SRX


Trouble creating publishing rules

  • 1.  Trouble creating publishing rules

    Posted 01-26-2011 20:55

    Hi,

     

    I'm new to using Juniper devices and must say I do love the amount of documentation available, but currently I am having an issue trying to figure out how to create a publishing rule. I use ISA/TMG on the back-end and am planning to use a pair of SRX240s on the front-end. I've looked at both Destination NAT and the Firewall Wizard but am unable to get the traffic to go through the Juniper and to the TMG servers that are publishing the web sites. My current configuration is attached; any help or pointing me in the right direction would be very appreciated. Thanks,

     

    ## Last changed: 2011-01-26 22:42:59 UTC
    version 10.4R1.9;
    groups {
        node0 {
            system {
                host-name HOUTXGW1;
            }
            interfaces {
                fxp0 {
                    unit 0 {
                        family inet {
                            address 192.168.1.1/24;
                        }
                    }
                }
            }
        }
        node1 {
            system {
                host-name HOUTXGW2;
            }
            interfaces {
                fxp0 {
                    unit 0 {
                        family inet {
                            address 192.168.1.2/24;
                        }
                    }
                }
            }
        }
    }
    apply-groups "${node}";
    system {
        root-authentication {
            encrypted-password "$1$XerblLjy$NGsYkErHAIXaodkJEV.Ai.";
        }
        name-server {
            x.x.x.x;
            x.x.x.x;
        }
        services {
            ssh;
            web-management {
                http {
                    interface [ fxp0.0 reth0.0 ];
                }
                https {
                    system-generated-certificate;
                    interface [ fxp0.0 reth0.0 ];
                }
            }
        }
    }
    chassis {
        cluster {
            control-link-recovery;
            reth-count 2;
            node 0;
            node 1;
            redundancy-group 0 {
                node 0 priority 100;
                node 1 priority 1;
            }
            redundancy-group 1 {
                node 0 priority 100;
                node 1 priority 1;
                preempt;
                interface-monitor {
                    ge-0/0/3 weight 255;
                    ge-5/0/3 weight 255;
                    ge-0/0/4 weight 255;
                    ge-5/0/4 weight 255;
                }
            }
        }
    }
    interfaces {
        ge-0/0/3 {
            gigether-options {
                redundant-parent reth0;
            }
        }
        ge-0/0/4 {
            gigether-options {
                redundant-parent reth1;
            }
        }
        ge-5/0/3 {
            gigether-options {
                redundant-parent reth0;
            }
        }
        ge-5/0/4 {
            gigether-options {
                redundant-parent reth1;
            }
        }
        fab0 {
            fabric-options {
                member-interfaces {
                    ge-0/0/2;
                }
            }
        }
        fab1 {
            fabric-options {
                member-interfaces {
                    ge-5/0/2;
                }
            }
        }
        reth0 {
            redundant-ether-options {
                redundancy-group 1;
            }
            unit 0 {
                family inet {
                    address x.x.x.x/24;
                }
            }
        }
        reth1 {
            redundant-ether-options {
                redundancy-group 1;
            }
            unit 0 {
                family inet {
                    address x.x.x.x/29;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop x.x.x.x;
        }
    }
    security {
        nat {
            source {
                rule-set interface-nat {
                    from zone trust;
                    to zone untrust;
                    rule rule1 {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        zones {
            security-zone trust {
                interfaces {
                    reth0.0;
                }
            }
            security-zone untrust {
                interfaces {
                    reth1.0;
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy permit-all {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
    }



  • 2.  RE: Trouble creating publishing rules

    Posted 01-26-2011 21:17


  • 3.  RE: Trouble creating publishing rules

    Posted 01-26-2011 21:40

    I am assuming you have a server in private IP space that needs to be reachable from public IP space. For that you would need either static NAT or destination NAT, depending on whether you need traffic to be NATed bi-directionally or not. The app note you point to is definitely the right document for you.

     

    -Richard



  • 4.  RE: Trouble creating publishing rules

    Posted 01-26-2011 23:31

    Hi, Thanks for the reply.

     

    Yes the servers are in a private IP space, I've tried destination nat but have had no luck so far. I added the below:

     

    I'm wondering if I am missing something, as I've removed ISA/TMG from the mix and just tossed up a temporary IIS server, and it never gets there. Also, web management isn't working on reth0.0 for http or https. I'm thinking I am missing something for trust communication, maybe? The output I put in my first post is my full config; I did a cli, configure, delete before I started the HA config. It looked like I was going to have to delete most of it, so I just deleted all of it (maybe creating problems?).

     

            destination {
                pool dnat-pool-http {
                    address x.x.x.x/32 port 80;
                }
                rule-set dst-nat {
                    from interface reth1.0;
                    rule http-forwarding {
                        match {
                            destination-address x.x.x.x/32;
                            destination-port 80;
                        }
                        then {
                            destination-nat pool dnat-pool-http;
                        }
                    }
                }
            }
        }



  • 5.  RE: Trouble creating publishing rules

    Posted 01-27-2011 07:54

    On your trust security zone you don't have http or https allowed and since reth0.0 is a part of that zone you wouldn't be able to web manage.

     

    E.G.

     

    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    https;
                    http;
                }
            }
            interfaces {
                reth0.0;
            }
        }
    }

     

    You can also specify your host-inbound-traffic system-services under the actual interface in the zone if you don't want to be able to do this on your other interfaces in trust, but it looks like you only have reth0.0, so you should be good.

     

    Also, under NAT you don't have proxy ARP configured, so if the address you are destination NAT-ting (is that a word?) on isn't the actual interface address of the SRX, it won't work.

     

    E.G.

     

    proxy-arp {
        interface reth1.0 {
            address {
                X.X.X.X/32;  <- Address used that isn't the SRX interface.
            }
        }
    }



  • 6.  RE: Trouble creating publishing rules

    Posted 01-28-2011 08:22

    I thought it might have had something to do with host-inbound-traffic; looking at the default configuration, it allows all services from trust to trust.

     

    When you set up proxy ARP, is it better to give the untrusted interface, say, 192.168.1.1 and then say 192.168.1.2 is listening for http or https inbound?

     

    I wasn't too sure about setting up proxy ARP, as I read somewhere it was only needed when the interface IP is different from the one being used to listen for requests.

     

    I could have been wrong, or I didn't understand, lol. I've had these devices for about 2 to 3 months and just turned them on for the first time a few days ago, so my learning curve is pretty sharp.

     

    Thanks for your help; I'm going to read into host-inbound-traffic and proxy ARP again. What I'd really like to see are some examples of other folks' configurations.



  • 7.  RE: Trouble creating publishing rules

    Posted 01-28-2011 09:26

    When you set up proxy ARP, is it better to give the untrusted interface, say, 192.168.1.1 and then say 192.168.1.2 is listening for http or https inbound?

     

    Proxy ARP isn't related to host-inbound-traffic; that's just there, and it's the IP of the box. Proxy ARP would be for when you are using destination NAT to host, say, web servers or Exchange servers with different DNS records than that of the SRX.



  • 8.  RE: Trouble creating publishing rules

    Posted 01-28-2011 08:35

    I hope you are placing ISA/TMG in the trust zone ...

     

    and want to redirect all trust traffic going to untrust to ISA/TMG ...

     

    if so ...

     

    Just use destination NAT (as you mentioned) ... however, I see only one change in your config ...

     

    destination {
        pool dnat-pool-http {
            address x.x.x.x/32 port 80;
        }
        rule-set dst-nat {
            from interface reth1.0;
            rule http-forwarding {
                match {
                    destination-address 0.0.0.0/0;
                    destination-port 80;
                }
                then {
                    destination-nat pool dnat-pool-http;
                }
            }
        }
    }

    Regards

     



  • 9.  RE: Trouble creating publishing rules

    Posted 01-28-2011 09:27

    I had my public address where you suggest 0.0.0.0/0; I'll give that a shot. So is proxy ARP not needed, or do I have to add that as well?

     

    0.0.0.0/0 is stating any traffic that hits the untrust zone for port 80 will forward to that internal IP, and yes TMG is in trust with a private IP and then it's connected to the internal network.



  • 10.  RE: Trouble creating publishing rules

    Posted 01-28-2011 10:22

    1. Yes, 0.0.0.0/0 will direct all port 80 requests to your ISA ... I understood your scenario now ... 🙂

     

    2. /32 is your public IP address, so if you use it in DNAT you should configure proxy ARP.

     

    3. So I think the final NAT script should be:

     

    [ DIRECT PUB ADDRESS 80 REQUESTS TO ISA  ]

    set security nat destination pool dnat-pool-http address <ISA-IP>/32 port 80

    set security nat destination rule-set dst-nat from zone untrust

    set security nat destination rule-set dst-nat rule http-forwarding match destination-address <PUB-IP>/32

    set security nat destination rule-set dst-nat rule http-forwarding match destination-port 80

    set security nat destination rule-set dst-nat rule http-forwarding then destination-nat pool dnat-pool-http

     

    [ HIDE INTERNET IP FROM ISA ]

    set security nat source rule-set src-nat from zone untrust

    set security nat source rule-set src-nat to zone trust

    set security nat source rule-set src-nat rule http-forwarding match destination-address <ISA-IP>/32

    set security nat source rule-set src-nat rule http-forwarding then source-nat interface

     

    [ PROXY ARP ]

    set security nat proxy-arp interface reth1.0 address <PUB-IP>

     

    Regards

     

     

     



  • 11.  RE: Trouble creating publishing rules

    Posted 01-28-2011 21:44

    I still can't get them to work. I have tried creating FW policies as well, and I've added back in the syslog and screen config from the default configuration. I've got web management working from the trust zone after enabling all services and protocols on trust. Untrust has DHCP and TFTP enabled by default (I have a bank of static IPs so I shouldn't need DHCP, and TFTP I have no idea why they would enable that). Looking at what I have so far, is there anything that would stop traffic in a policy or destination/source NAT to a specific IP in the trust zone? Thanks for all the help so far, slowly but surely lol

     

    ## Last changed: 2011-01-28 23:12:36 UTC
    version 10.4R1.9;
    groups {
        node0 {
            system {
                host-name HOUTXGW1;
            }
            interfaces {
                fxp0 {
                    unit 0 {
                        family inet {
                            address 192.168.1.1/24;
                        }
                    }
                }
            }
        }
        node1 {
            system {
                host-name HOUTXGW2;
            }
            interfaces {
                fxp0 {
                    unit 0 {
                        family inet {
                            address 192.168.1.2/24;
                        }
                    }
                }
            }
        }
    }
    apply-groups "${node}";
    system {
        root-authentication {
            encrypted-password "$1$XerblLjy$NGsYkErHAIXaodkJEV.Ai.";
        }
        name-server {
            <my isp dns servers>;
            <my isp dns servers>;
        }
        services {
            ssh;
            web-management {
                http {
                    interface [ fxp0.0 reth0.0 ];
                }
                https {
                    system-generated-certificate;
                    interface [ fxp0.0 reth0.0 ];
                }
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    chassis {
        cluster {
            control-link-recovery;
            reth-count 2;
            node 0;
            node 1;
            redundancy-group 0 {
                node 0 priority 100;
                node 1 priority 1;
            }
            redundancy-group 1 {
                node 0 priority 100;
                node 1 priority 1;
                preempt;
                interface-monitor {
                    ge-0/0/3 weight 255;
                    ge-5/0/3 weight 255;
                    ge-0/0/4 weight 255;
                    ge-5/0/4 weight 255;
                }
            }
        }
    }
    interfaces {
        ge-0/0/3 {
            gigether-options {
                redundant-parent reth0;
            }
        }
        ge-0/0/4 {
            gigether-options {
                redundant-parent reth1;
            }
        }
        ge-5/0/3 {
            gigether-options {
                redundant-parent reth0;
            }
        }
        ge-5/0/4 {
            gigether-options {
                redundant-parent reth1;
            }
        }
        fab0 {
            fabric-options {
                member-interfaces {
                    ge-0/0/2;
                }
            }
        }
        fab1 {
            fabric-options {
                member-interfaces {
                    ge-5/0/2;
                }
            }
        }
        reth0 {
            redundant-ether-options {
                redundancy-group 1;
            }
            unit 0 {
                family inet {
                    address 192.168.11.1/24;
                }
            }
        }
        reth1 {
            redundant-ether-options {
                redundancy-group 1;
            }
            unit 0 {
                family inet {
                    address <my isp ip>/29;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop <my isp next hop>;
        }
    }
    security {
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    reth0.0;
                }
            }
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    reth1.0;
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
    }



  • 12.  RE: Trouble creating publishing rules

    Posted 01-28-2011 21:58

    I found this thread

     

    http://communities.juniper.net/t5/ScreenOS-Firewalls-NOT-SRX/SSG-140-Port-forwarding-from-untrust-to-trust-for-rsyncd-873/m-p/38688

     

    It says that you need to use a VIP when your untrust address is your internet address; there is no sign of whether it was resolved or not.



  • 13.  RE: Trouble creating publishing rules

    Posted 01-28-2011 22:12

    Made another change: on reth1.0 I assigned the first IP out of my static IP bank from my ISP. I'm thinking you don't use that IP for anything, and then you can set up proxy ARP for the other IPs and create rules to forward traffic? Need more coffee and time lol, I think I'm slowly starting to understand.



  • 14.  RE: Trouble creating publishing rules
    Best Answer

    Posted 01-28-2011 22:40

    1. If you have only 1 public IP, assign it to the untrust intf, and no proxy-arp is required.

         Just direct all tfc coming in on the phy intf (port 80) to the ISA's IP ... using DNAT (as DNAT is applied before the route / fwd lookup).

     

    2. If you have more than 1 IP ...

         Assign 1 to the phy intf

         Assign 2 to a virtual intf (configured through proxy arp)

         Now, fwd all incoming traffic on the virtual intf (port 80) to the ISA's IP ... using DNAT

     

    Regards
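    An added example, not from the thread or from Juniper: a small Python checker for the set-command form used in the script above (post 10), applying the two rules this thread converges on. A /32 DNAT match address that is not the untrust interface's own address needs a proxy-arp entry (posts 5 and 14; a 0.0.0.0/0 match, the single-IP case, needs none), and because DNAT only rewrites the destination, a security policy from the untrust zone into the zone that holds the NAT target must still permit the session. Interface, pool and rule names follow the thread; the addresses are constructed placeholders.

```python
import ipaddress
from collections import defaultdict

def parse_set_config(lines):
    """Collect the parts of a 'set ...' SRX config that a DNAT publishing rule depends on."""
    c = {"ifaces": {}, "zone_of": {}, "pools": {}, "rules": defaultdict(dict),
         "rs_from": {}, "proxy_arp": defaultdict(set), "permits": set()}
    for t in (l.split()[1:] for l in lines if l.startswith("set ")):
        if t[0] == "interfaces" and "address" in t:                 # reth1 unit 0 -> reth1.0
            c["ifaces"][f"{t[1]}.{t[3]}"] = ipaddress.ip_interface(t[-1])
        elif t[:3] == ["security", "zones", "security-zone"] and t[4:5] == ["interfaces"]:
            c["zone_of"][t[5]] = t[3]
        elif t[:4] == ["security", "nat", "destination", "pool"]:
            c["pools"][t[4]] = ipaddress.ip_interface(t[6]).ip
        elif t[:4] == ["security", "nat", "destination", "rule-set"]:
            if t[5] == "from":                                       # ("zone"|"interface", name)
                c["rs_from"][t[4]] = (t[6], t[7])
            elif t[7:9] == ["match", "destination-address"]:
                c["rules"][(t[4], t[6])]["dst"] = ipaddress.ip_network(t[9])
            elif t[7:10] == ["then", "destination-nat", "pool"]:
                c["rules"][(t[4], t[6])]["pool"] = t[10]
        elif t[:4] == ["security", "nat", "proxy-arp", "interface"]:
            c["proxy_arp"][t[4]].add(ipaddress.ip_interface(t[6]).ip)
        elif t[:3] == ["security", "policies", "from-zone"] and t[-1] == "permit":
            c["permits"].add((t[3], t[5]))
    return c

def check_publishing(lines):
    """Return findings for each destination-NAT rule; an empty list means the path is coherent."""
    c = parse_set_config(lines)
    findings = []
    for (rs, name), rule in c["rules"].items():
        kind, frm = c["rs_from"].get(rs, (None, None))
        from_zone = frm if kind == "zone" else c["zone_of"].get(frm)
        ifls = [i for i, z in c["zone_of"].items() if z == from_zone]
        # Addresses answered on the ingress interfaces: their own IPs plus proxy-arp entries.
        answered = {c["ifaces"][i].ip for i in ifls if i in c["ifaces"]}
        answered |= set().union(*(c["proxy_arp"][i] for i in ifls))
        dst = rule.get("dst")
        if dst is not None and dst.prefixlen == 32 and dst.network_address not in answered:
            findings.append(f"{rs}/{name}: {dst.network_address} is not an address of {ifls} and has no proxy-arp entry")
        # DNAT only rewrites the header; the session still needs a policy into the target's zone.
        pool_ip = c["pools"].get(rule.get("pool"))
        to_zone = next((c["zone_of"].get(i) for i, a in c["ifaces"].items()
                        if pool_ip is not None and pool_ip in a.network), None)
        if from_zone and to_zone and (from_zone, to_zone) not in c["permits"]:
            findings.append(f"{rs}/{name}: no permit policy from-zone {from_zone} to-zone {to_zone} for {pool_ip}")
    return findings

# Constructed sample in the shape of the thread's final script (203.0.113.0/29 stands in for the ISP block).
PUBLISH = [
    "set interfaces reth0 unit 0 family inet address 192.168.11.1/24",
    "set interfaces reth1 unit 0 family inet address 203.0.113.10/29",
    "set security zones security-zone trust interfaces reth0.0",
    "set security zones security-zone untrust interfaces reth1.0",
    "set security nat destination pool dnat-pool-http address 192.168.11.5/32 port 80",
    "set security nat destination rule-set dst-nat from zone untrust",
    "set security nat destination rule-set dst-nat rule http-forwarding match destination-address 203.0.113.11/32",
    "set security nat destination rule-set dst-nat rule http-forwarding then destination-nat pool dnat-pool-http",
]
FIXES = [  # proxy-arp for the extra public IP (posts 5/10) plus the untrust-to-trust policy the session needs
    "set security nat proxy-arp interface reth1.0 address 203.0.113.11",
    "set security policies from-zone untrust to-zone trust policy inbound-web then permit",
]
```

    Running `check_publishing(PUBLISH)` reports both gaps; with `FIXES` appended it reports none, and a rule matching 0.0.0.0/0 on the interface's own address needs only the policy.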



  • 15.  RE: Trouble creating publishing rules

    Posted 01-28-2011 22:46

    It is working, woohoo! Thank you all for your help.


    #NAT
    #vpn