SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Help needed configuring SRX100

    Posted 09-19-2012 08:36

    Hey guys, I'm in desperate need of help properly configuring an SRX100. I've got it routing, at least, which is an achievement for me, but I also need to be able to accept SSH and HTTP/HTTPS connections for remote management. I would also need to be able to port forward 1723 to an internal server, which is something I have yet to start messing with. Can someone take a look at the attached config file and tell me what I'm doing wrong?

    Attachment: srx100config.txt


  • 2.  RE: Help needed configuring SRX100

    Posted 09-19-2012 10:57

    You should be able to manage the device with HTTP/HTTPS and SSH from the inside. From the outside you permitted access for HTTP/HTTPS, but the web server runs only on vlan.0, not on fe-0/0/0. So no web management from the outside.

    For the port forwarding: you need to configure a destination NAT for that, and a policy to allow the traffic.

    This would be a good start I think: http://kb.juniper.net/InfoCenter/index?page=content&id=TN81&actp=LIST



  • 3.  RE: Help needed configuring SRX100

    Posted 09-19-2012 16:13

    Under NAT add

    destination {
        pool INTERNAL_SERVER_1723 {
            address 192.168.1.10/32 port 1723;
        }
        rule-set PAT_FROM_UNTRUST_TO_TRUST {
            from zone untrust;
            rule INT_SRV_1723 {
                match {
                    ################ make this IP address your WAN interface IP address
                    destination-address xxx.xxx.xxx.xx7/32;
                    destination-port 1723;
                    ################ protocol keyword is lowercase; use tcp or udp to match your service
                    protocol tcp;
                }
                then {
                    destination-nat pool INTERNAL_SERVER_1723;
                }
            }
        }
    }

     

    and you will need to add a policy

    from-zone untrust to-zone trust {
        policy WAN_SSL_ALLOW {
            match {
                source-address any;
                ################ must be the name of an address-book entry in the trust zone, not a bare IP
                destination-address 192.168.1.10;
                ################ policy lookup happens after destination NAT, so the application port is the pool port (1723)
                application MYAPP_1723;
            }
            then {
                permit;
            }
        }
    }

     and you will need to add a custom application

     

    applications {
        application MYAPP_1723 {
            ############ protocol/port must match the NAT pool (tcp/1723 here)
            protocol tcp;
            destination-port 1723;
        }
    }

     

     

    Have a look at my standard forum SRX config. (attached)

  • 4.  RE: Help needed configuring SRX100

    Posted 09-20-2012 09:14

    Hey guys, I really appreciate all the help so far. I have very little experience with these enterprise class security devices, but the help here and the various guides and books are allowing me to slowly get a grip on this thing.

    I'm under a tremendous amount of pressure to get this working the way my company needs it to work (at least for now) and that's not helping any, but I've got SSH working so I'm at it from home today. Unfortunately, even though I enabled web-management, I can't get that to work, so I'm stuck using the CLI.

    I would really, really appreciate it if one of you gurus would look over my config and see what I'm doing wrong. Like I said, HTTP/HTTPS web management doesn't work (gives a 403), and I still can't get PPTP through it to our server, so I need advice on how to fix this using the CLI (or enough to get me up and running with J-Web).

    Attachment: pptpconfig.txt


  • 5.  RE: Help needed configuring SRX100
    Best Answer

    Posted 09-21-2012 02:43

    Hi,

     

    Firstly, HTTPS access is enabled on vlan.0, but this VLAN has no interfaces associated with it. Can you add this:

    vlans {
        vlan-trust {
            vlan-id 3;
            interface {
                fe-0/0/1.0;
            }
            l3-interface vlan.0;
        }
    }

     I use fe-0/0/1.0.  Change to whatever interface is connected to your internal switching / devices.

     

     

    Your Destination NAT is also incorrect as it does not specify the external WAN interface as suggested above by johnrbaker.

     

    destination {
        pool Our_nat_pool {
            address 192.168.1.250/32; ## INTERNAL SERVER
        }
        rule-set Our_vpn_ruleset {
            from zone untrust;
            rule Our_vpn_rule {
                match {
                    destination-address 222.222.222.178/32; ## WAN Interface
                    destination-port 1723;
                }
                then {
                    destination-nat pool Our_nat_pool;
                }
            }
        }
    }
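    The pieces from replies 3 and 5 (a LAN port in the VLAN behind vlan.0, a destination NAT rule keyed on the WAN address, an address-book entry, and a policy whose application port equals the pool port) combined into one set-format fragment, as an added example that is not from the thread or any attachment. The WAN address 203.0.113.7, the server 192.168.1.250, the LAN port fe-0/0/1 and all object names are assumed placeholders.

```junos
## Added example, not from the thread. Assumed values: WAN IP 203.0.113.7/32 on
## fe-0/0/0.0, internal PPTP server 192.168.1.250, LAN port fe-0/0/1.

## 1. Give vlan.0 a member port, otherwise web-management on vlan.0 is unreachable.
set vlans vlan-trust vlan-id 3
set vlans vlan-trust interface fe-0/0/1.0
set vlans vlan-trust l3-interface vlan.0
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services https
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services ssh

## 2. Destination NAT: match the WAN interface address and tcp/1723, translate
##    to the internal server. The policy is evaluated after this translation.
set security nat destination pool PPTP_SERVER address 192.168.1.250/32 port 1723
set security nat destination rule-set FROM_UNTRUST from zone untrust
set security nat destination rule-set FROM_UNTRUST rule PPTP match destination-address 203.0.113.7/32
set security nat destination rule-set FROM_UNTRUST rule PPTP match destination-port 1723
set security nat destination rule-set FROM_UNTRUST rule PPTP match protocol tcp
set security nat destination rule-set FROM_UNTRUST rule PPTP then destination-nat pool PPTP_SERVER

## 3. The policy references an address-book name (not a bare IP) for the
##    post-NAT destination, and an application on the pool port 1723.
set security zones security-zone trust address-book address PPTP_SERVER_HOST 192.168.1.250/32
set applications application PPTP_1723 protocol tcp
set applications application PPTP_1723 destination-port 1723
set security policies from-zone untrust to-zone trust policy ALLOW_PPTP match source-address any
set security policies from-zone untrust to-zone trust policy ALLOW_PPTP match destination-address PPTP_SERVER_HOST
set security policies from-zone untrust to-zone trust policy ALLOW_PPTP match application PPTP_1723
set security policies from-zone untrust to-zone trust policy ALLOW_PPTP then permit

## Verify after commit (operational mode):
##   show security nat destination rule all          (translation hit counter on rule PPTP)
##   show security flow session destination-port 1723
##   show security policies                          (ALLOW_PPTP present from untrust to trust)
```

    PPTP carries its data channel over GRE (IP protocol 47), which a port-1723 NAT rule alone does not cover; check `show security alg status` to confirm the PPTP ALG is enabled, since it is what opens the GRE session for the forwarded connection.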