SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  FTP behind the NAT

    Posted 04-24-2012 01:58

    Hi.

    I have an SRX210HE and an internal FTP server, and I need to access this FTP server from the public network. I saw a lot of material on this topic and do not understand what I did wrong.


    blabla@blablabla# show security nat destination

    pool NAS {
        address 192.168.0.xxx/32 port 21;
    }
    pool NAS-20 {
        address 192.168.0.xxx/32 port 20;
    }
    rule-set NAS {
        from zone untrust;
        rule NAS-21 {
            match {
                destination-address xxx.xxx.xxx.98/32;
                destination-port 21;
            }
            then {
                destination-nat pool NAS;
            }
        }
        rule NAS-20 {
            match {
                destination-address xxx.xxx.xxx.98/32;
                destination-port 20;
            }
            then {
                destination-nat pool NAS-20;
            }
        }
    }


    blabla@blablabla# show security policies

    from-zone trust to-zone untrust {
        policy trust-to-untrust {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone untrust to-zone trust {
        policy Phone-VPN {
            match {
                source-address any;
                destination-address 192.168.0.0/16;
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn Avaya-Phones-VPN;
                    }
                }
            }
        }
        policy dyn-vpn-policy {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn dyn-vpn;
                    }
                }
            }
        }
        policy NAS {
            match {
                source-address any;
                destination-address NAS;
                application junos-ftp;
            }
            then {
                permit;
            }
        }
    }


    blabla@blablabla# show security alg
    ftp disable ftps-extension;
    h323 disable;
    mgcp disable;
    sccp disable;
    sip disable;


    Can it be that the policies are interfering with each other? Any help will be very much appreciated.



  • 2.  RE: FTP behind the NAT
    Best Answer

    Posted 04-24-2012 03:13

    Hi there,


    Can you move this policy to the top?


        policy NAS {
            match {
                source-address any;
                destination-address NAS;
                application junos-ftp;
            }
            then {
                permit;
            }
        }


    user@srx# edit security policies from-zone untrust to-zone trust
    user@srx# insert policy NAS before policy Phone-VPN


  • 3.  RE: FTP behind the NAT

    Posted 04-24-2012 23:50

    Thanks for the advice. It works, but incorrectly. The FTP server works in passive mode, and the first phase, which goes through port 21, works, but then the connection goes through a random port selected by the FTP server. This step does not work. Any ideas?



  • 4.  RE: FTP behind the NAT

    Posted 04-25-2012 00:00

    I'll try to use the FTP ALG and ftp-extension and see what happens.



  • 5.  RE: FTP behind the NAT

    Posted 04-25-2012 01:31

    Enable the FTP ALG and check. Your config looks good now.
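Why enabling the ALG fixes the passive-mode failure described in reply 3: the server's "227 Entering Passive Mode" reply carries its private address and a freshly chosen data port inside the control channel, so the static port-21 destination-NAT rule never translates or permits the data connection. The script below is an added illustration and is not code from this thread or from Juniper; it models what the FTP ALG does to a constructed PASV reply. The addresses 192.168.0.10, 203.0.113.98 and 198.51.100.7 are made-up documentation values, not the poster's.

```python
"""Model of the FTP ALG's job for passive mode behind destination NAT.

Assumptions (constructed, not from the thread):
  server private address 192.168.0.10, its public NAT address 203.0.113.98,
  an external client at 198.51.100.7.
"""
import re

# RFC 959 passive reply: 227 ... (h1,h2,h3,h4,p1,p2) where port = p1*256 + p2
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str):
    """Return the (ip, port) a client would connect to, or None if not a 227 reply."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def format_pasv(ip: str, port: int) -> str:
    """Build a 227 reply advertising ip:port in the comma-separated form."""
    a, b, c, d = ip.split(".")
    return f"227 Entering Passive Mode ({a},{b},{c},{d},{port // 256},{port % 256})"


def alg_rewrite(reply: str, server_private_ip: str, server_public_ip: str, client_ip: str):
    """Emulate the ALG on a control-channel reply crossing the NAT.

    Returns (reply_as_seen_by_client, pinhole). The pinhole is the flow the
    firewall must temporarily permit and destination-NAT so the client's data
    connection to the public address reaches the private server; it is None
    when the reply needs no handling.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return reply, None           # not a PASV reply: pass through untouched
    ip, port = parsed
    if ip != server_private_ip:
        return reply, None           # advertises some other host: not our NAT's job
    pinhole = {
        "proto": "tcp",
        "src": client_ip,
        "dst": server_public_ip,     # what the client will actually dial
        "dport": port,               # the dynamically chosen data port
        "translated_dst": server_private_ip,
    }
    return format_pasv(server_public_ip, port), pinhole


if __name__ == "__main__":
    # Constructed reply: server picked data port 195*256 + 80 = 50000.
    raw = "227 Entering Passive Mode (192,168,0,10,195,80)"
    print("without ALG the client would dial:", parse_pasv(raw))
    rewritten, hole = alg_rewrite(raw, "192.168.0.10", "203.0.113.98", "198.51.100.7")
    print("with ALG the client sees:", rewritten)
    print("pinhole the firewall opens:", hole)
```

Without the ALG, `parse_pasv` shows the client being told to connect to 192.168.0.10:50000, a private address it cannot reach, which is exactly the "random port" failure in reply 3. With the ALG, the client is handed the public address and the firewall has a matching pinhole, so the data connection is translated like the control connection. The same logic applies in reverse to the PORT command in active mode.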



  • 6.  RE: FTP behind the NAT

    Posted 04-26-2012 05:41

    It works with the ALG enabled. Thanks a lot. That's all for now ;)