01-28-2011 09:43 PM
I still can't get them to work. I have tried creating FW policies as well; I've added back in the syslog and screen config from the default configuration; I've got web management working from the trust zone after enabling all services and protocols on trust. Untrust has DHCP and TFTP enabled by default (I have a bank of static IPs so I shouldn't need DHCP, and TFTP I have no idea why they would enable that). Looking at what I have so far, is there anything that would stop traffic in a policy or destination/source NAT to a specific IP in the trust zone? Thanks for all the help so far, slowly but surely lol
## Last changed: 2011-01-28 23:12:36 UTC
version 10.4R1.9;
groups {
    node0 {
        system {
            host-name HOUTXGW1;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 192.168.1.1/24;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name HOUTXGW2;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 192.168.1.2/24;
                    }
                }
            }
        }
    }
}
apply-groups "${node}";
system {
    root-authentication {
        encrypted-password "$1$XerblLjy$NGsYkErHAIXaodkJEV.Ai.";
    }
    name-server {
        <my isp dns servers>;
        <my isp dns servers>;
    }
    services {
        ssh;
        web-management {
            http {
                interface [ fxp0.0 reth0.0 ];
            }
            https {
                system-generated-certificate;
                interface [ fxp0.0 reth0.0 ];
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
chassis {
    cluster {
        control-link-recovery;
        reth-count 2;
        node 0;
        node 1;
        redundancy-group 0 {
            node 0 priority 100;
            node 1 priority 1;
        }
        redundancy-group 1 {
            node 0 priority 100;
            node 1 priority 1;
            preempt;
            interface-monitor {
                ge-0/0/3 weight 255;
                ge-5/0/3 weight 255;
                ge-0/0/4 weight 255;
                ge-5/0/4 weight 255;
            }
        }
    }
}
interfaces {
    ge-0/0/3 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-0/0/4 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-5/0/3 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-5/0/4 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    fab0 {
        fabric-options {
            member-interfaces {
                ge-0/0/2;
            }
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                ge-5/0/2;
            }
        }
    }
    reth0 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 192.168.11.1/24;
            }
        }
    }
    reth1 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address <my isp ip>/29;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop <my isp next hop>;
    }
}
security {
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                reth0.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                reth1.0;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
01-28-2011 09:58 PM
I found this thread
It says that you need to use a VIP when your untrust address is your internet address; there is no sign of whether it was resolved or not.
01-28-2011 10:11 PM
Made another change: on reth1.0 I assigned the first IP out of my static IP bank from my ISP. I'm thinking you don't use that IP for anything, and then you can set up proxy ARP for the other IPs and create rules to forward traffic? Need more coffee and time lol. I think I'm slowly starting to understand.
01-28-2011 10:40 PM
1. If you have only one public IP, assign it to the untrust interface; no proxy ARP required.
Just direct all traffic coming in on the physical interface (port 80) to the ISA's IP using DNAT (as DNAT is applied before the route/forwarding lookup).
2. If you have more than one IP:
Assign IP 1 to the physical interface.
Assign IP 2 to the virtual interface (configured through proxy ARP).
Now forward all incoming traffic on the virtual interface (port 80) to the ISA's IP using DNAT.
Regards
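Worked example, added here for readers of this thread and not taken from the original poster's config or from the reply above: it puts the two-case method above (case 2, more than one public IP) into the same hierarchy format as the config posted earlier, and answers the earlier question about what is needed to get destination NAT to a specific IP in the trust zone. Every address is assumed: the /29 block is taken to be 203.0.113.8/29 with 203.0.113.9 on reth1.0 (the "don't use it for anything" address), 203.0.113.11 is the virtual IP that proxy ARP answers for, and the ISA server is assumed to sit at 192.168.11.10 in the trust zone. The pool, rule-set, rule, address-book and policy names are also made up for the example.

```junos
## Added example (not the poster's config). Assumed addresses:
##   203.0.113.9/29  - reth1.0 primary (physical) untrust address
##   203.0.113.11/32 - virtual IP answered via proxy ARP, mapped to the ISA
##   192.168.11.10   - ISA server in the trust zone
security {
    nat {
        destination {
            ## Translate to the ISA host; port 80 keeps the forward to HTTP only.
            pool isa-web {
                address 192.168.11.10/32 port 80;
            }
            ## Destination NAT is evaluated before the route and policy lookup,
            ## so the rule matches the public (pre-translation) address.
            rule-set untrust-to-trust {
                from zone untrust;
                rule isa-http {
                    match {
                        destination-address 203.0.113.11/32;
                        destination-port 80;
                    }
                    then {
                        destination-nat pool isa-web;
                    }
                }
            }
        }
        ## The SRX must answer ARP for the virtual IP on the untrust interface,
        ## otherwise the ISP router never sends packets for it to reth1.0.
        proxy-arp {
            interface reth1.0 {
                address {
                    203.0.113.11/32;
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address isa-server 192.168.11.10/32;
            }
        }
    }
    policies {
        ## Policy lookup happens after destination NAT, so the destination here
        ## is the private ISA address, not the public VIP.
        from-zone untrust to-zone trust {
            policy isa-http-in {
                match {
                    source-address any;
                    destination-address isa-server;
                    application junos-http;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
    }
}
```

Two things worth checking after the commit. The policy is deliberately limited to junos-http and to the single ISA address rather than "any", so the only thing reachable from the internet through the VIP is port 80 on that one host; widen it per service if more than HTTP has to be published. And because proxy ARP now makes the SRX answer for the extra public addresses, leave host-inbound-traffic on the untrust zone empty (as it is in the config posted earlier) so the firewall itself does not expose management services on those IPs. To confirm the translation and the resulting sessions, "show security nat destination rule all" shows hit counts on the rule and "show security flow session destination-port 80" shows the pre- and post-NAT halves of each session.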
01-28-2011 10:45 PM
It is working, woohoo! Thank you all for your help.