SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  RDP and VPN -- FW policy...

    Posted 11-30-2011 12:30

    Hello Everyone!!

    I went back to basics and a test environment because I can't figure out what I am doing wrong.

    Any guidance is much appreciated!

    Here is the config...

    Have a good one!



  • 2.  RE: RDP and VPN -- FW policy...

    Posted 12-01-2011 13:57

    You haven't exactly described what the issue is that you're having... so I'm just going to take a guess based on your config -- it's probably your NAT configuration.

    If you don't need NAT, then take out the source NAT rules. If you do need NAT, then you'll need to configure NAT to allow your incoming connections (destination NAT or static NAT).



  • 3.  RE: RDP and VPN -- FW policy...

    Posted 12-02-2011 07:01

    Hi kr!

    You are right... I got jumpy and didn't describe my issue properly... which is this:

    I got an SRX210, my outside address being 192.168.1.10/29.

    Traffic that hits that address (192.168.1.10) with a VPN request needs to go to 10.0.1.198.

    Traffic that hits that address (192.168.1.10) with a Remote Desktop request needs to go to 10.0.1.196.

    ... I was told that it could be achieved by just configuring a FW policy matching the traffic type (i.e. junos-gre, junos-pptp) and it would send it to the correct internal IP...

    I am doing something wrong or missing something because it is not happening...

    Many thanks for replying!



  • 4.  RE: RDP and VPN -- FW policy...
    Best Answer

    Posted 12-02-2011 11:35

    For sure you should also configure 'destination nat' to do IP address translation.

    For RDP, the rule might look like this:

    set security nat destination pool 10-0-1-196--3389 address 10.0.1.196/32
    set security nat destination pool 10-0-1-196--3389 address port 3389
    set security nat destination rule-set destination from zone untrust
    set security nat destination rule-set destination rule r1 match destination-address 192.168.1.10/32
    set security nat destination rule-set destination rule r1 match destination-port 3389
    set security nat destination rule-set destination rule r1 then destination-nat pool 10-0-1-196--3389

    For VPN connections - could be more tricky as there are several types of VPN around...

    More on NAT configuration:

    http://kb.juniper.net/InfoCenter/index?page=content&id=TN81&actp=LIST



  • 5.  RE: RDP and VPN -- FW policy...

    Posted 12-02-2011 12:12

    You definitely would need some kind of destination NAT. The firewall would have no way to know which traffic to send to which internal host otherwise.

    Aigarz gave a suggestion for a starting point to cover your RDP connection; however, the VPN termination is more difficult. You cannot match a NAT rule on GRE, as it is a protocol and not a port number. The SRX has a PPTP ALG that I believe is supposed to handle the necessary magic for translating GRE sessions.

    For a starting suggestion, try setting up your destination NAT (incoming connections) something like this:


    security {
      nat {
        destination {
          pool srv-RDP {
            address 10.0.1.196/32;
          }
          pool srv-PPTP {
            address 10.0.1.198/32;
          }
          rule-set untrust-to-trust {
            from zone untrust;
            rule RDP {
              match {
                source-address 0.0.0.0/0;
                destination-address 192.168.1.10/32;
                destination-port 3389;
              }
              then {
                destination-nat pool srv-RDP;
              }
            }
            rule PPTP {
              match {
                source-address 0.0.0.0/0;
                destination-address 192.168.1.10/32;
                destination-port 1723;
              }
              then {
                destination-nat pool srv-PPTP;
              }
            }
          }
        }
      }
    }


    You'll also want to make sure that your PPTP ALG is enabled:

    user@srx> show security alg status | match PPTP
      PPTP     : Enabled

    Set your security policies to allow the junos-pptp service, but you don't need the junos-gre service since the ALG takes care of that (as far as I know):

    from-zone untrust to-zone trust {
      policy VPN-Test {
        match {
          source-address any;
          destination-address addr_10_0_1_198;
          application junos-pptp;
        }
        then {
          permit;
          log {
            session-init;
            session-close;
          }
        }
      }
    }

     

    That should get you going in the right direction. I can't promise that that's 100% of what you need to make it work, I have not done this exact configuration and I don't have a place where I can build it to test it.
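    As an added illustration (not code from this thread or from Juniper), the following Python models the destination-NAT rule-set posted above with first-match semantics. It shows, on constructed sample traffic, why the firewall cannot pick an internal host without destination NAT, why a destination-port rule never matches the GRE leg of PPTP (so the ALG has to handle it), and how the hierarchical configuration above translates into the set form Aigarz used. The outside client address 203.0.113.5 is a constructed sample value; pool and rule names come from the thread. The real Junos evaluation also honours routing-instance and interface terms and the pool's optional port, which this model omits.

```python
"""Simplified model of the SRX destination-NAT rule-set posted in this thread.

Added example, not code from the thread or from Juniper. It mirrors the two
rules above (RDP -> 10.0.1.196, PPTP -> 10.0.1.198) to make two points the
replies state in prose: without destination NAT the firewall has no way to
choose an internal host for traffic arriving at 192.168.1.10, and a
destination-port rule can never match GRE (IP protocol 47), which carries
no port. It also renders the rules in Junos set form. Real rule evaluation
considers more (routing-instance and interface terms, address books, the
pool's optional port); those are left out here.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

TCP, GRE = 6, 47  # IP protocol numbers


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int]  # None for protocols that carry no port, such as GRE


@dataclass(frozen=True)
class DnatRule:
    name: str
    src_net: str             # match source-address
    dst_addr: str            # match destination-address
    dst_port: Optional[int]  # match destination-port; None = address-only rule
    pool: str                # destination-nat pool name
    pool_addr: str           # the pool's translated address


# Rule-set "untrust-to-trust" as posted in the thread, in configuration order.
RULES = [
    DnatRule("RDP", "0.0.0.0/0", "192.168.1.10/32", 3389, "srv-RDP", "10.0.1.196"),
    DnatRule("PPTP", "0.0.0.0/0", "192.168.1.10/32", 1723, "srv-PPTP", "10.0.1.198"),
]


def matches(rule: DnatRule, pkt: Packet) -> bool:
    """A rule applies only if every configured match term is satisfied."""
    if ip_address(pkt.src) not in ip_network(rule.src_net):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst_addr):
        return False
    if rule.dst_port is None:
        return True
    # A destination-port term cannot match a packet that has no port (GRE),
    # so the GRE leg of PPTP falls through every rule in this set.
    return pkt.dport is not None and pkt.dport == rule.dst_port


def translate(pkt: Packet, rules=RULES):
    """Return (rule name, translated destination) for the first matching rule.

    With no match the packet keeps its original destination, i.e. the SRX's
    own outside address, so it is never forwarded to an internal host.
    """
    for rule in rules:
        if matches(rule, pkt):
            return rule.name, rule.pool_addr
    return None, pkt.dst


def to_set_commands(rules, rule_set: str, from_zone: str):
    """Render the rules as Junos set commands (the style used earlier in the thread)."""
    base = "set security nat destination"
    cmds = []
    for rule in rules:  # one pool line per distinct pool
        line = f"{base} pool {rule.pool} address {rule.pool_addr}/32"
        if line not in cmds:
            cmds.append(line)
    cmds.append(f"{base} rule-set {rule_set} from zone {from_zone}")
    for rule in rules:
        prefix = f"{base} rule-set {rule_set} rule {rule.name}"
        cmds.append(f"{prefix} match source-address {rule.src_net}")
        cmds.append(f"{prefix} match destination-address {rule.dst_addr}")
        if rule.dst_port is not None:
            cmds.append(f"{prefix} match destination-port {rule.dst_port}")
        cmds.append(f"{prefix} then destination-nat pool {rule.pool}")
    return cmds


if __name__ == "__main__":
    # Constructed sample traffic from an arbitrary outside host (203.0.113.5).
    samples = [
        Packet("203.0.113.5", "192.168.1.10", TCP, 3389),  # RDP
        Packet("203.0.113.5", "192.168.1.10", TCP, 1723),  # PPTP control channel
        Packet("203.0.113.5", "192.168.1.10", GRE, None),  # PPTP data (GRE)
        Packet("203.0.113.5", "192.168.1.10", TCP, 22),    # port no rule covers
    ]
    for pkt in samples:
        print(pkt.proto, pkt.dport, "->", translate(pkt))
    print("\n".join(to_set_commands(RULES, "untrust-to-trust", "untrust")))
```

    Running it prints the RDP and PPTP control packets translated to their internal hosts, while the GRE packet and the SSH packet fall through with the destination unchanged, which is the gap the PPTP ALG fills for GRE.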

     



  • 6.  RE: RDP and VPN -- FW policy...

    Posted 12-07-2011 07:00

    Thank you Aigarz and Keith for your posts... they have been MOST helpful!!

    Aigarz's solution worked like a charm. I had misunderstood the concept when it was explained to me, but after seeing the lines it was clear!

    Keith, your solution seems simple yet elegant! I will reset my test lab and give it a shot!! I will post soon!!

    Again.... THANKS!



  • 7.  RE: RDP and VPN -- FW policy...

    Posted 12-07-2011 07:46

    .... WORKED LIKE A CHARM!!

    MANY THANKS FOR YOUR POSTS, TIME AND PATIENCE!!

    On the test environment, working with the same computer, I was able to REMOTE IN ... AND VPN IN at the same time with NO PROBLEMS!!

    KUDOS GENTLEMEN!!