SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Destination Address Port mix up

    Posted 06-08-2015 14:05

    I have a small dilemma in understanding what ports are open to what servers in my Destination NAT setup.

    I am trying to lock it down to only one port open per server.


    Is this showing port http open for Web?

    set security policies from-zone PUBLIC to-zone PRIVATE policy PUBLIC-TO-PRIVATE match destination-address WEB
    set security policies from-zone PUBLIC to-zone PRIVATE policy PUBLIC-TO-PRIVATE match application junos-http


    Are both ports open to both servers in the following example?

    set security policies from-zone PUBLIC to-zone PRIVATE policy PUBLIC-TO-PRIVATE match destination-address WEB
    set security policies from-zone PUBLIC to-zone PRIVATE policy PUBLIC-TO-PRIVATE match destination-address MAIL
    set security policies from-zone PUBLIC to-zone PRIVATE policy PUBLIC-TO-PRIVATE match application junos-http
    set security policies from-zone PUBLIC to-zone PRIVATE policy PUBLIC-TO-PRIVATE match application junos-smtp


    How do I achieve that ONLY ONE PORT is OPEN to each server, as follows (not both ports to both servers)?

    http   -> open to WEB

    smtp -> open to MAIL



  • 2.  RE: Destination Address Port mix up
    Best Answer

    Posted 06-08-2015 20:03

    Hello,

    It's simple: create 2 different security policies with different names, from the same zone to the same zone. For example:

    set security policies from-zone PUBLIC to-zone PRIVATE policy PUBLIC-TO-PRIVATE-WEB match destination-address WEB
    set security policies from-zone PUBLIC to-zone PRIVATE policy PUBLIC-TO-PRIVATE-MAIL match destination-address MAIL
    set security policies from-zone PUBLIC to-zone PRIVATE policy PUBLIC-TO-PRIVATE-WEB match application junos-http
    set security policies from-zone PUBLIC to-zone PRIVATE policy PUBLIC-TO-PRIVATE-MAIL match application junos-smtp



  • 3.  RE: Destination Address Port mix up

    Posted 06-13-2015 00:21

    BEAUTIFUL!


    So can I simply use a "pattern replace command" to pattern replace PUBLIC-TO-PRIVATE with PUBLIC-TO-PRIVATE-WEB? etc...



  • 4.  RE: Destination Address Port mix up

    Posted 06-13-2015 00:39

    Hello,

    Yes, your understanding is correct. 🙂



  • 5.  RE: Destination Address Port mix up

    Posted 06-13-2015 03:21

    Your replace pattern will put all four lines into the "web" rule. You will still need to manually delete the smtp lines from the web rule and create them in their own rule in that case.



  • 6.  RE: Destination Address Port mix up

    Posted 06-21-2015 02:06

    I have another PORT MIX UP case. Any advice is greatly appreciated!


    We have two Web Servers (Server A and Server SP) on the same network doing two different things. We need to open junos-http to Server A and junos-https ports to SP, however it seems that both ports are open to only server A which makes no sense to me. Here is the code we added to open https port to server SP but for some reason https still goes to web server A. There is no explicit https rule for server A. Here are the details:


    set security nat destination pool SP-POOL address 10.1.1.X/32
    set security nat destination pool SP-POOL address port 443


    set security nat destination rule-set DESTINATION-NAT rule PORT-FORWARDING-SP match destination-address 72.8X.XX.XXX/32
    set security nat destination rule-set DESTINATION-NAT rule PORT-FORWARDING-SP match destination-port 443
    set security nat destination rule-set DESTINATION-NAT rule PORT-FORWARDING-SP then destination-nat pool SP-POOL


    set security policies from-zone PUBLIC to-zone PRIVATE policy PUBLIC-TO-PRIVATE-SP match source-address any
    set security policies from-zone PUBLIC to-zone PRIVATE policy PUBLIC-TO-PRIVATE-SP match destination-address VIPSP
    set security policies from-zone PUBLIC to-zone PRIVATE policy PUBLIC-TO-PRIVATE-SP match application junos-https
    set security policies from-zone PUBLIC to-zone PRIVATE policy PUBLIC-TO-PRIVATE-SP then permit



  • 7.  RE: Destination Address Port mix up

    Posted 06-21-2015 06:27

    This set of NAT and policy rules is only sending https to the server. If you are also getting http traffic to that server then another rule is kicking in.

    You need to look at the NAT and security policies as a whole to troubleshoot this.

    You probably should also enable logging on all the policies so you can see what rule the traffic is actually hitting.

    Take a look at the steps in KB16252 for troubleshooting NAT to gather some good information on the issue.

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB16252



  • 8.  RE: Destination Address Port mix up

    Posted 06-21-2015 18:45

    THIS ISSUE HAS BEEN RESOLVED.


    The newly implemented VPN rule was overshadowing the http/s services. It was redirecting traffic.


    By moving the VPN rule under the http/s services rule using the INSERT method we solved this problem!


    Thanks
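As an added illustration (not code from this thread, and not Junos code), the following Python model shows the two behaviours the thread runs into: a single policy whose match terms list several destination addresses and several applications permits every address/application combination, and policies are evaluated in order with the first match winning, so a broad rule listed earlier shadows a more specific one until it is moved with `insert ... after`. The `APPLICATIONS` table, the address-book names and the stand-in "VPN" policy are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed table of the predefined junos-* applications used in the thread,
# as (protocol, destination port). "any" matches every flow.
APPLICATIONS = {
    "junos-http": ("tcp", 80),
    "junos-https": ("tcp", 443),
    "junos-smtp": ("tcp", 25),
    "any": ("any", None),
}


@dataclass
class Policy:
    """Model of one 'set security policies from-zone X to-zone Y policy NAME' entry."""
    name: str
    destination_addresses: set   # address-book names, or {"any"}
    applications: set            # APPLICATIONS keys, or {"any"}
    action: str = "permit"
    source_addresses: set = field(default_factory=lambda: {"any"})

    def matches(self, src, dst, proto, port):
        # Each match term is an OR over its listed values and the terms are ANDed,
        # so every listed address is combined with every listed application.
        src_ok = "any" in self.source_addresses or src in self.source_addresses
        dst_ok = "any" in self.destination_addresses or dst in self.destination_addresses
        app_ok = any(
            APPLICATIONS[app] == ("any", None) or APPLICATIONS[app] == (proto, port)
            for app in self.applications
        )
        return src_ok and dst_ok and app_ok


def evaluate(policies, src, dst, proto, port):
    """First-match lookup in list order; no match falls through to the default deny."""
    for p in policies:
        if p.matches(src, dst, proto, port):
            return p.name, p.action
    return None, "deny"


def open_ports(policies, hosts, ports=(25, 80, 443)):
    """Which of the sample TCP ports an outside source can reach on each host."""
    return {
        h: {port for port in ports if evaluate(policies, "any", h, "tcp", port)[1] == "permit"}
        for h in hosts
    }


def insert_after(policies, name, after):
    """Model 'insert security policies ... policy NAME after policy AFTER'."""
    moving = next(p for p in policies if p.name == name)
    rest = [p for p in policies if p.name != name]
    idx = next(i for i, p in enumerate(rest) if p.name == after)
    return rest[: idx + 1] + [moving] + rest[idx + 1:]


def combined_policy():
    """The original poster's single policy: two addresses and two applications."""
    return [Policy("PUBLIC-TO-PRIVATE", {"WEB", "MAIL"}, {"junos-http", "junos-smtp"})]


def split_policies():
    """The accepted answer: one policy per server/application pair."""
    return [
        Policy("PUBLIC-TO-PRIVATE-WEB", {"WEB"}, {"junos-http"}),
        Policy("PUBLIC-TO-PRIVATE-MAIL", {"MAIL"}, {"junos-smtp"}),
    ]


def shadowed_policies():
    """Constructed stand-in for the later 'VPN rule': a broad policy listed first
    catches the https flow before the more specific SP policy is consulted."""
    return [
        Policy("VPN", {"any"}, {"any"}, action="permit-tunnel"),
        Policy("PUBLIC-TO-PRIVATE-SP", {"VIPSP"}, {"junos-https"}),
    ]


if __name__ == "__main__":
    print("single policy :", open_ports(combined_policy(), ["WEB", "MAIL"]))
    print("split policies:", open_ports(split_policies(), ["WEB", "MAIL"]))
    shadowed = shadowed_policies()
    print("before insert :", evaluate(shadowed, "any", "VIPSP", "tcp", 443))
    fixed = insert_after(shadowed, "VPN", "PUBLIC-TO-PRIVATE-SP")
    print("after insert  :", evaluate(fixed, "any", "VIPSP", "tcp", 443))
```

Running the model prints both ports open on both servers for the single combined policy, one port per server for the split policies, and the "VPN" policy answering for https to VIPSP until it is moved after the SP policy. On a real SRX the equivalent checks are `show security policies` for the order and, with logging enabled on the policies, the session-init logs showing which policy a flow actually hit.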



  • 9.  RE: Destination Address Port mix up

    Posted 06-22-2015 03:32

    Glad you have it worked out.  Thanks for the update.