SRX Services Gateway
Contributor
ccorkrum
Posts: 58
Registered: 01-26-2011

Re: Trouble creating publishing rules

I still can't get them to work. I have tried creating fw policies as well, I've added back in the syslog and screen config from the default configuration, and I've got web management working from the trust zone after enabling all services and protocols on trust. Untrust has dhcp and tftp enabled by default (I have a bank of static IPs so I shouldn't need dhcp, and tftp I have no idea why they would enable that). Looking at what I have so far, is there anything that would stop traffic in a policy or destination/source nat to a specific IP in the trust zone? Thanks for all the help so far, slowly but surely lol


## Last changed: 2011-01-28 23:12:36 UTC
version 10.4R1.9;
groups {
    node0 {
        system {
            host-name HOUTXGW1;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 192.168.1.1/24;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name HOUTXGW2;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 192.168.1.2/24;
                    }
                }
            }
        }
    }
}
apply-groups "${node}";
system {
    root-authentication {
        encrypted-password "$1$XerblLjy$NGsYkErHAIXaodkJEV.Ai.";
    }
    name-server {
        <my isp dns servers>;
        <my isp dns servers>;
    }
    services {
        ssh;
        web-management {
            http {
                interface [ fxp0.0 reth0.0 ];
            }
            https {
                system-generated-certificate;
                interface [ fxp0.0 reth0.0 ];
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
chassis {
    cluster {
        control-link-recovery;
        reth-count 2;
        node 0;
        node 1;
        redundancy-group 0 {
            node 0 priority 100;
            node 1 priority 1;
        }
        redundancy-group 1 {
            node 0 priority 100;
            node 1 priority 1;
            preempt;
            interface-monitor {
                ge-0/0/3 weight 255;
                ge-5/0/3 weight 255;
                ge-0/0/4 weight 255;
                ge-5/0/4 weight 255;
            }
        }
    }
}
interfaces {
    ge-0/0/3 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-0/0/4 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-5/0/3 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-5/0/4 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    fab0 {
        fabric-options {
            member-interfaces {
                ge-0/0/2;
            }
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                ge-5/0/2;
            }
        }
    }
    reth0 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 192.168.11.1/24;
            }
        }
    }
    reth1 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address <my isp ip>/29;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop <my isp next hop>;
    }
}
security {
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                reth0.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                reth1.0;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}

Contributor
ccorkrum
Posts: 58
Registered: 01-26-2011

Re: Trouble creating publishing rules

I found this thread

http://communities.juniper.net/t5/ScreenOS-Firewalls-NOT-SRX/SSG-140-Port-forwarding-from-untrust-to...

saying that you need to use a VIP when your untrust address is your internet address; there is no sign of whether it was resolved or not.

Contributor
ccorkrum
Posts: 58
Registered: 01-26-2011

Re: Trouble creating publishing rules

Made another change: on reth1.0 I assigned my first IP out of my static IP bank from my ISP. I'm thinking you don't use that IP for anything, and then you can set up proxy ARP for the other IPs and create rules to forward traffic? Need more coffee and time lol. I think I'm slowly starting to understand.

Recognized Expert
rasmus
Posts: 378
Registered: 01-26-2010

Re: Trouble creating publishing rules

1. If you have one public IP, assign it to the untrust intf, and no proxy-arp req.

   Just direct all tfc coming on the phy intf (port 80) to ISA's IP ... using DNAT (as DNAT is applied before route / fwd lookup).

2. If you have more than 1 IP ...

   Assign 1 to the phy intf.

   Assign 2 to a virtual intf (configured through proxy arp).

   Now, fwd all incoming traffic on the virtual intf (port 80) to ISA's IP .... using DNAT.


Regards

Hafiz Muhammad Farooq
JNCIE-SEC, JNCIP-SEC, JNCIS-SEC, JNCIS-FWV
JNCIS-SP, JNCIS-SA, JNCIA-JUNOS
IBM Qradar Deployment Professional

[Please mark it as Accepted Solution if it works, Kudos if you like]
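For rasmus's second case (more than one public IP), here is an added example in Junos set syntax; it is not from the thread or from Juniper and assumes the ISA server at 192.168.11.10 in the trust zone and 203.0.113.11 as a constructed second public address on reth1.0. The policy names the private address because on the SRX the policy lookup happens after DNAT, which is why the reply says DNAT is applied before the route/forwarding lookup.

```junos
# Destination NAT pool: the ISA server's private address (constructed value)
set security nat destination pool isa-http-pool address 192.168.11.10/32 port 80

# Match inbound traffic from untrust for the second public IP on TCP/80
set security nat destination rule-set untrust-to-isa from zone untrust
set security nat destination rule-set untrust-to-isa rule isa-http match destination-address 203.0.113.11/32
set security nat destination rule-set untrust-to-isa rule isa-http match destination-port 80
set security nat destination rule-set untrust-to-isa rule isa-http then destination-nat pool isa-http-pool

# Proxy ARP: reth1.0 owns the first public IP; the SRX must also answer ARP
# for the second one, or the ISP router never forwards packets to it
set security nat proxy-arp interface reth1.0 address 203.0.113.11/32

# Policy is evaluated after DNAT, so it must name the private address,
# and it is narrowed to the published service only (not application any)
set security zones security-zone trust address-book address isa-server 192.168.11.10/32
set security policies from-zone untrust to-zone trust policy untrust-to-isa-http match source-address any
set security policies from-zone untrust to-zone trust policy untrust-to-isa-http match destination-address isa-server
set security policies from-zone untrust to-zone trust policy untrust-to-isa-http match application junos-http
set security policies from-zone untrust to-zone trust policy untrust-to-isa-http then permit
set security policies from-zone untrust to-zone trust policy untrust-to-isa-http then log session-init
```

After commit, `show security nat destination rule all` shows per-rule translation hit counts, and `show security flow session destination-prefix 192.168.11.10` confirms that inbound sessions actually reach the server.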

Contributor
ccorkrum
Posts: 58
Registered: 01-26-2011

Re: Trouble creating publishing rules

It is working woohoo, thank you all for your help
