SRX Services Gateway

Contributor Manzano

RDP and VPN -- FW policy...

Hello Everyone!!

I went back to basics and a test environment because I can't figure out what I am doing wrong.

Any guidance is much appreciated!

Here is the config...

Have a good one!

Distinguished Expert keithr

Re: RDP and VPN -- FW policy...

You haven't exactly described what the issue is that you're having... so I'm just going to take a guess based on your config -- it's probably your NAT configuration.

If you don't need NAT, then take out the source NAT rules. If you do need NAT, then you'll need to configure NAT to allow your incoming connections (destination NAT or static NAT).

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
Contributor Manzano

Re: RDP and VPN -- FW policy...

Hi kr!

You are right... I got jumpy and didn't describe my issue properly.. which is this:

I got an SRX210, my outside address being 192.168.1.10/29.

Traffic that hits that address (192.168.1.10) with a VPN request needs to go to 10.0.1.198.

Traffic that hits that address (192.168.1.10) with a Remote Desktop request needs to go to 10.0.1.196.

... I was told that it could be achieved by just configuring a FW policy matching the traffic type (i.e. junos-gre, junos-pptp) and it would send it to the correct internal IP..

I am doing something wrong or missing something because it is not happening...

Many thanks for replying!

Super Contributor Aigarz

Re: RDP and VPN -- FW policy...

For sure you should also configure 'destination nat' to do IP address translation.

For RDP, the rule might look like this:

set security nat destination pool 10-0-1-196--3389 address 10.0.1.196/32
set security nat destination pool 10-0-1-196--3389 address port 3389
set security nat destination rule-set destination from zone untrust
set security nat destination rule-set destination rule r1 match destination-address 192.168.1.10/32
set security nat destination rule-set destination rule r1 match destination-port 3389
set security nat destination rule-set destination rule r1 then destination-nat pool 10-0-1-196--3389

For VPN connections it could be more tricky, as there are several types of VPN around...

More on NAT configuration:

http://kb.juniper.net/InfoCenter/index?page=content&id=TN81&actp=LIST

Distinguished Expert keithr

Re: RDP and VPN -- FW policy...

You definitely would need some kind of destination NAT. The firewall would have no way to know which traffic to send to which internal host otherwise.

Aigarz gave a suggestion for a starting point to cover your RDP connection; however, the VPN termination is more difficult. You cannot match a NAT rule on GRE, as it is a protocol and not a port number. The SRX has a PPTP ALG that I believe is supposed to handle the necessary magic for translating GRE sessions.

For a starting suggestion, try setting up your destination NAT (incoming connections) something like this:

security {
  nat {
    destination {
      pool srv-RDP {
        address 10.0.1.196/32;
      }
      pool srv-PPTP {
        address 10.0.1.198/32;
      }
      rule-set untrust-to-trust {
        from zone untrust;
        rule RDP {
          match {
            source-address 0.0.0.0/0;
            destination-address 192.168.1.10/32;
            destination-port 3389;
          }
          then {
            destination-nat pool srv-RDP;
          }
        }
        rule PPTP {
          match {
            source-address 0.0.0.0/0;
            destination-address 192.168.1.10/32;
            destination-port 1723;
          }
          then {
            destination-nat pool srv-PPTP;
          }
        }
      }
    }
  }
}

You'll also want to make sure that your PPTP ALG is enabled:

user@srx> show security alg status | match PPTP
  PPTP     : Enabled

Set your security policies to allow the junos-pptp service, but you don't need the junos-gre service since the ALG takes care of that (as far as I know):

from-zone untrust to-zone trust {
  policy VPN-Test {
    match {
      source-address any;
      destination-address addr_10_0_1_198;
      application junos-pptp;
    }
    then {
      permit;
      log {
        session-init;
        session-close;
      }
    }
  }
}

That should get you going in the right direction. I can't promise that that's 100% of what you need to make it work; I have not done this exact configuration and I don't have a place where I can build it to test it.

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
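To make the two posts above concrete, here is an added simulation (not Juniper code, and not from either poster) of how the SRX destination NAT rule-set in this thread selects a pool: first-match on source-address, destination-address and destination-port, using keithr's pool names and Aigarz's pool-with-port variant for RDP. It also shows why GRE falls through every rule, which is the gap the PPTP ALG has to cover. Packet addresses and the Packet/Rule classes are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of the thread's destination NAT pools. A pool port of
# None keeps the packet's original port (keithr's form); Aigarz's RDP pool
# pins 3389 with "address port 3389".
POOLS = {
    "srv-RDP": ("10.0.1.196", 3389),
    "srv-PPTP": ("10.0.1.198", None),
}

@dataclass(frozen=True)
class Rule:
    name: str
    source: str       # source-address prefix
    destination: str  # destination-address prefix
    dst_port: int     # destination-port
    pool: str

RULES = [  # first match wins, as in a Junos rule-set
    Rule("RDP", "0.0.0.0/0", "192.168.1.10/32", 3389, "srv-RDP"),
    Rule("PPTP", "0.0.0.0/0", "192.168.1.10/32", 1723, "srv-PPTP"),
]

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: int                      # 6 = TCP, 47 = GRE
    dst_port: Optional[int] = None  # None: protocol carries no L4 port

def match_rule(pkt: Packet) -> Optional[Rule]:
    """First rule whose address/port tuple matches the packet.
    GRE has no port, so it can never satisfy a destination-port match;
    the PPTP data leg therefore depends on the ALG, not on a NAT rule."""
    if pkt.dst_port is None:
        return None
    for r in RULES:
        if (ip_address(pkt.src_ip) in ip_network(r.source)
                and ip_address(pkt.dst_ip) in ip_network(r.destination)
                and pkt.dst_port == r.dst_port):
            return r
    return None

def translate(pkt: Packet):
    """Post-NAT (ip, port), or None when no rule matches (destination unchanged)."""
    r = match_rule(pkt)
    if r is None:
        return None
    addr, port = POOLS[r.pool]
    return (addr, pkt.dst_port if port is None else port)
```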
Contributor Manzano

Re: RDP and VPN -- FW policy...

Thank you Aigarz and Keith for your posts... they have been MOST helpful!!

Aigarz's solution worked like a charm. I had misunderstood the concept when it was explained to me, but after seeing the lines it was clear!

Keith, your solution seems simple yet elegant! I will reset my test lab and give it a shot!! I will post soon!!

Again.... THANKS!

Contributor Manzano

Re: RDP and VPN -- FW policy...

.... WORKED LIKE A CHARM!!

MANY THANKS FOR YOUR POSTS, TIME AND PATIENCE!!

On the test environment, working with the same computer, I was able to REMOTE IN ... AND VPN IN at the same time with NO PROBLEMS!!

KUDOS GENTLEMEN!!


Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.