SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

publish web server through juniper srx

  • 1.  publish web server through juniper srx

    Posted 09-22-2012 08:29

    Hi everyone,

    I have a problem publishing rules through TMG and then the Juniper SRX 240 to internet users.

    I created a publishing rule on TMG to the web server and it works perfectly,

    but when I connect the Juniper to the external NIC of TMG, with the default gateway being the Juniper itself,

    the publishing cannot work.

    I created a destination NAT to translate between the public IP of the web site and the external NIC of the TMG server to accept the request and redirect it to the web server,

    then created a proxy ARP that links the public IP and the interface of the Juniper.


    Of course, the policies are as follows:

    1- from trust to trust: allow

    2- from trust to untrust: allow

    3- from untrust to trust: application junos-http allow, otherwise deny

    Final note: I previously created a firewall filter (FBF) and applied it on the vlan.0 interface to load share between multiple ISPs based on source IP, and it works OK.

    Please help me with publishing the rule, because everything is OK and the destination NAT receives hits, but I do not know where the drop is.

    thanks



  • 2.  RE: publish web server through juniper srx

    Posted 09-23-2012 02:40

    Hi


    Can you post your config?


    Part of the complication may be down to the multiple links.  Set this up for just one WAN link.  Otherwise you may be having an issue between traffic coming in from one interface but return traffic going via another.




  • 3.  RE: publish web server through juniper srx

    Posted 09-29-2012 00:42

    Hello,

    Sorry for the late reply.

    I attached my config. I hope you can troubleshoot the problem with me.

    thanks



  • 4.  RE: publish web server through juniper srx
    Best Answer

    Posted 09-29-2012 00:52
    Without reading the whole config, I can see one major problem.

    On the untrust security zone, remove the system services http. The SRX will be trying to respond instead of allowing any NAT/policy rule to work.

    You also need to be more explicit on the source NAT rule: specify the internal network and external IP address, not just the interface.


  • 5.  RE: publish web server through juniper srx

    Posted 09-29-2012 02:11

    Thanks sir, when I removed host inbound traffic from the untrust zone, the published website worked OK.

    I will publish another RDP and SQL server and ISA, and will ask you if there is any problem.

    thanks again



  • 6.  RE: publish web server through juniper srx

    Posted 10-02-2012 01:51

    Hello sir,

    The web server, RDP and SQL publishing rules worked OK for 2 days, then they stopped working although translation hits increase continuously.

    All I did after the web server rule worked was add another 2 rules in the same rule-set, one for publishing RDP and the other for SQL,

    and in the policy from untrust to trust I added the RDP and SQL applications.

    It was working but now it does not; I do not know the reason.

    I appreciate your reply




  • 7.  RE: publish web server through juniper srx

    Posted 10-02-2012 02:03

    Please post your updated config.



  • 8.  RE: publish web server through juniper srx

    Posted 10-02-2012 04:37

    I attached my updated config.

    thanks



  • 9.  RE: publish web server through juniper srx

    Posted 10-02-2012 04:43

    Under the destination NAT rule, add the protocol for the traffic.

    E.g.:

        match {
            destination-address xxx.xxx.xxx.xx7/32;
            destination-port 443;
            protocol tcp;
        }


    Also on the policy:

        from-zone untrust to-zone trust {
            policy HTTP {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-https junos-http RDP1 SQL RDP ];
                }
                then {
                    permit {
                        destination-address {
                            drop-untranslated;
                        }
                    }
                }
            }
        }

    Create separate rules for the applications, not just under one policy. Group RDP together, and separate the others out. You can remove the junos-https as you have not set up a matching NAT rule.
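Pulling the advice in posts 4 and 9 together, here is an added illustrative configuration (not the poster's attached config and not from the replies above): the untrust zone without http in host-inbound-traffic, proxy ARP for the public address, a destination NAT rule with the protocol match, and a single-application policy. The interface ge-0/0/0.0, the public address 203.0.113.7 and the internal TMG address 192.168.1.10 are assumed placeholders, and `protocol tcp` in the NAT match needs a Junos release that offers it.

```junos
security {
    zones {
        security-zone untrust {
            /* No http/https here: the SRX would answer port 80 itself,
               before the destination NAT rule and policy are consulted. */
            host-inbound-traffic {
                system-services { ping; }
            }
            interfaces { ge-0/0/0.0; }
        }
    }
    nat {
        /* Answer ARP for the published public address on the untrust interface. */
        proxy-arp {
            interface ge-0/0/0.0 {
                address { 203.0.113.7/32; }
            }
        }
        destination {
            /* Placeholder internal address of the TMG external NIC. */
            pool tmg-http {
                address 192.168.1.10/32 port 80;
            }
            rule-set publish {
                from zone untrust;
                rule web {
                    match {
                        destination-address 203.0.113.7/32;
                        destination-port 80;
                        protocol tcp;
                    }
                    then { destination-nat pool tmg-http; }
                }
            }
        }
    }
    policies {
        from-zone untrust to-zone trust {
            /* One policy per published service. Policy lookup runs after
               destination NAT, so a specific destination-address here would
               be the internal host, not the public IP. */
            policy publish-http {
                match {
                    source-address any;
                    destination-address any;
                    application junos-http;
                }
                then { permit; }
            }
        }
    }
}
```

After committing, `show security nat destination rule all` confirms the rule is receiving translation hits, and `show security flow session destination-port 80` shows whether sessions are actually being built towards the internal host.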



  • 10.  RE: publish web server through juniper srx

    Posted 10-02-2012 07:33

    These rules sometimes work for me and then close after that.

    It worked before removing host inbound traffic, but suddenly it stopped,

    then returned to working after removing host inbound traffic.

    Now it has stopped again; I do not know the issue.

    I did not find a protocol to choose in destination NAT, only destination address and port in this version.

    Also, I created separate policies for web, SQL and RDP and removed HTTPS, but no luck.




  • 11.  RE: publish web server through juniper srx

    Posted 10-03-2012 00:57

    Hello,

    I feel that the FBF (filter) that I applied on vlan.0 blocks the traffic somehow, or it is because I use multiple ISP modems.

    What is your opinion?



  • 12.  RE: publish web server through juniper srx

    Posted 10-03-2012 01:04

    I don't use virtual routing instances, so I cannot offer advice.

    However, I would suggest that you upgrade your Junos version to 10.4R11.4 or 1.xx1 or even 12.xx



  • 13.  RE: publish web server through juniper srx

    Posted 10-03-2012 03:06

    I do not use a virtual routing instance; it is a forwarding instance type.

    Also, thanks for your effort.