SRX

Hi all

Hopefully someone can help here. Like many here it seems, I don't have the greatest of experiance with these devices, but having a good understanding of port forwarding over the years I cannot fathom what's gone wrong with my fairly simple requirements.

All the forwards that I have pointing to our SBS server on 10.1.1.100 are working great, but using the same structure to try and point / redirect ports to other systems just doesn't work, even though "show security nat destination rule *******" shows "Successful sessions", I'm not getting any successful connections.

My requirements are to have all the usual Windows SBS ports + RDP forwarded to 10.1.1.100 <this bit works great>
with port 33899 translated to 10.1.1.101:3389 <can't get this working>
and ports 5060 UDP, 50443 TCP translated to 10.1.1.220:5060 (for sip) & 10.1.1.220:443 (for remote login access for our sip provider) repectively <can't get this working>

like I said this doesn't sound complicated and why it's not working has me tearing out my hair!

I've obscured public IP and use/pass's in below. The Trust zone isn't really used for anything but my own "at box" management access, the csam zone is one of our building tenents who handle their own internal networking, so it's everything to the xic 10.1.1.0/24 network unless pointing to 10.1.1.100/32 that just doesn't seem to want to work!

if anyone can spot where I'm going wrong some tips would be greatly appreciated!

 

version 15.1X49-D60.7;
system {
    host-name SRX320;
    backup-router *.*.131.197;
    time-zone Europe/London;
    root-authentication {
        encrypted-password "***";
    }
    name-server {
        8.8.8.8;
        8.8.4.4;
    }
    login {
        user **** {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "***";
            }
        }
        user **** {
            uid 2001;
            class super-user;
            authentication {
                encrypted-password "***";
            }
        }
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        netconf {
            ssh;
        }
        dhcp-local-server {
            group jdhcp-group {
                interface irb.0;
            }
        }
        web-management {
            http;
            https {
                system-generated-certificate;
                interface [ ge-0/0/2.0 ge-0/0/5.0 irb.0 ];
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    max-configurations-on-flash 15;
    max-configuration-rollbacks 15;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server 64.99.80.121 prefer;
    }
}
security {
    address-book {
        global {
            address network_trust 192.168.1.0/24;
            address network_xic 10.1.1.0/24;
            address xic_sbs 10.1.1.100/32;
            address xic_sw 10.1.1.101/32;
			address xic_sip 10.1.1.220/32;
            address csam *.*.138.218/32;
        }
    }
    alg {
        sip disable;
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set csam {
                from zone untrust;
                to zone untrust;
                rule no_nat {
                    match {
                        source-address *.*.138.218/30;
                    }
                    then {
                        source-nat {
                            off;
                        }
                    }
                }
            }
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule trust-to-untrust-access {
                    match {
                        source-address 192.168.1.0/24;
                        source-address-name [ network_trust network_xic ];
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set xic-to-untrust {
                from zone xic;
                to zone untrust;
                rule xic-to-untrust-access {
                    match {
                        source-address 10.1.1.0/24;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool xic-sbs-rdp {
                address 10.1.1.100/32 port 3389;
            }
            pool xic-sw-rdp {
                address 10.1.1.101/32 port 3389;
            }
            pool xic-sbs-smtp {
                address 10.1.1.100/32 port 25;
            }
            pool xic-sbs-http {
                address 10.1.1.100/32 port 80;
            }
            pool xic-sbs-https {
                address 10.1.1.100/32 port 443;
            }
            pool xic-sbs-https-rwa {
                address 10.1.1.100/32 port 987;
            }
            pool xic-sip-ctl {
                address 10.1.1.220/32 port 5060;
            }
            pool xic-sip-al-remote {
                address 10.1.1.220/32 port 443;
            }
            rule-set all-to-xic-services {
                from zone [ csam junos-host trust untrust xic ];
                rule xic-sbs-smtp {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address *.*.131.198/32;
                        destination-port {
                            25;
                        }
                        protocol tcp;
                    }
                    then {
                        destination-nat {
                            pool {
                                xic-sbs-smtp;
                            }
                        }
                    }
                }
                rule xic-sbs-http {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address *.*.131.198/32;
                        destination-port {
                            80;
                        }
                        protocol tcp;
                    }
                    then {
                        destination-nat {
                            pool {
                                xic-sbs-http;
                            }
                        }
                    }
                }
                rule xic-sbs-https {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address *.*.131.198/32;
                        destination-port {
                            443;
                        }
                        protocol tcp;
                    }
                    then {
                        destination-nat {
                            pool {
                                xic-sbs-https;
                            }
                        }
                    }
                }
                rule xic-sbs-https-rwa {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address *.*.131.198/32;
                        destination-port {
                            987;
                        }
                        protocol tcp;
                    }
                    then {
                        destination-nat {
