SRX Services Gateway
Contributor
iamgnat
Posts: 21
Registered: ‎05-23-2010
Accepted Solution

Policy issue

Hello,

I have a SRX210b running 11.2R3.3 that I'm having a policy issue between 2 VLANs.


In this case it's my DMZ and Internal VLANs and the default rule is that the DMZ can't talk to anything Internal. There are two exceptions to this (specific ports on specific hosts) and one is working as expected, but the newer one is still blocked even though (as far as I can tell) it is set up identically. I know the target host and service are working as I can hit them fine from other hosts on the Internal VLAN.


Relevant zones:

security-zone dmz {
    tcp-rst;
    address-book {
        address server X.X.X.2/32;
    }
    interfaces {
        vlan.2 {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
        }
    }
}
security-zone internal {
    tcp-rst;
    address-book {
        address dvr X.X.Y.30/32;
        address camera1 X.X.Y.40/32;
    }
    interfaces {
        lo0.0 {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
        }
        vlan.4 {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
        }
    }
}


Relevant policy:

from-zone dmz to-zone internal {
    policy dvr-fetch {
        match {
            source-address server;
            destination-address dvr;
            application my-web;
        }
        then {
            permit;
        }
    }
    policy camera-fetch {
        match {
            source-address server;
            destination-address camera1;
            application my-web;
        }
        then {
            permit;
        }
    }
    policy default-deny {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            deny;
        }
    }
}

Note that 'my-web' contains the TCP ports 80 and 443.


The 'dvr-fetch' rule is working fine as the server continues to talk to the DVR as expected. The 'camera-fetch' rule is the one that is not working.


Anyone see what I've done wrong?


Thanks,

-dave

Distinguished Expert
Screenie
Posts: 1,078
Registered: ‎01-10-2008

Re: Policy issue

Policy looks fine. Is the route back OK on the target devices? Otherwise fix it or use source NAT.

best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Contributor
iamgnat
Posts: 21
Registered: ‎05-23-2010

Re: Policy issue


Screenie wrote:

Policy looks fine. Is the route back OK on the target devices? Otherwise fix it or use source NAT.


What do you mean about the route back? (sorry, the SRX is my first foray into networking so there is a lot I don't know/understand).
Both target devices are in the same VLAN and in fact connect via the same radio on my AX411. Neither has access that lets me do anything in depth from them (e.g. no shell).
The target device that isn't working is just a simple HTTP interface on port 80 which shouldn't need a reverse connection as HTTP is single channel. When I test (e.g. 'telnet camera_ip 80') it never establishes the connection. The same test from a computer on the Internal VLAN establishes the connection just fine. The DVR device is also HTTP based on 80 and 443 and test connections to it from the DMZ server establish their connections as expected.


Distinguished Expert
Screenie
Posts: 1,078
Registered: ‎01-10-2008

Re: Policy issue

Can you ping (or telnet to port 80) both devices from the SRX itself?

best regards,

Screenie.
Contributor
iamgnat
Posts: 21
Registered: ‎05-23-2010

Re: Policy issue


Screenie wrote:

Can you ping (or telnet to port 80) both devices from the SRX itself?


Yes, both work.

root@router% telnet X.X.Y.40 80
Trying X.X.Y.40...
Connected to X.X.Y.40.
Escape character is '^]'.
^]
telnet> close
Connection closed.
root@router% ping X.X.Y.40
PING X.X.Y.40 (X.X.Y.40): 56 data bytes
64 bytes from X.X.Y.40: icmp_seq=0 ttl=255 time=4.313 ms
64 bytes from X.X.Y.40: icmp_seq=1 ttl=255 time=3.824 ms
64 bytes from X.X.Y.40: icmp_seq=2 ttl=255 time=5.372 ms
64 bytes from X.X.Y.40: icmp_seq=3 ttl=255 time=3.877 ms
64 bytes from X.X.Y.40: icmp_seq=4 ttl=255 time=3.876 ms
^C
--- X.X.Y.40 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.824/4.252/5.372/0.587 ms
root@router% 
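
The telnet and ping tests above only prove that the SRX itself can reach the camera; they say nothing about whether the camera can route a reply back to a host on another VLAN. A quick way to see that on the firewall is the session table: a flow that the SRX has forwarded toward the camera but for which it has never seen a reply shows packets in the "In" wing and none in the "Out" wing. The following parser is an added example for this thread (not code from the original posts or from Juniper); it works on constructed text in the shape of `show security flow session` output, with made-up session IDs, addresses and counters, and flags TCP sessions that have only ever carried traffic in one direction.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of `show security flow session` output
# on an SRX. Session IDs, addresses, interfaces and counters are made up;
# 192.0.2.2 plays the DMZ server, 198.51.100.30 the DVR, 198.51.100.40 the camera.
SAMPLE_SESSIONS = """\
Session ID: 4101, Policy name: dvr-fetch/5, Timeout: 1798, Valid
  In: 192.0.2.2/51234 --> 198.51.100.30/443;tcp, If: vlan.2, Pkts: 42, Bytes: 6120
  Out: 198.51.100.30/443 --> 192.0.2.2/51234;tcp, If: vlan.4, Pkts: 39, Bytes: 30870
Session ID: 4102, Policy name: camera-fetch/6, Timeout: 2, Valid
  In: 192.0.2.2/51240 --> 198.51.100.40/80;tcp, If: vlan.2, Pkts: 3, Bytes: 180
  Out: 198.51.100.40/80 --> 192.0.2.2/51240;tcp, If: vlan.4, Pkts: 0, Bytes: 0
Session ID: 4103, Policy name: default-permit/1, Timeout: 58, Valid
  In: 198.51.100.40/514 --> 192.0.2.2/514;udp, If: vlan.4, Pkts: 12, Bytes: 1440
  Out: 192.0.2.2/514 --> 198.51.100.40/514;udp, If: vlan.2, Pkts: 0, Bytes: 0
Total sessions: 3
"""

HEADER = re.compile(r"^Session ID: (\d+), Policy name: (\S+), Timeout: (\d+)")
WING = re.compile(
    r"^\s*(In|Out): (\S+) --> (\S+);(\w+), If: (\S+), Pkts: (\d+), Bytes: (\d+)"
)


@dataclass
class Session:
    session_id: int
    policy: str
    timeout: int
    # "In" / "Out" -> details of that direction (wing) of the flow
    wings: dict = field(default_factory=dict)


def parse_sessions(text):
    """Parse session blocks (header line followed by In/Out wings) into Session objects."""
    sessions = []
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = Session(int(m.group(1)), m.group(2), int(m.group(3)))
            sessions.append(current)
            continue
        m = WING.match(line)
        if m and current is not None:
            direction, src, dst, proto, iface, pkts, nbytes = m.groups()
            current.wings[direction] = {
                "src": src, "dst": dst, "proto": proto, "iface": iface,
                "pkts": int(pkts), "bytes": int(nbytes),
            }
    return sessions


def one_way_sessions(text, protocols=("tcp",)):
    """Return sessions where the SRX forwarded packets toward the destination
    but never saw a reply. For TCP this is the classic sign that the destination
    host cannot route back (wrong or missing default gateway): the SYN arrives,
    the SYN-ACK goes elsewhere, and the session ages out with Out: Pkts: 0.
    UDP is excluded by default because one-way UDP (syslog, SNMP traps) is normal."""
    flagged = []
    for s in parse_sessions(text):
        inbound = s.wings.get("In", {})
        outbound = s.wings.get("Out", {})
        if inbound.get("proto") not in protocols:
            continue
        if inbound.get("pkts", 0) > 0 and outbound.get("pkts", 0) == 0:
            flagged.append(s)
    return flagged


if __name__ == "__main__":
    for s in one_way_sessions(SAMPLE_SESSIONS):
        wing = s.wings["In"]
        print(f"session {s.session_id} ({s.policy}): {wing['src']} -> {wing['dst']} "
              f"has no return traffic, timeout {s.timeout}s")
```

In the constructed sample only session 4102, the camera-fetch flow, is flagged: the policy permitted it (so the policy is not the problem), the SRX forwarded the SYN out of vlan.4, and nothing ever came back. The short remaining timeout is the other tell; an established TCP session would sit near its full idle timeout rather than counting down from a few seconds. Run against real output, a session that was created an instant ago can also show Out: 0, so check twice a few seconds apart before concluding the return path is broken.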


Distinguished Expert
Screenie
Posts: 1,078
Registered: ‎01-10-2008

Re: Policy issue

So probably the one device which isn't working doesn't use the SRX as its gateway. Try a source NAT from dmz to internal. Example from trust to untrust is in the factory default config.

best regards,

Screenie.
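
What that source NAT workaround looks like in Junos, as an added example for this thread (not a configuration from the original posts or from Juniper's factory default, which NATs trust-to-untrust rather than these zones). It uses the thread's placeholder addresses and the zone and address-book names from the poster's configuration; the rule-set and rule names are made up here.

```junos
security {
    nat {
        source {
            rule-set dmz-to-internal {
                from zone dmz;
                to zone internal;
                rule camera-src-nat {
                    match {
                        /* only the one flow that needs it: server -> camera */
                        source-address X.X.X.2/32;
                        destination-address X.X.Y.40/32;
                    }
                    then {
                        source-nat {
                            /* rewrite the source to the SRX's own vlan.4 address */
                            interface;
                        }
                    }
                }
            }
        }
    }
}
```

With interface source NAT the camera sees every request as coming from the SRX's address on its own subnet, so it can answer without a usable default gateway, and the existing camera-fetch policy still matches because Junos evaluates security policy on the pre-NAT source address (so `source-address server` stays correct). The trade-off is that the camera's own logs and access controls can no longer tell the DMZ server from the firewall, which is why fixing the device's gateway, as the poster ended up doing, is the cleaner answer and NAT is best kept as narrow as this rule, not a blanket dmz-to-internal rewrite.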
Contributor
iamgnat
Posts: 21
Registered: ‎05-23-2010

Re: Policy issue

Doh!

I was apparently too focused on what I could have done wrong on the router...

I apparently updated the camera's IP, but forgot to change its gateway (the VLAN split came after I last used the camera).

Thanks for the help. Sorry for being an idiot.

-dave
Distinguished Expert
Screenie
Posts: 1,078
Registered: ‎01-10-2008

Re: Policy issue

No problem at all, this is what is meant by route back (:- We all run into this sometimes.

best regards,

Screenie.