SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Port Forward and DMZ Help.

    Posted 10-20-2016 13:09

    Hi, this is my SRX210BE with JUNOS Software Release [12.1X46-D55.3] conf:

     

    ## Last changed: 2016-10-18 20:22:27 CEST
    version 12.1X46-D55.3;
    system {
        host-name JuniperSRX210;
        time-zone Europe/Rome;
        root-authentication {
            encrypted-password "password";
        }
        name-server {
            8.8.8.8;
            8.8.4.4;
            208.67.222.222;
            208.67.220.220;
        }
        services {
            ssh;
            telnet;
            xnm-clear-text;
            web-management {
                http {
                    interface vlan.0;
                }
                https {
                    system-generated-certificate;
                    interface vlan.0;
                }
            }
            dhcp {
                router {
                    192.168.5.1;
                }
                pool 192.168.5.1/24 {
                    address-range low 192.168.5.180 high 192.168.5.254;
                }
                propagate-settings ge-0/0/0.0;
            }
            dynamic-dns {
                client myaddress.dyndns.com {
                    server dyndns;
                    agent dyndns;
                    username username;
                    password "password";
                    interface ge-0/0/0.0;
                }
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    dhcp;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        at-1/0/0 {
            encapsulation ethernet-over-atm;
            atm-options {
                vpi 8;
            }
            dsl-options {
                operating-mode auto;
            }
            unit 0 {
                encapsulation ppp-over-ether-over-atm-llc;
                vci 8.35;
            }
        }
        pp0 {
            traceoptions {
                flag all;
            }
            unit 0 {
                point-to-point;
                ppp-options {
                    pap {
                        default-password "password";
                        local-name name;
                        local-password "password";
                        passive;
                    }
                }
                pppoe-options {
                    underlying-interface at-1/0/0.0;
                    client;
                }
                no-keepalives;
                family inet {
                    negotiate-address;
                }
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 192.168.5.1/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 {
                next-hop pp0.0;
                metric 0;
            }
        }
    }
    security {
        alg {
            ftp ftps-extension;
            mgcp disable;
            rsh;
            sccp disable;
            sip {
                disable;
                application-screen {
                    unknown-message {
                        permit-nat-applied;
                    }
                }
                traceoptions {
                    flag all;
                }
            }
        }
        flow {
            tcp-mss {
                all-tcp {
                    mss 1350;
                }
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
            static {
                rule-set denon {
                    from zone untrust;
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        traceoptions {
            file flowtrace size 10m world-readable;
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0;
                }
            }
            security-zone untrust {
                screen untrust-screen;
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    at-1/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                    pp0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
        }
    }
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
    }

    It works correctly, with no connection drops or VoIP issues, but I really need help adding some port forwards and DMZ support.

     

    I'd really like to add:

    DMZ on fe-0/0/7, at least for one local IP, 192.168.5.80
    
    TCP 51413 from the untrust zone (any IP) to local IP 192.168.5.160
    
    TCP 21 from the untrust zone (any IP) to local IP 192.168.5.160
    
    TCP 57532 from the untrust zone (any IP) to local IP 192.168.5.160
    
    TCP 47313 from the untrust zone (any IP) to local IP 192.168.5.100

    etc.

    Any suggestions or examples applied to my conf?

    Also, I haven't understood whether dynamic DNS is working correctly.

    Many many thanks.



  • 2.  RE: Port Forward and DMZ Help.

    Posted 10-20-2016 13:31

    You need to configure destination NAT for these ports. First configure a destination pool, for example:

     

    set security nat destination pool pool_51413 address 192.168.5.160 port 51413

     

    then configure the destination rule:

     

    set security nat destination rule-set Nat-Inside from zone untrust

    set security nat destination rule-set Nat-Inside rule rule_51413 match source-address 0.0.0.0/0

    set security nat destination rule-set Nat-Inside rule rule_51413 match destination-address [your external IP]

    set security nat destination rule-set Nat-Inside rule rule_51413 match destination-port 51413

    set security nat destination rule-set Nat-Inside rule rule_51413 then destination-nat pool pool_51413

    finally you need to configure the security policy (the inside host needs an address-book entry and the port needs a custom application before the policy will commit):

     

    set security zones security-zone trust address-book address host_160 192.168.5.160/32

    set applications application tcp_51413 protocol tcp destination-port 51413

    set security policies from-zone untrust to-zone trust policy pol_51413 match source-address any

    set security policies from-zone untrust to-zone trust policy pol_51413 match destination-address host_160

    set security policies from-zone untrust to-zone trust policy pol_51413 match application tcp_51413

    set security policies from-zone untrust to-zone trust policy pol_51413 then permit

     

    Try it; I hope this works.



  • 3.  RE: Port Forward and DMZ Help.

    Posted 10-21-2016 05:14

    emg.net, very similar problems, Thanks



  • 4.  RE: Port Forward and DMZ Help.

    Posted 10-21-2016 08:40

    I tried your command on my SRX and it worked fine:

     

    set security nat destination rule-set dst-nat from zone untrust

     

    I think your mistake is the ";" at the end of the command; you should try it again without it.



  • 5.  RE: Port Forward and DMZ Help.

    Posted 10-21-2016 11:37

    After some test:

     

    set security nat destination pool pool_NAS address 192.168.5.160/32
    
       
    set security nat destination rule-set Nat-Inside from zone untrust
    
    set security nat destination rule-set Nat-Inside rule Torrent match source-address 0.0.0.0/0
    
    set security nat destination rule-set Nat-Inside rule Torrent match destination-address 0.0.0.0/0
    
    set security nat destination rule-set Nat-Inside rule Torrent match destination-port 51413
    
    set security nat destination rule-set Nat-Inside rule Torrent then destination-nat pool pool_NAS
    
    
    set security policies from-zone trust to-zone untrust policy pol_NAS match source-address any
    
    set security policies from-zone trust to-zone untrust policy pol_NAS match destination-address any
    
    set security policies from-zone trust to-zone untrust policy pol_NAS match application any
    
    set security policies from-zone trust to-zone untrust policy pol_NAS then permit
    


     Now my SRX210 accepts the commit, but port 51413 is always closed.

     



  • 6.  RE: Port Forward and DMZ Help.

    Posted 10-21-2016 12:48

    My updated full conf:

     


    ## Last changed: 2016-10-22 04:33:09 CEST
    version 12.1X46-D55.3;
    system {
        host-name JuniperSRX210;
        time-zone Europe/Rome;
        root-authentication {
            encrypted-password "password";
        }
        name-server {
            8.8.8.8;
            8.8.4.4;
            208.67.222.222;
            208.67.220.220;
        }
        services {
            ssh;
            telnet;
            xnm-clear-text;
            web-management {
                http {
                    interface vlan.0;
                }
                https {
                    system-generated-certificate;
                    interface vlan.0;
                }
            }
            dhcp {
                router {
                    192.168.5.1;
                }
                pool 192.168.5.1/24 {
                    address-range low 192.168.5.180 high 192.168.5.254;
                }
                propagate-settings ge-0/0/0.0;
            }
            dynamic-dns {
                client myaddress.dyndnsaddress.com {
                    server dyndns;
                    agent dyndns;
                    username username;
                    password "password";
                    interface ge-0/0/0.0;
                }
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    dhcp;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        at-1/0/0 {
            encapsulation ethernet-over-atm;
            atm-options {
                vpi 8;
            }
            dsl-options {
                operating-mode auto;
            }
            unit 0 {
                encapsulation ppp-over-ether-over-atm-llc;
                vci 8.35;
            }
        }
        pp0 {
            traceoptions {
                flag all;
            }
            unit 0 {
                point-to-point;
                ppp-options {
                    pap {
                        default-password "password";
                        local-name Ispname;
                        local-password "password";
                        passive;
                    }
                }
                pppoe-options {
                    underlying-interface at-1/0/0.0;
                    client;
                }
                no-keepalives;
                family inet {
                    negotiate-address;
                }
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 192.168.5.1/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 {
                next-hop pp0.0;
                metric 0;
            }
        }
    }
    security {
        alg {
            ftp ftps-extension;
            mgcp disable;
            rsh;
            sccp disable;
            sip {
                disable;
                application-screen {
                    unknown-message {
                        permit-nat-applied;
                    }
                }
                traceoptions {
                    flag all;
                }
            }
        }
        flow {
            tcp-mss {
                all-tcp {
                    mss 1350;
                }
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
            destination {
                pool pool_NAS {
                    address 192.168.5.160/32;
                }
                rule-set Nat-Inside {
                    from zone untrust;
                    rule Torrent {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                            destination-port 51413;
                        }
                        then {
                            destination-nat {
                                pool {
                                    pool_NAS;
                                }
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                policy pol_NAS {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        traceoptions {
            file flowtrace size 10m world-readable;
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0;
                }
            }
            security-zone untrust {
                screen untrust-screen;
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    at-1/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                    pp0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
        }
    }
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
    }

     



  • 7.  RE: Port Forward and DMZ Help.

    Posted 10-25-2016 15:50

    I think you are missing the inbound policy from zone untrust to zone trust (the policy you added is trust to untrust, which is the outbound direction). The inside host needs an address-book entry and the port needs a custom application for the policy to commit:

     

    set security zones security-zone trust address-book address NAS 192.168.5.160/32

    set applications application tcp_51413 protocol tcp destination-port 51413

    set security policies from-zone untrust to-zone trust policy pol_NAS match source-address any

    set security policies from-zone untrust to-zone trust policy pol_NAS match destination-address NAS

    set security policies from-zone untrust to-zone trust policy pol_NAS match application tcp_51413

    set security policies from-zone untrust to-zone trust policy pol_NAS then permit
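
Replies 2 and 7 each show the pieces for one port; below is the complete set for every forward the original post asked for, plus a consumer-router-style "DMZ host" (a catch-all forward of every remaining port to 192.168.5.80). This is an added example written for this page, not the poster's or Juniper's configuration. Assumptions: the public address on pp0.0 is dynamic, so the NAT rules match destination-address 0.0.0.0/0 rather than a fixed /32; the names pool_NAS, pool_HOST100, pool_DMZ, tcp-51413, tcp-57532, tcp-47313, pol_NAS, pol_HOST100 and pol_DMZ are my own; the DMZ host stays on the existing vlan-trust subnet as the post describes, rather than in a separate security zone.

```junos
## Assumed names and addresses (see lead-in). Hosts are from the original post.

## 1. Address-book entries: 12.1X46 policies reference names, not raw prefixes.
set security zones security-zone trust address-book address NAS 192.168.5.160/32
set security zones security-zone trust address-book address HOST100 192.168.5.100/32
set security zones security-zone trust address-book address DMZ-HOST 192.168.5.80/32

## 2. Custom applications for the non-standard ports. TCP/21 is covered by the
##    built-in junos-ftp, which also lets the FTP ALG open the data connections.
set applications application tcp-51413 protocol tcp destination-port 51413
set applications application tcp-57532 protocol tcp destination-port 57532
set applications application tcp-47313 protocol tcp destination-port 47313

## 3. Destination-NAT pools, one per inside host. No port on the pool, so the
##    original destination port is kept (1:1 port mapping).
set security nat destination pool pool_NAS address 192.168.5.160/32
set security nat destination pool pool_HOST100 address 192.168.5.100/32
set security nat destination pool pool_DMZ address 192.168.5.80/32

## 4. One rule-set for traffic arriving from zone untrust, one rule per port.
##    destination-address 0.0.0.0/0 because pp0.0 negotiates its address; with a
##    static public IP match that /32 instead.
set security nat destination rule-set Nat-Inside from zone untrust
set security nat destination rule-set Nat-Inside rule Torrent match destination-address 0.0.0.0/0
set security nat destination rule-set Nat-Inside rule Torrent match destination-port 51413
set security nat destination rule-set Nat-Inside rule Torrent then destination-nat pool pool_NAS
set security nat destination rule-set Nat-Inside rule FTP match destination-address 0.0.0.0/0
set security nat destination rule-set Nat-Inside rule FTP match destination-port 21
set security nat destination rule-set Nat-Inside rule FTP then destination-nat pool pool_NAS
set security nat destination rule-set Nat-Inside rule P57532 match destination-address 0.0.0.0/0
set security nat destination rule-set Nat-Inside rule P57532 match destination-port 57532
set security nat destination rule-set Nat-Inside rule P57532 then destination-nat pool pool_NAS
set security nat destination rule-set Nat-Inside rule P47313 match destination-address 0.0.0.0/0
set security nat destination rule-set Nat-Inside rule P47313 match destination-port 47313
set security nat destination rule-set Nat-Inside rule P47313 then destination-nat pool pool_HOST100

## 5. "DMZ host": no destination-port match, so it catches every other port.
##    Rules in a rule-set are evaluated top-down, first match wins, so this rule
##    MUST be last or it shadows the port-specific rules above.
set security nat destination rule-set Nat-Inside rule DMZ match destination-address 0.0.0.0/0
set security nat destination rule-set Nat-Inside rule DMZ then destination-nat pool pool_DMZ
insert security nat destination rule-set Nat-Inside rule DMZ after rule P47313

## 6. Policies from untrust to trust. Policy lookup runs AFTER destination NAT, so
##    destination-address is the inside host, and only the listed applications
##    are permitted; anything else inbound still hits the default deny.
set security policies from-zone untrust to-zone trust policy pol_NAS match source-address any
set security policies from-zone untrust to-zone trust policy pol_NAS match destination-address NAS
set security policies from-zone untrust to-zone trust policy pol_NAS match application [ tcp-51413 junos-ftp tcp-57532 ]
set security policies from-zone untrust to-zone trust policy pol_NAS then permit
set security policies from-zone untrust to-zone trust policy pol_HOST100 match source-address any
set security policies from-zone untrust to-zone trust policy pol_HOST100 match destination-address HOST100
set security policies from-zone untrust to-zone trust policy pol_HOST100 match application tcp-47313
set security policies from-zone untrust to-zone trust policy pol_HOST100 then permit
## The DMZ host gets "application any" because the NAT rule forwards every port.
set security policies from-zone untrust to-zone trust policy pol_DMZ match source-address any
set security policies from-zone untrust to-zone trust policy pol_DMZ match destination-address DMZ-HOST
set security policies from-zone untrust to-zone trust policy pol_DMZ match application any
set security policies from-zone untrust to-zone trust policy pol_DMZ then permit
```

Run `commit check` before `commit`, then verify with `show security nat destination rule all` (rule order and hit counters) and `show security flow session destination-port 51413` while a peer connects; a session whose "Out" leg shows 192.168.5.160 confirms both the NAT translation and the policy match. Two caveats: the catch-all DMZ rule exposes every listening service on 192.168.5.80 to the Internet, so drop section 5 unless that host is really meant to be fully reachable (a separate VLAN and security zone is the safer design for a DMZ on this platform); and the posted configuration leaves `host-inbound-traffic system-services all` on the untrust zone with ssh and telnet enabled, so the firewall's own management services are reachable from the Internet and should be restricted before opening more inbound ports.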



  • 8.  RE: Port Forward and DMZ Help.
    Best Answer

    Posted 10-25-2016 23:30


  • 9.  RE: Port Forward and DMZ Help.

    Posted 10-20-2016 13:34

    You would need to NAT the traffic.

     

    First, create the pool:

    set security nat destination pool 192.168.5.160/32 address 192.168.5.160/32

     

    Then configure the NAT:

    set security nat destination rule-set dst-nat from zone untrust;
    set security nat destination rule-set dst-nat rule 51413 match destination-address 0.0.0.0/0 destination-port 51413

    set security nat destination rule-set dst-nat rule 51413 then destination-nat pool 192.168.5.160/32;

    Finally, configure the address-book entry, the application and the policy:

    set security zones security-zone trust address-book address NAS 192.168.5.160/32
    set applications application 51413 term term0 protocol tcp source-port 0-65535 destination-port 51413

    set security policies from-zone untrust to-zone trust policy pol_51413 match source-address any destination-address NAS application 51413
    set security policies from-zone untrust to-zone trust policy pol_51413 then permit



  • 10.  RE: Port Forward and DMZ Help.

    Posted 10-21-2016 05:13

    First attempt:


    set security nat destination pool 192.168.5.160/32 address 192.168.5.160/32

     

    root@JuniperSRX210# ....160/32 address 192.168.5.160/32
    error: pool-name: '192.168.5.160/32': Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores.
    error: statement creation failed: pool

    so I've tried

     

    set security nat destination pool NAS address 192.168.5.160/32 (NAS is the pool name)

     

    it works

     

    after:

     

    set security nat destination rule-set dst-nat from zone untrust;

     

    root@JuniperSRX210# ...ation rule-set dst-nat from zone untrust;
    error: zone-name: 'untrust;': Must be a string consisting of letters, numbers, dashes and underscores
    error: statement creation failed: untrust;

    But the "internet" zone is named untrust, so why this error?