SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

how to put servers with public IPs behind the SRX?


  • 1.  how to put servers with public IPs behind the SRX?

    Posted 04-10-2015 02:02

    Hi,

     

    I have an SRX240 serving my LAN and I want to put some servers with public IPs behind the SRX and control what applications are allowed to and from the servers.

    My plan is this:

    Pick two interfaces (one going to the switch connecting the servers and one going to the MX providing internet) and put them in one zone (maybe a servers zone) and do intrazone policies. I am required to tag the SRX port facing the MX and untag the port facing the servers. Should I change from family ethernet-switching to family inet and do vlan-tagging, or can I just change the port mode to trunk to achieve this?

    Note: these two interfaces will be detached from two existing zones (trust and untrust). Is there something I am missing?

     

    Regards,

    Sheeel.



  • 2.  RE: how to put servers with public IPs behind the SRX?

     
    Posted 04-10-2015 03:22

    I would put the servers in a separate DMZ zone because it's easier to visualize and construct the policy and traffic flow that way.  With an intrazone policy, for instance, you would have a single policy that defines inbound traffic to the servers, as well as the return traffic from the servers to the internet.  Confusing, IMO.

     

    The method by which you tag is really up to you.  I personally would make that MX-facing interface a normal vlan-tagged interface with no switching enabled:

     

    set interfaces ge-0/0/0 vlan-tagging
    set interfaces ge-0/0/0 unit 5 vlan-id 5
    set interfaces ge-0/0/0 unit 5 family inet address x.x.x.x/xx

     But that's just my personal preference.  There's no technical reason right now that I can think of that gives this method an advantage over just using 'port-mode trunk'.



  • 3.  RE: how to put servers with public IPs behind the SRX?

    Posted 04-10-2015 04:40

    Hi Evt,

     

    That means the DMZ zone will contain the interface facing the servers, and the MX interface will be in a different zone?

    Or do you mean a normal DMZ setup where the policies are between the DMZ zone and the untrust zone?

     

    Sheeel.



  • 4.  RE: how to put servers with public IPs behind the SRX?

     
    Posted 04-10-2015 04:42

    Yes to both. 



  • 5.  RE: how to put servers with public IPs behind the SRX?

    Posted 04-10-2015 04:56

    OK, so I can say:

    set security zones security-zone DMZ interfaces ge-0/0/12.0

    set security zones security-zone MX_port interfaces ge-0/0/13.0

    and do the policies to and from these two zones?

     

     



  • 6.  RE: how to put servers with public IPs behind the SRX?

     
    Posted 04-10-2015 05:00

    That is what I would do.  I will not go so far as to say it is the right way because everyone's network is different.  It would just make more sense to me to do it that way.  I would just put the MX port into the 'untrust' zone definition or name it something relating to the function, simply for clarity's sake.  If someone else is looking at the config, it would be easier for them to figure out that, "Oh, the interfaces in this zone are to be untrusted" rather than have them wonder, "What is the MX port?".  I always try my best to design things in such a way that it's easier for someone else to understand just in case I get hit by a bus or fall down a well and snap my neck and die.



  • 7.  RE: how to put servers with public IPs behind the SRX?

    Posted 04-10-2015 08:08

    Just to let you know, there is already an untrust zone containing another interface (ge-0/0/0.0) going to the same MX, and this is how I get the internet to devices in the trust zone.

    Now I am having another port (ge-0/0/12.0) going to the same MX on a different port, carrying the GW for the IPs on the servers.

    So I have two ports from the SRX going to 2 ports on the MX, all providing.

    Just a clarification! Please see the attached diagram.

     

     

    Sheeel.

    Attachment: server zone.pdf (94 KB)


  • 8.  RE: how to put servers with public IPs behind the SRX?

     
    Posted 04-10-2015 08:21

    Ok, thanks for that.  Given this new information, you won't be able to configure your MX-facing ports in 'vlan-tagging' mode and you'd have to use an ethernet-switching family in 'trunk' mode because you need to be able to bridge the MX-facing and server-facing interfaces together.  You can't do that by configuring 'vlan-tagging' on the interface.

     

    I can't say I've worked with a topology like this, which appears to be a routed and transparent mode hybrid, for lack of a better term.  Are there other devices in that network that need to exist outside of the SRX and that's why you can't make the SRX the default gateway of the servers?



  • 9.  RE: how to put servers with public IPs behind the SRX?

    Posted 04-10-2015 09:15

    Well, as you have pointed out, I was considering putting the servers in the trust zone and defining a static route in the SRX for the block of public IPs that the servers are using.

    So this is my plan B:

    Connect the servers to any interface in the trust zone and remove that particular interface from the default vlan-trust,

    and define the static route like 1.1.1.0/28 next-hop 2.2.2.2 (the internet GW for the SRX defined in the MX).

    My other concern is this: since the servers are on this block (1.1.1.0/28), what gateway IP will I use on the servers? Normally my gateways are defined on the MX, and in this case there is no IP in that /28 block defined in the MX. There will only be a static route on the MX pointing to this block of IPs with a next hop of the SRX IP (i.e. static route 1.1.1.0/28 next-hop 2.2.2.3).

    Hope you are getting my point.



  • 10.  RE: how to put servers with public IPs behind the SRX?

     
    Posted 04-10-2015 10:36

    Is your SRX operating in Transparent mode?  I had assumed it was not, but that may have been a bad assumption to make.

     



  • 11.  RE: how to put servers with public IPs behind the SRX?

    Posted 04-10-2015 16:12

     

     

    Hi,

     

    No, it's not. It's in route mode.

     

    Regards,

    Sheeel



  • 12.  RE: how to put servers with public IPs behind the SRX?

    Posted 04-10-2015 16:18

     

     

    Hi,

    No, it's not, it's in route mode.

     

    Regards,

    Sheeel.



  • 13.  RE: how to put servers with public IPs behind the SRX?

     
    Posted 04-10-2015 16:22

    So is there any reason you cannot just make the SRX the default gateway for the servers?



  • 14.  RE: how to put servers with public IPs behind the SRX?

    Posted 04-10-2015 16:43

    Hi,

     

    There is no particular reason why I shouldn't do that, but I have a challenge. This might sound stupid, but I am wondering what GW IP I will use on the servers. I would have used the P2P IP between the SRX and the MX, but that will fall in a different subnet than the IPs on the servers.

    Please find the attached diagram for understanding.

     

    Attachment: servers-zone .pdf (107 KB)


  • 15.  RE: how to put servers with public IPs behind the SRX?

     
    Posted 04-10-2015 19:40

    What is wrong with 2.2.2.1? 



  • 16.  RE: how to put servers with public IPs behind the SRX?

    Posted 04-13-2015 03:39

    Hi,

     

     

    I have connected the server, created a new zone for it and did policies between the untrust zone and the servers zone.

    I have put the interface (ge-0/0/12) in the servers zone and have not restricted anything so far; source, destination and application are set to any in both policies, but I still can't reach the server from outside, nor can the server ping outside.

    The interface connecting to the servers is in family ethernet-switching and untagged. Will moving to family inet make a difference?

    Is there anything I am missing?



  • 17.  RE: how to put servers with public IPs behind the SRX?

     
    Posted 04-13-2015 04:00

    Are you routing traffic for the server network in the MX to the SRX?  Something like:

     

    set routing-options static route 2.2.2.0/28 next-hop 1.1.1.2



  • 18.  RE: how to put servers with public IPs behind the SRX?

    Posted 04-13-2015 04:16

    Yes, I have static routes in the MX pointing to the SRX public IP and a static route in the SRX with a next hop of the public IP on the MX.

    SRX static route:

    set routing-options static route xx.xx.9.168/30 next-hop xx.xx.8.129

    MX static route:

    set routing-options static route xx.xx.9.168/30 next-hop xx.xx.8.130

     

    Regards,

    Sheeel.



  • 19.  RE: how to put servers with public IPs behind the SRX?

     
    Posted 04-13-2015 07:04

    It would help if you could provide an updated map of how things are physically connected now, including IP subnets.  You can use fake subnets in place of real ones to protect your network information.

     

    My first question is why is there a route on the SRX pointing at the MX?  Isn't that subnet attached to the SRX?  If not, then you are effectively creating a loop within your network.



  • 20.  RE: how to put servers with public IPs behind the SRX?

    Posted 04-14-2015 00:51

    Hi,

     

    Please find the attached diagram. That subnet is attached to the SRX, but there is no IP on the interface connecting to the servers, and the SRX doesn't see that as a directly connected route. That's why I am putting the route in the SRX. That's how I thought, but I could be wrong.

    Attachment: servers-diagram.docx (33 KB)


  • 21.  RE: how to put servers with public IPs behind the SRX?

     
    Posted 04-14-2015 00:56

    Hi,

     

    If you want the servers to have connectivity towards anything other than the 2.2.2.0/28 subnet, you need to configure an address on the SRX interface facing the servers. On the servers you need to set a default GW, or a set of routes towards the IP on the SRX, to have connectivity.



  • 22.  RE: how to put servers with public IPs behind the SRX?

    Posted 04-14-2015 01:48

    Hi,

    Thanks for that. I configured an IP on the SRX interface and used that as the GW for the servers.

    Now I can ping the MX (lo0 IP) from the servers and the MX can ping the servers, but that's it. The servers can't ping anything else apart from the MX; I can't go beyond the MX. Anything I am missing?

     

    Regards,

    Sheeel.



  • 23.  RE: how to put servers with public IPs behind the SRX?

     
    Posted 04-14-2015 02:23

    There must be something missing in the routing table of the MX. Can you attach the routing config of the MX?



  • 24.  RE: how to put servers with public IPs behind the SRX?

     
    Posted 04-14-2015 02:53

    You need to remove the following route from your SRX:

    SRX static route:

    set routing-options static route xx.xx.9.168/30 next-hop xx.xx.8.129

    You don't need that route. You only need that route on your MX towards the SRX.
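    The routed setup the replies above converge on, written out as an added example (not configuration from any post in this thread): the server block is a directly connected subnet on the SRX, so the SRX carries no static route for it, and the MX is the only device that needs a route pointing at the SRX. The addresses are the thread's illustrative values (2.2.2.0/28 for the servers, 2.2.2.1 as their gateway, 1.1.1.2 as the SRX end of the link to the MX); the MX end of that link (1.1.1.1), the interface names and the zone name "servers" are assumptions.

```junos
# --- SRX (route mode) ---------------------------------------------------------
# Server-facing interface carries the gateway address; the /28 becomes a
# Direct route, so no static route for 2.2.2.0/28 belongs on the SRX.
set interfaces ge-0/0/12 unit 0 family inet address 2.2.2.1/28
set security zones security-zone servers interfaces ge-0/0/12.0
# Let the servers ping their gateway while testing (zone-level host-inbound-traffic).
set security zones security-zone servers host-inbound-traffic system-services ping

# Existing MX-facing interface in untrust (assumed /30, SRX side 1.1.1.2).
set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.2/30
set security zones security-zone untrust interfaces ge-0/0/0.0
# Default route towards the MX end of the point-to-point link (assumed 1.1.1.1).
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1

# Outbound policy for the servers; inbound policy from untrust is written
# per application (see the later posts) rather than "any".
set security policies from-zone servers to-zone untrust policy servers-out match source-address any
set security policies from-zone servers to-zone untrust policy servers-out match destination-address any
set security policies from-zone servers to-zone untrust policy servers-out match application any
set security policies from-zone servers to-zone untrust policy servers-out then permit
set security policies from-zone servers to-zone untrust policy servers-out then log session-close

# --- MX ------------------------------------------------------------------------
# The only route the server block needs: send it to the SRX.
set routing-options static route 2.2.2.0/28 next-hop 1.1.1.2
```

    On the servers the default gateway is 2.2.2.1. A quick check on the SRX is "show route 2.2.2.0/28": it should be listed as Direct via ge-0/0/12.0, and a Static entry for the same prefix pointing back at the MX is the loop the reply above describes. How the MX advertises 2.2.2.0/28 to the rest of the network (IBGP, route policy, communities) is outside this example.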



  • 25.  RE: how to put servers with public IPs behind the SRX?

    Posted 04-14-2015 06:19

    Hi EVT/MarcTB,

    It's now working. I forgot to tag the static route in the MX with the community value for IBGP; the route wasn't matching the IBGP community and hence wasn't distributed to other routers. Now I can reach the servers from anywhere. Thanks so much for your help.

    Coming to the main point now:

    The whole idea of putting these servers behind the SRX was to control the upload traffic towards the internet from the servers. We had applied a policer to the interface that was supposed to control both uploads and downloads, but the uploads aren't capped by the policer, don't know why. Some told me UDP traffic is mostly not limited by the policer; it's only TCP that the policer affects (how far is this true???).

    Now that the servers are behind the SRX, how can I limit the upload traffic? I have applied a policer to the SRX interface facing the servers, but it's no different from the policer we had in the MX.

    How can I go about controlling the upload from the servers? That's the main requirement.

     

    Thank you guys for your time.

     

    Regards,
    Sheeel.



  • 26.  RE: how to put servers with public IPs behind the SRX?

     
    Posted 04-14-2015 08:30

    If you are trying to limit traffic from the servers to the internet, you would apply a policer on the INPUT of the interface connected to the servers:

     

    # show interfaces ge-0/0/6    
    unit 0 {
        family inet {
            policer {
                input limit-traffic;
            }
        }
    }
    # show firewall policer limit-traffic 
    if-exceeding {
        bandwidth-limit 10m;
        burst-size-limit 1m;
    }
    then discard;

     The policer in this instance works on the 'inet' family and will police all traffic on the interface as a whole to 10Mb/s.  You can also call the policer from within a firewall filter if you want to limit the policer to only restrict certain types of traffic.
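    The reply above mentions calling the policer from a firewall filter instead of attaching it to the whole interface. The following is an added example of that form (not configuration from any post in this thread): the filter is applied as an input filter on the server-facing interface, because packets arriving there from the servers are their uploads, and only the terms that reference the policer are rate-limited. A Junos policer's bandwidth-limit counts bytes at the inet layer, so it applies to UDP exactly as it does to TCP; matching on protocol or ports in a term is how one limits only certain traffic. The interface name, the 2.2.2.0/28 server block and the 203.0.113.0/28 monitoring network that is exempted are assumptions.

```junos
# Policer referenced from the filter terms below; 2m matches the rate the
# poster says they applied. Exceeding packets are dropped, so TCP backs off
# and UDP senders simply lose the excess.
set firewall policer limit-upload if-exceeding bandwidth-limit 2m
set firewall policer limit-upload if-exceeding burst-size-limit 200k
set firewall policer limit-upload then discard

# Term 1: traffic to the (assumed) monitoring network is accepted unpoliced.
set firewall family inet filter police-server-upload term allow-monitoring from destination-address 203.0.113.0/28
set firewall family inet filter police-server-upload term allow-monitoring then accept

# Term 2: everything sourced from the server block goes through the policer.
# A term that polices must also accept, or the packet is dropped.
set firewall family inet filter police-server-upload term police-servers from source-address 2.2.2.0/28
set firewall family inet filter police-server-upload term police-servers then policer limit-upload
set firewall family inet filter police-server-upload term police-servers then count server-upload-policed
set firewall family inet filter police-server-upload term police-servers then accept

# Term 3: explicit final accept. Without it, anything the earlier terms do not
# match (e.g. a spoofed source outside the block) hits the implicit discard.
set firewall family inet filter police-server-upload term default-accept then accept

# Attach the filter (not the policer) to the server-facing interface, input
# direction. Do not also keep an interface-level input policer, or the
# traffic is subject to both.
set interfaces ge-0/0/12 unit 0 family inet filter input police-server-upload
```

    Verification: "show firewall filter police-server-upload" lists the server-upload-policed counter and the per-filter policer counters, so one can see whether packets are actually being discarded. If the goal is to drop spoofed sources rather than pass them, replace the final accept with "then discard" and add a counter to it.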



  • 27.  RE: how to put servers with public IPs behind the SRX?

    Posted 04-14-2015 10:18

    I applied a typical 2Mb/s policer on both output/input. When you say the policer works on the 'inet' family, I hope that covers all IPv4 traffic, since there is no IPv6 configured.

    If I apply a filter and reference the policer within the filter for the specific traffic to be limited, will I still need to apply the policer to the interface?

    From the untrust zone I want to allow remote desktop connections, but I don't see an option in the list of applications (like for SSH I select junos-ssh). Is there something like junos-rdc?


  • 28.  RE: how to put servers with public IPs behind the SRX?
    Best Answer

     
    Posted 04-14-2015 11:49

    Yes, you still will.

     

     

    You can create an application profile for RDP yourself. Something like the below will work:

     

    application ms_rdp {
        protocol tcp;
        destination-port 3389;
    }
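    The custom application above only names the port; the policy that uses it decides who may reach it. As an added example (not configuration from any post in this thread), here is the ms_rdp object from the answer together with an untrust-to-servers policy that permits RDP only from a named admin network to one host, logs each session, and logs everything else that is denied. The 203.0.113.0/28 admin network, the 2.2.2.10 server address and the zone name "servers" are assumptions.

```junos
# Custom application from the answer above: RDP is TCP/3389.
set applications application ms_rdp protocol tcp destination-port 3389

# Zone-attached address objects (assumed values).
set security zones security-zone untrust address-book address admin-hosts 203.0.113.0/28
set security zones security-zone servers address-book address win-server 2.2.2.10/32

# Permit RDP only from the admin network to the one server, and log sessions
# so every RDP login to the box leaves a record on the SRX.
set security policies from-zone untrust to-zone servers policy allow-rdp-admin match source-address admin-hosts
set security policies from-zone untrust to-zone servers policy allow-rdp-admin match destination-address win-server
set security policies from-zone untrust to-zone servers policy allow-rdp-admin match application ms_rdp
set security policies from-zone untrust to-zone servers policy allow-rdp-admin then permit
set security policies from-zone untrust to-zone servers policy allow-rdp-admin then log session-init session-close

# Explicit, logged deny for everything else from untrust. Policies are
# evaluated top to bottom, so this must stay last in the from-untrust list;
# RDP attempts from any other source show up here.
set security policies from-zone untrust to-zone servers policy deny-rest match source-address any
set security policies from-zone untrust to-zone servers policy deny-rest match destination-address any
set security policies from-zone untrust to-zone servers policy deny-rest match application any
set security policies from-zone untrust to-zone servers policy deny-rest then deny
set security policies from-zone untrust to-zone servers policy deny-rest then log session-init
```

    "show security policies from-zone untrust to-zone servers" confirms the order, and "show security flow session destination-port 3389" shows the live RDP sessions and which source addresses they come from. Exposing RDP to "source-address any" instead of a named admin prefix is the setting to avoid; the rest of the policy is the same either way.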