SRX Services Gateway

SRX_Remote_Access_To_WACs

08-06-2018 01:09 AM

Hello Team,

This is with regards to remote access to WACs, which is not happening from specific IPs; below is a brief explanation of the same.

This installation is for a hospitality group and they have specific IPs from which they need to reach one specific server & WACs, and the issue is that they are able to access the server but not the WACs.

The specific IPs have already been added to come in, i.e. from untrust to trust, and as mentioned they are able to reach the Server but not the WACs. On the other hand, my office subnet has also been added to the same rule and I am able to access both the Server and the WACs.

1st rule: My office subnet and other subnets like NOC to access all the other devices that should be accessible only from my office subnet and other NOC subnets (Server & WACs not included).

2nd rule: My office subnet and the hospitality-specific IPs to access the Server and WACs.

Regards

shaan


Re: SRX_Remote_Access_To_WACs

08-06-2018 08:56 AM

Hi,

Can you confirm the creation of a session in the SRX when trying to reach the WACs and when reaching the server?

   > show security flow session destination-prefix [WACs_IP_ADDRESSES]

Also please let us know the NAT configuration in place for allowing these communications.

Pura Vida from Costa Rica - Mark as Resolved if it applies.
Kudos are appreciated too!

Re: SRX_Remote_Access_To_WACs

08-07-2018 04:00 AM

Hi,

I am not seeing any sessions created when I am trying to access the WACs, but I do see the sessions for the Server. Also, just to let you know, this is happening only for the specific IP when trying to access the WACs; when accessing from my office network I am able to access both.

NAT configuration for the WACs is static with port forwarding, and for the server one public IP without port forwarding.

Regards

Shaan


Re: SRX_Remote_Access_To_WACs

08-07-2018 11:54 AM

Hi all,

Any insights please

Regards
Shaan

Re: SRX_Remote_Access_To_WACs

08-07-2018 12:53 PM

Hi Shaan,

If the session is not getting created I would verify 2 things:

+ Are the packets reaching the SRX? You can confirm this by applying a firewall filter with a counter that will increase any time a packet from the affected IP address reaches the firewall:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB21872&actp=METADATA

+ Determine the reason why the SRX is not creating the session and dropping the packets instead. This can be verified with flow traceoptions using the "basic-datapath" flag:

Example config:

   user@srx# show security flow
   traceoptions {
       file FILE;
       flag basic-datapath;
       packet-filter PF1 {
           source-prefix [IP_ADDRESS_OF_AFFECTED_DEVICE]/32;
           destination-prefix [SRX's_PUBLIC_IP]/32;
       }
   }

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB16233&actp=METADATA&act=login

https://kb.juniper.net/InfoCenter/index?page=content&id=KB16108

Pura Vida from Costa Rica - Mark as Resolved if it applies.
Kudos are appreciated too!

Re: SRX_Remote_Access_To_WACs

08-08-2018 04:49 AM

Hello,

I tried configuring the filter option but I guess I did it wrong and the network came down.

What I did was apply the filter on the outside interface connecting to the ISP. Also, I forgot to mention my SRXs are in an HA setup.

Any other methods or troubleshooting I can do where I don't have the network getting affected?

Regards

Shaan


Re: SRX_Remote_Access_To_WACs

08-08-2018 03:49 PM

Shaan,

Can you share the configuration of the filter? It should not bring down your network.

Pura Vida from Costa Rica - Mark as Resolved if it applies.
Kudos are appreciated too!

Re: SRX_Remote_Access_To_WACs

08-08-2018 04:00 PM

The counter configuration should be similar to this one:

1. Create a filter that will count the traffic from the affected IP if it reaches the SRX. The same filter will allow all traffic that is not coming from the affected IP:

   set firewall family inet filter TEST term COUNTER from source-address [PUBLIC_IP_OF_AFFECTED_DEVICE]
   set firewall family inet filter TEST term COUNTER from destination-address [SRX's_PUBLIC_IP]
   set firewall family inet filter TEST term COUNTER then count INCOMING_TRAFFIC
   set firewall family inet filter TEST term COUNTER then accept
   set firewall family inet filter TEST term ALLOW_ALL_TRAFFIC then accept

2. Apply this filter in the INPUT direction on the external reth interface:

   set interfaces [RETH_INTERFACE] unit [LOGICAL_UNIT] family inet filter input TEST

3. Commit the configuration. You can use "commit confirm 3" so that if there are any problems, the configuration changes will be reverted after 3 minutes.

4. During the 3 minutes of the "commit confirm", try to send data from the affected host and verify the counter with the following command:

   > show firewall

An output similar to the following one will show:

   Filter: TEST
   Counters:
   Name                 Bytes       Packets
   INCOMING_TRAFFIC         0             0

Pura Vida from Costa Rica - Mark as Resolved if it applies.
Kudos are appreciated too!
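As an added example that is not part of the thread, the following Python helper applies the triage the replies above describe in one place: it parses constructed samples of "show firewall" counter output taken before and after the test traffic and of "show security flow session" output, then reports whether the affected host's packets never reach the SRX, reach it but are dropped before a session is created (the case for flow traceoptions), or produce a session. The filter and counter names match the posted config; the addresses, session text and counter values are constructed, not real captures.

```python
import re

# Constructed "show firewall" output, before and after sending test traffic.
FW_BEFORE = """\
Filter: TEST
Counters:
Name                 Bytes       Packets
INCOMING_TRAFFIC         0             0
"""
FW_AFTER = """\
Filter: TEST
Counters:
Name                 Bytes       Packets
INCOMING_TRAFFIC      3120            52
"""
# Constructed "show security flow session destination-prefix ..." samples
# (documentation address ranges, not real hosts).
SESSIONS_NONE = "Total sessions: 0\n"
SESSIONS_ONE = """\
Session ID: 12345, Policy name: HOSP_TO_WACS/5, Timeout: 1794, Valid
  In: 203.0.113.10/51234 --> 198.51.100.5/443;tcp, If: reth0.0, Pkts: 7, Bytes: 1012
  Out: 10.10.10.20/443 --> 203.0.113.10/51234;tcp, If: reth1.0, Pkts: 5, Bytes: 2230
Total sessions: 1
"""

def parse_counters(text):
    """Map {filter_name: {counter_name: (bytes, packets)}} from 'show firewall' text."""
    filters, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Filter:\s+(\S+)", line)
        if m:
            current = m.group(1)
            filters[current] = {}
            continue
        m = re.match(r"(\S+)\s+(\d+)\s+(\d+)\s*$", line)   # "<name> <bytes> <packets>"
        if m and current is not None:
            filters[current][m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return filters

def session_count(text):
    """Number of matching sessions reported by 'show security flow session'."""
    m = re.search(r"Total sessions:\s+(\d+)", text)
    return int(m.group(1)) if m else 0

def triage(fw_before, fw_after, sessions, flt="TEST", ctr="INCOMING_TRAFFIC"):
    """Decide where the affected host's traffic is lost, per the thread's two checks."""
    pkts_before = parse_counters(fw_before)[flt][ctr][1]
    pkts_after = parse_counters(fw_after)[flt][ctr][1]
    if pkts_after <= pkts_before:
        return "not-reaching-srx"        # look upstream (ISP/routing), not at policy
    if session_count(sessions) == 0:
        return "dropped-before-session"  # next step: flow traceoptions basic-datapath
    return "session-created"             # SRX forwards it; check NAT/server side
```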