Routing

J2320 - V12.4 BGP And Firewall Setup

08-30-2017 07:26 AM

Hi,

I'm trying to get a J2320 to connect via BGP to our branch sites but I'm having issues. I cannot get it to connect to our remote peer. I was using V8 before, which did not have a stateful firewall; does this also need configuring?

Regards,

12 REPLIES
Re: J2320 - V12.4 BGP And Firewall Setup
08-30-2017 05:05 PM

I am not quite sure what your configuration need is here, so sorry if this is the wrong direction.

You can use the J2320 in either packet mode as a plain router or flow mode that would be a firewall. If it is in flow mode, then yes, you would need to configure security policies to allow the BGP session through.

Do you need a firewall or just want a router for this site?

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home
Re: J2320 - V12.4 BGP And Firewall Setup
08-31-2017 12:58 AM

Hi,

Sure, it is a main router here that all our branch sites connect to through an MPLS. Currently the J2320 is in packet mode and all branches route to us; we then host services that the branches rely on. I'd like to use flow mode and beef up security by creating policies that only permit certain ports from our branches and back to them. I have set up basic peering but that would not connect at all. Do the security policies have any influence on the BGP peer itself connecting to the external interface? I did allow all in both directions across all interfaces but it still wouldn't connect.

Cheers,

Re: J2320 - V12.4 BGP And Firewall Setup
08-31-2017 02:52 AM

Thanks for the explanation.

Security policies are needed for all traffic that passes THROUGH the SRX, that is, between pairs of devices outside the SRX.

Interfaces belong to zones. Traffic is classified by the ingress and egress interface of the initiator of the traffic, so the policy is written as a security policy from-zone X to-zone Y with all the desired specifications. These only need to be in the direction of the initiator; return traffic for this is permitted by the flow engine.

For self traffic, traffic that starts or ends on the SRX itself (like the BGP peer), we first must enable the protocol on the zone. The interface that the traffic is destined for belongs to a zone; under security zones security-zone NAME host-inbound-traffic we must allow the type of traffic (bgp in this case). This will allow that traffic from any host. If you want to further restrict that traffic, you then also create a security policy from-zone X to-zone junos-host with all the desired restrictions.

This document has the details:

Inbound traffic in chapter 3
Security policies in chapter 6

https://www.juniper.net/documentation/en_US/junos/information-products/pathway-pages/security/securi...

Steve Puluka BSEET
Re: J2320 - V12.4 BGP And Firewall Setup
08-31-2017 04:59 AM

Hi,

OK, that's great. I will get this configuration set up, hopefully it will work. I believe I have the BGP working now; on v12 of the firmware it added a confederate AS, I've removed all that and added the regular BGP configuration.

Will confirm ASAP.

Re: J2320 - V12.4 BGP And Firewall Setup
09-05-2017 06:34 AM

Hi,

OK, so BGP has come up and I'm seeing active routes in the table, but I cannot get any traffic to pass through the router itself, e.g. ping or see any devices at either end. I have at the moment set all zones to all, with all services set to allow, apart from the default global which is set to deny.

Config:

## Last commit: 2017-09-05 13:23:52 UTC by root
version 12.1X44-D40.2;
system {
host-name DC-MPLS-01;
root-authentication {
encrypted-password 
}
name-server {
192.168.50.80;
192.168.50.81;
192.168.50.89;
}
login {
user administrator {
uid 2000;
class super-user;
authentication {
encrypted-password 
}
}
}
services {
ssh;
telnet;
web-management {
http;
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
description "LAN HQ";
family inet {
address 192.168.50.4/22;
}
}
}
ge-0/0/2 {
description "WAN MPLS";
unit 0 {
family inet {
address 172.0.0.6/30;
}
}
}
ge-0/0/3 {
description "UNUSED LAN";
unit 0 {
family inet {
address 10.1.1.1/24;
}
}
}
lo0 {
unit 0 {
family inet {
address 172.0.0.6/32;
}
}
}
}
snmp {
community public {
authorization read-only;
}
}
routing-options {
static {
route 172.0.0.0/30 next-hop 172.0.0.5;
}
router-id 172.0.0.6;
autonomous-system 65000;
}
protocols {
bgp {
group MPLS {
type external;
description "BT MPLS PEER";
export export-LAN;
peer-as 2856;
neighbor 172.0.0.5 {
local-address 172.0.0.6;
hold-time 90;
}
}
}
}
policy-options {
policy-statement export-LAN {
from {
protocol [ direct local ];
interface ge-0/0/0.0;
}
then accept;
}
policy-statement jweb-policy-default-route {
from {
route-filter 0.0.0.0/0 exact;
}
then accept;
}
policy-statement jweb-policy-direct {
from {
protocol direct;
interface ge-0/0/2.0;
}
then accept;
}
policy-statement jweb-policy-rip {
from protocol rip;
then accept;
}
}
security {
address-book {
Test {
description test;
address 1.1.1.1 {
description test;
1.1.1.1/32;
}
attach {
zone UnTrust;
}
}
}
policies {
from-zone Trust to-zone UnTrust {
policy Trust-Untrust {
description Trust-Untrust;
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
count;
}
}
}
from-zone UnTrust to-zone Trust {
policy Untrust-Trust {
description Untrust-Trust;
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
count;
}
}
}
default-policy {
deny-all;
}
}
zones {
security-zone Trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
lo0.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
security-zone UnTrust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/2.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
}
}

 

Cheers,

Re: J2320 - V12.4 BGP And Firewall Setup
09-06-2017 03:13 AM

The two things to check then are to confirm that sessions are being accepted and created for your traffic. Set up the ping and then use:

show security flow session source-prefix 1.1.1.1 destination-prefix 2.2.2.2

This should show the accepted sessions with NAT and packet counts. If there are no sessions you will need to enable trace options to find out why.

The second thing to confirm is that the remote side has the return route for the traffic and that they have policies to accept the traffic as well.

Steve Puluka BSEET
Re: J2320 - V12.4 BGP And Firewall Setup
09-07-2017 07:56 AM

Hi,

Still not having much luck. I have set up a pair of J2320s running V12 firmware, configured BGP between them (to simulate the MPLS provider's end) and I can see those routes replicating between the routers. On the head office end I can see and connect to all devices on the remote end, but not the other way round, e.g. communicating with the head office end from the remote network. When running a trace I get as far as the external interface on the head office end's router but no further. Machines in the head office end have a static route pointing back at the branch router.

Sorry it's quite vague, let me know if you need any other info.

Cheers,

Re: J2320 - V12.4 BGP And Firewall Setup
09-08-2017 02:35 AM

Security policies that permit the traffic are needed in the direction of the initiator (from-zone) of the traffic to the destination (to-zone):

set security policies from-zone NAME to-zone NAME

Both SRX need to have a policy that permits the traffic.

So in your case one of the two SRX does not have a policy from the hub zone to the spoke zone for the traffic to be permitted. You confirm the existence of the sessions with the show security flow command.

If the session is not being created you can use trace options to get the details on why.

https://kb.juniper.net/InfoCenter/index?page=content&id=kb16110

Steve Puluka BSEET
Re: J2320 - V12.4 BGP And Firewall Setup
09-14-2017 12:51 AM

Hi,

I updated the configuration and all branches are connecting. The issue I have left is that 1-2 people can connect at a branch but any additional ones will be blocked. I had policy-rematch enabled; would that potentially stop any additional sessions or would that only remove flows upon a commit?

Regards,

Re: J2320 - V12.4 BGP And Firewall Setup
09-15-2017 04:12 AM

No, session rematch just compares all your existing sessions against the new policies you are committing. If there is a match they stay, and if they are now being denied they are closed.

To figure out why the sessions are blocked you will need to first verify that the session is not created using

show security flow session

as noted above. If the session does exist then the issue will be with return path routing or the policies on the other J-series firewall.

If there is no session, use the trace options above to get the reason the session is being denied.

Steve Puluka BSEET
Re: J2320 - V12.4 BGP And Firewall Setup
09-25-2017 12:50 PM

Hi,

Still no joy; it appears that source IPs are being ignored and the global deny policy then denies those connections coming in. What is odd is that we can see two to three devices connect fine from each remote site, but any additional devices are then denied.

Config as follows:

## Last commit: 2017-09-25 19:52:15 BST by root
version 12.1X44-D40.2;
system {
host-name DC-MPLS-01;
time-zone Europe/London;
root-authentication {
encrypted-password 
}
name-server {
192.168.50.80;
192.168.50.81;
192.168.50.89;
}
login {
user administrator {
uid 2000;
class super-user;
authentication {
encrypted-password 
}
}
}
services {
ssh;
telnet;
web-management {
http;
}
}
syslog {
file policy_session {
user info;
match RT_FLOW;
archive size 1000k world-readable;
structured-data;
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
description "LAN HQ";
family inet {
address 192.168.50.4/22;
}
}
}
ge-0/0/2 {
description "WAN MPLS";
unit 0 {
family inet {
address 172.0.0.6/30;
}
}
}
ge-0/0/3 {
description "SWITCHING LAN";
unit 0 {
family inet {
address 10.1.1.1/24;
}
}
}
lo0 {
unit 0 {
family inet {
address 172.0.0.6/32;
}
}
}
}
snmp {
name "MPLS DC";
description "MPLS DC";
location DC;
client-list client {
192.168.48.0/22;
}
community public {
authorization read-only;
client-list-name client;
}
trap-group "MPLS Traps" {
destination-port 155;
targets {
192.168.50.127;
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 192.168.50.4;
route 172.0.2.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.4.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.6.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.8.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.10.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.12.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.14.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.16.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.18.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.20.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.22.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.24.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.26.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.28.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.32.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.34.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.36.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.38.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.40.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.42.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.44.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.46.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.48.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.50.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.52.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.54.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.56.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.58.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.60.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.64.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.68.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.70.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.72.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.76.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.78.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.80.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.84.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.86.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.88.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.90.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.92.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.94.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.104.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.108.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.112.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.114.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.116.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.118.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.120.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.122.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.124.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.126.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.128.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.130.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.132.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.134.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.138.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.140.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.142.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.144.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.146.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.148.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.150.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.152.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.154.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.156.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.158.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.160.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.162.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.164.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.166.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.168.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.170.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.172.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.222.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.224.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.226.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.228.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.230.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.234.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.236.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.238.0/23 {
next-hop 192.168.50.250;
preference 250;
}
route 212.67.106.242/32 {
next-hop 192.168.50.250;
preference 250;
}
route 213.216.142.231/32 {
next-hop 192.168.50.250;
preference 250;
}
route 172.0.106.0/23 {
next-hop 192.168.50.250;
preference 10;
}
}
router-id 172.0.0.6;
autonomous-system 65000;
}
protocols {
bgp {
group TRVG {
type external;
description "BT MPLS PEER";
export export-LAN;
peer-as 2856;
neighbor 172.0.0.5 {
local-address 172.0.0.6;
hold-time 90;
}
}
}
}
policy-options {
policy-statement export-LAN {
from {
protocol [ direct local ];
interface ge-0/0/0.0;
}
then accept;
}
policy-statement jweb-policy-default-route {
from {
route-filter 0.0.0.0/0 exact;
}
then accept;
}
policy-statement jweb-policy-direct {
from {
protocol direct;
interface ge-0/0/2.0;
}
then accept;
}
policy-statement jweb-policy-rip {
from protocol rip;
then accept;
}
}
security {
address-book {
TRUSTED-HOSTS {
description TRUSTED-HOSTS;
address CTX-APP01 {
description CTX-APP01;
192.168.50.131/32;
}
address CTX-APP02 {
description CTX-APP02;
192.168.50.132/32;
}
address CTX-APP03 {
description CTX-APP03;
192.168.50.133/32;
}
address CTX-APP04 {
description CTX-APP04;
192.168.50.134/32;
}
address MGMT1 {
description MGMT1;
192.168.50.226/32;
}
address STOREFRONT {
description STOREFRONT;
192.168.50.127/32;
}
address PRINT1 {
description PRINT1;
192.168.50.134/32;
}
address DC1 {
description DC1;
192.168.50.80/32;
}
address DC2 {
description DC2;
192.168.50.81/32;
}
address DC4 {
description DC4;
192.168.50.89/32;
}
address CTX-APP05 {
description CTX-APP05;
192.168.50.135/32;
}
address CTX-APP06 {
description CTX-APP06;
192.168.50.136/32;
}
address CTX-APP07 {
description CTX-APP07;
192.168.50.140/32;
}
address CTX-APP08 {
description CTX-APP08;
192.168.50.141/32;
}
address CTX-APP09 {
description CTX-APP09;
192.168.50.142/32;
}
address CTX-APP10 {
description CTX-APP10;
192.168.50.137/32;
}
address CTX-APP11 {
description CTX-APP11;
192.168.50.138/32;
}
address CTX-APP12 {
description CTX-APP12;
192.168.50.139/32;
}
address CTX-APP14 {
description CTX-APP14;
192.168.50.143/32;
}
address CTX-APP15 {
description CTX-APP15;
192.168.50.144/32;
}
address-set TRUSTED-HOSTS {
description TRUSTED-HOSTS;
address CTX-APP01;
address CTX-APP02;
address CTX-APP03;
address CTX-APP04;
address MGMT1;
address STOREFRONT;
address PRINT1;
address DC1;
address DC2;
address DC4;
address CTX-APP05;
address CTX-APP06;
address CTX-APP07;
address CTX-APP08;
address CTX-APP09;
address CTX-APP10;
address CTX-APP11;
address CTX-APP12;
address CTX-APP14;
address CTX-APP15;
}
attach {
zone Trust;
}
}
UNTRUSTED-HOSTS {
description UNTRUSTED-HOSTS;
address TEST-SITE {
description TEST-SITE;
wildcard-address 172.0.166.0/23;
}
address TEST-SITE-LOOPBACK {
description TEST-SITE-LOOPBACK;
wildcard-address 172.200.166.0/24;
}
address ANCORA {
description ANCORA;
wildcard-address 172.0.156.0/23;
}
address BARR {
description BARR;
wildcard-address 172.0.88.0/23;
}
address BELFAST {
description BELFAST;
wildcard-address 172.0.140.0/23;
}
address BELLSHILL {
description BELLSHILL;
wildcard-address 172.0.142.0/23;
}
address BONESS {
description BONESS;
wildcard-address 172.0.38.0/23;
}
address BRADFORD {
description BRADFORD;
wildcard-address 172.0.228.0/23;
}
address CAMBRIDGE {
description CAMBRIDGE;
wildcard-address 172.0.72.0/23;
}
address DOWNPATRICK {
description DOWNPATRICK;
wildcard-address 172.0.18.0/23;
}
address GALAXY {
description GALAXY;
wildcard-address 172.0.50.0/23;
}
address GLASGOW {
description GLASGOW;
wildcard-address 172.0.48.0/23;
}
address GOTPEOPLE {
description GOTPEOPLE;
wildcard-address 172.0.118.0/23;
}
address HASTINGS {
description HASTINGS;
wildcard-address 172.0.152.0/23;
}
address HUDDERSFIELD {
description HUDDERSFIELD;
wildcard-address 172.0.36.0/23;
}
address HULL {
description HULL;
wildcard-address 172.0.106.0/23;
}
address INSIDERIGHT {
description INSIDERIGHT;
wildcard-address 172.0.146.0/23;
}
address IPSWICH {
description IPSWICH;
wildcard-address 172.0.10.0/23;
}
address KERRYFOODS {
description KERRYFOODS;
wildcard-address 172.0.68.0/23;
}
address KINGSLYNN {
description KINGSLYNN;
wildcard-address 172.0.8.0/23;
}
address LIGA {
description LIGA;
wildcard-address 172.0.138.0/23;
}
address LYONS {
description LYONS;
wildcard-address 172.0.168.0/23;
}
address MAK {
description MAK;
wildcard-address 172.0.86.0/23;
}
address MASSINGHAM {
description MASSINGHAM;
wildcard-address 172.0.90.0/23;
}
address MILTONKEYNES {
description MILTONKEYNES;
wildcard-address 172.0.116.0/23;
}
address NORWICH-NR13QL {
description NORWICH-NR13QL;
wildcard-address 172.0.160.0/23;
}
address NORWICH-NR31AZ {
description NORWICH-NR31AZ;
wildcard-address 172.0.154.0/23;
}
address PEBBLE {
description PEBBLE;
wildcard-address 172.0.26.0/23;
}
address PETERBOROUGH {
description PETERBOROUGH;
wildcard-address 172.0.20.0/23;
}
address READING {
description READING;
wildcard-address 172.0.24.0/23;
}
address RESOLVE {
description RESOLVE;
wildcard-address 172.0.120.0/23;
}
address SENIORSALMON {
description SENIORSALMON;
wildcard-address 172.0.66.0/23;
}
address SOUTHEND {
description SOUTHEND;
wildcard-address 172.0.12.0/23;
}
address STEVENAGE {
description STEVENAGE;
wildcard-address 172.0.16.0/23;
}
address TEACHERHUB-BRISTOL {
description TEACHERHUB-BRISTOL;
wildcard-address 172.0.162.0/23;
}
address TEACHERHUB-WATFORD {
description TEACHERHUB-WATFORD;
wildcard-address 172.0.164.0/23;
}
address TENNIAL {
description TENNIAL;
wildcard-address 172.0.124.0/23;
}
address THORNE {
description THORNE;
wildcard-address 172.0.150.0/23;
}
address TOMLIN {
description TOMLIN;
wildcard-address 172.0.134.0/23;
}
address TOPTEAM {
description TOPTEAM;
wildcard-address 172.0.114.0/23;
}
address TOTTENHAM {
description TOTTENHAM;
wildcard-address 172.0.64.0/23;
}
address UNIVERSAL {
description UNIVERSAL;
wildcard-address 172.0.94.0/23;
}
address VANTA {
description VANTA;
wildcard-address 172.0.170.0/23;
}
address WAKEFIELD {
description WAKEFIELD;
wildcard-address 172.0.70.0/23;
}
address WARRINGTON {
description WARRINGTON;
wildcard-address 172.0.126.0/23;
}
address WHURK {
description WHURK;
wildcard-address 172.0.148.0/23;
}
address WORCESTER {
description WORCESTER;
wildcard-address 172.0.234.0/23;
}
address WORTHING {
description WORTHING;
wildcard-address 172.0.142.0/23;
}
address BELFAST-LOOPBACK {
description BELFAST-LOOPBACK;
wildcard-address 172.200.140.0/23;
}
address BELLSHILL-LOOPBACK {
description BELLSHILL-LOOPBACK;
wildcard-address 172.200.142.0/23;
}
address BONESS-LOOPBACK {
description BONESS-LOOPBACK;
wildcard-address 172.200.38.0/23;
}
address BRADFORD-LOOPBACK {
description BRADFORD-LOOPBACK;
wildcard-address 172.200.228.0/23;
}
address CAMBRIDGE-LOOPBACK {
description CAMBRIDGE-LOOPBACK;
wildcard-address 172.200.72.0/23;
}
address DOWNPATRICK-LOOPBACK {
description DOWNPATRICK-LOOPBACK;
wildcard-address 172.200.18.0/23;
}
address GALAXY-LOOPBACK {
description GALAXY-LOOPBACK;
wildcard-address 172.200.50.0/23;
}
address GLASGOW-LOOPBACK {
description GLASGOW-LOOPBACK;
wildcard-address 172.200.48.0/23;
}
address GOTPEOPLE-LOOPBACK {
description GOTPEOPLE-LOOPBACK;
wildcard-address 172.200.118.0/23;
}
address HASTINGS-LOOPBACK {
description HASTINGS-LOOPBACK;
wildcard-address 172.200.152.0/23;
}
address HUDDERSFIELD-LOOPBACK {
description HUDDERSFIELD-LOOPBACK;
wildcard-address 172.200.36.0/23;
}
address HULL-LOOPBACK {
description HULL-LOOPBACK;
wildcard-address 172.200.106.0/23;
}
address INSIDERIGHT-LOOPBACK {
description INSIDERIGHT-LOOPBACK;
wildcard-address 172.200.146.0/23;
}
address IPSWICH-LOOPBACK {
description IPSWICH-LOOPBACK;
wildcard-address 172.200.10.0/23;
}
address KERRYFOODS-LOOPBACK {
description KERRYFOODS-LOOPBACK;
wildcard-address 172.200.68.0/23;
}
address KINGSLYNN-LOOPBACK {
description KINGSLYNN-LOOPBACK;
wildcard-address 172.200.8.0/23;
}
address LIGA-LOOPBACK {
description LIGA-LOOPBACK;
wildcard-address 172.200.138.0/23;
}
address LYONS-LOOPBACK {
description LYONS-LOOPBACK;
wildcard-address 172.200.168.0/23;
}
address MAK-LOOPBACK {
description MAK-LOOPBACK;
wildcard-address 172.200.86.0/23;
}
address MASSINGHAM-LOOPBACK {
description MASSINGHAM-LOOPBACK;
wildcard-address 172.200.90.0/23;
}
address MILTONKEYNES-LOOPBACK {
description MILTONKEYNES-LOOPBACK;
wildcard-address 172.200.116.0/23;
}
address NORWICH-NR13QL-LOOPBACK {
description NORWICH-NR13QL-LOOPBACK;
wildcard-address 172.200.160.0/23;
}
address NORWICH-NR31AZ-LOOPBACK {
description NORWICH-NR31AZ-LOOPBACK;
wildcard-address 172.200.154.0/23;
}
address PEBBLE-LOOPBACK {
description PEBBLE-LOOPBACK;
wildcard-address 172.200.26.0/23;
}
address PETERBOROUGH-LOOPBACK {
description PETERBOROUGH-LOOPBACK;
wildcard-address 172.200.20.0/23;
}
address READING-LOOPBACK {
description READING-LOOPBACK;
wildcard-address 172.200.24.0/23;
}
address RESOLVE-LOOPBACK {
description RESOLVE-LOOPBACK;
wildcard-address 172.200.120.0/23;
}
address SENIORSALMON-LOOPBACK {
description SENIORSALMON-LOOPBACK;
wildcard-address 172.200.66.0/23;
}
address SOUTHEND-LOOPBACK {
description SOUTHEND-LOOPBACK;
wildcard-address 172.200.12.0/23;
}
address STEVENAGE-LOOPBACK {
description STEVENAGE-LOOPBACK;
wildcard-address 172.200.16.0/23;
}
address TEACHERHUB-BRISTOL-LOOPBACK {
description TEACHERHUB-BRISTOL-LOOPBACK;
wildcard-address 172.200.162.0/23;
}
address TEACHERHUB-WATFORD-LOOPBACK {
description TEACHERHUB-WATFORD-LOOPBACK;
wildcard-address 172.200.164.0/23;
}
address TENNIAL-LOOPBACK {
description TENNIAL-LOOPBACK;
wildcard-address 172.200.124.0/23;
}
address THORNE-LOOPBACK {
description THORNE-LOOPBACK;
wildcard-address 172.200.150.0/23;
}
address TOMLIN-LOOPBACK {
description TOMLIN-LOOPBACK;
wildcard-address 172.200.134.0/23;
}
address TOPTEAM-LOOPBACK {
description TOPTEAM-LOOPBACK;
wildcard-address 172.200.114.0/23;
}
address TOTTENHAM-LOOPBACK {
description TOTTENHAM-LOOPBACK;
wildcard-address 172.200.64.0/23;
}
address UNIVERSAL-LOOPBACK {
description UNIVERSAL-LOOPBACK;
wildcard-address 172.200.94.0/23;
}
address VANTA-LOOPBACK {
description VANTA-LOOPBACK;
wildcard-address 172.200.170.0/23;
}
address WAKEFIELD-LOOPBACK {
description WAKEFIELD-LOOPBACK;
wildcard-address 172.200.70.0/23;
}
address WARRINGTON-LOOPBACK {
description WARRINGTON-LOOPBACK;
wildcard-address 172.200.126.0/23;
}
address WHURK-LOOPBACK {
description WHURK-LOOPBACK;
wildcard-address 172.200.148.0/23;
}
address WORCESTER-LOOPBACK {
description WORCESTER-LOOPBACK;
wildcard-address 172.200.234.0/23;
}
address WORTHING-LOOPBACK {
description WORTHING-LOOPBACK;
wildcard-address 172.200.142.0/23;
}
address-set DEREHAM-LAB {
description DEREHAM-LAB;
address TEST-SITE;
address TEST-SITE-LOOPBACK;
}
attach {
zone UnTrust;
}
}
}
policies {
from-zone Trust to-zone UnTrust {
policy Trust-Untrust {
description Trust-Untrust;
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-init;
session-close;
}
count;
}
}
}
from-zone UnTrust to-zone Trust {
policy UNTRUST-TRUST-BRANCHES {
description UNTRUST-TRUST-BRANCHES;
match {
source-address any;
destination-address TRUSTED-HOSTS;
application BRANCH-PORTS;
}
then {
permit;
log {
session-init;
session-close;
}
count;
}
}
}
global {
policy default-deny {
match {
source-address any;
destination-address any;
application any;
}
then {
deny;
log {
session-init;
session-close;
}
}
}
}
default-policy {
deny-all;
}
}
zones {
security-zone Trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
lo0.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
security-zone UnTrust {
host-inbound-traffic {
protocols {
bgp;
}
}
interfaces {
ge-0/0/2.0 {
host-inbound-traffic {
protocols {
bgp;
}
}
}
}
}
}
}
applications {
application VNC {
protocol tcp;
destination-port 5900;
description VNC;
}
application Terminal_Citrix_1494 {
protocol tcp;
destination-port 1494;
description Terminal_Citrix_1494;
}
application Terminal_Citrix_1604 {
protocol tcp;
destination-port 1604;
description Terminal_Citrix_1604;
}
application Terminal_Citrix_2598 {
protocol tcp;
destination-port 2598;
description Terminal_Citrix_2598;
}
application Terminal_Citrix_2512 {
protocol tcp;
destination-port 2512;
description Terminal_Citrix_2512;
}
application Terminal_Citrix_2513 {
protocol tcp;
destination-port 2513;
description Terminal_Citrix_2513;
}
application Terminal_Management_30001-30005 {
protocol tcp;
destination-port 30001-30005;
description Terminal_Management_30001-30005;
}
application Terminal_Management_9080 {
protocol tcp;
destination-port 9080;
description Terminal_Management_9080;
}
application Terminal_Management_33751 {
protocol tcp;
destination-port 33751;
description Terminal_Management_33751;
}
application Terminal_Management_39107 {
protocol tcp;
destination-port 39107;
description Terminal_Management_39107;
}
application Terminal_Management_44383 {
protocol tcp;
destination-port 44383;
description Terminal_Management_44383;
}
application Terminal_Management_30001-30005-UDP {
protocol udp;
destination-port 30001-30005;
description Terminal_Management_30001-30005-UDP;
}
application Zyxel-HTTPS {
protocol tcp;
destination-port 444;
description Zyxel-HTTPS;
}
application-set BRANCH-PORTS {
description BRANCH-PORTS;
application Terminal_Citrix_1494;
application Terminal_Citrix_1604;
application Terminal_Citrix_2598;
application Terminal_Citrix_2512;
application Terminal_Citrix_2513;
application Terminal_Management_30001-30005;
application Terminal_Management_9080;
application Terminal_Management_33751;
application Terminal_Management_39107;
application Terminal_Management_44383;
application Terminal_Management_30001-30005-UDP;
application Zyxel-HTTPS;
application junos-smtp;
application junos-dns-udp;
application junos-dns-tcp;
application junos-http;
application junos-https;
}
}
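Steve's explanation earlier in the thread (zone-pair policy in the initiator's direction, host-inbound-traffic for traffic that terminates on the SRX, then the global policy and finally default-policy) can be checked against the policies in the config just posted. The following is an added Python model written for this page, not code from the thread or from Junos; it reduces the address book, application set and routing table to a handful of entries, and assumes branch prefixes are reached via ge-0/0/2.0.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed from the configuration posted above: interface-to-zone mapping,
# a small routing table standing in for the route lookup that picks the egress
# zone, and the addresses the SRX itself answers on.
ZONE_OF_INTERFACE = {"ge-0/0/0.0": "Trust", "ge-0/0/2.0": "UnTrust", "lo0.0": "Trust"}
ROUTES = [  # (prefix, egress interface); longest prefix wins
    (ip_network("192.168.48.0/22"), "ge-0/0/0.0"),   # LAN HQ, directly connected
    (ip_network("172.0.0.4/30"), "ge-0/0/2.0"),      # WAN MPLS link
    (ip_network("172.0.0.0/8"), "ge-0/0/2.0"),       # branch prefixes via BGP (assumed)
]
SELF_ADDRESSES = {ip_address("172.0.0.6"), ip_address("192.168.50.4")}
# host-inbound-traffic per zone: what may terminate on the SRX itself
HOST_INBOUND = {"Trust": {"all"}, "UnTrust": {"bgp"}}

# Address book and applications, cut down to a few entries from the posted config
ADDRESS_BOOK = {
    "any": [ip_network("0.0.0.0/0")],
    "TRUSTED-HOSTS": [ip_network("192.168.50.131/32"), ip_network("192.168.50.80/32")],
}
APPLICATIONS = {  # name -> set of (protocol, destination port); None means any
    "any": None,
    "BRANCH-PORTS": {("tcp", 1494), ("tcp", 2598), ("udp", 53), ("tcp", 443)},
}


@dataclass
class Policy:
    name: str
    src: str     # address-book name
    dst: str     # address-book name
    app: str     # application name
    action: str  # "permit" or "deny"


# Lookup order on the SRX: zone-pair policies, then global policies, then default-policy
POLICIES: Dict[Tuple[str, str], List[Policy]] = {
    ("Trust", "UnTrust"): [Policy("Trust-Untrust", "any", "any", "any", "permit")],
    ("UnTrust", "Trust"): [Policy("UNTRUST-TRUST-BRANCHES", "any", "TRUSTED-HOSTS",
                                  "BRANCH-PORTS", "permit")],
}
GLOBAL_POLICIES = [Policy("default-deny", "any", "any", "any", "deny")]
DEFAULT_POLICY = "deny-all"


def egress_interface(dst):
    """Longest-prefix match over ROUTES; None when nothing routes the destination."""
    best = None
    for prefix, ifname in ROUTES:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, ifname)
    return best[1] if best else None


def in_book(name, addr):
    return any(addr in net for net in ADDRESS_BOOK[name])


def app_matches(name, proto, dport):
    allowed = APPLICATIONS[name]
    return allowed is None or (proto, dport) in allowed


def evaluate(ingress_if, src, dst, proto, dport, service=None):
    """Verdict for the first packet of a flow: (action, reason).

    Only the initiator's direction is checked, as Steve describes; reply packets
    ride the session the flow engine created.  `service` names the host-inbound
    protocol/service (e.g. "bgp", "ssh") when the flow terminates on the SRX.
    """
    src, dst = ip_address(src), ip_address(dst)
    from_zone = ZONE_OF_INTERFACE[ingress_if]
    # Self traffic never consults zone-pair policies; host-inbound-traffic decides.
    if dst in SELF_ADDRESSES:
        allowed = HOST_INBOUND[from_zone]
        ok = "all" in allowed or service in allowed
        return ("permit" if ok else "deny",
                f"host-inbound-traffic on zone {from_zone} for {service}")
    egress_if = egress_interface(dst)
    if egress_if is None:
        return ("deny", "no route to destination")
    to_zone = ZONE_OF_INTERFACE[egress_if]
    for pol in POLICIES.get((from_zone, to_zone), []) + GLOBAL_POLICIES:
        if in_book(pol.src, src) and in_book(pol.dst, dst) and app_matches(pol.app, proto, dport):
            return (pol.action, f"policy {pol.name} ({from_zone} -> {to_zone})")
    return ("deny" if DEFAULT_POLICY == "deny-all" else "permit", f"default-policy {DEFAULT_POLICY}")


if __name__ == "__main__":
    # Branch Citrix session to an allowed host vs. the same host on a port not in BRANCH-PORTS
    print(evaluate("ge-0/0/2.0", "172.0.166.10", "192.168.50.131", "tcp", 1494))
    print(evaluate("ge-0/0/2.0", "172.0.166.10", "192.168.50.131", "tcp", 445))
    print(evaluate("ge-0/0/2.0", "172.0.0.5", "172.0.0.6", "tcp", 179, service="bgp"))
```

With source-address any on the branch policy, a flow is denied only when its destination is outside TRUSTED-HOSTS or its port is outside BRANCH-PORTS, so the global default-deny hit is the symptom, not the cause.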

Re: J2320 - V12.4 BGP And Firewall Setup
09-27-2017 03:05 AM

To see why the policies are not working we will need the source and destination IP addresses to evaluate the configuration.

If you could run trace options per this and post the file it would help too.

https://kb.juniper.net/InfoCenter/index?page=content&id=kb16110

Steve Puluka BSEET
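Steve asks for the source and destination addresses of the blocked flows; the config posted above already logs every hit on the global default-deny policy (session-init) to the syslog file policy_session in structured-data form, which is where those addresses can be read off. The following added Python snippet, not from the thread or from Juniper, parses such RT_FLOW_SESSION_DENY lines and names which match condition of UNTRUST-TRUST-BRANCHES each denied flow failed; the log lines and the trimmed TRUSTED-HOSTS/BRANCH-PORTS sets are constructed here, and the structured-data field names are assumed from the Junos RT_FLOW format.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in the shape a Junos structured-data syslog file holds.
# The exact field set varies by release; the parser relies only on the key="value" form.
SAMPLE_LOG = """\
<14>1 2017-09-25T19:55:01+01:00 DC-MPLS-01 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.36 source-address="172.0.166.10" source-port="51234" destination-address="192.168.50.131" destination-port="445" service-name="None" protocol-id="6" icmp-type="0" policy-name="default-deny" source-zone-name="UnTrust" destination-zone-name="Trust" packet-incoming-interface="ge-0/0/2.0"] session denied
<14>1 2017-09-25T19:55:02+01:00 DC-MPLS-01 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.36 source-address="172.0.166.10" source-port="51235" destination-address="192.168.50.131" destination-port="445" service-name="None" protocol-id="6" icmp-type="0" policy-name="default-deny" source-zone-name="UnTrust" destination-zone-name="Trust" packet-incoming-interface="ge-0/0/2.0"] session denied
<14>1 2017-09-25T19:55:03+01:00 DC-MPLS-01 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.36 source-address="172.0.166.11" source-port="40001" destination-address="192.168.50.200" destination-port="1494" service-name="None" protocol-id="6" icmp-type="0" policy-name="default-deny" source-zone-name="UnTrust" destination-zone-name="Trust" packet-incoming-interface="ge-0/0/2.0"] session denied
<14>1 2017-09-25T19:55:04+01:00 DC-MPLS-01 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.26 source-address="172.0.166.12" source-port="40002" destination-address="192.168.50.131" destination-port="1494" service-name="Terminal_Citrix_1494" protocol-id="6" policy-name="UNTRUST-TRUST-BRANCHES" source-zone-name="UnTrust" destination-zone-name="Trust"] session created
"""

HEADER = re.compile(r'(RT_FLOW_SESSION_[A-Z]+) \[junos@[\d.]+ ([^\]]*)\]')
PAIR = re.compile(r'([\w-]+)="([^"]*)"')


def parse_rt_flow(line):
    """Return the structured-data fields of one RT_FLOW line as a dict, or None."""
    m = HEADER.search(line)
    if not m:
        return None
    fields = dict(PAIR.findall(m.group(2)))
    fields["event"] = m.group(1)
    return fields


def summarise_denies(log_text):
    """Count RT_FLOW_SESSION_DENY events per (policy, source, destination, dport)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_rt_flow(line)
        if f and f["event"] == "RT_FLOW_SESSION_DENY":
            key = (f["policy-name"], f["source-address"],
                   f["destination-address"], f["destination-port"])
            counts[key] += 1
    return counts


# Match conditions of the permit policy UNTRUST-TRUST-BRANCHES from the posted config,
# reduced to a few entries so the diagnosis can be checked by hand. Protocol ids are
# the IP protocol numbers the log carries (6 = TCP, 17 = UDP).
TRUSTED_HOSTS = [ip_network("192.168.50.131/32"), ip_network("192.168.50.80/32")]
BRANCH_PORTS = {("6", "1494"), ("6", "2598"), ("17", "53"), ("6", "443")}


def why_denied(fields):
    """Name the UNTRUST-TRUST-BRANCHES condition(s) a denied UnTrust->Trust flow failed."""
    reasons = []
    if not any(ip_address(fields["destination-address"]) in n for n in TRUSTED_HOSTS):
        reasons.append("destination not in TRUSTED-HOSTS")
    if (fields["protocol-id"], fields["destination-port"]) not in BRANCH_PORTS:
        reasons.append("protocol/port not in BRANCH-PORTS")
    return reasons or ["all conditions matched; check the zone pair and policy order"]


def diagnose(log_text):
    """Map each distinct denied (source, destination, dport) to the conditions it failed."""
    out = {}
    for line in log_text.splitlines():
        f = parse_rt_flow(line)
        if f and f["event"] == "RT_FLOW_SESSION_DENY":
            out[(f["source-address"], f["destination-address"], f["destination-port"])] = why_denied(f)
    return out


if __name__ == "__main__":
    for key, n in summarise_denies(SAMPLE_LOG).items():
        print(n, key)
    for key, reasons in diagnose(SAMPLE_LOG).items():
        print(key, "->", "; ".join(reasons))
```

On the box the same lines come from `show log policy_session`; a deny whose destination and port both satisfy the permit policy points away from the policy itself and toward the zone pair or the other firewall, which is what Steve's trace-options step then settles.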