SRX Services Gateway

Visitor
dandufunk
Posts: 9
Registered: 05-21-2012

SRX ADSL and Port forwarding issues

Hey guys,

Have recently deployed an SRX210HE into our corporate network, mostly without any major issues, but the following:

- Internet browsing is flaky: some sites are all right, others get nothing and time out. I've been experimenting with MTU sizes on our untrust interface with some success. ADSL syncs OK, checked with ISP, no dropouts at either end.

- Port forwarding is not working correctly for rule7 (below); the rule is being hit, no problems, but it won't forward correctly to the appropriate port.

The way I've swapped over from our old P.O.S. iiNet thing is by using the same IP address as the old device, not having to change and re-publish DHCP to everyone; minimal impact (so I thought). I'm guessing this might cause ARP issues? Hence the flaky browsing?

Setup:  ISP line-->(ADSL PIM)SRX-->Dumb HT switch -->Cisco SG3000

FYI - I'm the new Sys Admin, haven't had a chance to re-cable and re-order the switches... probably a loop in the cabling somewhere, cabling is a mess...

Check out the config below; is there something missing?

We're using Telstra Direct ADSL in Melbourne, Australia

Thank you for taking the time to have a look. Dan

===========================================

CONFIG:

===========================================

--- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC
admin@SRX210-XXX> configure
Entering configuration mode

[edit]
admin@SRX210-Teknocorp# show
## Last changed: 2012-05-21 13:07:15 GMT+10
version 12.1R1.9;
system {
host-name SRX210-XXX;
domain-name XXX;
time-zone GMT+10;
authentication-order password;
root-authentication {
encrypted-password "XXX"; ## SECRET-DATA
}
name-server {
203.50.2.71;
139.130.4.4;
}
login {
user admin {
full-name admin;
uid 101;
class super-user;
authentication {
encrypted-password "XXX"; ## SECRET-DATA
}
}
}
services {
ssh;
telnet;
xnm-clear-text;
web-management {
http {
interface vlan.0;
}
https {
system-generated-certificate;
interface vlan.0;
}
}
dhcp {
router {
192.168.0.1;
}
pool 192.168.0.0/24 {
address-range low 192.168.0.200 high 192.168.0.201;
router {
192.168.0.1; ## DHCP for our 2 AX411 AP's
}
propagate-settings ge-0/0/1.0;
}
propagate-settings fe-0/0/2;
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
##
## Warning: statement ignored: unsupported platform (srx210he)
##
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
ntp {
server 192.168.0.4;
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members all;
}
}
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members all;
}
}
}
}
fe-0/0/2 {
unit 0 {
family ethernet-switching {
port-mode access;
}
}
}
fe-0/0/3 {
unit 0 {
family ethernet-switching {
port-mode access;
}
}
}
fe-0/0/4 {
unit 0 {
family ethernet-switching {
port-mode access;
}
}
}
fe-0/0/5 {
unit 0 {
family ethernet-switching {
port-mode access;
}
}
}
fe-0/0/6 {
unit 0 {
family ethernet-switching {
port-mode access;
}
}
}
fe-0/0/7 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members default;
}
}
}
}
at-1/0/0 {
description "Telstra ADSL";
traceoptions {
flag all;
}
mtu 1500; ## SEEM TO HAVE MOST SUCCESS WITH THIS MTU SIZE, MATCHED WITH LOCAL TELSTRA DSLAM
encapsulation atm-pvc;
atm-options {
vpi 8;
}
dsl-options {
operating-mode auto;
}
unit 0 {
description PPPoA;
encapsulation atm-ppp-vc-mux;
vci 8.35;
ppp-options {
chap {
default-chap-secret "XXX"; ## SECRET-DATA
local-name "XXX";
passive;
}
pap {
default-password "XXX"; ## SECRET-DATA
local-name "XXX";
local-password "XXX"; ## SECRET-DATA
passive;
}
}
family inet {
address "PUBLIC-IP"/24;
}
}
}
lo0 {
unit 0 {
family inet {
address 127.0.0.1/32;
}
}
}
vlan {
unit 0 {
family inet {
address 192.168.0.1/24;
}
}
}
}
inactive: forwarding-options {
helpers {
inactive: bootp {
relay-agent-option;
description "Global DHCP relay service";
server 192.168.0.4;
maximum-hop-count 16;
minimum-wait-time 0;
client-response-ttl 255;
interface {
vlan.0;
}
}
}
}
snmp {
community public {
authorization read-only;
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop at-1/0/0.0;
}
}
security {
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
queue-size 2000; ## Warning: 'queue-size' is deprecated
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set interface-nat {
from zone trust;
to zone untrust;
rule rule1 {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
destination {
pool dnat-pool-2 {
address 192.168.0.5/32 port 89; ## PORT FORWARDING TO THIS ADDRESS / PORT HASN'T WORKED YET
}
pool dnat-pool-1 {
address 192.168.0.4/32;
}
rule-set dst-nat {
from zone untrust;
rule rule1 {
match {
destination-address 120.151.96.74/32;
destination-port 80;
}
then {
destination-nat pool dnat-pool-1;
}
}
rule rule2 {
match {
destination-address 120.151.96.74/32;
destination-port 5060;
}
then {
destination-nat pool dnat-pool-1;
}
}
rule rule3 {
match {
destination-address 120.151.96.74/32;
destination-port 1723;
}
then {
destination-nat pool dnat-pool-1;
}
}
rule rule4 {
match {
destination-address 120.151.96.74/32;
destination-port 25;
}
then {
destination-nat pool dnat-pool-1;
}
}
rule rule5 {
match {
destination-address 120.151.96.74/32;
destination-port 443;
}
then {
destination-nat pool dnat-pool-1;
}
}
rule rule6 {
match {
destination-address 120.151.96.74/32;
destination-port 3389;
}
then {
destination-nat pool dnat-pool-1;
}
}
rule rule7 { ## THIS RULE GETS HIT, BUT DOESN'T FORWARD CORRECTLY
match {
destination-address 120.151.96.74/32;
destination-port 89;
}
then {
destination-nat pool dnat-pool-2;
}
}
}
}
inactive: proxy-arp { ## IGNORE
interface at-1/0/0.0 {
address {
192.168.0.4/32;
}
}
}
}
policies {
from-zone trust to-zone trust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
policy static-nat {
match {
source-address any;
destination-address servergroup;
application [ junos-http junos-sip junos-smtp junos-https RDPApps ];
}
then {
permit;
}
}
policy default-deny {
match {
source-address any;
destination-address any;
application any;
}
then {
deny;
}
}
}
}
zones {
security-zone trust {
address-book {
address XXX-Server 192.168.0.4/32;
address XX-server-1 192.168.0.5/32;
address XX-server-2 192.168.0.6/32;
address local-network 192.168.0.0/24;
address-set servergroup {
address XXX-Server;
address XXX-server-1;
address XXX-server-2;
}
}
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/0.0;
ge-0/0/1.0;
fe-0/0/2.0;
fe-0/0/3.0;
fe-0/0/4.0;
fe-0/0/5.0;
fe-0/0/6.0;
fe-0/0/7.0;
vlan.0;
}
}
security-zone untrust {
screen untrust-screen;
host-inbound-traffic {
system-services {
ssh;
}
}
interfaces {
at-1/0/0.0;
}
}
}
}
applications {
application cust-RDP {
protocol tcp;
source-port 1-65535;
destination-port 3389;
}
application cust-pptp {
protocol tcp;
source-port 1-65535;
destination-port 1723;
}
application-set RDPApps {
application cust-RDP;
application cust-pptp;
}
}
wlan {
access-point AP-1 {
mac-address 78:fe:3d:c6:16:80;
external {
system {
ports {
ethernet {
management-vlan 1;
name-server 192.168.0.4;
}
}
console {
baud-rate 115200;
}
}
}
access-point-options {
country {
AU;
}
}
radio 2 {
virtual-access-point 0 {
ssid XXX_Wifi;
vlan 1;
security {
mac-authentication-type disabled;
none;
}
}
}
radio 1 {
virtual-access-point 0 {
ssid XXX_Wifi;
vlan 1;
security {
mac-authentication-type disabled;
none;
}
}
}
}
access-point AP-2 {
mac-address 78:fe:3d:c6:09:00;
external {
system {
ports {
ethernet {
management-vlan 1;
name-server 192.168.0.4;
}
}
console {
baud-rate 115200;
}
}
}
access-point-options {
country {
AU;
}
}
radio 2 {
virtual-access-point 0 {
ssid XXX_Wifi_2;
vlan 1;
security {
mac-authentication-type disabled;
none;
}
}
}
radio 1 {
virtual-access-point 0 {
ssid XXX_Wifi_2;
vlan 1;
security {
mac-authentication-type disabled;
none;
}
}
}
}
}
vlans {
default {
vlan-id 1;
l3-interface vlan.0;
}
}

[edit]

===========================================

END

===========================================

Distinguished Expert
dfex
Posts: 783
Registered: 04-17-2008

Re: SRX ADSL and Port forwarding issues

Hi Dan,

With regards to your MTU issue:

delete interfaces at-1/0/0 mtu 1500
set security flow tcp-mss all-tcp mss 1350

This will adjust all transit TCP traffic's MSS (and thus MTU) on the fly. The reason we go to 1350 is to cover off the situation where you have IPsec tunnels terminating on the SRX (which reduce the maximum packet size even further).

As for your port-forwarding issue, the security policy you have in place (static-nat) doesn't have an application that uses port 89 defined, so you'll need to do:

set applications application TCP-89 protocol tcp
set applications application TCP-89 destination-port 89
set security policies from-zone untrust to-zone trust policy static-nat match application TCP-89

and you should be good to go.

Hope this helps.

Ben Dale
JNCIP-ENT, JNCIS-SP, JNCIE-SEC #63
Juniper Ambassador
Follow me @labelswitcher
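Why dfex's fix works comes down to the order of operations on the SRX: destination NAT is applied first, and the untrust-to-trust policy is then evaluated against the translated destination, so a NAT rule can show hits while the session is still dropped by default-deny because no application in the policy matches the port. The script below is an added example (not code from the thread or from Juniper) that models that lookup in Python. The NAT rules, pools, public address and server addresses are copied from the posted config; the port numbers behind the junos-* applications and the membership of servergroup are assumptions made in the model (the posted address-set names do not match the address-book entries as redacted), not values read from the device.

```python
"""Model of the inbound packet path in the posted SRX config: destination NAT
is applied first, then the untrust->trust security policy is evaluated against
the translated packet. Added example; rule, pool and address values are taken
from the forum post, application definitions are modelled here (assumption)."""
from dataclasses import dataclass, replace

PUBLIC_IP = "120.151.96.74"  # destination-address matched by dnat rules 1-7

# rule-set dst-nat (from zone untrust), in configured order:
# (rule name, matched destination port, (pool address, pool port)).
# A pool port of None means the original port is kept, which is what
# dnat-pool-1 does since it has no "port" statement.
DNAT_RULES = [
    ("rule1", 80, ("192.168.0.4", None)),
    ("rule2", 5060, ("192.168.0.4", None)),
    ("rule3", 1723, ("192.168.0.4", None)),
    ("rule4", 25, ("192.168.0.4", None)),
    ("rule5", 443, ("192.168.0.4", None)),
    ("rule6", 3389, ("192.168.0.4", None)),
    ("rule7", 89, ("192.168.0.5", 89)),  # dnat-pool-2
]

# address-set servergroup, resolved to addresses. Assumption: the posted
# address-book names are redacted inconsistently, so the set is taken to be
# the three server hosts defined in zone trust.
SERVERGROUP = {"192.168.0.4", "192.168.0.5", "192.168.0.6"}

# Applications as (protocol, destination port). The junos-* entries are
# modelled with their well-known ports here, not read from junos-defaults.
APPLICATIONS = {
    "junos-http": ("tcp", 80),
    "junos-sip": ("udp", 5060),
    "junos-smtp": ("tcp", 25),
    "junos-https": ("tcp", 443),
    "cust-RDP": ("tcp", 3389),   # application cust-RDP from the post
    "cust-pptp": ("tcp", 1723),  # application cust-pptp from the post
}
APPLICATION_SETS = {"RDPApps": ["cust-RDP", "cust-pptp"]}

# policy static-nat: match application [ ... ] exactly as posted.
POLICY_APPS_AS_POSTED = ["junos-http", "junos-sip", "junos-smtp",
                         "junos-https", "RDPApps"]

# dfex's fix: a new application TCP-89 added to that list.
APPLICATIONS_FIXED = {**APPLICATIONS, "TCP-89": ("tcp", 89)}
POLICY_APPS_FIXED = POLICY_APPS_AS_POSTED + ["TCP-89"]


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_ip: str
    dst_port: int


def destination_nat(pkt):
    """First-match lookup of rule-set dst-nat. Returns (rule name or None,
    packet with the translated destination)."""
    for name, port, (addr, pool_port) in DNAT_RULES:
        if pkt.dst_ip == PUBLIC_IP and pkt.dst_port == port:
            new_port = pkt.dst_port if pool_port is None else pool_port
            return name, replace(pkt, dst_ip=addr, dst_port=new_port)
    return None, pkt


def expand(app_names, applications):
    """Flatten application-sets and plain names into a set of (proto, port)."""
    tuples = set()
    for name in app_names:
        for member in APPLICATION_SETS.get(name, [name]):
            tuples.add(applications[member])
    return tuples


def policy_lookup(pkt, app_names, applications):
    """untrust->trust policies in order: static-nat, then default-deny.
    Evaluated on the post-NAT packet, which is what the SRX matches on."""
    if (pkt.dst_ip in SERVERGROUP
            and (pkt.proto, pkt.dst_port) in expand(app_names, applications)):
        return "static-nat", "permit"
    return "default-deny", "deny"


def forward(pkt, app_names=POLICY_APPS_AS_POSTED, applications=APPLICATIONS):
    """Run one inbound packet through DNAT and then the policy lookup."""
    rule, translated = destination_nat(pkt)
    policy, action = policy_lookup(translated, app_names, applications)
    return {"dnat_rule": rule, "translated": translated,
            "policy": policy, "action": action}


if __name__ == "__main__":
    probe = Packet("tcp", PUBLIC_IP, 89)
    print("as posted:  ", forward(probe))
    print("with TCP-89:", forward(probe, POLICY_APPS_FIXED, APPLICATIONS_FIXED))
```

Running it shows tcp/89 matched by rule7 and translated to 192.168.0.5:89 in both cases, denied by default-deny with the policy as posted and permitted by static-nat once TCP-89 is in the application list. That is exactly the symptom in the thread: the NAT rule counter moves, the session never forms. On the box, `show security nat destination rule all` shows the NAT rule hits and `show security flow session destination-port 89` shows a session only once the policy has permitted the flow, so checking both is the quickest way to tell a NAT problem from a policy problem.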
Visitor
dandufunk
Posts: 9
Registered: 05-21-2012

Re: SRX ADSL and Port forwarding issues

Awesome, thanks for that dfex. I'll test it out tonight and hopefully everything will be all right.

Thanks again.

Visitor
dandufunk
Posts: 9
Registered: 05-21-2012

Re: SRX ADSL and Port forwarding issues

Thanks for the fix dfex, everything is 100% for port forwarding now.

-Dan

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.