SRX

  • 1.  New to SRX, NAT policies and scripting...

    Posted 11-28-2011 06:40

    Hello,

     

    I have 2 questions regarding srx firewall:

     

    - If I do a NAT from public address A to public address B, doing a NAT which replaces B by private address C (destination NAT), do I have to create a firewall policy? And if yes, from A to B, or A to C?

    If I look at the packet flow, the logical way is a policy allowing flow from B to C...?

     

    And if I do a NAT from private address D to public address E, doing a NAT which replaces D by public address F (source NAT), do I have to create a firewall policy? And if yes, from D to E, or F to E?

    If I look at the packet flow, the logical way is a policy allowing flow from D to E...?

     

    - Does entering a lot of commands at the same time over SSH work for you without errors?

    Let's say I enter something like 500 lines in configuration mode by copy/pasting them... the copy is unfortunately not 100% pasted, leading to only part of the commands being processed.

    How can I enter a lot of commands at the same time without errors?

    Can I create a txt file, upload it to the SRX, and have it executed by a command?

     

    Thanks in advance,

     


    #SRX
    #Policies
    #NAT


  • 2.  RE: New to SRX, NAT policies and scripting...

    Posted 11-28-2011 07:29

    Q1: No, but you should look into security policies; depending on your interfaces and security zones, you might want to create one.

     

    Q2: Look into the Junos CLI guide, check for "load" and "save".

     

     

    BTW: best link for getting into SRX: http://kb.juniper.net/InfoCenter/index?page=content&id=KB15694



  • 3.  RE: New to SRX, NAT policies and scripting...

    Posted 11-29-2011 02:15

    Thanks for your answers.

     

    "Q1: No, but you should look into security policies; depending on your interfaces and security zones, you might want to create one."

     

    Ok, but from where to where do I have to create my security policy?

    Like I said before, if I have a flow between A (untrust zone) and the public address B of my FW (untrust zone), and then I do a destination NAT, changing the destination address from the address B of my FW (untrust zone) to my computer C (trust zone), what policy do I have to make?

     

    from zone untrust to zone untrust from A to B any service permit

    or

    from zone untrust to zone trust from A to C any service permit

    ?

     

    Same question if I do a source nat?

     

    My computer A (trust zone) wants to connect to a computer C (untrust zone) with the source address of my FW B (untrust zone).

     

    from zone untrust to zone untrust from B to C any service permit

    or

    from zone trust to zone untrust from A to C any service permit

    ?

     

    "Q2: Look into the Junos CLI guide, check for 'load' and 'save'."

     

    I suppose that's "load set relative myfile"?



  • 4.  RE: New to SRX, NAT policies and scripting...

    Posted 12-01-2011 07:15

    The cool thing about Juniper is:

    they have examples for most common scenarios,

    like

    Example: Configuring Destination NAT for IP Address and Port Translation

    http://www.juniper.net/techpubs/en_US/junos11.2/topics/example/nat-security-destination-address-port-translation-configuring.html

     

    As far as security policies go:

    from-zone -> where your source is.

    to-zone -> destination.

     

    So for your destination NAT that would be

    from-zone untrust to-zone trust.

     

    For source NAT:

    from-zone trust to-zone untrust.

     

    ----

    For Q2:

    You don't really need the "relative" part; it depends on the formatting of your configuration file, I guess :-)

     



  • 5.  RE: New to SRX, NAT policies and scripting...
    Best Answer

    Posted 12-02-2011 06:41

    You always have to have a security-policy in place to permit traffic on an SRX if you have not changed the default policy action from deny to allow.

    Static and destination NAT are carried out before the stateful security policy (but not before stateless filters, if you are using them as well); source NAT is after. So for example in your first scenario you permit A-C. In your second it's D-E.

    As for terminal session pasting, I've had mixed results. It works fine most of the time, but I have seen occasional glitches. CY's recommendation on file loading/merging is good.



  • 6.  RE: New to SRX, NAT policies and scripting...

    Posted 12-06-2011 03:22

    Thanks for your help 🙂



  • 7.  RE: New to SRX, NAT policies and scripting...

    Posted 01-11-2012 21:29

    You should configure a policy.

    When you use NAT, please remember to use the "true" IP addresses of the client and server.

    So the policy in your example is: A to C, and D to E.
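Putting the answers in posts 5 and 7 together, here is an added example (not from the thread, Juniper's docs, or the original poster) of a Junos set-format file that configures both cases with the security policies written on the real addresses, and that can be loaded from a file as post 2 suggests. Addresses are constructed from the RFC 5737 documentation ranges (A=198.51.100.10, B/F=203.0.113.1 on the untrust interface, C=10.0.0.10, D=10.0.0.20, E=198.51.100.20), and the interface and object names are assumptions; the `#` lines are comments for the reader.

```junos
# Assumed interfaces and zone membership (constructed example)
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust address-book address host-A 198.51.100.10/32
set security zones security-zone untrust address-book address host-E 198.51.100.20/32
set security zones security-zone trust address-book address host-C 10.0.0.10/32
set security zones security-zone trust address-book address host-D 10.0.0.20/32

# Case 1: destination NAT B (public, on ge-0/0/0) -> C (private).
# Destination NAT runs BEFORE the policy lookup, so the policy sees C, not B.
set security nat destination pool pool-C address 10.0.0.10/32
set security nat destination rule-set dnat-from-untrust from zone untrust
set security nat destination rule-set dnat-from-untrust rule B-to-C match destination-address 203.0.113.1/32
set security nat destination rule-set dnat-from-untrust rule B-to-C then destination-nat pool pool-C

# Policy for the inbound flow: from-zone untrust (where A is) to-zone trust (where C is), A -> C
set security policies from-zone untrust to-zone trust policy allow-A-to-C match source-address host-A
set security policies from-zone untrust to-zone trust policy allow-A-to-C match destination-address host-C
set security policies from-zone untrust to-zone trust policy allow-A-to-C match application any
set security policies from-zone untrust to-zone trust policy allow-A-to-C then permit

# Case 2: source NAT D (private) -> F (the untrust interface address).
# Source NAT runs AFTER the policy lookup, so the policy sees D, not F.
set security nat source rule-set snat-to-untrust from zone trust
set security nat source rule-set snat-to-untrust to zone untrust
set security nat source rule-set snat-to-untrust rule D-to-F match source-address 10.0.0.20/32
set security nat source rule-set snat-to-untrust rule D-to-F then source-nat interface

# Policy for the outbound flow: from-zone trust (where D is) to-zone untrust (where E is), D -> E
set security policies from-zone trust to-zone untrust policy allow-D-to-E match source-address host-D
set security policies from-zone trust to-zone untrust policy allow-D-to-E match destination-address host-E
set security policies from-zone trust to-zone untrust policy allow-D-to-E match application any
set security policies from-zone trust to-zone untrust policy allow-D-to-E then permit
```

Copy the file to the SRX (for example to /var/tmp) and, in configuration mode, run `load set /var/tmp/nat-policy.set`, then `show | compare` and `commit check` before committing, which avoids the partial-paste problem described in the first post.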