SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Restricting management access

    Posted 11-02-2009 06:45

    Hi All

    Can someone help me with the configuration to restrict management access to the SRX from the external interface?

    I want to restrict the management IP addresses that can access SSH and the web GUI.

    Regards

    Rajesh



  • 2.  RE: Restricting management access
    Best Answer

    Posted 11-02-2009 07:18

    There's no such thing as manager-ip like in ScreenOS. But you could write a stateless packet filter:

    create a prefix-list under policy-options

    write a packet filter under firewall

      - accept only from the prefix list to the outside interface IP if the port is 443 or 22.

      - accept all other traffic!

    apply this as an input filter on the interface

    If you don't know how, I'll try to write an example later.



  • 3.  RE: Restricting management access

    Posted 11-02-2009 08:23

    root@SRX# show
    family inet {
        filter ITFilter {
            term small-offset-term {
                from {
                    fragment-offset 1-5;
                }
                then {
                    syslog;
                    discard;
                }
            }
            term ssh-term {
                from {
                    source-address {
                        x.x.x.x/x;
                    }
                    protocol tcp;
                    destination-port [ ssh http ];
                }
                then accept;
            }
            term discard-rest-term {
                then {
                    log;
                    syslog;
                    discard;
                }
            }
        }
    }

    at-4/0/0 {
        description ADSL;
        family inet {
            filter {
                input ITFilter;
            }
        }
    }

    Worked for me, thanks.



  • 4.  RE: Restricting management access

    Posted 10-09-2011 13:37

    Another way of doing this is to build a firewall filter and apply it to lo0.0.

    In this way it is most like an access-class on an IOS device.

    After accepting SSH traffic from the permitted prefixes and denying SSH from all other addresses, ensure that the default term is accept, as you will otherwise block other traffic such as routing protocols.

    Here is an example:

     

    [edit policy-options]
    prefix-list mgmtaddress {
        192.168.50.0/24;
        10.1.5.87/32;
    }

    [edit firewall]
    filter mgmt-filter {
        term accept-ssh {
            from {
                source-prefix-list {
                    mgmtaddress;
                }
                protocol tcp;
                destination-port ssh;
            }
            then accept;
        }
        term deny-ssh {
            from {
                protocol tcp;
                destination-port ssh;
            }
            then {
                discard;
            }
        }
        term default-accept {
            then accept;
        }
    }

    [edit interfaces]
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input mgmt-filter;
                }
            }
        }
    }

     

    I don't think you even need to assign an IP address to the loopback interface.

    And once again note the default accept-all. You can carry on and lock it down with additional terms, perhaps accepting OSPF/BGP traffic from only certain IP addresses to prevent DDoS, etc.
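    The two filters above (the interface filter in reply 3 and the lo0.0 filter in reply 4) both depend on how Junos evaluates a stateless filter: terms are tried in order, the first matching term decides, and a packet that matches no term hits the filter's implicit discard. The following script is an added example, not code from any poster in this thread; it models that evaluation in Python for the `mgmt-filter` from reply 4 (with its `mgmtaddress` prefixes) and runs constructed packets through it with and without the `default-accept` term, so you can see why the default term matters for BGP and that this filter leaves HTTPS to the GUI unrestricted.

```python
"""Model of Junos stateless firewall-filter evaluation (added example).

Terms are checked in order, the first matching term's action wins, and a
packet that matches no term falls through to the implicit discard at the
end of the filter. All packets and prefix data below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed service-name -> port table (mirrors the names used in Junos)
PORTS = {"ssh": 22, "https": 443, "bgp": 179}


@dataclass
class Term:
    name: str
    action: str                                 # "accept" or "discard"
    source_prefixes: Optional[list] = None      # None = any source
    protocol: Optional[str] = None              # None = any protocol
    destination_ports: Optional[set] = None     # None = any port

    def matches(self, pkt: dict) -> bool:
        """Every configured 'from' condition must match (Junos AND semantics)."""
        if self.source_prefixes is not None and not any(
                ip_address(pkt["src"]) in ip_network(p) for p in self.source_prefixes):
            return False
        if self.protocol is not None and pkt["proto"] != self.protocol:
            return False
        if self.destination_ports is not None and pkt["dport"] not in self.destination_ports:
            return False
        return True


def evaluate(terms: list, pkt: dict) -> tuple:
    """Return (action, term_name) for the first matching term, else the implicit discard."""
    for term in terms:
        if term.matches(pkt):
            return term.action, term.name
    return "discard", "<implicit-discard>"


# prefix-list mgmtaddress from reply 4
MGMT_PREFIXES = ["192.168.50.0/24", "10.1.5.87/32"]

# mgmt-filter as posted in reply 4, including the explicit default-accept term
MGMT_FILTER = [
    Term("accept-ssh", "accept", MGMT_PREFIXES, "tcp", {PORTS["ssh"]}),
    Term("deny-ssh", "discard", None, "tcp", {PORTS["ssh"]}),
    Term("default-accept", "accept"),
]
# The same filter with the default term left out: the implicit discard applies
MGMT_FILTER_NO_DEFAULT = MGMT_FILTER[:2]

# Constructed packets addressed to the router itself (what a lo0.0 filter sees)
SAMPLE_PACKETS = {
    "ssh-from-mgmt": {"src": "10.1.5.87", "proto": "tcp", "dport": PORTS["ssh"]},
    "ssh-from-internet": {"src": "203.0.113.5", "proto": "tcp", "dport": PORTS["ssh"]},
    "bgp-from-peer": {"src": "198.51.100.1", "proto": "tcp", "dport": PORTS["bgp"]},
    "https-from-internet": {"src": "203.0.113.5", "proto": "tcp", "dport": PORTS["https"]},
}


def run(filter_terms: list) -> dict:
    """Map each sample packet label to the action the filter takes on it."""
    return {label: evaluate(filter_terms, pkt)[0] for label, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for title, terms in (("with default-accept", MGMT_FILTER),
                         ("without default term", MGMT_FILTER_NO_DEFAULT)):
        print(title)
        for label, pkt in SAMPLE_PACKETS.items():
            action, term = evaluate(terms, pkt)
            print(f"  {label:22} -> {action:8} ({term})")
```

    Running it shows SSH from 10.1.5.87 accepted by `accept-ssh` and SSH from the Internet discarded by `deny-ssh` in both variants, while BGP from the peer is accepted only when `default-accept` is present and otherwise dies on the implicit discard. It also shows HTTPS from the Internet reaching `default-accept`, which is the gap to close with an extra term (or `[ ssh https ]` in the match) if the web GUI is to be restricted as the original question asked.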