SRX

  • 1.  Unable to access J-Web based on KB17223 FBF

    Posted 10-19-2011 17:39

    Hi Masters,

    Trying to configure an SRX210HX based on the sample configuration outlined in KB17223. I was trying to steer traffic based on the source IP addresses, which worked well. However, I didn't seem to be able to access any management interfaces (HTTP, HTTPS, SSH) unless I removed the IP-based filtering from the firewall filter (e.g. term DMZ2-ISP-2). Here is the configuration:

    version 11.1R4.4;
    system {
        host-name SRX210HX;
        domain-name domain.local;
        time-zone Australia/Melbourne;
        root-authentication {
            encrypted-password "encrypted-password";
        }
        name-server {
            1.1.1.254;
            2.2.2.254;
        }
        services {
            ssh;
            telnet;
            xnm-clear-text;
            web-management {
                management-url admin;
                http {
                    interface [ ge-0/0/0.0 ge-0/0/1.0 fe-0/0/2.0 fe-0/0/3.0 fe-0/0/4.0 fe-0/0/5.0 fe-0/0/6.0 fe-0/0/7.0 ];
                }
                https {
                    system-generated-certificate;
                    interface [ ge-0/0/0.0 ge-0/0/1.0 fe-0/0/2.0 fe-0/0/3.0 fe-0/0/4.0 fe-0/0/5.0 fe-0/0/6.0 fe-0/0/7.0 ];
                }
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 49;
        max-configuration-rollbacks 49;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                description Port4Trust;
                family inet {
                    filter {
                        input filter-based-forwarding;
                    }
                    address 10.20.3.254/24;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                description Port4DMZ1;
                family inet {
                    filter {
                        input filter-based-forwarding;
                    }
                    address 192.168.3.1/26;
                }
            }
        }
        fe-0/0/2 {
            unit 0 {
                description Port4DMZ2;
                family inet {
                    filter {
                        input filter-based-forwarding;
                    }
                    address 192.168.3.65/26;
                }
            }
        }
        fe-0/0/3 {
            unit 0 {
                description Port4DMZ3;
                family inet {
                    filter {
                        input filter-based-forwarding;
                    }
                    address 192.168.3.129/26;
                }
            }
        }
        fe-0/0/6 {
            unit 0 {
                description Port4ISP1;
                family inet {
                    address 1.1.1.1/29;
                }
            }
        }
        fe-0/0/7 {
            unit 0 {
                description Port4ISP2;
                family inet {
                    address 2.2.2.2/29;
                }
            }
        }
    }
    routing-options {
        interface-routes {
            rib-group inet isp-instances;
        }
        rib-groups {
            isp-instances {
                import-rib [ inet.0 ISP-1.inet.0 ISP-2.inet.0 ISP-3.inet.0 ISP-4.inet.0 ];
            }
        }
    }
    protocols {
        stp;
    }
    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set OUTGOING {
                    from zone [ dmz2 trust ];
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone dmz2 to-zone untrust {
                policy dmz2-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone dmz2 {
                address-book {
                    address web-server 192.168.3.66/32;
                }
                interfaces {
                    fe-0/0/2.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone trust {
                tcp-rst;
                address-book {
                    address mail-server 10.20.3.5/32;
                }
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    fe-0/0/6.0;
                    fe-0/0/7.0;
                }
            }
            security-zone dmz1 {
                interfaces {
                    ge-0/0/1.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                        }
                    }
                }
            }
        }
    }
    firewall {
        family inet {
            filter filter-based-forwarding {
                term DMZ1-ISP-1 {
                    from {
                        source-address {
                            192.168.3.0/26;
                        }
                    }
                    then {
                        routing-instance ISP-1;
                    }
                }
                term DMZ2-ISP-2 {
                    from {
                        source-address {
                            192.168.3.64/26;
                        }
                    }
                    then {
                        routing-instance ISP-2;
                    }
                }
                term default {
                    then accept;
                }
            }
        }
    }
    routing-instances {
        ISP-1 {
            description ISP1;
            instance-type forwarding;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop 1.1.1.1;
                }
            }
        }
        ISP-2 {
            description ISP2;
            instance-type forwarding;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop 2.2.2.1;
                }
            }
        }
    }

    Could you please shed some light on the issue.

    Thanks in advance,

    Bob



  • 2.  RE: Unable to access J-Web based on KB17223 FBF
    Best Answer

    Posted 10-20-2011 07:35

    You say it works without the IP-based filtering, so I suppose you try to connect from one of the filter's source networks.

    Can't test right now, but try to add the destination in a term, BEFORE the source term.

    term jweb {
        from {
            destination-address {
                192.168.3.1/32;
            }
        }
        then {
            accept;
        }
    }
    term DMZ4port1
    term DMZ4port2




  • 3.  RE: Unable to access J-Web based on KB17223 FBF

    Posted 10-20-2011 17:24

    What can I say, you're a legend. It works like a charm.

    Thank you very much.

    Just one more thing: is there a way to group any IPs on all interfaces of the SRX so I can have only one statement for it:

    term jweb {
        from {
            destination-address {
                any IPs on SRX
            }
        }
        then {
            accept;
        }
    }

    Cheers,

    Bob



  • 4.  RE: Unable to access J-Web based on KB17223 FBF

    Posted 10-21-2011 02:57

    Check this KB article:

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB16685

    It should be possible to add multiple filter matches, but I think you have to insert separate lines for each address,

    like

    from {
        destination-address {
            1.1.1.1/32;
            2.2.2.2/32;
        }
    }
    then { ...

    IIRC destination-address is always /32 in this case, because you only want the single IP of the router here.

    Glad I could help you

    chris



  • 5.  RE: Unable to access J-Web based on KB17223 FBF

    Posted 10-21-2011 15:47

    Thanks Chris

    Once again, it works

    from {
        destination-address {
            1.1.1.1/32;
            2.2.2.2/32;
        }
    }
    then { ...

    What I was hoping for was that I don't have to enter every single IP on the SRX210 into the array.

    But never mind.

    Problem solved.

    Thanks again,

    Bob



  • 6.  RE: Unable to access J-Web based on KB17223 FBF

    Posted 11-18-2011 20:54

    Sorry to be a pain. I have added both LAN and WAN port IPs to term jweb as discussed:

    term jweb {
        from {
            destination-address {
                192.168.3.1/32;    /* LAN IP */
                1.1.1.1/32;        /* WAN IP */
            }
        }
        then {
            accept;
        }
    }
    term DMZ4port1
    term DMZ4port2

    J-Web access can be done via any LAN connection, but I was unable to establish any WAN connection to manage the device.

    Can you please shed some light on the issue.

    Thanks and regards,

    Bob
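Added example, not from the thread or from Juniper: a small Python model of first-match term evaluation in a Junos firewall filter, applied to the filter terms, interface addresses, filter placement and zone settings taken from the configuration in the first post. It shows why the accept term for the device's own addresses from the accepted answer (post 2) has to sit before the source-based routing-instance terms, expands "any IPs on the SRX" from post 3 into the list of interface addresses the term has to carry, and traces the WAN case from the last post: in the posted configuration the filter is not applied on fe-0/0/6 and fe-0/0/7 at all, and the untrust zone has no host-inbound-traffic stanza, so management traffic arriving from the WAN is refused by the zone, not by the filter. The model records only that a term other than accept wins; the thread does not say what happens to a steered packet afterwards. The hosts 192.168.3.66 and 10.20.3.5 are the address-book entries from the first post; 203.0.113.10 is a constructed Internet address.

```python
import ipaddress

# Interface addresses from the posted configuration (first post). Expanding
# "any IPs on the SRX" (third post) means listing every one of these as /32.
LOCAL_ADDRESSES = {
    "ge-0/0/0.0": "10.20.3.254",    # trust
    "ge-0/0/1.0": "192.168.3.1",    # dmz1
    "fe-0/0/2.0": "192.168.3.65",   # dmz2
    "fe-0/0/3.0": "192.168.3.129",  # DMZ3, in no zone in the posted config
    "fe-0/0/6.0": "1.1.1.1",        # untrust (ISP1)
    "fe-0/0/7.0": "2.2.2.2",        # untrust (ISP2)
}

# Interfaces that carry "input filter-based-forwarding" in the posted config.
FBF_INTERFACES = {"ge-0/0/0.0", "ge-0/0/1.0", "fe-0/0/2.0", "fe-0/0/3.0"}

# Zone membership and whether the zone allows host-inbound system-services
# (trust, dmz1 and dmz2 have "system-services all"; untrust has no stanza).
ZONE_OF = {"ge-0/0/0.0": "trust", "ge-0/0/1.0": "dmz1", "fe-0/0/2.0": "dmz2",
           "fe-0/0/6.0": "untrust", "fe-0/0/7.0": "untrust"}
HOST_INBOUND_ALL = {"trust": True, "dmz1": True, "dmz2": True, "untrust": False}

# The filter as posted: source-based FBF terms, then a catch-all accept.
ORIGINAL_TERMS = [
    {"name": "DMZ1-ISP-1", "from": {"source-address": ["192.168.3.0/26"]},
     "then": "routing-instance ISP-1"},
    {"name": "DMZ2-ISP-2", "from": {"source-address": ["192.168.3.64/26"]},
     "then": "routing-instance ISP-2"},
    {"name": "default", "from": {}, "then": "accept"},
]

# The accepted answer: an accept term for the device's own addresses, placed first.
JWEB_TERM = {
    "name": "jweb",
    "from": {"destination-address": [f"{a}/32" for a in LOCAL_ADDRESSES.values()]},
    "then": "accept",
}
FIXED_TERMS = [JWEB_TERM] + ORIGINAL_TERMS


def term_matches(term, src, dst):
    """A term matches when every from-clause it has is satisfied (a clause with
    several prefixes is satisfied by any one of them); a term with no from-clause
    matches everything."""
    for key, addr in (("source-address", src), ("destination-address", dst)):
        prefixes = term["from"].get(key)
        if prefixes and not any(ipaddress.ip_address(addr) in ipaddress.ip_network(p)
                                for p in prefixes):
            return False
    return True


def evaluate_filter(terms, src, dst):
    """First matching term wins; no match means the implicit discard."""
    for term in terms:
        if term_matches(term, src, dst):
            return term["name"], term["then"]
    return None, "discard"


def management_outcome(terms, ingress, src, dst):
    """Trace a packet aimed at one of the SRX's own addresses through the input
    filter (if the ingress interface has one) and then the zone's
    host-inbound-traffic check. Returns (reachable, reason)."""
    if dst not in LOCAL_ADDRESSES.values():
        return False, "destination is not an address of the SRX"
    if ingress in FBF_INTERFACES:
        name, action = evaluate_filter(terms, src, dst)
        if action != "accept":
            return False, f"term {name} applies '{action}' instead of accept"
        via = f"term {name} accepts"
    else:
        via = "no input filter on this interface"
    zone = ZONE_OF.get(ingress)
    if zone is None or not HOST_INBOUND_ALL[zone]:
        return False, f"{via}, but zone {zone} allows no host-inbound system-services"
    return True, f"{via}; zone {zone} allows host-inbound services"


if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.10 is a documentation address.
    cases = [
        ("DMZ2 host -> its gateway, original filter", ORIGINAL_TERMS,
         "fe-0/0/2.0", "192.168.3.66", "192.168.3.65"),
        ("DMZ2 host -> its gateway, jweb term first", FIXED_TERMS,
         "fe-0/0/2.0", "192.168.3.66", "192.168.3.65"),
        ("trust host -> its gateway, original filter", ORIGINAL_TERMS,
         "ge-0/0/0.0", "10.20.3.5", "10.20.3.254"),
        ("Internet host -> WAN address, jweb term first", FIXED_TERMS,
         "fe-0/0/6.0", "203.0.113.10", "1.1.1.1"),
    ]
    for label, terms, ingress, src, dst in cases:
        ok, why = management_outcome(terms, ingress, src, dst)
        print(f"{label}: {'reachable' if ok else 'blocked'} ({why})")
    # Transit traffic from DMZ2 is still steered to ISP-2 with jweb in front.
    print(evaluate_filter(FIXED_TERMS, "192.168.3.66", "203.0.113.10"))
```

Run it directly to print the four traces. The last line shows that putting the jweb term first does not disturb the forwarding the thread set out to build: a DMZ2 host talking to the Internet still hits DMZ2-ISP-2, because its destination is not one of the SRX's own addresses.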