SRX Services Gateway
Contributor
Scotty_SA

packet mode and flow mode

Hi Guys

I have run into a small problem and I'm hoping the forum could shed some light and point me in the right direction.

I need to set up packet-mode for a particular range of public IPs.

I have set up a prefix-list that references the public IPs.

I have set up a firewall filter from source to destination (prefix-list), then packet-mode.

I have then bound the filter to both interfaces, ge-0/0/0 and ge-0/0/3.

I have attached a diagram and the config of the SRX220.

Troubleshooting

Once I applied the config, we could ping the servers from the Internet.

Voice services were working like a dream.

The show firewall command indicated the filter was being hit.

Problem:

We could not connect to any TCP services on the prefix-list. Yet UDP traffic was working well.

Port 80: not responding

Port 5900: not responding

SSH: not responding

Seems like TCP was being blocked for some reason...

Has anyone else had the same problem? Am I doing something wrong?

Let me know.

Thanks champs
Recognized Expert
JunOS_Fan

Re: packet mode and flow mode

Hi,

If possible, could you please provide the flow trace output for the problematic traffic; that would help in speedy resolution.

set security flow traceoptions file testing
set security flow traceoptions flag all
set security flow traceoptions packet-filter 1 source-prefix x.x.x.x destination-prefix y.y.y.y protocol tcp
set security flow traceoptions packet-filter 2 source-prefix y.y.y.y destination-prefix x.x.x.x protocol tcp

(Use flag all, not basic-datapath.)

Initiate one TCP flow and provide the output of "show log testing | no-more".

 

Best regards
Pradeep (JNCIP-SEC,ENT,SP)
www.networker.co.in
Contributor
Scotty_SA

Re: packet mode and flow mode

Hi Pradeep

I will as soon as I get a change window.

Do you think it might be because the interfaces are assigned to zones?

As soon as we get another change window, I'll set up the trace and post the output.

Currently the firewall is in full packet-mode:

set security forwarding-options family mpls mode packet-based

Recognized Expert
JunOS_Fan

Re: packet mode and flow mode

Hi,

I think, as you have applied the same filter on ge-0/0/0 and ge-0/0/3, for TCP connections initiated from the Internet the first packet (SYN) will match the firewall filter applied on ge-0/0/0 and be processed in packet mode, i.e. bypass the flow module. The reply (SYN+ACK) from the server in the DMZ will come in on the ge-0/0/3 interface and does NOT match the firewall filter's main term (because for this packet the destination is NOT the MIA prefix list); it matches term 2 and will be processed by the flow module. During this flow processing (first-path processing) it might be dropped by the SRX, as the first packet is not a SYN.

So removing the filter on ge-0/0/3 might help, or apply a different filter with correct match conditions.

Best regards
Pradeep (JNCIP-SEC,ENT,SP)
www.networker.co.in
Contributor
Scotty_SA

Re: packet mode and flow mode

Hi There

Correct. I should have shown my latest config, sorry.

I realised that too, so I then created a reverse filter for source (prefix-list) and destination 0/0 and bound it to ge-0/0/3.

Same problem: TCP traffic would not pass through.

I'll set up a trace when we get a change window.

Thanks for the help so far.

Recognized Expert
JunOS_Fan

Re: packet mode and flow mode

Hi,

Just one more thing: how did you apply the firewall filters on these interfaces? In both input and output directions (as shown in your current config), or only in the input direction?

If we apply the same filter in both directions (input, output) on the same interface, I think that will create an issue again.

You may try applying the two filters configured on the respective interfaces only in the input direction.

Best regards
Pradeep (JNCIP-SEC,ENT,SP)
www.networker.co.in
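The arrangement Pradeep describes, written out as Junos set-style configuration. This is an added example, not the configuration attached to the original post: the prefix-list name PUBLIC-SERVERS, the 203.0.113.0/28 range, the filter and counter names, and the interface roles (ge-0/0/0 towards the Internet, ge-0/0/3 towards the servers) are all assumptions. Each direction gets its own filter, matched on the side of the connection that actually enters that interface, and each filter is applied as an input filter only.

```junos
# Assumed names and addresses; adjust to the real prefix-list and interfaces.
set policy-options prefix-list PUBLIC-SERVERS 203.0.113.0/28

# Entering from the Internet on ge-0/0/0: packets TO the public servers
# (the client's SYN, data, ACKs) are handed to packet mode.
set firewall family inet filter PM-IN-UNTRUST term to-servers from destination-prefix-list PUBLIC-SERVERS
set firewall family inet filter PM-IN-UNTRUST term to-servers then count pm-untrust-hits
set firewall family inet filter PM-IN-UNTRUST term to-servers then packet-mode
set firewall family inet filter PM-IN-UNTRUST term to-servers then accept
# Everything else must be accepted explicitly so it still reaches the flow
# module; a filter ends in an implicit discard.
set firewall family inet filter PM-IN-UNTRUST term flow-rest then accept

# Entering from the server side on ge-0/0/3: the reverse direction, so match
# on SOURCE (the server's SYN+ACK and replies), not destination.
set firewall family inet filter PM-IN-DMZ term from-servers from source-prefix-list PUBLIC-SERVERS
set firewall family inet filter PM-IN-DMZ term from-servers then count pm-dmz-hits
set firewall family inet filter PM-IN-DMZ term from-servers then packet-mode
set firewall family inet filter PM-IN-DMZ term from-servers then accept
set firewall family inet filter PM-IN-DMZ term flow-rest then accept

# Input direction only, one filter per interface. No output filters: the same
# filter applied on output would classify the reply direction differently.
set interfaces ge-0/0/0 unit 0 family inet filter input PM-IN-UNTRUST
set interfaces ge-0/0/3 unit 0 family inet filter input PM-IN-DMZ
```

After a commit, "show firewall" lists the two counters, so you can confirm that a TCP handshake increments pm-untrust-hits for the SYN and pm-dmz-hits for the SYN+ACK; if one side only hits the flow-rest term, the two directions are being classified asymmetrically, which is exactly the failure described in this thread. Two caveats worth keeping in mind: the family mpls mode packet-based statement quoted earlier in the thread governs MPLS family traffic only, so IPv4 on this box still goes through the flow module unless a filter term sends it to packet mode; and anything that matches a packet-mode term bypasses sessions, security policies, screens and NAT altogether, so narrow the from clause (protocol, destination ports) to the services the servers are meant to expose rather than matching the whole prefix-list.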
Contributor
Scotty_SA

Re: packet mode and flow mode

Hi There

I have moved to the new config and all seems to be working fine. I now have an input filter on ge-0/0/0 and an input filter on ge-0/0/3.

We have tested and now TCP works. Everything works.

AWESOME

Thanks for your help

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.