SRX

Hello everyone,

I've got a problem with my DMZ zone, and I'm not sure how to solve it. Right now when I'm connection my laptop to port ge-0/0/2 I'm getting nothing, I can't ping gateway, I cannot access internet etc.

I'm not sure if that's possible but on local network I would like to allow to only ping a gateway and that's it, so someone from IP 10.0.2.5 will not access 10.0.2.6. According to the internet access I would like to access everything from DMZ but allow only specific port to DMZ.

So what I did (not sure if correct) I have created a pool per IP address, so for example pool dmz55 is assigned to IP 10.0.2.2 which is assigned to my public IP address 5.2*.***.55.

I'm also not sure about the policies for DMZ I believe that I can't do source-address any; destination-address any; application any; because each local IP address will be assigned the public.

My config:

## Last changed: 2015-04-06 22:09:53 BST
version 12.1X44-D35.5;
system {
    host-name srx;
    time-zone Europe/London;
    root-authentication {
        encrypted-password "******************************"; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    login {
        user access {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "*********************"; ## SECRET-DATA
            }
        }
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface [ vlan.0 ge-0/0/1.0 ];
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server 176.58.109.199;
    }
}
interfaces {
    ge-0/0/0 {
        description internet;
        unit 0 {
            family inet {
                address 5.2*.***.54/29;
            }
        }
    }
    ge-0/0/1 {
        description lan;
        unit 0 {
            family inet {
                address 10.0.1.1/24;
            }
        }
    }
    ge-0/0/2 {
        description DMZ;
        unit 0 {
            family inet {
                address 10.0.2.1/24;
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 5.2*.***.53;
    }
}
protocols {
    stp;
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set lan-to-internet {
                from zone lan;
                to zone internet;
                rule lan-to-internet-r1 {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set dmz-to-internet {
                from zone DMZ;
                to zone internet;
                rule dmz-to-internet-r1 {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool dmz55 {
                address 10.0.2.2/32;
            }
            pool dmz56 {
                address 10.0.2.3/32;
            }
            pool dmz57 {
                address 10.0.2.4/32;
            }
            rule-set internet-to-dmz {
                from zone internet;
                rule internet-to-dmz-2-1 {
                    match {
                        destination-address 5.2*.***.55/32;
                        destination-port 80;
                        protocol [ tcp udp ];
                    }
                    then {
                        destination-nat pool dmz75;
                    }
                }
            }
        }
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    5.2*.***.55/32;
                    5.2*.***.56/32;
                    5.2*.***.57/32;
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone lan to-zone internet {
            policy wan-to-internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
        }
        security-zone internet {
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone lan {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone DMZ {
            interfaces {
                ge-0/0/2.0;
            }
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}

HI,

I dont see a policy that allows anything comming from your DMZ towards the internet zone.

from-zone DMZ to-zone internet {
            policy dmz-to-internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }

To only allow icmp towards your "gateway" you can configure :

security-zone DMZ {
            host-inbound-traffic {
                system-services {
                    ping;
                }
               }
            }

Your source nat is fine to access the internet from you DMZ zone when you apply above policy

To make your destination nat work for lets say port 80 (http)

You also need to create a policy that allows traffic from the internet towards your DMZ zone.

Some links that my help you setup your config:

Simple guide to config destination nat and the policy's you need to open the right set of ports

http://www.mustbegeek.com/configure-destination-nat-in-juniper-srx/

http://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf

Debug NAT

http://kb.juniper.net/InfoCenter/index?page=content&id=KB21922

Hope this helps you a bit

Hi,

Thank you for your help, Now I can access the internet from my DMZ zone - but there is a problem with IP address, when I'm browsing the internet my public IP address is the IP of my SRX (5.2*.***.54) - how I can change it to be the public IP of the NAT so for example 5.2*.***.55 for pool dmz55 (10.0.2.2)?

You can do like below everything from the 10.10.1.0/24 will be natted outside via the Pool dmz55. Hope this helps

source {
    pool dmz55 {
        address {
            5.2*.***.55/32;
        }
    }

rule-set dmz-to-internet {
                from zone DMZ;
                to zone internet;
                rule dmz-to-internet-r1 {
                    match {
                        source-address 10.10.1.0/24;

                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            pool {
                                src-nat-pool-servers;
                            }
                        }
                    }
                }
            }