SRX


  • 1.  How to make web server with a public ip accessible from inside the LAN

    Posted 10-17-2013 16:37

    I can reach the web server from outside our network, but can't reach it from inside. The web server has an external IP assigned.

     

    ## Last commit: 2013-10-17 23:22:06 UTC by root
    /* Junos release this configuration was taken from; an old train, so
       check its support/EOL status with the vendor before relying on it. */
    version 9.6R1.13;
    system {
        host-name sz-pipe;
        /* Empty in this paste: the root credential was presumably stripped
           before posting (Junos normally refuses to commit without a
           root-authentication entry). Configure a hashed password or an
           SSH key here. */
        root-authentication {
    
        }
        services {
            ssh;
            /* J-Web over plain HTTP: management logins cross the wire in
               cleartext. Prefer https (system-services https is already
               allowed on fe-0/0/5.0 in zone trust) and keep web management
               off the public-facing interfaces. */
            web-management {
                http;
            }
        }
        syslog {
            /* Logged-in users are only shown emergency-level messages. */
            user * {
                any emergency;
            }
            /* 'messages' keeps critical events plus login/authorization
               events at info. No remote syslog host is configured, so every
               log lives on the device only. */
            file messages {
                any critical;
                authorization info;
            }
            /* CLI activity is recorded only at severity error and above;
               routine command history is not kept. */
            file interactive-commands {
                interactive-commands error;
            }
        }
        /* Keep five committed configurations and five rollbacks on flash. */
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        /* Automatic license retrieval from Juniper over HTTPS. */
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    interfaces {
        /* ge-0/0/0 through fe-0/0/4 are layer-2 switch ports in the default
           VLAN (see 'vlans' below); their IP gateway is vlan.0. */
        ge-0/0/0 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching;
            }
        }
        fe-0/0/2 {
            unit 0 {
                family ethernet-switching;
            }
        }
        fe-0/0/3 {
            unit 0 {
                family ethernet-switching;
            }
        }
        fe-0/0/4 {
            unit 0 {
                family ethernet-switching;
            }
        }
        /* Routed LAN segment, placed in zone trust. */
        fe-0/0/5 {
            unit 0 {
                family inet {
                    address 192.168.0.1/24;
                }
            }
        }
        /* Public /29 segment, placed in zone server; the web server with its
           own public address presumably sits here (addresses redacted by the
           poster). */
        fe-0/0/6 {
            unit 0 {
                family inet {
                    address 37.xx.xx.137/29;
                }
            }
        }
        /* ISP /30 uplink, placed in zone untrust; the default route points
           out of this interface. */
        fe-0/0/7 {
            unit 0 {
                family inet {
                    address 83.xx.xx.38/30;
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 127.0.0.1/32;
                }
            }
        }
        /* Layer-3 interface for the default VLAN: a second trust segment. */
        vlan {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
        }
    }
    routing-options {
        /* Everything not directly connected goes to the ISP next hop on the
           fe-0/0/7 /30. The /29 on fe-0/0/6 and the 192.168.x.x nets are
           directly connected and need no static routes. */
        static {
            route 0.0.0.0/0 next-hop 83.xx.xx.37;
        }
    }
    security {
        nat {
            source {
                /* Interface-based source NAT for trust -> untrust only. There
                   is no rule-set for trust -> server, so hosts on the
                   192.168.x.x nets reach the server segment with their
                   private source addresses untranslated; the server's own
                   firewall has to accept those addresses. */
                rule-set interface-nat {
                    from zone trust;
                    to zone untrust;
                    rule rule1 {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
            /* NOTE: the closing brace for 'nat' is missing in this paste; as
               written, screen/zones/policies would nest under 'nat' and the
               file would not load. Presumably lost when other NAT content
               was trimmed from the post. */
    
