SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  address/address-set under nat destination

    Posted 07-18-2016 08:46

    Hi everybody.

    I'm struggling to understand what is wrong with my config.

    I'm configuring a NAT destination rule:

    set security nat destination rule-set PFW-RASPI rule PFW-8080 match source-address-name ASET-YOTI-OFFICE

    but when I commit:

    root@SRX210# commit
    [edit security nat destination rule-set PFW-RASPI rule PFW-8080 match]
    'source-address-name ASET-YOTI-OFFICE'
    Can not find address/address-set(ASET-YOTI-OFFICE) in default global address book
    error: configuration check-out failed

    However, I have that address book configured:

    root@SRX210# show | display set | match ASET-YOTI-OFFICE
    set security address-book YOTI-OFFICE address-set ASET-YOTI-OFFICE address YOTI-1
    set security address-book YOTI-OFFICE address-set ASET-YOTI-OFFICE address YOTI-2

    Question 1: What is the reason for that error?

    Question 2: Why does Junos give the opportunity to restrict access to a range of IPs under NAT as well as under the security policy for that NAT rule? What is the difference?

    Thanks


    #SRX
    #ADDRBOOK
    #Policies
    #NAT


  • 2.  RE: address/address-set under nat destination
    Best Answer

    Posted 07-18-2016 09:01

    Hi,

    You have defined that address set under the YOTI-OFFICE address book and not the global one. Please change it to the following :-

    set security address-book global address-set ASET-YOTI-OFFICE address YOTI-1

    And perform a similar configuration for YOTI-2 as well.

     

    Regards,

    Sahil Sharma

    ---------------------------------------------------

    Please mark my solution as accepted if it helped, Kudos are appreciated as well.
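As an added worked example (editorial, not part of the original thread or of Sahil's reply), here is the whole fix in set format. The commit check that produced the error resolves `source-address-name` and `destination-address-name` under `security nat` only against the `global` address book, so both the address set and the addresses it contains have to be defined there; a zone-attached book such as YOTI-OFFICE is only consulted by security policies. The YOTI-1/YOTI-2 prefixes, the zone names `untrust`/`trust`, the public IP 198.51.100.1 (assumed to be the untrust interface's own address, so no proxy ARP is needed), the pool name and the Raspberry Pi at 192.168.1.10 are all assumptions, since the thread does not show them.

```junos
## Added example, not from the original thread. Assumed values: YOTI-1/YOTI-2
## prefixes, zones untrust/trust, public IP 198.51.100.1, server 192.168.1.10.

## 1. The addresses and the set live in the global book: NAT rules resolve
##    address names there and nowhere else.
set security address-book global address YOTI-1 203.0.113.10/32
set security address-book global address YOTI-2 203.0.113.11/32
set security address-book global address-set ASET-YOTI-OFFICE address YOTI-1
set security address-book global address-set ASET-YOTI-OFFICE address YOTI-2
set security address-book global address RASPI 192.168.1.10/32

## 2. Destination NAT: only sources in ASET-YOTI-OFFICE that hit the public
##    IP on TCP/8080 are translated to the Raspberry Pi on port 8080.
set security nat destination pool PFW-RASPI-8080 address 192.168.1.10/32 port 8080
set security nat destination rule-set PFW-RASPI from zone untrust
set security nat destination rule-set PFW-RASPI rule PFW-8080 match source-address-name ASET-YOTI-OFFICE
set security nat destination rule-set PFW-RASPI rule PFW-8080 match destination-address 198.51.100.1/32
set security nat destination rule-set PFW-RASPI rule PFW-8080 match destination-port 8080
set security nat destination rule-set PFW-RASPI rule PFW-8080 then destination-nat pool PFW-RASPI-8080

## 3. Security policy. Destination NAT runs before policy lookup, so the policy
##    matches the translated (private) destination. Restricting the source here
##    too keeps the exposure limited even if the NAT match is loosened later.
set applications application tcp-8080 protocol tcp destination-port 8080
set security policies from-zone untrust to-zone trust policy PERMIT-RASPI-8080 match source-address ASET-YOTI-OFFICE
set security policies from-zone untrust to-zone trust policy PERMIT-RASPI-8080 match destination-address RASPI
set security policies from-zone untrust to-zone trust policy PERMIT-RASPI-8080 match application tcp-8080
set security policies from-zone untrust to-zone trust policy PERMIT-RASPI-8080 then permit
```

The `##` lines are reading notes only; drop them before pasting into `load set terminal`. After `commit`, `show configuration security address-book global` should list the set and both members, `show security nat destination rule all` should list PFW-8080, and a connection from one of the office addresses should appear in `show security flow session destination-port 8080` with the translated destination 192.168.1.10.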



  • 3.  RE: address/address-set under nat destination

    Posted 07-18-2016 13:19

    Hi, thank you very much for your reply!
    Can you please give me more info about that? Why this is necessary? I would like to understand that!

    Thanks!



  • 4.  RE: address/address-set under nat destination

    Posted 07-18-2016 22:57

    Hi,

    Suppose your internal server IP address is 192.168.1.10 and you have a public IP from the ISP, say 9.9.9.9.

    You want to host various applications on the internal server, working on different ports, and want them accessible from the internet.

    You create a static NAT between 192.168.1.10 and 9.9.9.9. This essentially means that all ports on 9.9.9.9 are translated to all ports on 192.168.1.10.

    However, currently you have only one single port on the internal server which is running an application. Hence, you create a security policy to allow just that one port from the Internet zone to the Server zone, thus blocking access to all the other ports on that IP despite having a NAT for all the ports.

    Please let me know if the explanation is clear.

     

    Regards,

    Sahil Sharma

    ---------------------------------------------------

    Please mark my solution as accepted if it helped, Kudos are appreciated as well.



  • 5.  RE: address/address-set under nat destination

    Posted 07-18-2016 09:04

    Regarding your second question, here is the packet flow for the SRX :-

    http://kb.juniper.net/InfoCenter/index?page=content&id=kb16110&actp=search

    Depending on the type of NAT, Junos gives the flexibility to restrict access in security policies as well.

    Hence, even if you configure a static NAT for a single internal IP to an external IP, you can still restrict the ports using the security policy.

     

    Regards,

    Sahil Sharma

    ---------------------------------------------------

    Please mark my solution as accepted if it helped, Kudos are appreciated as well.
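As an added worked example for the static NAT scenario described in replies 4 and 5 (editorial, not from the original thread), here is the configuration that pairs an all-ports static NAT with a security policy that opens a single port. The point of the second question is that the two stages do different jobs: the NAT rule decides which packets get their destination rewritten, and the policy, which runs after destination/static NAT in the SRX flow, decides which sessions are allowed at all. The 9.9.9.9 and 192.168.1.10 values are the thread's placeholders; the zone names, the interface `ge-0/0/0.0`, the port 8443 and the rule and policy names are assumptions.

```junos
## Added example, not from the original thread. Placeholders from the thread:
## public 9.9.9.9, internal 192.168.1.10. Zones, interface and port are assumed.

## 1. Static NAT: every port on 9.9.9.9 maps 1:1 to 192.168.1.10 (and back
##    for outbound traffic from the server).
set security nat static rule-set SNAT-SERVER from zone untrust
set security nat static rule-set SNAT-SERVER rule SERVER-PUBLIC match destination-address 9.9.9.9/32
set security nat static rule-set SNAT-SERVER rule SERVER-PUBLIC then static-nat prefix 192.168.1.10/32

## 2. Proxy ARP is needed only when 9.9.9.9 is in the untrust interface's
##    subnet but is not the interface's own address (assumed here).
set security nat proxy-arp interface ge-0/0/0.0 address 9.9.9.9/32

## 3. Policy. Static NAT is applied before policy lookup, so the destination
##    in the policy is the private address. Permit the one port in use, then
##    deny everything else explicitly with logging, so the remaining ports of
##    9.9.9.9 stay closed and probes against them are visible.
set security address-book global address SERVER-INT 192.168.1.10/32
set applications application tcp-8443 protocol tcp destination-port 8443
set security policies from-zone untrust to-zone trust policy SERVER-8443 match source-address any
set security policies from-zone untrust to-zone trust policy SERVER-8443 match destination-address SERVER-INT
set security policies from-zone untrust to-zone trust policy SERVER-8443 match application tcp-8443
set security policies from-zone untrust to-zone trust policy SERVER-8443 then permit
set security policies from-zone untrust to-zone trust policy DENY-REST match source-address any
set security policies from-zone untrust to-zone trust policy DENY-REST match destination-address any
set security policies from-zone untrust to-zone trust policy DENY-REST match application any
set security policies from-zone untrust to-zone trust policy DENY-REST then deny
set security policies from-zone untrust to-zone trust policy DENY-REST then log session-init
```

Policies are evaluated in configured order, so SERVER-8443 must sit above DENY-REST; `show security policies from-zone untrust to-zone trust` confirms the order after commit. The SRX already denies unmatched traffic by default, so DENY-REST changes nothing about what is allowed; it exists to log the dropped attempts against the other ports, which is the evidence you want when an all-ports static NAT is in place. The `##` lines are reading notes only and should be dropped before pasting.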