This is with regard to remote access to the WACs, which is not happening from specific IPs; below is a brief explanation of the same.
This installation is for a hospitality group, and they have specific IPs from which they need to reach one specific server and the WACs. The issue is that they are able to access the server but not the WACs.
The specific IPs have already been added to come in, i.e. from untrust to trust, and as mentioned they are able to reach the server but not the WACs. On the other hand, my office subnet has also been added to the same rule, and I am able to access both the server and the WACs.
1st rule: My office subnet and other subnets like NOC to access all the remaining devices, which should be accessible only from my office subnet and the other NOC subnets (server and WACs not included).
2nd rule: My office subnet and the hospitality-specific IPs to access the server and WACs.
I am not seeing any sessions created when I try to access the WACs, but I do see the sessions for the server. Also, just to let you know, this is happening only for the specific IPs when trying to access the WACs; for me, accessing from my office network, I am able to access both.
NAT configuration for the WACs is static with port forwarding, and for the server one public IP without port forwarding.
The counter configuration should be similar to this one:
1. Create a filter that will count the traffic from the affected IP if it reaches the SRX. The same filter will allow all traffic that is not coming from the affected IP:
    set firewall family inet filter TEST term COUNTER from source-address [PUBLIC_IP_OF_AFFECTED_DEVICE]
    set firewall family inet filter TEST term COUNTER from destination-address [SRX's_PUBLIC_IP]
    set firewall family inet filter TEST term COUNTER then count INCOMING_TRAFFIC
    set firewall family inet filter TEST term COUNTER then accept
    set firewall family inet filter TEST term ALLOW_ALL_TRAFFIC then accept
2. Apply this filter on INPUT direction on the external reth interface:
    set interfaces [RETH_INTERFACE] unit [LOGICAL_UNIT] family inet filter input TEST
3. Commit the configuration. You can use "commit confirm 3" so that if there are any problems, the configuration changes will be reverted after 3 minutes.
4. During the 3 minutes of the "commit confirm", try to send data from the affected host and verify the counter with the following command:
> show firewall
An output similar to the following one will show:
    Filter: TEST
    Counters:
    Name                     Bytes        Packets
    INCOMING_TRAFFIC             0              0
Pura Vida from Costa Rica - Mark as Resolved if it applies. Kudos are appreciated too!
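As an added example (not from the thread above), a small Python helper that builds the counting filter from the answer with validated addresses, parses the "show firewall" output and turns the INCOMING_TRAFFIC counter into the conclusion the procedure is after: zero packets means the affected IP's traffic never reaches the SRX, non-zero means it does and the problem lies in the SRX's own policy or NAT handling. The sample output, IPs, interface name and function names are constructed assumptions, not values from the thread.

```python
import ipaddress
import re

# Constructed sample of "show firewall" output after the affected host sent traffic.
SAMPLE_SHOW_FIREWALL = """\
Filter: TEST
Counters:
Name                                                Bytes              Packets
INCOMING_TRAFFIC                                     3120                   52
"""


def filter_config(filter_name, counter_name, affected_ip, srx_public_ip, reth_if, unit):
    """Return the Junos set commands from the answer, with both IPs validated so a
    typo does not silently produce a filter that counts nothing."""
    src = ipaddress.ip_address(affected_ip)      # raises ValueError on a malformed address
    dst = ipaddress.ip_address(srx_public_ip)
    base = f"set firewall family inet filter {filter_name}"
    return [
        f"{base} term COUNTER from source-address {src}/32",
        f"{base} term COUNTER from destination-address {dst}/32",
        f"{base} term COUNTER then count {counter_name}",
        f"{base} term COUNTER then accept",
        f"{base} term ALLOW_ALL_TRAFFIC then accept",
        f"set interfaces {reth_if} unit {unit} family inet filter input {filter_name}",
    ]


def parse_show_firewall(text):
    """Parse 'show firewall' output into {filter_name: {counter_name: (bytes, packets)}}."""
    counters, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Filter:\s+(\S+)", line)
        if m:
            current = m.group(1)
            counters[current] = {}
            continue
        m = re.match(r"(\S+)\s+(\d+)\s+(\d+)\s*$", line)   # counter rows only; header has no digits
        if m and current is not None:
            counters[current][m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return counters


def diagnose(text, filter_name="TEST", counter_name="INCOMING_TRAFFIC"):
    """Map the counter value to the conclusion the counting filter is meant to give."""
    _, packets = parse_show_firewall(text).get(filter_name, {}).get(counter_name, (0, 0))
    if packets == 0:
        return "no packets from the affected IP reached the SRX; the drop is upstream of the firewall"
    return f"{packets} packets reached the SRX; check the security policy and NAT rules for the WACs"
```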