SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

Source NAT! Please help....

  • 1.  Source NAT! Please help....

    Posted 05-29-2015 11:34

    I am transitioning from CheckPoint environment to JUNOS.

    I have a small business client with SRX240H which I must configure.

    Here is the scenario:

     

     

    Example:

    Client needs to NAT/hide internal/private 10.1.1.0/24 network behind one public IP address: 2.3.4.5

     

    ge-0/0/0.0 = 2.3.4.5 (public IP) = untrust

    ge-0/0/15.0 = 10.1.1.1 (private IP, default gateway) = trust

    10.1.1.2 = Web Server (http, https) = PAT inbound

    10.1.1.3 = Mail Server (smtp) = PAT inbound

    Outbound NAT = any any

     

     

    I understand NAT but am struggling a little with JUNOS (12.1X44-D45.2) approach. Can someone speak to me in English, not in articles?

     

    1. Do I need a static route from ge-0/0/0.0 to ge-0/0/15.0 for traffic to get out?

    2. What are the basic steps and priority in which the zones and policies should be set?

    3. How to allow all services out but only http(s) and smtp in?



  • 2.  RE: Source NAT! Please help....
    Best Answer

    Posted 05-30-2015 06:03

    Welcome to Junos. 

     

    I understand NAT but am struggling a little with JUNOS (12.1X44-D45.2) approach. Can someone speak to me in English, not in articles?

     

    Sorry, I'm not going to restate the steps, but I do think if you go to The NAT configuration book below you will find it very well laid out.  In the table of contents pick your specific scenario then follow the step by step for that scenario.

     

    Based on your list you don't mention if the address used is also your interface address or another address in the same or different subnet.  So the specifics vary depending on the scenario.  But it does seem clear you will not be using static nat which means you are mapping all traffic from a single internal ip address to a single public address that no other ip address can also use.

     

    NAT Configuration with examples

    http://kb.juniper.net/library/CUSTOMERSERVICE/technotes/TN8_3500151-en.pdf

     

    When your configuration has issues, select the appropriate troubleshooting link here to get us the logs that will be needed to see what is wrong.

     

    NAT troubleshooting links

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB21922

     

    1. Do I need a static route from ge-0/0/0.0 to ge-0/0/15.0 for traffic to get out?

    Routing is separate from NAT.  So you need a route in place to reach the destination and source to successfully setup a session.

     

    Connected subnets are automatically in the routing table, downstream segments require a route added using any method you prefer, static, ospf, or bgp.

     

    In your case it looks like you only need the default route to your ISP for the internal traffic on ge-0/0/15 to reach the ISP on ge-0/0/0.

     

    2. What are the basic steps and priority in which the zones and policies should be set?

    Policies are separate from NAT as well.  

     

    Zones are collections of interfaces/subnets with the same security requirements.  

     

    When traffic arrives we take the ingress interface zone assignment as source and lookup the route for the destination.  The routing egress interface then gives us the destination zone.

     

    Policy lookup now occurs using the source address and zone with the destination address and zone and the requested ports.  Default is deny so only traffic explicitly permitted by policy will continue processing.

     

    3. How to allow all serives out but only http(s) and smtp in?

    Your policies, when you create them, can specify ports.  You would use any for your outbound policy and specify http/https/smtp on your inbound one in this case.


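An added example, not part of the reply above or of the poster's own configuration: the outbound half of the scenario from the first post as Junos set commands, tying the three answers together (default route, zone assignment, interface-based source NAT for 10.1.1.0/24, and an any/any outbound policy). The ISP-side mask (/30) and next hop (2.3.4.6) are assumptions, since the thread only gives the interface address 2.3.4.5; the rule-set and policy names are illustrative; everything else uses the addresses listed in the first post.

```junos
# Added example (not the thread's configuration). Junos 12.1X44 set syntax.
# ASSUMED: the /30 mask on ge-0/0/0 and the ISP next hop 2.3.4.6.

# Interfaces. Routes, not NAT, move packets between them (Q1).
set interfaces ge-0/0/0 unit 0 family inet address 2.3.4.5/30
set interfaces ge-0/0/15 unit 0 family inet address 10.1.1.1/24

# One default route is all the LAN needs to reach the ISP; both connected
# subnets are already in the routing table.
set routing-options static route 0.0.0.0/0 next-hop 2.3.4.6

# Zones (Q2). The ingress interface gives the source zone, the route lookup's
# egress interface gives the destination zone. Keep host-inbound services on
# untrust to the minimum so the public address itself exposes nothing.
set security zones security-zone trust interfaces ge-0/0/15.0 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/15.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping

# Source NAT: hide 10.1.1.0/24 behind the egress interface address.
# "source-nat interface" uses ge-0/0/0.0's own IP (2.3.4.5), so no pool and
# no proxy-arp are needed for the outbound case.
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule hide-lan match source-address 10.1.1.0/24
set security nat source rule-set trust-to-untrust rule hide-lan match destination-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule hide-lan then source-nat interface

# Policy (Q3, outbound half): any/any out. The default action is deny, so
# nothing from untrust reaches trust until a separate inbound policy exists.
set security policies from-zone trust to-zone untrust policy allow-out match source-address any
set security policies from-zone trust to-zone untrust policy allow-out match destination-address any
set security policies from-zone trust to-zone untrust policy allow-out match application any
set security policies from-zone trust to-zone untrust policy allow-out then permit
set security policies from-zone trust to-zone untrust policy allow-out then log session-close

# Verification after commit (operational mode):
#   show security nat source rule all
#   show security flow session source-prefix 10.1.1.0/24
```

The set commands can be entered in any order; only the order of policies within one from-zone/to-zone pair matters, since the first matching policy wins.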

  • 3.  RE: Source NAT! Please help....

    Posted 05-30-2015 09:07

    Dear Spuluka,

     

    Thank you for your amazing response to my NAT questions and you are correct we will not be using the static NAT.

    Yes, IP listed above is also an interface address. Before I accept your post as the answer I would like to ask about #3.

     

    I was able to figure out the NAT commands but I am still working on the policy commands to allow http/s and smtp ports in.

    Can you help list the policy commands to forward port 80 http to web server at 10.1.1.2?

     

    Thanks in advance.



  • 4.  RE: Source NAT! Please help....

    Posted 05-31-2015 05:33

    Just to be clear, the actual forwarding of the ports from your interface address to the internal servers is NAT and takes place in the NAT hierarchy.  Using the instructions on page 12 Destination NAT IP port translation.

     

    The security policy hierarchy permits the connections to go through.  You create an address object for SERVER in the trust zone for your server address.

     

    [edit security policies]
    root# show
    from-zone untrust to-zone trust {
        policy ServerFwd {
            match {
                source-address any;
                destination-address SERVER;
                application [ junos-http junos-https junos-smtp ];
            }
            then {
                permit;
            }
        }
    }

    There is complete separation between network functions like routing and NAT and the security policy.

     

    The other consideration with http/https on your actual interface address is your usage of the remote access vpn or the Jweb admin tool.  These will use the same port on the same ip address so will need to be removed or put on another port.  Do you have remote access or Jweb configured for the ge-0/0/0 port?



  • 5.  RE: Source NAT! Please help....

    Posted 05-31-2015 12:46

    Dear Steve,

     

    Thank you for another helpful clarification!

     

    Our situation is exactly as in figure 11 on page 12 titled "Destination NAT—IP/Port Translation."

    http/s needs to translate to destination 10.1.1.2 and smtp to 10.1.1.3

     

    I was thinking to use a separate internal port ge-0/0/14.0 with say IP=10.1.1.11 for the Jweb tool and ssh for management access to the SRX internally and not to provide any other management access from any other interfaces. Is that considered a good security practice? Would you advise it?

     

    If I understood you correctly, you have advised to implement the following steps in the following order listed below in order to accomplish the above?

     

    You have recommended to create address SERVER object. Did you mean as follows (example):

     

    edit zones security-zone trust                     
    set address-book address SRV01 10.1.1.2              
    set address-book address SRV01 10.1.1.3

     

    THEN SET THE POLICY AS FOLLOWS (as per your example)?

     

    edit security policies from-zone untrust to-zone trust

    set policy ServerFwd match source-address any

    set policy ServerFwd match destination-address SRV01

    set policy ServerFwd match application junos-http junos-https junos-smtp

    set policy ServerFwd then permit

     

    THEN SET RULES FOR PORT FORWARDING AS FOLLOWS:

     

    destination {
        pool server-1 {
            address 10.1.1.2/32 port 80;
        }
        pool server-2 {
            address 10.1.1.3/32 port 25;
        }
        rule-set nat-example {
            from interface ge-0/0/0.0;
            rule port-forwarding {
                match {
                    destination-address 200.0.0.63/32;
                    destination-port 80;
                }
                then {
                    destination-nat pool server-1;
                }
            }
            rule port-forwarding-2 {
                match {
                    destination-address 200.0.0.63/32;
                    destination-port 25;
                }
                then {
                    destination-nat pool server-2;
                }
            }
        }
    }

     

     

    DID I GET THE STEPS SOMEWHAT CORRECTLY?

    Thanks in advance and please advise.

     

     



  • 6.  RE: Source NAT! Please help....

    Posted 06-01-2015 03:20

    Since you have two different server ip addresses you need two server address objects

     

    edit zones security-zone trust                     
    set address-book address SRV01 10.1.1.2              
    set address-book address SRV02 10.1.1.3

    You can

    1-put these into a group or

    2-put both addresses into the security policy or

    3-Create two security policies with only the single server and the necessary ports for that server only

     

    Everything looks good.



  • 7.  RE: Source NAT! Please help....

    Posted 06-01-2015 15:46

    Dear Steven,

     

    Thank you again for looking over my code above.

     

    Can you please explain what you meant by server address objects?

    I understand the working mechanics but terminology sometimes confuses me.

     

    Can you explain how address-book functions and its purpose?

     

    Finally, what did you mean by putting two servers into a group/or address into security policy?

    Did you mean to say the pool as follows:

     

    set security nat destination pool WEBSERVER_POOL address 10.1.1.2/32 port 80

    set security nat destination pool MAILSERVER_POOL address 10.1.1.3/32 port 25

     

    Please kindly clarify.

    Thanks in advance...

     

     



  • 8.  RE: Source NAT! Please help....

    Posted 06-02-2015 03:31

    Sorry for the confusion.

     

    These are your nat pools part of your nat policy elements.  I am not talking about this at all.

     

     

    set security nat destination pool WEBSERVER_POOL address 10.1.1.2/32 port 80
    set security nat destination pool MAILSERVER_POOL address 10.1.1.3/32 port 25

    I'm talking about your security policy to permit the communication to your two servers.

     

     

    Your address objects set the TWO addresses to the SAME name.  This is not possible.  Thus I changed the SECOND to SRV02 as a UNIQUE name per address.

     

     

    edit zones security-zone trust                     
    set address-book address SRV01 10.1.1.2              
    set address-book address SRV02 10.1.1.3

     

     

    Your policy is a single policy that will permit all three ports then to BOTH servers when you add the second address

     

     

    edit security policies from-zone untrust to-zone trust
    set policy ServerFwd match source-address any
    set policy ServerFwd match destination-address [ SRV01 SRV02 ]
    set policy ServerFwd match application [ junos-http junos-https junos-smtp ]
    set policy ServerFwd then permit

     

    The alternative is to create two policies that allow just the required ports to the specific server.

     

    Junos also supports address groups where you could create a group with both servers in the group and use that as the destination in the policy.

     

     


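An added example, not the thread's own configuration: the inbound half in set syntax, with the poster's public address 2.3.4.5 in place of the 200.0.0.63 sample address copied from the tech note, one unique address object per server, an address-set for the "group" option, destination NAT pools and rules for http/https/smtp, and the two-policy variant (option 3 above). It also handles the J-Web/https conflict raised earlier by keeping http/https out of the untrust zone's host-inbound services and binding J-Web and SSH to the dedicated management interface. Assumed: ge-0/0/14.0 gets 10.1.9.1/24 rather than 10.1.1.11, because Junos will not commit the same subnet on two interfaces of one routing instance; all zone, pool and policy names are illustrative.

```junos
# Added example (not the thread's configuration). Junos 12.1X44 set syntax.
# ASSUMED: management interface ge-0/0/14.0 = 10.1.9.1/24 (any subnet other
# than 10.1.1.0/24 works); names are illustrative.

# Address objects: one unique name per address. The address-set is the
# "group" option and can be used as destination-address SERVERS in one policy.
set security zones security-zone trust address-book address SRV01 10.1.1.2/32
set security zones security-zone trust address-book address SRV02 10.1.1.3/32
set security zones security-zone trust address-book address-set SERVERS address SRV01
set security zones security-zone trust address-book address-set SERVERS address SRV02

# Destination NAT: one pool per (server, port). The rule matches on the
# interface's own public address, so no proxy-arp is needed.
set security nat destination pool WEB-80 address 10.1.1.2/32 port 80
set security nat destination pool WEB-443 address 10.1.1.2/32 port 443
set security nat destination pool MAIL-25 address 10.1.1.3/32 port 25
set security nat destination rule-set from-internet from zone untrust
set security nat destination rule-set from-internet rule http match destination-address 2.3.4.5/32
set security nat destination rule-set from-internet rule http match destination-port 80
set security nat destination rule-set from-internet rule http then destination-nat pool WEB-80
set security nat destination rule-set from-internet rule https match destination-address 2.3.4.5/32
set security nat destination rule-set from-internet rule https match destination-port 443
set security nat destination rule-set from-internet rule https then destination-nat pool WEB-443
set security nat destination rule-set from-internet rule smtp match destination-address 2.3.4.5/32
set security nat destination rule-set from-internet rule smtp match destination-port 25
set security nat destination rule-set from-internet rule smtp then destination-nat pool MAIL-25

# Policies are evaluated after destination NAT, so they match the real server
# addresses, not 2.3.4.5. Two policies keep SMTP off the web server and
# HTTP off the mail server; repeated "match application" lines append to the list.
set security policies from-zone untrust to-zone trust policy web-in match source-address any
set security policies from-zone untrust to-zone trust policy web-in match destination-address SRV01
set security policies from-zone untrust to-zone trust policy web-in match application junos-http
set security policies from-zone untrust to-zone trust policy web-in match application junos-https
set security policies from-zone untrust to-zone trust policy web-in then permit
set security policies from-zone untrust to-zone trust policy web-in then log session-init
set security policies from-zone untrust to-zone trust policy mail-in match source-address any
set security policies from-zone untrust to-zone trust policy mail-in match destination-address SRV02
set security policies from-zone untrust to-zone trust policy mail-in match application junos-smtp
set security policies from-zone untrust to-zone trust policy mail-in then permit
set security policies from-zone untrust to-zone trust policy mail-in then log session-init

# J-Web/https conflict: never list http or https as host-inbound services on
# untrust (the NAT rule above would otherwise compete with the box's own
# listener on 2.3.4.5:443), and bind management to ge-0/0/14.0 only.
set interfaces ge-0/0/14 unit 0 family inet address 10.1.9.1/24
set security zones security-zone mgmt interfaces ge-0/0/14.0 host-inbound-traffic system-services ssh
set security zones security-zone mgmt interfaces ge-0/0/14.0 host-inbound-traffic system-services https
set security zones security-zone mgmt interfaces ge-0/0/14.0 host-inbound-traffic system-services ping
delete system services web-management http
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/14.0

# Verification after commit (operational mode):
#   show security nat destination rule all
#   show security policies from-zone untrust to-zone trust
```

If the single-policy variant is preferred, replace the two policies with one whose destination-address is SERVERS and whose application list holds all three services; the price is that port 25 is then also permitted toward the web server and 80/443 toward the mail server, which the destination NAT rules do not forward but a misconfigured future rule could.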

  • 9.  RE: Source NAT! Please help....

    Posted 06-02-2015 12:18

    Thank you.

     

    Can you advise how to open a range of ports, say 5000 to 6000?

     

    What are the line commands to accomplish that?

     

    We have some phone devices like Vonage and MagicJack that may require that.



  • 10.  RE: Source NAT! Please help....

    Posted 06-03-2015 03:14

    Unfortunately, port range forwarding on destination NAT was not supported as of the 12.1X44 releases that I'm running.  The assumption by Juniper has been that if you need large port ranges you are going to use static NAT and do a one-to-one mapping, which you obviously cannot do in your case with an IP assigned to the untrust interface.

     

    For security policies you can create custom application objects with ranges.  And for NAT policies you can use address objects but you cannot use application objects (as of X44; I think the latest release is X47).  This has been on the requested features for some time.  You can open a ticket to confirm with support whether an upgrade will get you the feature or not.



  • 11.  RE: Source NAT! Please help....

    Posted 06-03-2015 10:35

    Dear Steven,

     

    Thank you for your continuous support and your patience while providing very much needed assistance with this thread.

     

    Let me rephrase my question regarding opening the range of ports and what we are trying to accomplish.

    We have IP Polycom phones, Vonage and Magic Jack phone devices that we are planning to assign to zone PHONES and place on PHONES vlan on the Cisco switch after the SRX.

     

    The plan is to put the phones on ge-0/0/1.0 interface 192.168.2.1 and setup the DHCP server pool as follows:

     

    pool 192.168.2.0/24 {
        address-range low 192.168.2.15 high 192.168.2.200;
        default-lease-time 259200;
        domain-name domain.com;
        name-server {
            x.x.x.x;
            x.x.x.x;
        }
        router {
            192.168.2.1;
        }
    }

     

    However, some devices like Magic Jack and Vonage require the range of ports to be open. So, I guess we do not need the NAT in this case? Please kindly advise.

     

     


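An added example, not from the thread: the PHONES segment described in the post above, with the custom application object carrying the 5000-6000 range that the earlier reply says the security policy accepts (even though a 12.1X44 destination NAT rule cannot reference it), the DHCP pool from the post with its typo fixed, interface-based source NAT for the phone subnet, and an outbound policy that uses the custom object. Assumed: the phone devices only need sessions initiated from inside (return traffic rides the existing session, so no inbound NAT rule is needed), the range is UDP, and the vendor's real port list should be checked before commit; the resolver addresses are left out because the post elides them; zone, application and policy names are illustrative.

```junos
# Added example (not the thread's configuration). Junos 12.1X44 set syntax.
# ASSUMED: outbound-only VoIP, UDP transport for the 5000-6000 range,
# illustrative names. Add "name-server" lines with the real resolvers.

# Phone segment on ge-0/0/1.0 in its own zone; the zone must accept DHCP
# as a host-inbound service or the SRX will not answer DISCOVERs.
set interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/24
set security zones security-zone PHONES interfaces ge-0/0/1.0 host-inbound-traffic system-services dhcp
set security zones security-zone PHONES interfaces ge-0/0/1.0 host-inbound-traffic system-services ping

# DHCP pool from the post (legacy "system services dhcp" form of 12.1X44)
set system services dhcp pool 192.168.2.0/24 address-range low 192.168.2.15 high 192.168.2.200
set system services dhcp pool 192.168.2.0/24 default-lease-time 259200
set system services dhcp pool 192.168.2.0/24 domain-name domain.com
set system services dhcp pool 192.168.2.0/24 router 192.168.2.1

# Custom application object: a port range is valid here. Port 5060 for
# signalling is a separate object so it can be reviewed on its own.
set applications application VOIP-UDP-5000-6000 protocol udp destination-port 5000-6000
set applications application SIP-UDP-5060 protocol udp destination-port 5060
set applications application-set VOIP-OUT application VOIP-UDP-5000-6000
set applications application-set VOIP-OUT application SIP-UDP-5060

# Source NAT for the phone subnet: a separate rule-set because the source
# zone is PHONES, not trust.
set security nat source rule-set phones-to-untrust from zone PHONES
set security nat source rule-set phones-to-untrust to zone untrust
set security nat source rule-set phones-to-untrust rule hide-phones match source-address 192.168.2.0/24
set security nat source rule-set phones-to-untrust rule hide-phones match destination-address 0.0.0.0/0
set security nat source rule-set phones-to-untrust rule hide-phones then source-nat interface

# Policy: only the VoIP application-set leaves the phone zone, nothing else.
# The same application object CANNOT be used in
# "security nat destination rule ... match" on this release; inbound port
# ranges would need one destination NAT rule per port or a newer release.
set security policies from-zone PHONES to-zone untrust policy voip-out match source-address any
set security policies from-zone PHONES to-zone untrust policy voip-out match destination-address any
set security policies from-zone PHONES to-zone untrust policy voip-out match application VOIP-OUT
set security policies from-zone PHONES to-zone untrust policy voip-out then permit
set security policies from-zone PHONES to-zone untrust policy voip-out then log session-close

# Verification after commit (operational mode):
#   show applications application VOIP-UDP-5000-6000
#   show security flow session source-prefix 192.168.2.0/24
```

Because there is no policy from PHONES to trust, the phones cannot reach the servers or the management interface; add one only if a PBX or provisioning server lives on the trust side.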

  • 12.  RE: Source NAT! Please help....

    Posted 06-06-2015 04:14

    I would open this question as a separate thread.  I've not done much with supporting voip systems.  So I am probably not the best to contribute on this one.

     

    Some key data would be the location of the server and which technology the servers use, SIP or H.323.