Totally got this out of my view. Thanks a lot!!