SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX240 - security policies per ip, address not found

    Posted 09-01-2013 23:24

    Hi Everyone,

     

    When I am trying to set a policy based on an IP I am having the following error:

     

        policy domain_com {
            match {
                source-address any;
                destination-address x.y.z.226/32;
                application junos-http;
            }
            then {
                permit;
            }
        }
        # commit
        [edit security policies from-zone untrust to-zone trust]
          'policy domain_com'
            Address or address_set (x.y.z.226/32) not found.
        error: configuration check-out failed
    How could I avoid this error? (Please note that x.y.z are valid and working public internet IPs.)

     

    This is my full configuration:

     

        ## Last changed: 2013-09-02 14:00:00 UTC
        version 11.4R7.5;
        groups {
            node0 {
                system {
                    host-name trunks;
                }
                interfaces {
                    fxp0 {
                        unit 0 {
                            family inet {
                                address 172.16.20.1/24;
                            }
                        }
                    }
                }
            }
            node1 {
                system {
                    host-name goten;
                }
                interfaces {
                    fxp0 {
                        unit 0 {
                            family inet {
                                address 172.16.20.2/24;
                            }
                        }
                    }
                }
            }
        }
        apply-groups "${node}";
        system {
            root-authentication {
                encrypted-password "$1$"; ## SECRET-DATA
            }
            name-server {
                208.67.222.222;
                208.67.220.220;
            }
            services {
                ssh;
                xnm-clear-text;
                dns {
                    forwarders {
                        8.8.8.8;
                    }
                }
            }
            syslog {
                archive size 100k files 3;
                user * {
                    any emergency;
                }
                file messages {
                    any critical;
                    authorization info;
                }
                file interactive-commands {
                    interactive-commands error;
                }
            }
            max-configurations-on-flash 5;
            max-configuration-rollbacks 5;
            license {
                autoupdate {
                    url https://ae1.juniper.net/junos/key_retrieval;
                }
            }
        }
        chassis {
            cluster {
                reth-count 2;
                redundancy-group 0 {
                    node 0 priority 100;
                    node 1 priority 1;
                }
                redundancy-group 1 {
                    node 0 priority 100;
                    node 1 priority 1;
                    interface-monitor {
                        ge-0/0/5 weight 255;
                        ge-5/0/5 weight 255;
                        ge-0/0/6 weight 255;
                        ge-5/0/6 weight 255;
                    }
                }
            }
        }
        interfaces {
            ge-0/0/5 {
                gigether-options {
                    redundant-parent reth1;
                }
            }
            ge-0/0/6 {
                gigether-options {
                    redundant-parent reth0;
                }
            }
            ge-5/0/5 {
                gigether-options {
                    redundant-parent reth1;
                }
            }
            ge-5/0/6 {
                gigether-options {
                    redundant-parent reth0;
                }
            }
            fab0 {
                fabric-options {
                    member-interfaces {
                        ge-0/0/4;
                    }
                }
            }
            fab1 {
                fabric-options {
                    member-interfaces {
                        ge-5/0/4;
                    }
                }
            }
            reth0 {
                redundant-ether-options {
                    redundancy-group 1;
                }
                unit 0 {
                    family inet {
                        address 172.17.1.1/24;
                    }
                }
            }
            reth1 {
                redundant-ether-options {
                    redundancy-group 1;
                }
                unit 0 {
                    family inet {
                        address 10.26.1.90/30;
                        address 10.26.1.94/30;
                    }
                }
            }
        }
        routing-options {
            static {
                route x.y.z.224/27 discard;
            }
            autonomous-system 65400;
        }
        protocols {
            bgp {
                export public-to-bgp;
                group external-peers {
                    type external;
                    peer-as 65300;
                    neighbor 10.26.1.89;
                    neighbor 10.26.1.93;
                }
            }
            stp;
        }
        policy-options {
            policy-statement public-to-bgp {
                from {
                    protocol static;
                    route-filter x.y.z.224/27 exact;
                }
                then accept;
            }
        }
        security {
            nat {
                source {
                    pool pool-pat {
                        address {
                            x.y.z.225/32;
                        }
                    }
                    rule-set nat-trust-to-untrust {
                        from zone trust;
                        to zone untrust;
                        rule pat-interface {
                            match {
                                source-address 172.17.1.0/24;
                                destination-address 0.0.0.0/0;
                            }
                            then {
                                source-nat {
                                    pool {
                                        pool-pat;
                                    }
                                }
                            }
                        }
                    }
                }
                static {
                    rule-set nat-public-ip {
                        from zone untrust;
                        rule backup-ssh {
                            match {
                                destination-address x.y.z.252/32;
                            }
                            then {
                                static-nat {
                                    prefix {
                                        172.17.1.252/32;
                                    }
                                }
                            }
                        }
                        rule domain1_com {
                            match {
                                destination-address x.y.z.226/32;
                            }
                            then {
                                static-nat {
                                    prefix {
                                        172.17.1.226/32;
                                    }
                                }
                            }
                        }
                        rule domain2_com {
                            match {
                                destination-address x.y.z.227/32;
                            }
                            then {
                                static-nat {
                                    prefix {
                                        172.17.1.227/32;
                                    }
                                }
                            }
                        }
                        rule tmp-ssh-gateway {
                            match {
                                destination-address x.y.z.235/32;
                            }
                            then {
                                static-nat {
                                    prefix {
                                        172.17.1.235/32;
                                    }
                                }
                            }
                        }
                    }
                }
                proxy-arp {
                    interface reth1.0 {
                        address {
                            x.y.z.224/27;
                        }
                    }
                }
            }
            policies {
                from-zone trust to-zone untrust {
                    policy from-trust-to-untrust {
                        match {
                            source-address any;
                            destination-address any;
                            application any;
                        }
                        then {
                            permit;
                        }
                    }
                }
                from-zone untrust to-zone trust {
                    policy from-untrust-to-trust {
                        match {
                            source-address any;
                            destination-address any;
                            application [ junos-ssh junos-http junos-https ];
                        }
                        then {
                            permit;
                        }
                    }
                }
            }
            zones {
                security-zone untrust {
                    interfaces {
                        reth1.0 {
                            host-inbound-traffic {
                                system-services {
                                    ping;
                                }
                                protocols {
                                    all;
                                }
                            }
                        }
                    }
                }
                security-zone trust {
                    host-inbound-traffic {
                        system-services {
                            all;
                            ping;
                            traceroute;
                        }
                        protocols {
                            all;
                        }
                    }
                    interfaces {
                        reth0.0 {
                            host-inbound-traffic {
                                system-services {
                                    ssh;
                                    ping;
                                    dns;
                                }
                            }
                        }
                    }
                }
            }
        }
  • 2.  RE: SRX240 - security policies per ip, address not found

     
    Posted 09-01-2013 23:50

    Hi

     

    An SRX policy can be configured by providing an actual prefix (only numbers and '.') or by configuring an address book and mapping an IP address to a string.

     

    In your case you are using a string, x.y.z, hence you are seeing an error.

    To get rid of the issue, you need to create an address book named x.y.z.226/32 and map an IP address to it.

     

    http://kb.juniper.net/InfoCenter/index?cmid=no&page=content&id=KB16621

     

    Regards,

    Raveen

     

    [Note: If this answers your question, you could mark it as accepted; that way it helps others as well. Kudos will be cool.]

     



  • 3.  RE: SRX240 - security policies per ip, address not found

     
    Posted 09-01-2013 23:55

    If the intention was to hide the IP address in this forum (and you replaced it with x.y.z), then please check whether the IP address that you are adding contains any spaces, special characters or letters.

     

    Regards,

    Raveen



  • 4.  RE: SRX240 - security policies per ip, address not found

    Posted 09-02-2013 00:57

    Hi Raveen,


    The intention was to hide the IP in the forum. In reality there is no x.y.z; there are real and working IPs. Everything but the policy for that IP works fine, which means that I can send and receive data using the IP range x.y.z.224/27.

     

    Regards,

    Ruben



  • 5.  RE: SRX240 - security policies per ip, address not found

     
    Posted 09-02-2013 03:32

    Hi Ruben

     

    Without having the real configuration file and the IP address that you are using, it is difficult to know the root cause.

    Have you checked that the IP address you are adding does not contain special characters, spaces, etc.?

     

    Regards,

    Raveen



  • 6.  RE: SRX240 - security policies per ip, address not found
    Best Answer

     
    Posted 09-02-2013 18:20

    You cannot specify an address or subnet as a match condition; you must create an address book entry and reference that.

     

    set security zones security-zone trust address-book address someservername x.y.z.226/32
    set security policies from-zone untrust to-zone trust policy domain_com match source-address any
    set security policies from-zone untrust to-zone trust policy domain_com match destination-address someservername
    set security policies from-zone untrust to-zone trust policy domain_com match application junos-http
    set security policies from-zone untrust to-zone trust policy domain_com then permit
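A pre-commit check for the error in this thread, added here as an example and not part of any post: it parses a Junos-style configuration, collects the names each zone's address-book defines (zone-attached books as on the Junos 11.4 box above; a global address-book is not handled), and reports any source-address or destination-address in a policy that is neither an assumed built-in (any, any-ipv4, any-ipv6) nor a name defined in the relevant zone's book, which is the condition that made the OP's commit fail. The sample configuration is constructed, with 198.51.100.0/24 standing in for x.y.z.

```python
import re
# Constructed sample, not the thread's config: 198.51.100.0/24 (RFC 5737) stands in for x.y.z.
SAMPLE_CFG = """security {
    zones { security-zone trust { address-book { address someservername 198.51.100.226/32; } } }
    policies { from-zone untrust to-zone trust {
        policy domain_com { match { source-address any; destination-address 198.51.100.226/32; application junos-http; } then { permit; } }
        policy domain_com_fixed { match { source-address any; destination-address someservername; application junos-http; } then { permit; } }
    } }
}"""

def parse(text):
    """Parse Junos curly-brace config into nested dicts; leaf statements map to None."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#.*", "", text))  # strip ## comments first
    def block(i):
        node, words = {}, []
        while i < len(tokens) and tokens[i] != "}":
            tok, i = tokens[i], i + 1
            if tok == "{":
                node[" ".join(words)], i, words = (*block(i), [])
            elif tok == ";":
                node[" ".join(words)], words = None, []
            else:
                words.append(tok)
        return node, i + 1  # skip the closing brace
    return block(0)[0]

def address_names(cfg, zone):
    """Names a policy may reference for this zone: its address-book entries plus the assumed built-ins."""
    book = (cfg.get("security", {}).get("zones", {}).get(f"security-zone {zone}") or {}).get("address-book") or {}
    names = {"any", "any-ipv4", "any-ipv6"}
    for key in book:
        kind, *rest = key.split()
        if kind in ("address", "address-set") and rest:
            names.add(rest[0])
    return names

def check_policies(cfg):
    """Pre-commit check: source-address must resolve in the from-zone, destination-address in the to-zone."""
    errors = []
    for ctx, policies in (cfg.get("security", {}).get("policies") or {}).items():
        m = re.match(r"from-zone (\S+) to-zone (\S+)$", ctx)
        if m and policies:
            for pkey, pbody in policies.items():
                for stmt in (pbody or {}).get("match") or {}:
                    field, *values = stmt.split()
                    if field in ("source-address", "destination-address"):
                        allowed = address_names(cfg, m.group(1) if field == "source-address" else m.group(2))
                        for value in set(values) - {"[", "]"} - allowed:  # values may be a [ bracketed list ]
                            errors.append(f"[edit security policies {ctx}] '{pkey}' Address or address_set ({value}) not found.")
    return errors
```

Running `check_policies(parse(SAMPLE_CFG))` flags only `policy domain_com` with the raw prefix; `domain_com_fixed`, which references the address-book name, passes.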