                            pool {
                                xic-sbs-https-rwa;
                            }
                        }
                    }
                }
                rule xic-sbs-rdp {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address *.*.131.198/32;
                        destination-port {
                            3389;
                        }
                        protocol tcp;
                    }
                    then {
                        destination-nat {
                            pool {
                                xic-sbs-rdp;
                            }
                        }
                    }
                }
                rule xic-sw-rdp {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address *.*.131.198/32;
                        destination-port {
                            33899;
                        }
                        protocol tcp;
                    }
                    then {
                        destination-nat {
                            pool {
                                xic-sw-rdp;
                            }
                        }
                    }
                }
                rule xic-sip-ctl {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address *.*.131.198/32;
                        destination-port {
                            5060;
                        }
                        protocol [ tcp udp ];
                    }
                    then {
                        destination-nat {
                            pool {
                                xic-sip-ctl;
                            }
                        }
                    }
                }
                rule xic-sip-al-remote {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address *.*.131.198/32;
                        destination-port {
                            50443;
                        }
                        protocol [ tcp udp ];
                    }
                    then {
                        destination-nat {
                            pool {
                                xic-sip-al-remote;
                            }
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone xic to-zone xic {
            policy xic-to-xic {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone xic to-zone untrust {
            policy xic-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone xic to-zone trust {
            policy xic-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone xic {
            policy trust-to-xic {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone xic {
            policy xic-sip {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-https junos-sip sip-support ];
                }
                then {
                    permit;
                }
            }
            policy rdp-from-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application [ MS-RDP MS-RDP-ALT ];
                }
                then {
                    permit;
                }
            }
            policy xic-sbs {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-ftp junos-http junos-http-ext junos-https junos-icmp-all junos-imap junos-imaps junos-mail junos-ping junos-smtp https-rwa ];
                }
                then {
                    permit;
                }
            }
        }
        from-zone csam to-zone untrust {
            policy csam-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone csam {
            policy untrust-to-csam {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                irb.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            dhcp;
                            tftp;
                        }
                    }
                }
            }
        }
        security-zone xic {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/2.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            ssh;
                            http;
                            https;
                        }
                    }
                }
            }
        }
        security-zone csam {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/5.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address *.*.131.198/30;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 10.1.1.1/24;
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family inet {
                address *.*.138.217/30;
            }
        }
    }
    irb {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 127.0.0.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop *.*.131.197;
    }
}
protocols {
    l2-learning {
        global-mode switching;
    }
}
access {
    address-assignment {
        pool junosDHCPPool {
            family inet {
                network 192.168.1.0/24;
                range junosRange {
                    low 192.168.1.2;
                    high 192.168.1.254;
                }
                dhcp-attributes {
                    router {
                        192.168.1.1;
                    }
                    propagate-settings ge-0/0/0.0;
                }
            }
        }
    }
}
applications {
    application MS-RDP {
        protocol tcp;
        destination-port 3389;
    }
    application MS-RDP-ALT {
        protocol tcp;
        destination-port 33899;
    }
    application https-rwa {
        protocol tcp;
        destination-port 987;
    }
    application sip-support {
        protocol tcp;
        destination-port 50443;
    }
}
vlans {
    vlan-trust {
        vlan-id 5;
        l3-interface irb.0;
    }
}

 

When it does not jump out, the quickest way to figure it out is to turn on debugging/traceoptions and you can use some packet filters to narrow down what is collected. When you run show security flow session, that will show you the input and output intercases so you cna quickly see if your return trafic is being generated and sent to right interface.

Thanks for replying lyndidon

Unfortunatelly the boss became so frustrated with me not being able to get this working, and the complete lack of Juniper support locally (Aberdeen, Scotland - doesn't seem to be any company able to offer support), that yesterday afternoon he had a local support company supply, configure & install a high end Draytek which they'll support within an hour should anything go wrong.

Overall prob a good idea as if anything were to go wrong with the SRX when I was on holiday they'd be screwed.

 

So on that note.

 

Anyone in the UK looking for a nearly new boxed SRX320 with JSB licence?

