SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  New to Juniper - questions

    Posted 04-09-2012 13:25

    I've read and I've searched... and I'm certain I'm doing something wrong.  I have an SRX240 that I'm trying to set up.  One port to the outside, the rest in... and I have been asked to set up addresses outside that can individually be used for different applications/access....  I've also been asked to set up NAT with port address shifting, but one thing at a time....

     

    With a bunch of outside addresses on one port, is it kosher to just assign all the addresses to that port?

    I've been trying to set up a pass-through and failing... I've stripped everything back down to a basic config to try and eliminate issues but haven't been able to do it.  Perhaps someone can enlighten me on what I'm missing.

      

    Yes, I'm green..

    Attachment: mysetup.txt (7 KB)


  • 2.  RE: New to Juniper - questions

    Posted 04-09-2012 17:58

    Hi,

     

    Regarding your destination NAT, the pool must be defined for your internal IP, and in the match conditions you have to use the external IP. So the destination NAT config should look like this:

     

    nat {
        destination {
            pool RDP {
                address INTERNAL/32 port 3389;
            }
            rule-set External-Dst-NAT {
                from zone untrust;
                rule Dst-Nat {
                    match {
                        destination-address EXTERNAL/32;
                        destination-port 3389;
                    }
                    then {
                        destination-nat pool RDP;
                    }
                }
            }
        }
    }

     

    Security policy is fine.

     

    And regarding your source NAT: currently you are using interface-based source NAT (PAT enabled by default). You may check the following application notes, which provide some common NAT config examples:

     

    http://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf

    http://www.juniper.net/us/en/local/pdf/app-notes/3500151-en.pdf  (for address-shifting source NAT, please check page 8 of this)

     

     

    For a pass-through firewall authentication config example, please check:

    http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-security-swconfig-security/topic-40755.html?searchid=1334018946876

     

    If you have already followed these documents and are still facing issues, please provide the exact requirement in detail, and I will prepare the appropriate configuration.

     

     

     



  • 3.  RE: New to Juniper - questions

    Posted 04-09-2012 18:05

    Forgot to mention: as you are using a /24 on your external interface and one of the IPs in that network for your destination NAT purpose, you would need to configure proxy ARP for this IP address.

     

    user@host# set security nat proxy-arp interface ge-0/0/0.0 address EXTERNAL/32



  • 4.  RE: New to Juniper - questions

    Posted 04-10-2012 10:31

    Alright, so, next problem... Got the external access working.. but here's a more interesting problem.  We're demo-ing VDI-in-a-box.... and I can get to the main administrative page, which is a pass-through on https... I just mirrored the config for the RDP test.  The problem I have is that I can't get past that, and there is an internal range of IP addresses that are used for the virtual desktops. I believe once they are launched the Citrix client uses 1494 to try and communicate to them... how would I allow their communication through given a pool of say 192.168.0.100-192.168.0.199 internally?

     

    Also, when defining an application can I assign it multiple protocols in the protocol definition?

     

     

    Thank you!



  • 5.  RE: New to Juniper - questions

    Posted 04-10-2012 11:45

    Hi ,

     

    Based on the following article from Citrix (http://support.citrix.com/article/CTX118175), the SRX config would be like this (for 3 machines):

     

    nat {
        destination {
            pool VDI-1 {
                address INTERNAL-1/32 port 1494;
            }
            pool VDI-2 {
                address INTERNAL-2/32 port 1494;
            }
            pool VDI-3 {
                address INTERNAL-3/32 port 1494;
            }
            rule-set External-Dst-NAT {
                from zone untrust;
                rule Dst-Nat-1 {
                    match {
                        destination-address EXTERNAL/32;
                        destination-port 1491;
                    }
                    then {
                        destination-nat pool VDI-1;
                    }
                }
                rule Dst-Nat-2 {
                    match {
                        destination-address EXTERNAL/32;
                        destination-port 1492;
                    }
                    then {
                        destination-nat pool VDI-2;
                    }
                }
                rule Dst-Nat-3 {
                    match {
                        destination-address EXTERNAL/32;
                        destination-port 1493;
                    }
                    then {
                        destination-nat pool VDI-3;
                    }
                }
            }
        }
    }

     

    Currently, how is your security policy set for this VDI traffic? Is this policy also enabled for pass-through authentication? I think pass-through authentication will be triggered only by telnet, HTTP and FTP traffic.

     

     



  • 6.  RE: New to Juniper - questions
    Best Answer

    Posted 04-11-2012 01:49

    Hi ,

     

    To answer your question ,

    "When defining an application, can I assign it multiple protocols in the protocol definition?" Yes:

     

    set applications application myapp term 1 protocol tcp
    set applications application myapp term 1 destination-port xxx
    set applications application myapp term 2 protocol udp
    set applications application myapp term 2 destination-port yyy

    (destination-port takes a single port such as xxx, or a range written as xxx-yyy.)

     

    If you don't use separate terms, it will accept only one protocol.
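
    Replies #2, #3, #5 and #6 above each show one piece of the same recipe by hand: a destination-NAT pool and rule per internal host, a proxy-ARP entry for the NAT'd external address, and a multi-term application for the security policy. The following is an added example, not code from this thread or from Juniper: a small Python generator that emits the equivalent Junos set commands for any list of forwards, and in particular the 192.168.0.100-192.168.0.199 virtual-desktop range from reply #4 mapped to consecutive external ports, which is tedious to write out for 100 hosts. The external address 203.0.113.10, the interface ge-0/0/0.0, the zone names and the pool/rule/application names are assumptions. It refuses to emit two rules claiming the same external port, and, because the SRX looks up the security policy after destination NAT, the policy's application terms use the internal (post-NAT) port rather than the external one.

```python
"""Added example: generate Junos 'set' commands for SRX destination NAT.

Emits, per forwarded host, a destination-NAT pool and rule plus a
zone address-book entry, and once per rule-set: the from-zone, the
proxy-ARP entry for the NAT'd external address, a multi-term
application and one untrust->trust policy.  Addresses, interface and
object names are assumptions for illustration, not from the thread.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Forward:
    """EXTERNAL:ext_port -> internal_ip:int_port for one host."""
    name: str        # used as pool, rule and address-book name
    internal_ip: str
    ext_port: int
    int_port: int
    proto: str = "tcp"


def vdi_forwards(first_ip, count, first_ext_port, int_port=1494):
    """One forward per virtual desktop: consecutive internal addresses
    mapped to consecutive external ports, all landing on ICA (1494)."""
    base = IPv4Address(first_ip)
    return [Forward(f"VDI-{i + 1}", str(base + i), first_ext_port + i, int_port)
            for i in range(count)]


def dst_nat_set_commands(forwards, external_ip, rule_set="External-Dst-NAT",
                         from_zone="untrust", to_zone="trust",
                         interface="ge-0/0/0.0"):
    """Return the list of 'set' commands for the given forwards."""
    # Two rules matching the same external port/protocol would shadow
    # each other; refuse rather than emit a config that half works.
    seen = {}
    for f in forwards:
        key = (f.proto, f.ext_port)
        if key in seen:
            raise ValueError(f"{f.name} and {seen[key]} both use "
                             f"{f.proto}/{f.ext_port} on {external_ip}")
        seen[key] = f.name

    nat = "security nat destination"
    zone = f"security zones security-zone {to_zone} address-book"
    app, hosts = f"{rule_set}-app", f"{rule_set}-hosts"
    cmds = [
        f"set {nat} rule-set {rule_set} from zone {from_zone}",
        # The NAT'd address is a secondary IP on the untrust interface,
        # so the SRX must answer ARP for it (reply #3 in the thread).
        f"set security nat proxy-arp interface {interface} address {external_ip}/32",
    ]
    for f in forwards:
        rule = f"{nat} rule-set {rule_set} rule {f.name}"
        cmds += [
            f"set {nat} pool {f.name} address {f.internal_ip}/32 port {f.int_port}",
            f"set {rule} match destination-address {external_ip}/32",
            f"set {rule} match destination-port {f.ext_port}",
            f"set {rule} then destination-nat pool {f.name}",
            f"set {zone} address {f.name} {f.internal_ip}/32",
            f"set {zone} address-set {hosts} address {f.name}",
        ]
    # Policy lookup happens after destination NAT, so the policy sees the
    # internal address and port: one application term per distinct
    # (protocol, internal port) pair, as reply #6 describes.
    for i, (proto, port) in enumerate(
            sorted({(f.proto, f.int_port) for f in forwards}), 1):
        cmds += [f"set applications application {app} term t{i} protocol {proto}",
                 f"set applications application {app} term t{i} destination-port {port}"]
    policy = f"security policies from-zone {from_zone} to-zone {to_zone} policy {rule_set}"
    cmds += [f"set {policy} match source-address any",
             f"set {policy} match destination-address {hosts}",
             f"set {policy} match application {app}",
             f"set {policy} then permit"]
    return cmds


if __name__ == "__main__":
    # Reply #4's pool 192.168.0.100-.199, exposed as 203.0.113.10:1400-1499.
    print("\n".join(dst_nat_set_commands(
        vdi_forwards("192.168.0.100", 100, 1400), "203.0.113.10")))
```

    Paste the output into configure mode and run commit check before commit; for the single RDP case from reply #2 pass one Forward("RDP", "INTERNAL", 3389, 3389) instead of the VDI list. Matching only on destination-port in the rule, as the replies do, relies on the external ports not overlapping with anything else published on the same address, which is the reason for the duplicate check.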



  • 7.  RE: New to Juniper - questions

    Posted 04-11-2012 08:23

    Forgive me if you read this already.. answered my own question. ...

     

    In answer, the vdi doesn't touch any of the passthrough verification at this point.



  • 8.  RE: New to Juniper - questions

    Posted 04-11-2012 13:23

    Alright... well, we've put some of the other stuff off for a while and decided just to try and get a standard Microsoft VPN to work.... Here's my config in relation to it trying to pass through the firewall to the server....

     

     

    destination {
        pool MSVPN {
            address INTERNALSERVER/32 port 1723;
        }
    .....
        rule-set External-Dst-NAT {
            from zone untrust;
            rule MSVPN-Nat {
                match {
                    destination-address EXTERNAL/32;
                }
                then {
                    destination-nat pool MSVPN;
                }
            }
        }
    }

    ---

    policies {
        from-zone untrust to-zone trust {
            policy MSVPN-Permit {
                match {
                    source-address any;
                    destination-address MSVPN;
                    application MSVPN;
                }
                then {
                    permit;
                }
            }
        }
    }

    ...

    zones {
        security-zone trust {
            address-book {
                address MSVPN INTERNALSERVER/32;
            }
        }
    }

    ...

    applications {
        application MSVPN {
            term 1 {
                protocol gre;
            }
            term 2 {
                protocol tcp;
                destination-port 1723;
            }
        }
    }



  • 9.  RE: New to Juniper - questions

    Posted 04-12-2012 16:45

    Got it all straightened out.  Thanks for your help. 🙂



  • 10.  RE: New to Juniper - questions

    Posted 04-11-2012 05:13

    Actually, just for a test I did what was detailed here, but I think I may need an access gateway to tie these all together.  VDI-in-a-box acts somewhat differently than the full-blown XenDesktop.



  • 11.  RE: New to Juniper - questions

    Posted 04-11-2012 07:16

    Hey,

     

    You've been super helpful and I want to thank you for that, very much.  What in your opinion is the best way to set up a VPN to connect through my 240SRX device?  Just to become a part of the network from outside?  I've conversed with a Juniper person through email and they suggested Shrew rather than the dynamic tunnel integrated into the device.