        /* Basic L3/L4 screens. Applied to zone untrust only (below); zone
           server also sits on public addresses but carries no screen. */
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        queue-size 2000;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        zones {
            security-zone trust {
                tcp-rst;
                /* Zone-wide: the SRX itself accepts every system service on
                   any trust interface, including vlan.0. Prefer listing only
                   the services needed, as is done per-interface below. */
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
                interfaces {
                    /* Per-interface list, which takes precedence over the
                       zone list on this interface. telnet and http are
                       cleartext management protocols; ssh and https already
                       cover the same need. */
                    fe-0/0/5.0 {
                        host-inbound-traffic {
                            system-services {
                                http;
                                https;
                                ssh;
                                telnet;
                                dhcp;
                            }
                        }
                    }
                    fe-0/0/2.0;
                    fe-0/0/3.0;
                    fe-0/0/4.0;
                    ge-0/0/0.0;
                    ge-0/0/1.0;
                    vlan.0;
                    lo0.0;
                }
            }
            /* ISP uplink only. No host-inbound-traffic here, so the SRX
               accepts no management or services from the Internet. */
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    fe-0/0/7.0;
                }
            }
            /* Public /29 segment. No host-inbound-traffic (appropriate for a
               DMZ-style zone) and no screen. */
            security-zone server {
                interfaces {
                    fe-0/0/6.0;
                }
            }
        }
        policies {
            /* Intra-zone trust: fully open. */
            from-zone trust to-zone trust {
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            /* LAN -> server segment, all applications; not source-NATed
               (see the rule-set above). */
            from-zone trust to-zone server {
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            /* Server segment -> LAN, any/any. A compromised web server would
               have unrestricted reach into the internal nets; this is the
               direction most worth tightening (limit to the flows the server
               actually needs, or deny). */
            from-zone server to-zone trust {
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            /* LAN -> Internet, any/any, with interface source NAT. */
            from-zone trust to-zone untrust {
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            /* Internet -> server segment from any source on any application:
               every host on the /29 is reachable on every port. Restrict
               destination-address to the web server and application to
               junos-http/junos-https (plus whatever else is published). */
            from-zone untrust to-zone server {
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            /* Internet -> LAN explicitly denied (matches the implicit
               default). None of the policies here has 'log' or 'count', so
               permitted and denied sessions are not recorded anywhere. */
            from-zone untrust to-zone trust {
                policy default-deny {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        deny;
                    }
                }
            }
        }
    }
    vlans {
        /* Default VLAN (vlan-id 1): the five switch ports are bridged
           together, with vlan.0 (192.168.1.1/24, zone trust) as their
           layer-3 gateway. No other VLANs are defined. */
        default {
            vlan-id 1;
            interface {
                ge-0/0/0.0;
                ge-0/0/1.0;
                fe-0/0/2.0;
                fe-0/0/3.0;
                fe-0/0/4.0;
            }
            l3-interface vlan.0;
        }
    }
    

     



  • 2.  RE: How to make web server with a public ip accessible from inside the LAN

    Posted 10-17-2013 22:12

    Hi, 

    The config looks fine; there is just one point I am unsure about.

    Is the server reachable via interface fe-0/0/6? I see that the NAT rule is from trust to untrust, not to zone server.

    Maybe you can try configuring that NAT rule from trust to server.

     

    The best thing is to run security flow traceoptions.

     

    root#set security flow traceoptions file flowtrace.txt 

    root#set security flow traceoptions flag all

    root#set security flow traceoptions packet-filter P1 source-prefix x.x.x.x (inside IP address) destination-prefix y.y.y.y (server public IP address)

    root#set security flow traceoptions packet-filter P2 source-prefix y.y.y.y (server IP address)

     

    Upload that flow trace and I will have a look.

     



  • 3.  RE: How to make web server with a public ip accessible from inside the LAN
    Best Answer

    Posted 10-18-2013 14:50

    Thank you for your help. The problem was this line in the pf firewall on the web server; because there is no source NAT from zone trust to zone server, LAN clients arrive on the server's public interface with their 192.168.x.x source addresses, which fail pf's reverse-path (urpf) check:

     

    block in quick from urpf-failed