Open to realistic offers.

Sorry to hear that. I am big fan of Juniper...er Juniper Switches and SRX. What you have experienced is sad and I am trully sorry. But on the other hand, you now have a chance to do a little consultanting on the side. If you can find a buyer, for fee offer to set it up. 🙂 And you could recoup your losses and at the same time learn more about the SRX. You could be the one:)

Sounds like an excelent plan to me 

From what I've seen I'm a big fan of their capabilities, just not the seemingly long winded way to do what other devices handle very simply.

I was always planning on working through the online training after the Christmas / New Year madness subsided so you might be onto something, and once completed, I'm sure my mind would be rewired in a way not to find the procedures complicated in any way.

Just wouldn't have a device to practice with if we manage to shift this one.

 

NOTE:

As it turns out the port forwards may well have been working perfectly well all along.

the 33899 > 3389 redirect I couldn't get working didn't initially work on the new router either until the network card was restarted on the server (thinking a Winblows update for the card drivers knackered this as there was one applied the end of last week and no reboot since), and the sip issue was another matter.

Our provider was adament that it was setup correctly, as it was tested with a test number over sip whilst running our main system fed from our analogue PBX before migration, but it turns out that no matter what I tried it wouldn't have worked, as the old system only passed a 4 didgit number to the phones where the sip was passing 6 (so the phones didn't know what to do with the data), and whenever we dialed 9 for an outside line our sip pbx was trying to route the call via the old analogue pbx and not the sip provider.

 

The boss is rightfully fuming with them, and for my own sanity i'm going to hook the SRX up over the weekend to see if it now works!

I scanned the configuration and it looked pretty good to me, nothing jumped out. As far as the SIP phone issue, that should not be a problem. This is the likely configuration you need:

http://www.juniper.net/documentation/en_US/junos15.1x49/topics/example/nat-security-source-persistent-nat-with-address-pool-configuring-cli.html

You can get the vSRX for a trial period, I think 30/60 days. This is another sore point. People may not have time to consistently test over 30 day but 60 is more reasonable. It requires dual CPU to work. I am with you; fire up that bad boy over the weekend and test it out. Also look at the config and see if you have that set up. Another important factor sometimes could be the ordering of the rules, terms and policies, so always take a look at that. Keep us posted if the test works, and better yet get the coffee and sta awake out..until it works:) You will behappy you did.:) For sure there are a lot of configurations that can be done in few minutes with a few drag'n drops a few clicks and it is done quickly in other systems. The key to Juniper is to a have a working config saved which you can then modify as needed without having to type the whole thing out. In fact before you zeroize that box, run these 2 command at the very top of the heirarchy so you can save the config in two formats;

user@SRX#show | display set | save srx-config1

user@SRX#show | no-more | save  srx-config2

Both files will be in the root directory of the logged in user or you can specify a path to save to an ftp/scp server

Except for passwords, the rest of the config is in plaintext.

The SRXs are beasts and perform well when there are not software bugs.Plus the added benefit of the dual root partition, so if there is a power outage and one does not have a UPS (don't laugh) and you primary partition gets corrupted, it boots up from the secondary partion and continues to function when powere is restored. And you can easily repair the corrupted partition with a simple command.

Mark this as resolved and select your response that you ended up using different equipment, so people will not keep clicking on it

As advised by lyndidon marked as resolved as different hardware used. Will update once I test juniper configuration with now working internal systems.
Thanks for the tips lyndidon. Hope they come on handy for future.
Very tempted to get a lesser / older model on the cheap for my own use and testing.

Hi Guys  

Please i need some help  here -  This is the scenario

I have an application running running on a server (2012 R2),  that application can only currently be accessed  internally. 

localhost and running on 8080 -  -   soo i access that app through the web like this 

localhost:8080.

 

The problem is that  i need  to  give access to this portal from the internet.  so that people can access that app from outside my network.

 

So i guess i need to  do a NAT/Port forwarding on my SRX220, I have an external public address,  how do i do a port forwarding,

 

The server internal ip address is 192.168.x.x  and  my external ip address is  111.69.x.x  -  

After this - how do you now access that web page?  i guess this will be a port 80 that should be opened.

 

Can anyone  help  pls 

This will do it

https://www.juniper.net/techpubs/en_US/junos12.1/topics/example/nat-security-destination-address-port-translation-configuring.html

Just use the find and replace and enter your port and IP address and it is done in a few minutes:)