SRX Services Gateway

SRX as firewall

10-06-2013 08:00 AM

Hi All,

I have not really used the SRX as a standalone firewall yet and I am trying to figure out how to set it up and forward traffic in order to access a webserver behind it. I have the following config setup:


security {
    nat {
        destination {
            pool WEBSERVER {
                address PrivateIP/32;
            }
            rule-set NatRule {
                from zone untrust;
                rule 1 {
                    match {
                        destination-address PublicIP/32;
                        destination-port 80;
                    }
                    then {
                        destination-nat pool WEBSERVER;
                    }
                }
                rule 2 {
                    match {
                        destination-address PublicIP/32;
                        destination-port 443;
                    }
                    then {
                        destination-nat pool WEBSERVER;
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy WEBACCESS {
                match {
                    source-address any;
                    destination-address WEBADDRESS;
                    application [ junos-http junos-https ];
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            tcp-rst;
            address-book {
                address WEBADDRESS PrivateIP/32;
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    http;
                    https;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
}


Is there something I am missing with this setup?

Any advice would be great, thanks.
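An added note and example, not part of the original post. The posted config is sufficient for transit traffic to the webserver, but one statement in it does something other than what its position suggests: host-inbound-traffic system-services http and https on the untrust zone has no effect on traffic to the webserver. That statement only controls which services the SRX itself accepts on the zone's interfaces, so destination-NATed sessions to the webserver pass without it, while leaving it in place allows connections from the untrust side to the SRX's own web management (J-Web) whenever system services web-management is enabled. The commands below remove those two lines and then list the operational-mode commands for checking each stage of the forwarding path: the NAT pool and rule hits, the policy definition, and the session table with its In and Out wings. PrivateIP and PublicIP are the poster's placeholders and are not used here.

```junos
# configuration mode: remove the needless exposure of the SRX's own HTTP/HTTPS services
delete security zones security-zone untrust host-inbound-traffic system-services http
delete security zones security-zone untrust host-inbound-traffic system-services https
commit

# operational mode: walk the forwarding path for an inbound web request
# 1. the pool the rules translate to
show security nat destination pool all
# 2. per-rule translation hit counters (rule 1 = port 80, rule 2 = port 443)
show security nat destination rule all
# 3. the policy that must match the translated (private) destination
show security policies policy-name WEBACCESS detail
# 4. live sessions: the In wing shows the request, the Out wing the server's reply
show security flow session destination-port 80
```

If the rule counters increase and the session appears but its Out wing stays at zero packets, the SRX has done its part and the server's reply is leaving by some other path.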

8 REPLIES

Re: SRX as firewall

10-06-2013 10:16 PM

Hi Talia,

I believe the basic config to make this setup work is there.

Are you facing any issues with this config?

-Sarab


Re: SRX as firewall

10-07-2013 02:47 AM

Thanks Sarab,

My setup involves a webserver behind the firewall. While I can see packets being translated and forwarded through the right port (using show security flow session), I don't see anything coming back from the webserver. If I try to access the domain that is redirected to the interface, I only get a timeout message or the page is unable to load. I can access the webserver through a public IP (no firewall) or locally and it works fine, but when I try to access it through NAT it won't load, which made me think maybe there was something wrong with my setup.

Thanks for your reply and for confirming it is fine. I will look into the webserver (Apache) and see if I can find the issue.

Cheers.

Talia
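The symptom described in this reply (translated packets leaving towards the server, nothing coming back) can be read directly off the SRX session table: every session has an In wing and an Out wing, each with its own packet counter, and a session whose Out wing stays at zero packets means the server's reply never re-entered the SRX, which is what happens when the server routes its reply through a different gateway. The script below is an added example, not part of this thread: it parses text in the shape of 'show security flow session' output and lists such one-way sessions. The sample text and its addresses are constructed, and the line format is an approximation of real SRX output, so the regular expressions may need adjusting for a particular Junos release.

```python
"""Flag SRX flow sessions whose return (Out) wing never carries packets.

Added example, not from the original thread. Input is text shaped like the
output of 'show security flow session'; the format is approximated and the
SAMPLE below is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Header line of one session entry, e.g.
# "Session ID: 20031, Policy name: WEBACCESS/5, Timeout: 2, Valid"
SESSION_RE = re.compile(r"^Session ID: (\d+), Policy name: (\S+),")
# One wing of a session, e.g.
# "  In: 203.0.113.25/51514 --> 198.51.100.10/80;tcp, If: ge-0/0/0.0, Pkts: 3, Bytes: 180"
WING_RE = re.compile(
    r"^\s*(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: (\S+), Pkts: (\d+), Bytes: (\d+)"
)

# Constructed sample: session 20031 is a destination-NATed HTTP request the
# server never answered through the SRX (In wing shows the public address,
# Out wing the translated private one); session 20032 is a healthy outbound session.
SAMPLE = """\
Session ID: 20031, Policy name: WEBACCESS/5, Timeout: 2, Valid
  In: 203.0.113.25/51514 --> 198.51.100.10/80;tcp, If: ge-0/0/0.0, Pkts: 3, Bytes: 180
  Out: 10.0.0.10/80 --> 203.0.113.25/51514;tcp, If: ge-0/0/1.0, Pkts: 0, Bytes: 0
Session ID: 20032, Policy name: default-permit/4, Timeout: 1780, Valid
  In: 10.0.0.50/40022 --> 192.0.2.7/443;tcp, If: ge-0/0/1.0, Pkts: 12, Bytes: 2200
  Out: 192.0.2.7/443 --> 10.0.0.50/40022;tcp, If: ge-0/0/0.0, Pkts: 11, Bytes: 7600
Total sessions: 2
"""


@dataclass
class Session:
    session_id: int
    policy: str
    client: str      # source of the In wing (the remote client)
    server: str      # source of the Out wing (post-NAT server address)
    port: int        # destination port of the In wing
    in_pkts: int
    out_pkts: int


def parse_sessions(text: str) -> list[Session]:
    """Build one Session per entry that has both an In and an Out wing."""
    sessions: list[Session] = []
    header: tuple[int, str] | None = None
    wings: dict[str, tuple[str, ...]] = {}
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            header = (int(m.group(1)), m.group(2))
            wings = {}
            continue
        w = WING_RE.match(line)
        if w and header is not None:
            wings[w.group(1)] = w.groups()
            if "In" in wings and "Out" in wings:
                i, o = wings["In"], wings["Out"]
                sessions.append(Session(
                    session_id=header[0], policy=header[1],
                    client=i[1], server=o[1], port=int(i[4]),
                    in_pkts=int(i[7]), out_pkts=int(o[7]),
                ))
                header = None
    return sessions


def one_way_sessions(sessions: list[Session]) -> list[Session]:
    """Sessions that received packets but never saw a reply through the SRX."""
    return [s for s in sessions if s.in_pkts > 0 and s.out_pkts == 0]


def report(text: str) -> list[str]:
    """Human-readable findings, one line per one-way session."""
    return [
        f"session {s.session_id} ({s.policy}): {s.client} -> {s.server}:{s.port} "
        f"received {s.in_pkts} pkt(s), 0 returned; check the server's route back to {s.client}"
        for s in one_way_sessions(parse_sessions(text))
    ]


if __name__ == "__main__":
    for line in report(SAMPLE) or ["no one-way sessions found"]:
        print(line)
```

On a real box, paste the output of show security flow session destination-port 80 in place of SAMPLE; a one-way session points at the server's routing (default gateway or a missing static route back to the client networks) rather than at the NAT or policy configuration.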


Re: SRX as firewall

10-07-2013 02:58 AM

Does the server have two NICs, one with a public IP and the other with a private IP connected to the Juniper FW?

Re: SRX as firewall

12-17-2013 11:16 PM

Hello,

Try this:

set security nat destination pool WEBSERVER_http address PrivateIP/32 port 80
set security nat destination pool WEBSERVER_https address PrivateIP/32 port 443

set security nat destination rule-set NatRule from zone untrust
set security nat destination rule-set NatRule rule 1 match destination-address PublicIP/32
set security nat destination rule-set NatRule rule 1 match destination-port 80
set security nat destination rule-set NatRule rule 1 then destination-nat pool WEBSERVER_http
set security nat destination rule-set NatRule rule 2 match destination-address PublicIP/32
set security nat destination rule-set NatRule rule 2 match destination-port 443
set security nat destination rule-set NatRule rule 2 then destination-nat pool WEBSERVER_https

Let me know how it goes.

Regards,

Luis Sandi


Re: SRX as firewall

12-18-2013 12:33 AM

Hi

Your issue is not in the SRX config, because your webserver is replying to the requests via another route (using the public IP interface), as it seems your default GW is connected through the public interface. So you need to think about how to route your return traffic: by configuring static routes if your external source IPs for this service are limited, or by configuring the default gateway to be your SRX.

Regards

Red1

-------------
Red1
JNCIE-SEC #158, JNCIP-SP, JNCIS- ( FWV, SA, AC )


Re: SRX as firewall

12-18-2013 07:37 AM

You can't have two network cards with two gateways.

It sounds like the traffic is coming in, hitting the webserver, and then can't get back out because it's trying to route out from the other gateway.


Re: SRX as firewall

12-18-2013 08:24 AM

Hi, thanks for the reply. Yeah, you were right: rookie mistake, with the wrong default gateway assigned on the webserver side. It is all working fine now.


Re: SRX as firewall

12-19-2013 11:35 AM

Also, one of my customers faced the same situation; the default gateway gives the solution.

JMD