SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Routing help needed between trust and dmz

    Posted 03-20-2011 14:45

    I have attached a current copy of my configuration. I've enabled logging on both deny rules between untrust-to-trust and untrust-to-dmz and am not picking up anything. Is there a way to test a NAT rule to make sure it's working and is hitting a policy and being denied at that point?

    Attachment(s): HOUTXGW1-2_NetConfig.txt (9 KB)


  • 2.  RE: Routing help needed between trust and dmz

    Posted 03-20-2011 16:15

    Awesome, I have to run the site in compatibility mode. Noticed it doesn't keep the body of the thread if I don't lol.


    I created a static NAT between trust, dmz, and untrust to an IP in dmz (web servers), and I have a rule allowing untrust to dmz to the specific group of web servers over HTTP/HTTPS, but I still can't seem to access the web servers from trust.


    Thanks for any help anyone can offer



  • 3.  RE: Routing help needed between trust and dmz
    Best Answer

    Posted 03-20-2011 20:49

    I figured it out: you need to add the zones to the static NAT and create a policy between trust and dmz allowing HTTP/HTTPS. You can reference your public address in DNS for internal clients (helpful with VPN clients using internal DNS servers); they might not have access to other zones, and this way they will access your published resources via their public address ;-)


    Here is my configuration for reference, I wish more people would post these lol...


    I also cleaned up my FW policies, as all traffic is denied by default until you create a rule allowing it. So now the only things I have are trust to untrust, dmz to untrust, and untrust/trust to dmz for HTTP/HTTPS, and a deny rule with logging for anything coming from untrust to dmz.

    Attachment(s): HOUTXGW1-2_NetConfig.txt (8 KB)
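    The fix described in this answer, written out as an added Junos set-style example (not the poster's attached configuration): the interface name, addresses, address-book and policy names are assumed, and the `#` lines are explanatory comments rather than part of the config.

```junos
# Constructed addresses (RFC 5737 / RFC 1918); the real values are only in the attachment.
# Assumed: ge-0/0/0.0 is in zone untrust, the web server sits in dmz at 10.10.20.10,
# and its published public address is 203.0.113.10.
set security zones security-zone dmz address-book address web-servers 10.10.20.10/32

# Static NAT: list every zone that must reach the web server by its public address.
# Leaving trust out of "from zone" is why trust clients could not reach the DMZ.
set security nat static rule-set dmz-web from zone [ trust dmz untrust ]
set security nat static rule-set dmz-web rule web-srv match destination-address 203.0.113.10/32
set security nat static rule-set dmz-web rule web-srv then static-nat prefix 10.10.20.10/32

# Needed when the public address is inside the untrust interface's subnet but is not its own address.
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.10/32

# Static NAT is applied before policy lookup, so policies match the real (DMZ) address.
set security policies from-zone trust to-zone dmz policy trust-to-web match source-address any
set security policies from-zone trust to-zone dmz policy trust-to-web match destination-address web-servers
set security policies from-zone trust to-zone dmz policy trust-to-web match application [ junos-http junos-https ]
set security policies from-zone trust to-zone dmz policy trust-to-web then permit

set security policies from-zone untrust to-zone dmz policy untrust-to-web match source-address any
set security policies from-zone untrust to-zone dmz policy untrust-to-web match destination-address web-servers
set security policies from-zone untrust to-zone dmz policy untrust-to-web match application [ junos-http junos-https ]
set security policies from-zone untrust to-zone dmz policy untrust-to-web then permit

# Explicit logged deny after the permit, so blocked attempts from untrust actually show up in the logs.
set security policies from-zone untrust to-zone dmz policy deny-rest match source-address any
set security policies from-zone untrust to-zone dmz policy deny-rest match destination-address any
set security policies from-zone untrust to-zone dmz policy deny-rest match application any
set security policies from-zone untrust to-zone dmz policy deny-rest then deny
set security policies from-zone untrust to-zone dmz policy deny-rest then log session-init
```

    To answer the question in the first post, operational-mode `show security nat static rule all` shows per-rule translation hit counters, and `show security flow session destination-prefix 10.10.20.10/32` shows whether a translated session was actually created and which policy it matched.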


  • 4.  RE: Routing help needed between trust and dmz

    Posted 03-20-2011 21:04

    Not reflected in the configuration I posted, but I also removed everything not needed from dmz and only have FTP, HTTP, HTTPS, and ping (my web servers are multihomed), so DNS and NTP come from AD on its other interface. Not ideal, I know, but these machines have to be part of AD, so I have no other choice.