SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Help configuring an srx for one-to-one NAT with firewall rules

    Posted 02-20-2015 18:27

    I am new to Juniper. Extensive experience with Cisco/Fortinet. I am learning my way around Junos but having some trouble. This should be overly simple, but I am thinking some existing configuration may be stopping my changes from working. I have set static NAT for a web server. This is working, as I have tested "what's my IP" on Google from the server. I cannot seem to get the firewall policy to open up the ports I need (81 and 82) to the web server. I modified the policy for "any" and that still does not work.

     

    My sanitized config is here.

     

    http://paste.ofcode.org/JrDv7r8F4dWr5WXBwbeCSD

     

    The external IP I am NATing is 1.1.1.2 and the internal IP of the web server is 10.0.3.18. I am trying to forward ports 81 and 82 to this host. Using:

     

    nat {
        static {
            rule-set forecastingRS1 {
                from zone untrust;
                rule forecastingR1 {
                    match {
                        destination-address 1.1.1.2/32;
                    }
                    then {
                        static-nat prefix 10.0.3.18/32;
                    }
                }
            }
        }
        proxy-arp {
            interface ge-0/0/3.0 {
                address {
                    1.1.1.2/32;
                }
            }
        }
    }

    policy forecastingpolicy {
        match {
            source-address any;
            destination-address forecastingserver;
            application [ 81 82 ];
        }
        then {
            permit;
        }
    }


  • 2.  RE: Help configuring an srx for one-to-one NAT with firewall rules
    Best Answer

     
    Posted 02-20-2015 21:21

    Hi billy@netswork.us,

     

    Please try placing forecastingpolicy before the any-any policy created for dynamic VPN. You can use the commands below to do this.

     

    edit security policies from-zone untrust to-zone trust

    insert policy forecastingpolicy before policy Internet-Trust

    top

    commit

     

    The packets may be hitting the dynamic-VPN policy instead of forecastingpolicy.

     

    Thanks,

    Suraj

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too

     



  • 3.  RE: Help configuring an srx for one-to-one NAT with firewall rules

    Posted 02-20-2015 21:27

    You, sir... are my hero 🙂

     

    So it applies these policies top-down...



  • 4.  RE: Help configuring an srx for one-to-one NAT with firewall rules

     
    Posted 02-20-2015 21:30

    Yes, Junos does a hierarchical check, from top to bottom.

     

    Thanks,

    Suraj

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
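Added example (not code from the thread, from Juniper, or from any poster): a small first-match model of SRX security-policy evaluation that illustrates both Suraj's fix in reply 2 (moving forecastingpolicy above the any-any dynamic-VPN policy with `insert policy ... before policy ...`) and the top-to-bottom remark in reply 4. It assumes the address-book entry `forecastingserver` resolves to the translated address 10.0.3.18 (on the SRX, static NAT is applied before the policy lookup, so the policy must name the private address, not 1.1.1.2), that `81` and `82` are custom applications for tcp/81 and tcp/82, and that the any-any policy is named Internet-Trust as in the thread; its action terms are not shown in the thread, so only the match order is modelled. The client address 198.51.100.7 is a constructed TEST-NET-2 value.

```python
# Added example, not from the thread or from Juniper: a first-match model of
# SRX security-policy evaluation (policies are tried top to bottom; the first
# policy whose match terms fit decides the session).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


@dataclass(frozen=True)
class Policy:
    name: str
    source: str             # "any" or a CIDR prefix
    destination: str        # "any" or a CIDR prefix
    applications: Set[str]  # application names; {"any"} matches everything
    action: str


def _address_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def first_match(policies: List[Policy], src: str, dst: str, app: str) -> Optional[Policy]:
    """Return the first policy whose source, destination and application all
    match, scanning top to bottom. None models the implicit default deny."""
    for policy in policies:
        if (_address_matches(policy.source, src)
                and _address_matches(policy.destination, dst)
                and ("any" in policy.applications or app in policy.applications)):
            return policy
    return None


def insert_before(policies: List[Policy], name: str, before: str) -> List[Policy]:
    """Model of 'insert policy <name> before policy <before>': the same policies
    in a new order, nothing added or removed."""
    names = [p.name for p in policies]
    if name not in names or before not in names:
        raise ValueError(f"unknown policy: {name!r} or {before!r}")
    moving = policies[names.index(name)]
    rest = [p for p in policies if p.name != name]
    idx = [p.name for p in rest].index(before)
    return rest[:idx] + [moving] + rest[idx:]


# Constructed sample modelled on the thread. Assumption: "forecastingserver"
# resolves to the translated (private) address 10.0.3.18, because static NAT
# is applied before the policy lookup; "81"/"82" are assumed custom
# applications for tcp/81 and tcp/82.
FORECASTING = Policy("forecastingpolicy", "any", "10.0.3.18/32", {"81", "82"}, "permit")
# The any-any policy created for dynamic VPN. The thread does not show its
# action terms, so the action string is a placeholder; only its position
# relative to forecastingpolicy matters here.
INTERNET_TRUST = Policy("Internet-Trust", "any", "any", {"any"}, "dynamic-vpn-action (placeholder)")

ORIGINAL_ORDER = [INTERNET_TRUST, FORECASTING]   # what the poster had
FIXED_ORDER = insert_before(ORIGINAL_ORDER, "forecastingpolicy", "Internet-Trust")


def which_policy(policies: List[Policy], src: str, dst: str, app: str) -> str:
    """Name of the policy a session would hit, or 'default-deny'."""
    match = first_match(policies, src, dst, app)
    return match.name if match else "default-deny"


if __name__ == "__main__":
    client = "198.51.100.7"  # constructed Internet client (TEST-NET-2)
    for label, order in (("original order", ORIGINAL_ORDER), ("after insert", FIXED_ORDER)):
        print(label, [p.name for p in order], "->",
              which_policy(order, client, "10.0.3.18", "81"))
```

With the original order every inbound session to 10.0.3.18 on 81 or 82 is claimed by the any-any policy, so forecastingpolicy is dead configuration; after the reorder the specific policy is evaluated first and the any-any policy still catches everything else, which is the usual "most specific first" layout for a policy list.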