SRX Services Gateway
GRJ
Contributor
Posts: 43
Registered: ‎08-08-2012
0

NAT and security policies etc.

Hello,

 

I am having trouble understanding destination NAT.

 

As I read everywhere, NAT is not subject to security rules; is that correct?

 

I just want to create a publishing rule from a public IP, i.e. 130.185.128.146, to 10.3.1.113.

 

I have tried the example: http://www.juniper.ie/techpubs/en_US/junos11.4/information-products/topic-collections/security/softw...

 

That does not work.

 

I do have a virtual router from my internal network that does source NAT to the internet.

 

If you have any commands to help monitor the packet's way in and back from the internet to the Juniper SRX 240 and back, I will be glad to see them.

 

If you have any examples, or if I need to post some of my config, please tell me. :)

 

All I have for monitoring is: show security flow session

 

Session ID: 37298, Policy name: test-inbound/6, Timeout: 4, Valid
  In: 188.182.202.222/62436 --> 130.185.128.146/3389;tcp, If: ge-0/0/15.0, Pkts: 3, Bytes: 152
  Out: 10.3.1.113/3389 --> 188.182.202.222/62436;tcp, If: vlan.1, Pkts: 0, Bytes: 0

All I get from this is that 10.3.1.113 does not respond..? But where do I go wrong..

 

All help is appreciated.. :)

 

Kind regards

Gert

 

 

Distinguished Expert
Posts: 666
Registered: ‎07-20-2010
0

Re: NAT and security policies etc.

Hi,

 

As I assume you are using destination NAT, you can use the following to check whether there are any translation hits on the NAT rule:

 

user@srx>show security nat destination pool <your_pool_name>

 

If translation hits = 0, then your NAT is not working.

 

This is a good KB also: http://kb.juniper.net/InfoCenter/index?page=content&id=KB15758

 

Can you post your config?

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
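Alongside the translation-hit counter above, the `show security flow session` output Gert pasted already carries the symptom: the In wing was translated, but the Out wing has Pkts: 0, so nothing ever came back from 10.3.1.113 via vlan.1. The following is an added example, not code from the thread: it parses that text format and flags translated sessions with no return traffic. SAMPLE is constructed from Gert's session plus a made-up healthy source-NAT session for contrast.

```python
"""Parse `show security flow session` output and flag sessions that were
destination-translated but never saw a packet back from the server.

Added example, not from the thread. SAMPLE is constructed: the first session
is the one Gert pasted, the second is a made-up healthy source-NAT session."""
import re
from dataclasses import dataclass, field

SESSION_RE = re.compile(
    r"Session ID: (?P<sid>\d+), Policy name: (?P<policy>[^,]+), "
    r"Timeout: (?P<timeout>\d+), (?P<state>\w+)")
WING_RE = re.compile(
    r"(?P<dir>In|Out): (?P<src>[\d.]+)/(?P<sport>\d+) --> "
    r"(?P<dst>[\d.]+)/(?P<dport>\d+);(?P<proto>\w+), If: (?P<ifl>[^,]+), "
    r"Pkts: (?P<pkts>\d+), Bytes: (?P<bytes>\d+)")

SAMPLE = """\
Session ID: 37298, Policy name: test-inbound/6, Timeout: 4, Valid
  In: 188.182.202.222/62436 --> 130.185.128.146/3389;tcp, If: ge-0/0/15.0, Pkts: 3, Bytes: 152
  Out: 10.3.1.113/3389 --> 188.182.202.222/62436;tcp, If: vlan.1, Pkts: 0, Bytes: 0
Session ID: 37301, Policy name: trust-untrust-victoriaproperties/4, Timeout: 1800, Valid
  In: 10.3.1.50/50211 --> 203.0.113.10/443;tcp, If: vlan.1, Pkts: 12, Bytes: 2004
  Out: 203.0.113.10/443 --> 130.185.128.145/19875;tcp, If: ge-0/0/15.0, Pkts: 10, Bytes: 5321
Total sessions: 2
"""

@dataclass
class Session:
    sid: int
    policy: str
    state: str
    wings: dict = field(default_factory=dict)  # "In"/"Out" -> parsed fields

    @property
    def dnat_applied(self):
        # The Out wing's source is the real server; if it differs from the
        # address the client sent to, destination NAT rewrote it.
        return self.wings["In"]["dst"] != self.wings["Out"]["src"]

    @property
    def no_return_traffic(self):
        # Zero packets on the Out wing: the server, or the path to it, never answered.
        return int(self.wings["Out"]["pkts"]) == 0

def parse_sessions(text):
    """Group each 'Session ID' header line with its In/Out wing lines."""
    sessions, current = [], None
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            current = Session(int(m["sid"]), m["policy"], m["state"])
            sessions.append(current)
            continue
        w = WING_RE.search(line)
        if w and current is not None:
            current.wings[w["dir"]] = w.groupdict()
    return [s for s in sessions if "In" in s.wings and "Out" in s.wings]

def find_dead_dnat(text):
    """(session id, translated server, egress interface) for translated sessions with no reply."""
    return [(s.sid, s.wings["Out"]["src"], s.wings["Out"]["ifl"])
            for s in parse_sessions(text) if s.dnat_applied and s.no_return_traffic]

if __name__ == "__main__":
    for sid, server, ifl in find_dead_dnat(SAMPLE):
        print(f"session {sid}: translated to {server} via {ifl} but no packets back")
```

A hit here tells you the NAT rule and the inbound policy matched; what is left to check is the route back to the server from the routing instance the pool lives in.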
GRJ
Contributor
Posts: 43
Registered: ‎08-08-2012
0

Re: NAT and security policies etc.

Hello again,


 

All I want is to have an RDP session to a host in the trust-victoriaproperties LAN... :)

 

 


## Last changed: 2012-08-16 23:50:30 CEST
version 11.2R4.3;
system {
    host-name juniper1;
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            http {
                interface [ vlan.0 ge-0/0/0.0 ];
            }
            https {
                system-generated-certificate;
                interface [ vlan.0 ge-0/0/0.0 ];
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp;
}
interfaces {
    ge-0/0/0 {
        unit 0;
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members all;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members all;
                }
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan-victoria;
                }
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/8 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/9 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/12 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/13 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/14 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/15 {
        unit 0 {
            family inet {
                address 130.185.128.145/24;
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 172.19.0.4/16;
            }
        }
        unit 1 {
            family inet {
                filter {
                    input classify-vlans;
                }
                address 10.3.1.1/24;
            }
        }
    }
}
routing-options {
    interface-routes {
        rib-group inet victoria-router-rib;
    }
    rib-groups {
        victoria-router-rib {
            import-rib [ inet.0 victoria-router.inet.0 ];
        }
    }
}
protocols {
    gvrp {
        disable;
        join-timer 200;
        leave-timer 600;
        leaveall-timer 10000;
    }
    stp;
}
security {
    flow {
        inactive: traceoptions {
            file flow-trace;
            flag basic-datapath;
            packet-filter filter1 {
                destination-prefix 130.185.128.146/32;
            }
            packet-filter f0 {
                destination-prefix 130.185.128.146/32;
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 172.19.6.0/24;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set trust-untrust-victoria {
                from zone trust-victoriaproperties;
                to zone untrust-victoriaproperties;
                rule no-sourcenat {
                    match {
                        source-address 10.3.1.113/32;
                        destination-address 0.0.0.0/0;
                        destination-port 3389;
                    }
                    then {
                        source-nat {
                            off;
                        }
                    }
                }
                rule victoria-internet {
                    match {
                        source-address 10.3.1.0/24;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool rdp-server1 {
                routing-instance {
                    victoria-router;
                }
                address 10.3.1.113/32 port 3389;
            }
            rule-set rule-rdp-server1 {
                from interface ge-0/0/15.0;
                rule portforward-rdp-1 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 130.185.128.145/32;
                        destination-port 3389;
                    }
                    then {
                        destination-nat pool rdp-server1;
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust-victoriaproperties to-zone untrust-victoriaproperties {
            policy trust-untrust-victoriaproperties {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust-victoriaproperties to-zone trust-victoriaproperties {
            policy victoria-lok {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust-victoriaproperties to-zone trust-victoriaproperties {
            policy test-Inbound {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        destination-address {
                            drop-untranslated;
                        }
                    }
                }
            }
        }
        default-policy {
            deny-all;
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            tftp;
                            dhcp;
                        }
                    }
                }
            }
        }
        security-zone trust-victoriaproperties {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.1 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone untrust-victoriaproperties {
            interfaces {
                ge-0/0/15.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
    }
}
firewall {
    family inet {
        filter classify-vlans {
            term victoriaproperties-route {
                from {
                    source-address {
                        10.3.1.0/24;
                    }
                    destination-address {
                        10.3.1.1/32 except;
                        0.0.0.0/0;
                    }
                }
                then {
                    routing-instance victoria-router;
                }
            }
            term default {
                then accept;
            }
        }
    }
}
routing-instances {
    victoria-router {
        instance-type virtual-router;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 130.185.128.1;
                route 192.168.1.0/24 next-hop 10.3.1.4;
                route 10.3.1.0/24 next-hop 10.3.1.1;
            }
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        interface {
            ge-0/0/9.0;
        }
        l3-interface vlan.0;
    }
    vlan-victoria {
        vlan-id 33;
        interface {
            ge-0/0/6.0;
            ge-0/0/7.0;
            ge-0/0/4.0;
            ge-0/0/5.0;
        }
        l3-interface vlan.1;
    }
}

Super Contributor
Posts: 210
Registered: ‎02-17-2011
0

Re: NAT and security policies etc.

Hi

 

I don't know why you are using virtual router instances on what appears to be a single setup. Anyway.

 

You need to set up a source and destination NAT rule for the RDP traffic, a policy to allow traffic from the zone where the RDP server is to the internet, and a rule that allows traffic from the internet/untrust (NAT) to the RDP server. I have not yet had my coffee, but I could not see all of the rules.

 

I have an SSL VPN in a separate zone, so apart from the TCP port number the setup is similar. Please feel free to use my attached config as an example.

GRJ
Contributor
Posts: 43
Registered: ‎08-08-2012
0

Re: NAT and security policies etc.

Hello,

 

The reason I am using a routing instance is because I have to separate some ports from each other and have different public IP addresses.

 

I think that is part of my problem, but I just can't find any examples on routing instances and destination NAT.

 

 

I will have a look at your config, thanks..

 

Kind regards

Gert

GRJ
Contributor
Posts: 43
Registered: ‎08-08-2012
0

Re: NAT and security policies etc.

Do I have to create a virtual router to get packets from ge-0/0/15.0 to vlan33?

 

Does anybody have some commands so I can see the packets from the internet to vlan33?

 

Kind regards

Gert

Super Contributor
Posts: 210
Registered: ‎02-17-2011
0

Re: NAT and security policies etc.

Hi

 

Unless you have removed a large section of your config, I do not see any reason to use virtual routers. This would simplify the configuration.

 

The config that I attached has several separate networks and source/destination NAT configured.

 

I can tell you that your destination NAT rules do not appear to be set up correctly.

 

    nat {
        source {
            pool ADSL_WAN_IP_0 {
                address {
                    xxx.xxx.xxx.xx5/32;
                }
            }
            pool ADSL_WAN_IP_1 {
                address {
                    xxx.xxx.xxx.xx6/32;
                }
            }

########## The NAT rule below is for my outbound main LAN traffic 192.168.253.0/24 to WAN IP 0
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule trust-source-nat-rule {
                    match {
                        source-address 192.168.253.0/24;
                    }
                    then {
                        source-nat {
                            pool {
                                ADSL_WAN_IP_0;
                            }
                        }
                    }
                }
            }

########## The NAT rule below is for my test network traffic to the internet 192.168.25.0/24 to WAN IP 1
            rule-set DMZ_to_untrust {
                from zone DMZ_ZONE;
                to zone untrust;
                rule dmz-source-nat-rule {
                    match {
                        source-address 192.168.25.0/24;
                    }
                    then {
                        source-nat {
                            pool {
                                ADSL_WAN_IP_1;
                            }
                        }
                    }
                }
            }
        }

        destination {
################ This needs to be set to the internal server IP/port
            pool DSTNAT-TEST-HTTP {
                address 192.168.25.101/32 port 80;
            }

            rule-set PAT_FROM_UNTRUST {
############## This needs to be from the internet security zone. Default is untrust unless you changed it.
                from zone untrust;
                inactive: rule PAT_HTTP_TEST_SERVER {
                    match {
################# The destination address is very important. It must be the public WAN IP address with port/protocol
                        destination-address xxx.xxx.xxx.xx9/32;
                        destination-port 80;
                        protocol tcp;
                    }
                    then {
                        destination-nat pool DSTNAT-TEST-HTTP;
                    }
                }
            }
        }
    }
 

 

 

You must also setup policy rules to allow this traffic.

 

You also need to simplify your config.

 

One untrust zone on your WAN interface.

Define zones and VLAN IDs for your networks that need to be isolated.

Create simple rules that allow traffic in and out of zones as needed.

 

Your config had several rules that could have been matched.

 

 

 

GRJ
Contributor
Posts: 43
Registered: ‎08-08-2012
0

Re: NAT and security policies etc.

Hello Johnrbaker,

 

I know it seems a little overkill,

 

I have 2 different subnets, 192.168.1.0/24 (User1) and 192.168.1.0/24 (User2), which need to go through our, and of course must not see each other.

 

So my idea is to allocate 4 physical ports (4-7) for their network, and allocate 1 physical port each (ports 14 and 15) for their internet traffic.

 

That seems to work; now I just want to be able to publish a server on physical port 15 (User1), IP 192.168.1.113/32, and perhaps a server on physical port 14 (User2), 192.168.1.112.

 

:)

 

If there is any way easier to maintain than a virtual router, or another config that is easier, please tell; I want to learn :)

 

But the networks need to be separate.

 

I will have a look at the config you wrote, thanks..

 

Kind regards

Gert

 

 

 

 

 

 

 

Super Contributor
Posts: 210
Registered: ‎02-17-2011
0

Re: NAT and security policies etc.

Don't forget that the SRX has two dynamic VPN licences installed by default. If you need secure access in, why not try it?

GRJ
Contributor
Posts: 43
Registered: ‎08-08-2012
0

Re: NAT and security policies etc.

Hello,

 

I did not think of that, but the servers are 5 m from the firewall, so..

 

And I would like to use the VPN from my home to connect, etc.. :)

 

And if I can get this to work, I think we can remove approx. 3 TMGs, replaced by 1 SRX.

Once I can read and understand the config, and why it works... :)

 

But as I am using TMG, which does most of the config for you, it is a little confusing when the GUI does not work, and the trace is pretty hard to find - I think it is... :)

 

I don't know if that explained or confused you more...

 

Kind regards

Gert

GRJ
Contributor
Posts: 43
Registered: ‎08-08-2012
0

Re: NAT and security policies etc.

Hello again,

 

Can you point me in the right direction on where my destination NAT goes wrong? I would appreciate it a lot..

 

At the moment I am trying all possibilities, but it takes a while.. :)

 

I just cannot figure out if I need some kind of route for inbound traffic internet->130.185.128.145->10.3.1.113, or if it knows the route as I have a virtual router the other way, trust->untrust.

 

Do I have to create a firewall rule for inbound traffic, attach a virtual router...???

 

If you know of an example with destination NAT and a virtual router, inbound and outbound, great; I just can't find it... :)

 

 

Kind regards

Gert

 

 

 

Super Contributor
Posts: 210
Registered: ‎02-17-2011
0

Re: NAT and security policies etc.

Hi

 

Do your "customers/user" have private or public addressing?

 

I am not going to try to fix your config. I will write you a nice clean config (assuming that you are running private addressing and no .1Q tagging).

 

1. I need the interface that you use for your WAN connection and how it connects to the internet. Does the SRX get its IP via DHCP? How many public IP addresses do you have?

2. For each "Customer/User" that you want to have separate networks, let me know their IP address range (private), and what IP the SRX needs.

3. If you need any DST NAT rules, then let me know the external IP and the internal IP that it needs to go to, plus protocol and port number on both sides.

 

 

Customer/User 1

Ports on SRX that you want to allocate

SRX LAN IP/Prefix

 

Customer/User 2

Ports on SRX that you want to allocate

SRX LAN IP/Prefix

 

WAN Information

IP and interface that you want to use

 

Any other routes that you need, excluding any directly connected (private IP) subnets.

 

The policy will allow each customer out to the internet, but not to each other.

 

If not, then I suggest finding a Juniper partner and purchasing their service to set up your SRX.

 

Super Contributor
Posts: 210
Registered: ‎02-17-2011
0

Re: NAT and security policies etc.

Hi

 

I have created, but not tested, an example config for you.

 

You will need to check the IP address ranges and interface assignment, plus make sure that you add your root-authentication line.

 

It has been set up for two customers, plus a default network, to go to the internet but not to each other. RDP has been set up to an internal IP address on the CUSTOMER1 network.

 

I hope this helps.

GRJ
Contributor
Posts: 43
Registered: ‎08-08-2012
0

Re: NAT and security policies etc.

Hello John,

 

Thank you,

 

I will try your config, and thank you for your effort, but you are right; I will try a local Juniper partner on Monday.

 

But before that I will try your config :)

 

I will just change customer1 and customer2 to have the same IP range (192.168.1.0/24) and have a go; then I will see if I can change the internet adapter for customer1 to be ge-0/0/15 and for customer2 ge-0/0/14.

The entire setup has to be separate NICs and VLANs, and customer1 and customer2 do have the same VLAN, so I cannot separate them just using routes.. :)

 

Kind regards

Gert

 

 

 

 

 

 

 

 

 

 

 

 

GRJ
Contributor
Posts: 43
Registered: ‎08-08-2012
0

Re: NAT and security policies etc.

Sorry,

 

Customer1 and customer2 do NOT have the same VLAN; they have the same IP range (192.168.1.0)..

 

Kind regards

Gert

Super Contributor
Posts: 210
Registered: ‎02-17-2011
0

Re: NAT and security policies etc.

Hi

Your first post did not indicate that you had your customers on one subnet. Your first post was about RDP and NAT.

Can I suggest that when you contact a Juniper partner, you detail your exact requirements and network topology?

My first config had VPN, multiple networks, and destination NAT set up. By the sound of it, it may be closer to your requirements.

GRJ
Contributor
Posts: 43
Registered: ‎08-08-2012
0

Re: NAT and security policies etc.

Hello,

 

Yes, I can see that now when I read it again; I am sorry I was not clear.

I have attached a PDF file with the network.

 

What I was trying to say is that I have it working from the inside out; now I just want to publish 1-2 servers..

 

 

Kind regards

Gert

 

 

Super Contributor
Posts: 210
Registered: ‎02-17-2011
0

Re: NAT and security policies etc.

So you have two internet IP addresses, in the same subnet range.

You have two internal services, with RDP and HTTP, that you want destination NAT set up for.

If they are for different customers, then they should be on separate IP networks and interfaces.

Please can you provide more detail and context when you speak to the partner.

GRJ
Contributor
Posts: 43
Registered: ‎08-08-2012
0

Re: NAT and security policies etc.

Yes, I will do, thanks.

 

Kind regards

Gert

GRJ
Contributor
Posts: 43
Registered: ‎08-08-2012
0

Re: NAT and security policies etc.

Got it to work yesterday.. :)

 

I just had to put in which NIC the VR was attached to...

 

Kind regards

Gert
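Gert's closing post says the fix was telling the virtual router which interface it owned: in the config he posted, pool rdp-server1 sits in routing-instance victoria-router, but that instance lists no interfaces, so after translation the SRX had no connected interface in that instance from which to reach 10.3.1.113. The following is an added sanity check, not from the thread or from Juniper: INTERFACES, BROKEN and fixed_config are a hand-built model of the posted config (not a Junos parser), and fixed_config adds vlan.1 to the instance as Gert describes.

```python
"""Flag destination-NAT pools whose routing instance has no directly
connected interface covering the server address.

Added example, not from the thread. INTERFACES and BROKEN are a hand-built
model of the config Gert posted; fixed_config() applies the change he
describes in his last post (attaching the VR to its NIC)."""
import ipaddress
from copy import deepcopy

# Logical interfaces and their IPv4 addresses, copied from the posted config.
INTERFACES = {
    "ge-0/0/15.0": "130.185.128.145/24",
    "vlan.0": "172.19.0.4/16",
    "vlan.1": "10.3.1.1/24",
}

# Posted config: victoria-router exists but owns no interface, while the
# DNAT pool tells the SRX to reach the server through that instance.
BROKEN = {
    "routing_instances": {"victoria-router": []},
    "dnat_pools": {
        "rdp-server1": {"address": "10.3.1.113",
                        "routing_instance": "victoria-router"},
    },
}

def instance_interfaces(config, instance):
    """Interfaces belonging to `instance`; 'inet.0' (the default instance)
    holds every interface not claimed by a named routing instance."""
    named = config["routing_instances"]
    if instance in named:
        return list(named[instance])
    claimed = {ifl for ifls in named.values() for ifl in ifls}
    return [ifl for ifl in INTERFACES if ifl not in claimed]

def check_dnat_pools(config):
    """Return (pool name, problem) for each pool whose routing instance has
    no interface whose subnet contains the pool address."""
    problems = []
    for name, pool in config["dnat_pools"].items():
        target = ipaddress.ip_address(pool["address"])
        inst = pool.get("routing_instance", "inet.0")
        covering = [ifl for ifl in instance_interfaces(config, inst)
                    if target in ipaddress.ip_interface(INTERFACES[ifl]).network]
        if not covering:
            problems.append((name, f"{target} is not on any interface in "
                                   f"routing instance {inst}"))
    return problems

def fixed_config():
    """Same model with the fix Gert describes: attach vlan.1 to the VR
    (Junos: set routing-instances victoria-router interface vlan.1)."""
    cfg = deepcopy(BROKEN)
    cfg["routing_instances"]["victoria-router"] = ["vlan.1"]
    return cfg

if __name__ == "__main__":
    for label, cfg in (("posted", BROKEN), ("fixed", fixed_config())):
        print(label, check_dnat_pools(cfg) or "ok")
```

The check is a heuristic, not a replacement for `show route table victoria-router.inet.0` on the box, but it catches the class of mistake this thread ended on before a commit.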