SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX routing issue when users connect to SSL MAG device

    Posted 06-09-2014 07:51

    Hello all,

     

    I am fairly new to JunOS and I am having a possible routing issue with an SRX device.

     

    I have a small group of users at a branch office that are behind an SRX100 and are having some issues when connecting to the newly deployed SSL MAG device. They can get to the VPN and sign in with no problem. I have WSAM set to launch automatically, and it is configured to allow connections to a company intranet page through a browser. However, when the users open a new tab and attempt to browse to this page they receive a "page cannot be found" or "link broken" error. When the SRX is out of the picture the users have no problem opening the page. So it appears that the SRX is not routing that particular traffic through the WSAM connection, but I am not sure how this traffic should be routed. I have included my config below. Please note that in order to rule out any possible policy conflicts I currently have my inbound and outbound policies open.

     

    Thanks in advance for any assistance on this.

     

    Cole

     

    version 11.4R8.4;
    system {
        host-name SRX;
        domain-name;
        root-authentication {
            encrypted-password "$1$e3jLSXNt$bVRHQJUbF6x8YkHByd/AN/"; ## SECRET-DATA
        }
        name-server {
            " ip address";
            " ip address";
        }
        login {
            user jrgiadmin {
                uid 2001;
                class super-user;
                authentication {
                    encrypted-password "$1$dAok9NAm$Xr2iX4i3koeB1pZBNwsUo1"; ## SECRET-DATA
                }
            }
        }
        services {
            ssh;
            xnm-clear-text;
            web-management {
                https {
                    system-generated-certificate;
                    interface vlan.0;
                }
            }
            dhcp {
                maximum-lease-time 86400;
                default-lease-time 86400;
                name-server {
                    "ip address";
                }
                router {
                    192.168.1.1;
                }
                pool 192.168.1.0/24 {
                    address-range low 192.168.1.100 high 192.168.1.200;
                }
                propagate-settings fe-0/0/7.0;
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    interfaces {
        fe-0/0/0 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/7 {
            description "Connection to Internet";
            unit 0 {
                family inet {
                    address "ip address";
                }
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop "gateway";
        }
    }
    protocols {
        stp;
    }
    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
            destination {
                pool Internale {
                    routing-instance {
                        default;
                    }
                    address 192.168.1.0/24;
                }
                rule-set vpn {
                    from zone untrust;
                    rule r1 {
                        match {
                            destination-address "SRX IP";
                        }
                        then {
                            destination-nat pool Internale;
                        }
                    }
                }
            }
            proxy-arp {
                interface fe-0/0/7.0 {
                    address {
                        "gateway";
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone trust {
                policy untrust_to_trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                address-book {
                    address Internal 192.168.1.0/24;
                }
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0;
                    fe-0/0/3.0;
                }
            }
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    fe-0/0/7.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                            }
                        }
                    }
                }
            }
        }
    }
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
    }
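A way to see what the SRX actually does with the intranet traffic before changing anything, added here as an example and not part of Cole's post. It assumes the intranet host reached through WSAM is 10.10.10.10 (placeholder; substitute the real address) and a trace file name of flow-trace. The traceoptions stanza is entered in configuration mode and committed; the show commands are run from operational mode. Remove the traceoptions after the test, since basic-datapath logging is verbose.

```junos
/* Configuration mode: trace only flows from the branch LAN to the intranet host. */
security {
    flow {
        traceoptions {
            file flow-trace size 1m files 3;
            flag basic-datapath;
            /* 10.10.10.10/32 is a placeholder for the published intranet host. */
            packet-filter pf-intranet {
                source-prefix 192.168.1.0/24;
                destination-prefix 10.10.10.10/32;
            }
        }
    }
}

/* Operational mode, while a user reproduces the failure:
 *   show route 10.10.10.10
 *       Confirms which next hop and interface the SRX picks for the host.
 *   show security flow session destination-prefix 10.10.10.10/32
 *       Shows whether a session is created, which zones it crosses and
 *       whether the source address was translated (In/Out lines differ).
 *   show security nat source rule all
 *   show security nat destination rule all
 *       Hit counters tell you which NAT rules the traffic actually matched.
 *   show security policies from-zone trust to-zone untrust
 *       Verifies the permit-any policy is the one being hit.
 *   show log flow-trace
 *       Walks the packet through route lookup, policy and NAT decisions.
 */
```

If the session shows the source translated to the fe-0/0/7.0 address, the intranet side sees the branch as the SRX's public IP rather than a 192.168.1.x client, which is the behaviour the later replies in this thread address by exempting that destination from source NAT.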



  • 2.  RE: SRX routing issue when users connect to SSL MAG device

    Posted 06-10-2014 04:21

    Hi Cole,

     

    I notice that you have a DHCP server configured, but you're not supplying the Name Server option to your clients - is the issue perhaps that they can't resolve the links you are providing through WSAM?



  • 3.  RE: SRX routing issue when users connect to SSL MAG device

    Posted 06-10-2014 08:17

    Hello dfex,

     

    Thank you for your reply. I omitted the DNS name server IPs from the config for security reasons. The name servers are being supplied to the clients through DNS. As a test I directly connected the SRX to the network and gave it an IP, then redirected my VLAN traffic through that. I verified that the client was receiving the correct IP and DNS, then tried to access the intranet site without using the VPN. I was still unsuccessful in resolving the URL. I am fairly certain that there is some sort of routing or DNS issue going on, but I have been unsuccessful in determining what is causing the issue.

     

    Cole



  • 4.  RE: SRX routing issue when users connect to SSL MAG device

    Posted 06-16-2014 13:03

    It appears that source NAT will need to be turned off for requests going to the published application in WSAM. However, the URL still will not resolve through the SRX.



  • 5.  RE: SRX routing issue when users connect to SSL MAG device

    Posted 06-17-2014 04:13

    Hi Cole,

     

    Your destination NAT configuration also does not look correct.

     

    Matching a destination IP address and translating to a /24 subnet?

     

     

    Reconfigure the destination NAT and verify that it helps.

     

    Regards,
    rparthi

    [Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too] .....
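What the two NAT points raised in this thread (reply 4: source NAT must be off for requests to the published application; reply 5: a destination NAT pool should translate to a host, not a /24) look like when written into the posted rule-sets. This is an added example, not rparthi's or Cole's configuration. It assumes the published intranet host is 10.10.10.10 (placeholder), that the internal web server behind the destination NAT is 192.168.1.50 listening on TCP 443 (placeholder), and it keeps the "SRX IP" placeholder from the original config.

```junos
security {
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                /* Source NAT rules are evaluated top-down inside a rule-set,
                 * so the exemption must come before the catch-all rule. */
                rule no-nat-to-intranet {
                    match {
                        source-address 192.168.1.0/24;
                        destination-address 10.10.10.10/32;  /* placeholder intranet host */
                    }
                    then {
                        source-nat {
                            off;
                        }
                    }
                }
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            /* A destination pool maps to one host (and optionally one port),
             * not to a subnet. */
            pool intranet-web {
                address 192.168.1.50/32 port 443;  /* placeholder internal server */
            }
            rule-set vpn {
                from zone untrust;
                rule r1 {
                    match {
                        destination-address "SRX IP";
                        destination-port 443;
                    }
                    then {
                        destination-nat pool intranet-web;
                    }
                }
            }
        }
    }
}
```

Two things to check after committing: `show security nat source rule all` should show hits on no-nat-to-intranet rather than source-nat-rule for the intranet traffic, and the untrust-to-trust security policy must permit traffic to the post-NAT address 192.168.1.50 (the posted permit-any policy already does; a tighter policy would name that host, not the SRX's public address).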

     



  • 6.  RE: SRX routing issue when users connect to SSL MAG device

    Posted 06-25-2014 12:14

    I have completely removed the destination NAT and it made no difference. There appears to be a problem with the new Comcast connection communicating with internal sites, but I cannot figure out where the breakdown is.



  • 7.  RE: SRX routing issue when users connect to SSL MAG device
    Best Answer

    Posted 06-30-2014 13:17

    It turns out that an additional firewall rule was necessary and not a new security policy.