SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

Need help configuring DMZ and trust with two internet connections

Erdem 12-30-2012 20:55

  • 1.  Need help configuring DMZ and trust with two internet connections

    Posted 12-27-2012 12:36

    Hey everyone.

     

    I am a lot more familiar with ScreenOS than I am with JunOS so this is causing a few problems for me.

     

    Here is what I am trying to accomplish.

    I have two internet connections. One is DHCP and the other has three static IP addresses.  I would also like to have a trusted network 172.16.0.0/24 and a DMZ network 172.16.10.0/24.  I would like to have routing between the DMZ and the trust network which is controlled by policies only allowing required services like the ability to route mail from my spam filter in the DMZ and my mail server in the trusted network. 

     

    For internet access I will use the DHCP WAN connection on fe-0/0/7.0 for web browsing on the trust network and use the static addresses on fe-0/0/6.0 for services in the DMZ (email, webserver, etc.)

     

    Only the trust network has a DHCP server but I will be offloading DHCP to another server soon.

     

    Attached is a sanitized



  • 2.  RE: Need help configuring DMZ and trust with two internet connections

    Posted 12-27-2012 13:33

    It looks like you need to put in the vlan.1 interface into the DMZ zone. You have a layer 2 interface in there instead, and this is a routed firewall not a transparent firewall.  You also have lots of inactive policies, so it is difficult to discern what you are  attempting to accomplish. But to answer your question about allowing smtp traffic between the DMZ and trust zones. Basically, if you want to allow traffic between the trust and dmz zones you will need to have a policy and appropriate rules on the side that will initiate the flow. Here is an example to allow smtp to go from the dmz spam relay to the mail server in the trusted zone. I'm assuming smtp will be 25/TCP so we can use junos-smtp as the application.

     

    In the security policies hierarchy:

    from-zone DMZ to-zone trust {
        policy smtp-from-spam-filter {
            match {
                source-address spam-filter-address;
                destination-address mail-srv-address;
                application junos-smtp;
            }
            then {
                permit;
            }
        }
    }

     

     The return traffic from the mail server in the trusted zone will go back to the dmz. Make sure you create the address book entries for the above servers. FYI, you also have a layer2 interface in the untrust zone. fe-0/0/6.0. These need to be layer 3 interfaces.

     

    If you are new to the SRX, I recommend the SRX day one book:

    https://www.juniper.net/us/en/community/junos/training-certification/day-one/dynamic-services-series/deploying-srx-series/

     

    I also recommend the Junos Security book as a good reference:

    http://www.amazon.com/JUNOS-Security-Rob-Cameron/dp/1449381715



  • 3.  RE: Need help configuring DMZ and trust with two internet connections

    Posted 12-27-2012 19:27

    Yes, while I was driving home from work I realized that I didn't explain where my current problems are.  I disabled the policies because I was trying to get traffic to pass from the DMZ to the internet through fe-0/0/7.0.

     

    Right now my first problem is just trying to get devices in the DMZ to get out to the internet.

     

    I also know that fe-0/0/6.0 is layer two in the config but it isn't any longer in my running config.

     

    Everything else in that config is accurate though.

     

    So first problem, need to get devices in the DMZ to connect to the internet.

     

    Thanks.



  • 4.  RE: Need help configuring DMZ and trust with two internet connections

    Posted 12-28-2012 06:38

    You will need to put interface vlan.1 in the DMZ security zone. If you want to test ping to the interface from a DMZ host you will need to configure ping under the DMZ security zone.

     

    The default behavior for interzone traffic is deny-all. (This can be changed, fwiw.) You have your entire "from-zone DMZ to-zone untrust" deactivated. You also have individual policies within that hierarchy deactivated. I'm pointing that out because I think you might have deactivated the top level inadvertently. Activate the "from-zone DMZ to-zone untrust" and then deactivate/activate individual policies within that group if you want to test different rules. If you want to allow DMZ-initiated traffic with destination ports smtp, http, https, dns (tcp/udp), then you would need something like this:

    policy allowDMZ {
        match {
            source-address any;         (or an address book reference)
            destination-address any;    (or an address book reference)
            application [ junos-smtp junos-http junos-https junos-dns-tcp junos-dns-udp ];
        }
        then {
            permit;
        }
    }

     

    As you make your rules, you might find the "insert" command useful for reordering policies. 

     

    If you want to allow traffic initiated from the untrust zone to get to the DMZ hosts, you will need another policy and you will need destination nat. Let me know if you need that...

     

    This is what you had in your config:

     

            inactive: from-zone DMZ to-zone untrust {
                inactive: policy AllowedDMZ {
                    match {
                        source-address DS-EDGE-1;
                        destination-address any;
                        application [ junos-smtp junos-http junos-https junos-dns-tcp junos-dns-udp ];
                    }
                    then {
                        permit;
                    }
                }
                inactive: policy defaultDMZ {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        deny;
                    }
                }
                policy DMZANY {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
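    Pulling posts 2 and 4 together, the following set-format configuration shows the zone placement of vlan.1, the address-book entries both policies reference, the restricted DMZ-to-untrust policy with an explicit logged deny in place of the temporary permit-any, and the outbound source NAT a private 172.16.10.0/24 DMZ needs before it can reach the internet. This is an added example, not configuration from the thread; the spam-filter and mail-server addresses (172.16.10.25 and 172.16.0.25), the rule-set name dmz-to-untrust and the logging on defaultDMZ are assumptions.

```junos
## Zone-level address books: source addresses in the from-zone's book, destinations in the to-zone's
set security zones security-zone DMZ address-book address spam-filter-address 172.16.10.25/32
set security zones security-zone DMZ address-book address dmz-net 172.16.10.0/24
set security zones security-zone trust address-book address mail-srv-address 172.16.0.25/32
## The routed vlan.1 interface belongs in the zone; the layer-2 member port fe-0/0/3.0 does not
set security zones security-zone DMZ interfaces vlan.1
## Let DMZ hosts ping their gateway 172.16.10.1 while troubleshooting
set security zones security-zone DMZ interfaces vlan.1 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces vlan.0
set security zones security-zone untrust interfaces fe-0/0/7.0
## DMZ -> trust: only the spam filter may open SMTP to the mail server (post 2)
set security policies from-zone DMZ to-zone trust policy smtp-from-spam-filter match source-address spam-filter-address
set security policies from-zone DMZ to-zone trust policy smtp-from-spam-filter match destination-address mail-srv-address
set security policies from-zone DMZ to-zone trust policy smtp-from-spam-filter match application junos-smtp
set security policies from-zone DMZ to-zone trust policy smtp-from-spam-filter then permit
## DMZ -> untrust: the restricted application list from post 4, scoped to the DMZ subnet
set security policies from-zone DMZ to-zone untrust policy allowDMZ match source-address dmz-net
set security policies from-zone DMZ to-zone untrust policy allowDMZ match destination-address any
set security policies from-zone DMZ to-zone untrust policy allowDMZ match application [ junos-smtp junos-http junos-https junos-dns-tcp junos-dns-udp ]
set security policies from-zone DMZ to-zone untrust policy allowDMZ then permit
## Explicit catch-all deny with session-init logging so rejected DMZ flows appear in the security log
set security policies from-zone DMZ to-zone untrust policy defaultDMZ match source-address any
set security policies from-zone DMZ to-zone untrust policy defaultDMZ match destination-address any
set security policies from-zone DMZ to-zone untrust policy defaultDMZ match application any
set security policies from-zone DMZ to-zone untrust policy defaultDMZ then deny
set security policies from-zone DMZ to-zone untrust policy defaultDMZ then log session-init
## Private DMZ addresses are translated to the fe-0/0/7.0 address on the way out (rule-set name assumed)
set security nat source rule-set dmz-to-untrust from zone DMZ
set security nat source rule-set dmz-to-untrust to zone untrust
set security nat source rule-set dmz-to-untrust rule dmz-out match source-address 172.16.10.0/24
set security nat source rule-set dmz-to-untrust rule dmz-out then source-nat interface
```

Policies are evaluated top to bottom, so allowDMZ must sit above defaultDMZ; use `insert ... before` if they end up in the wrong order.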


  • 5.  RE: Need help configuring DMZ and trust with two internet connections

    Posted 12-28-2012 12:38

    Thank you for that information.  I made all of those changes and can't quite get it to work still.

     

    I created a VR for the DMZ.  Is that needed and is that configured correctly?



  • 6.  RE: Need help configuring DMZ and trust with two internet connections
    Best Answer

    Posted 12-28-2012 14:06

    No you don't need that per your requirements that you listed. Can you post the latest config?



  • 7.  RE: Need help configuring DMZ and trust with two internet connections

    Posted 12-28-2012 14:20

    Here is the config.  I accidentally hit accept but I am sure it will work out still.



  • 8.  RE: Need help configuring DMZ and trust with two internet connections

    Posted 12-30-2012 18:06

    delete this routing instance DMZrtr. Then test your DMZ connection to the untrust zone. 

     



  • 9.  RE: Need help configuring DMZ and trust with two internet connections

    Posted 12-30-2012 20:55

    No joy unfortunately.



  • 10.  RE: Need help configuring DMZ and trust with two internet connections

    Posted 12-31-2012 07:52

    Can you ping your DMZ gateway ip from your DMZ host? You should be able to, unless something is wrong in between your host and the srx. 

     

    If you can't ping it... 

     

    If you do a show interface on the srx interfaces, are the DMZ interfaces up? (vlan.1 and the DMZ layer 2 interface)

     

    If they are up, is the Mac address of your dmz host being learned?

     

    show ethernet-switching table

     

    do you see your DMZ host MAC address learned out the correct port?

     



  • 11.  RE: Need help configuring DMZ and trust with two internet connections

    Posted 12-31-2012 08:22

    There are no mac addresses being learned in the DMZ.

     

    All other commands ran successfully

     

    The mac of my test host is being learned on default vlan but on the right phy interface.

    default           00:0c:29:96:4a:91 Learn          0 fe-0/0/3.0 <-----DMZ VM
    vlan-dmz          *                 Flood          - All-members
    vlan-dmz          00:de:ad:be:ef:00 Static         - Router



    Okay, I fixed that.  I was making some test changes last night and didn't realize that they had kind of set me back. Undid those changes and I can ping .1 now and the mac address is learned on the right interface in the dmz vlan.

     

    Still cannot connect or ping external IP address.

     



  • 12.  RE: Need help configuring DMZ and trust with two internet connections

    Posted 12-31-2012 09:02

    Do a traceroute from your host out to an untrust host you expect to get to. (Leave that permit all you had on for that DMZ to untrust policy)

     

    Post the output of a show route on the srx. I imagine your routing table is messed up based on looking at your default static pointing to the trust zone. I'd imagine you want your default route pointing towards the untrust upstream router(s).

     

    BTW, you mentioned fe-0/0/6.0 is providing the Internet access for your DMZ, but you have no ip addresses configured... That should be remedied. Do you want the static connection to ONLY service DMZ traffic? do you want the dhcp connection to ONLY service trust inception untrust traffic? or do you want something else? Do you want the capability for a backup connection? Explain in detail what you need.

     

    Also post your latest config.



  • 13.  RE: Need help configuring DMZ and trust with two internet connections

    Posted 12-31-2012 09:11

    inet.0: 8 destinations, 8 routes (7 active, 0 holddown, 1 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0          *[Access-internal/12] 08:53:38
                        > to 98.190.63.1 via fe-0/0/7.0
    98.190.63.0/24     *[Direct/0] 2d 20:53:43
                        > via fe-0/0/7.0
    98.190.63.229/32   *[Local/0] 2d 20:53:43
                          Local via fe-0/0/7.0
    172.16.0.0/24      *[Direct/0] 2d 20:53:51
                        > via vlan.0
    172.16.0.254/32    *[Local/0] 2d 20:54:06
                          Local via vlan.0
    172.16.10.0/24     *[Direct/0] 12:40:54
                        > via vlan.1
    172.16.10.1/32     *[Local/0] 12:40:54
                          Local via vlan.1

     


    Trace route dies with no responding hops

     

     



  • 14.  RE: Need help configuring DMZ and trust with two internet connections

    Posted 12-31-2012 09:21

    You should be at least getting the gateway IP address of the srx In your trace route. Post the gateway, subnet mask, IP address, and route table from the host in the DMZ you are testing from.

     

    You don't need fe-0/0/3.0 in your zone hierarchy.  Only vlan.1 needs to go there.



  • 15.  RE: Need help configuring DMZ and trust with two internet connections

    Posted 12-31-2012 09:40

    Here you go.

     

    I agree that I should see the gateway in the trace route.

     

    I removed 3.0 from the zone.



  • 16.  RE: Need help configuring DMZ and trust with two internet connections

    Posted 12-31-2012 09:52

    One thing that bothers me is your loopback interface on your srx. Delete that. lo.0 with an address of 127.0.0.1 and not in a zone isn't accomplishing much and is asking for issues.  See if your trace route changes.

     

    Also, Rule out that the host based firewall (if you have one) isn't blocking icmp ttl exceeded messages. Traceroute hops would be sending TTL exceeded back to your host, I believe.



  • 17.  RE: Need help configuring DMZ and trust with two internet connections

    Posted 12-31-2012 18:14

    Well good news. I am not really sure when this happened but I can ping and traceroute to IP addresses now.

     

    DNS appears to be the only thing broken now.

     

    Not really sure where.

     

    Here is the latest config.

     



  • 18.  RE: Need help configuring DMZ and trust with two internet connections

    Posted 12-31-2012 09:21

    With regard to the 6.0 providing internet for DMZ, this is later in the setup. I can make that work later but for now just want to get the DMZ connected to the internet.

     

    I can add the static addresses at any point though.



  • 19.  RE: Need help configuring DMZ and trust with two internet connections

    Posted 12-31-2012 18:53
    what are the addresses of your dns servers?

    BTW, you don't need those static routes. They aren't necessary since you have those networks connected to the vlans.


  • 20.  RE: Need help configuring DMZ and trust with two internet connections

    Posted 12-31-2012 19:41

    My gateway addresses are the DNS servers.  10.1 and 0.254

     

    Why exactly do I not need the static routes? I am really used to screenOS and we always had to manually put the default route in there.



  • 21.  RE: Need help configuring DMZ and trust with two internet connections

    Posted 01-02-2013 14:33

    No, the gateway isn't set up to be your DNS.  Even if you configured it, DNS forwarding doesn't work well, and I believe it was pulled after 9.5... unless I'm misremembering. You will need to configure the DNS servers on the clients or propagate settings through dhcp. Here is the command: 

     

    set system services dhcp name-server 68.10.16.30

     

    You've got the above server configured, but you need to take out the name-server reference to 172.16.0.254. I think that's where your problem is. If 68.10.16.30 isn't a working dns server, pick one or more that will work.

     

    You don't need the static routes under routing-options. You have those networks directly connected as vlan.0 and vlan.1. Take them out and then do a show route... you will still have the routes.

     

    I also notice you have a "propagate-settings ge-0/0/0.0" in your dhcp. Take it out or use the correct interface fe-0/0/7.0.

     

            dhcp {
                domain-name datserv.internal;
                name-server {
                    172.16.0.254;
                    68.10.16.30;
                }
                router {
                    172.16.0.254;
                }
                pool 172.16.0.0/24 {
                    address-range low 172.16.0.100 high 172.16.0.199;
                }
                propagate-settings ge-0/0/0.0;
            }


  • 22.  RE: Need help configuring DMZ and trust with two internet connections

    Posted 01-02-2013 15:37

    Okay buddy, you are correct.  Well now I need to get the routing between my subnets working, policies to secure it and then package the DMZ to the static IP addresses on my other untrusted interface.

     

    If I have issues with any of this I will create a new thread rather than beating this dead horse.

     

    Thanks again everyone. I have learned a lot.

     

    Doug



  • 23.  RE: Need help configuring DMZ and trust with two internet connections

    Posted 01-02-2013 16:03