SRX

  • 1.  SRX filtering possibilities

    Posted 08-09-2013 02:13

    Hi. I am new to Junos and SRX. Can someone help me with my question?

    I have security zone UNTRUST with the following allowed services:

    security-zone untrust {
        inactive: screen untrust-screen;
        interfaces {
            ge-0/0/15.0 {
                host-inbound-traffic {
                    system-services {
                        ssh;
                        ping;
                        ike;
                        https;
                    }
                }
            }
        }
    }

    And I have an interface in zone UNTRUST with two IPs:

    ge-0/0/15 {
        unit 0 {
            family inet {
                address 172.27.9.9/24 {
                    primary;
                    preferred;
                }
                address 172.27.9.8/24;
            }
        }
    }

    Can I, in SRX, allow inbound ssh only on IP 172.27.9.8, and only ping, ike and https on IP 172.27.9.9, using security policies?

    Thanks.



  • 2.  RE: SRX filtering possibilities
    Best Answer

    Posted 08-09-2013 06:12

    Hi,

    I've never done it that way, but what you could do is lock down SSH access from specific source IPs. This is done using a loopback and firewall filter, which protects the RE. I know this isn't what you asked for, but I thought it may help, especially since you're new to SRX. Good luck.


    jjudge@usisp1srx1> show configuration interfaces lo0 | display set     
    set interfaces lo0 unit 0 family inet filter input manager-ip
    set interfaces lo0 unit 0 family inet address 127.0.0.1/32


    jjudge@usisp1srx1> show configuration firewall | display set
    set firewall filter manager-ip term permit-ssh-ssl from source-address 10.100.1.0/24
    set firewall filter manager-ip term permit-ssh-ssl from protocol tcp
    set firewall filter manager-ip term permit-ssh-ssl from port ssh
    set firewall filter manager-ip term permit-ssh-ssl from port https
    set firewall filter manager-ip term permit-ssh-ssl then log
    set firewall filter manager-ip term permit-ssh-ssl then accept
    set firewall filter manager-ip term deny-ssh-ssl from protocol tcp
    set firewall filter manager-ip term deny-ssh-ssl from port ssh
    set firewall filter manager-ip term deny-ssh-ssl from port https
    set firewall filter manager-ip term deny-ssh-ssl then log
    set firewall filter manager-ip term deny-ssh-ssl then discard
    set firewall filter manager-ip term else-accept then accept



  • 3.  RE: SRX filtering possibilities

    Posted 08-09-2013 15:08

    Thanks for the reply. It was very helpful for me.



  • 4.  RE: SRX filtering possibilities

    Posted 08-09-2013 17:53
    Just an FYI, the firewall configuration is deprecated and is configured per family. You may want to put this in place before you later find an update breaking things.

    set firewall family inet filter manager-ip term permit-ssh-ssl from source-address 10.100.1.0/24
    set firewall family inet filter manager-ip term permit-ssh-ssl from protocol tcp
    set firewall family inet filter manager-ip term permit-ssh-ssl from port ssh
    set firewall family inet filter manager-ip term permit-ssh-ssl from port https
    set firewall family inet filter manager-ip term permit-ssh-ssl then log
    set firewall family inet filter manager-ip term permit-ssh-ssl then accept
    set firewall family inet filter manager-ip term deny-ssh-ssl from protocol tcp
    set firewall family inet filter manager-ip term deny-ssh-ssl from port ssh
    set firewall family inet filter manager-ip term deny-ssh-ssl from port https
    set firewall family inet filter manager-ip term deny-ssh-ssl then log
    set firewall family inet filter manager-ip term deny-ssh-ssl then discard
    set firewall family inet filter manager-ip term else-accept then accept
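The original question asked for limits per local address rather than per source; the following lo0 filter, an added example and not part of any reply, combines the best answer's loopback-filter approach with the per-family syntax from the last reply and adds a destination-address match for each service. It assumes 10.100.1.0/24 is the management subnet (taken from the best answer) and uses the 172.27.9.8 and 172.27.9.9 addresses from the question; the term names are my own.

```junos
# Added example, not from the thread. Filter on lo0 that limits each RE
# service to one local address. Assumed: 10.100.1.0/24 is the management
# subnet (from the best answer); 172.27.9.8/.9 are the poster's addresses.

# SSH to the RE only on 172.27.9.8 and only from the management subnet
set firewall family inet filter manager-ip term ssh-on-9-8 from source-address 10.100.1.0/24
set firewall family inet filter manager-ip term ssh-on-9-8 from destination-address 172.27.9.8/32
set firewall family inet filter manager-ip term ssh-on-9-8 from protocol tcp
set firewall family inet filter manager-ip term ssh-on-9-8 from destination-port ssh
set firewall family inet filter manager-ip term ssh-on-9-8 then accept

# SSH aimed at any other local address, or from any other source: log and drop
set firewall family inet filter manager-ip term drop-other-ssh from protocol tcp
set firewall family inet filter manager-ip term drop-other-ssh from destination-port ssh
set firewall family inet filter manager-ip term drop-other-ssh then log
set firewall family inet filter manager-ip term drop-other-ssh then discard

# HTTPS, IKE (UDP 500, plus 4500 for NAT-T) and ping only on 172.27.9.9
set firewall family inet filter manager-ip term https-on-9-9 from destination-address 172.27.9.9/32
set firewall family inet filter manager-ip term https-on-9-9 from protocol tcp
set firewall family inet filter manager-ip term https-on-9-9 from destination-port https
set firewall family inet filter manager-ip term https-on-9-9 then accept
set firewall family inet filter manager-ip term ike-on-9-9 from destination-address 172.27.9.9/32
set firewall family inet filter manager-ip term ike-on-9-9 from protocol udp
set firewall family inet filter manager-ip term ike-on-9-9 from destination-port [ 500 4500 ]
set firewall family inet filter manager-ip term ike-on-9-9 then accept
set firewall family inet filter manager-ip term ping-on-9-9 from destination-address 172.27.9.9/32
set firewall family inet filter manager-ip term ping-on-9-9 from protocol icmp
set firewall family inet filter manager-ip term ping-on-9-9 from icmp-type echo-request
set firewall family inet filter manager-ip term ping-on-9-9 then accept

# The same three services aimed at any other local address: log and drop
set firewall family inet filter manager-ip term drop-other-https-ike from protocol [ tcp udp ]
set firewall family inet filter manager-ip term drop-other-https-ike from destination-port [ https 500 4500 ]
set firewall family inet filter manager-ip term drop-other-https-ike then log
set firewall family inet filter manager-ip term drop-other-https-ike then discard
set firewall family inet filter manager-ip term drop-other-ping from protocol icmp
set firewall family inet filter manager-ip term drop-other-ping from icmp-type echo-request
set firewall family inet filter manager-ip term drop-other-ping then log
set firewall family inet filter manager-ip term drop-other-ping then discard

# Everything else (routing protocols, DNS/NTP replies, ...) still reaches the RE
set firewall family inet filter manager-ip term else-accept then accept

# Apply it to the loopback so it covers traffic to the RE arriving on any interface
set interfaces lo0 unit 0 family inet filter input manager-ip
```

The terms match on destination-port rather than port so the drop terms do not also catch replies (source port 22 or 443) to sessions the SRX itself opens, and `then log` writes to the in-memory buffer shown by `show firewall log`. The zone's host-inbound-traffic system-services list still gates first, so each service must remain permitted there; the lo0 filter only narrows what the zone already admits.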