Screen OS

  • 1.  Restricting outbound smtp traffic on SSG5

    Posted 06-25-2009 12:41

    I am attempting to lock down what devices can send smtp traffic out through the firewall. Using the web interface, I created address objects for the servers I wanted to allow to send smtp traffic. I then created the Allow policy, which included the multiple objects as the trusted sources, and used ANY as the untrusted destination. I then created a policy to deny all smtp traffic from trusted to untrusted, and placed this rule beneath the above rule. The result was that only one server was allowed to send outbound smtp traffic: the one that had an inbound NAT and smtp policy set up for the mx record.

    There does not seem to be a problem restricting outbound traffic from trusted to untrusted, but for some reason I cannot allow smtp traffic from trust to untrust unless there is also an inverse policy and nat to allow it back in. Is this by design, or am I doing something wrong?

    Thanks,

    Ray.


    #policy
    #SMTP
    #NAT
    #25
    #restrict
    #Port


  • 2.  RE: Restricting outbound smtp traffic on SSG5

    Posted 06-26-2009 05:04
    Can you clarify what you mean by inbound nat? Are you referring to the "incoming nat" on DIP? If so, that only works with VoIP traffic. Can you provide the portion of your config that includes the policies and the VIP/MIP/DIP config?


  • 3.  RE: Restricting outbound smtp traffic on SSG5

    Posted 06-26-2009 05:51

    Inbound nat: I have a one-to-one nat from public 2.2.2.69 to private 192.168.100.18. I think I have included all of the config related to what I'm trying to do. The config the way it is shown only allows the smtp1 server to send smtp traffic outbound; all other smtp traffic, including sql1 and mail2, is blocked outbound.


    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone id 100 "Voice"
    set zone id 102 "QUEST ISP"
    set zone id 101 "MCI"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    set interface "ethernet0/0" zone "Untrust"
    set interface "ethernet0/1" zone "QUEST ISP"
    set interface ethernet0/0 ip 2.2.2.78/28
    set interface ethernet0/0 route
    set interface ethernet0/1 ip 3.3.3.126/28
    set interface ethernet0/1 route
    set interface "ethernet0/0" mip 2.2.2.69 host 192.168.100.18 netmask 255.255.255.255 vr "trust-vr"
    set address "Trust" "MAIL2" 192.168.100.12 255.255.255.255
    set address "Trust" "SMTP1" 192.168.100.18 255.255.255.255
    set address "Trust" "SQL1" 192.168.100.4 255.255.255.255
    exit
    set policy id 92 from "Trust" to "Untrust"  "MAIL2" "Any" "SMTP" permit log
    set policy id 92
    set src-address "SMTP1"
    set src-address "SQL1"
    exit
    set policy id 94 name "block all other smtp" from "Trust" to "Untrust"  "Any" "Any" "SMTP" deny log
    set policy id 94
    exit
    set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" nat src permit log count traffic
    set policy id 1
    exit
    set policy id 7 from "Untrust" to "Trust"  "Any" "MIP(2.2.2.69)" "SMTP" permit log traffic
    set policy id 7
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit


    Thanks,

    Ray


  • 4.  RE: Restricting outbound smtp traffic on SSG5

    Posted 06-27-2009 12:09

    Please run some debug commands:

    set ff src-ip X.X.X.X dst-ip Y.Y.Y.Y (X is IP of SQL1 and Y is IP of a public SMTP server)

    set ff src-ip Y.Y.Y.Y dst-ip X.X.X.X

    debug flow basic

    cl db

    -> try to access server

    undebug all

    get db str



  • 5.  RE: Restricting outbound smtp traffic on SSG5

    Posted 06-30-2009 05:43

    What do you mean in the debug by 'public smtp server'? I could test with a debug on mail2; it is an smtp server now, it sends mail directly out to the internet. So I would use that for the source, but what for the destination? Just a receiving mail server's public IP? And then try to send an email with the rule set listed above in effect, correct?

    Thanks,

    Ray.



  • 6.  RE: Restricting outbound smtp traffic on SSG5

    Posted 06-30-2009 06:08

    OK, disregard my last reply. I ran the debug; see below:


    NOTE:  1.1.1.1 is the private IP of MAIL2
           5.5.5.5 is the public IP of the smtp server the mail is being sent to.
           9.9.9.9 is the default gateway of the Juniper firewall


    ---------------------------------------------------------------------------------------------------
    Juniper-> set ff src-ip 1.1.1.1 dst-ip 5.5.5.5
    filter added
    Juniper-> set ff src-ip 5.5.5.5 dst-ip 1.1.1.1
    filter added
    Juniper-> debug flow basic
    Juniper-> cl db
    Juniper->
    Juniper->
    Juniper-> undebug all
    Juniper-> get db str
     
    ****** 7038963.0: <Trust/bgroup0> packet received [48]******
      ipid = 28540(6f7c), @02c69410
      packet passed sanity check.
      bgroup0:1.1.1.1/36551->5.5.5.5/25,6<Root>
      no session found
      flow_first_sanity_check: in <bgroup0>, out <N/A>
      chose interface bgroup0 as incoming nat if.
      flow_first_routing: in <bgroup0>, out <N/A>
      search route to (bgroup0, 1.1.1.1->5.5.5.5) in vr trust-vr for vsd-0/
    flag-0/ifp-null
    PBR lookup params: dst-ip: 5.5.5.5, src-ip: 1.1.1.1, dst-port: 25, src-
    port: 36551, protocol: 6, dscp: 0
    PBR: no route to (5.5.5.5) in vr trust-vr
      [ Dest] 12.route 5.5.5.5->9.9.9.9, to ethernet0/0
      routed (x_dst_ip 5.5.5.5) from bgroup0 (bgroup0 in 0) to ethernet0/0
      policy search from zone 2-> zone 1
     policy_flow_search  policy search nat_crt from zone 2-> zone 1
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 5.5.5.5, port 25, proto 6)
      No SW RPC rule match, search HW rule
      Permitted by policy 92
      No src xlate   choose interface ethernet0/0 as outgoing phy if
      no loop on ifp ethernet0/0.
      session application type 7, name SMTP, nas_id 0, timeout 1800sec
    ALG vector is not attached
      service lookup identified service 0.
      flow_first_final_check: in <bgroup0>, out <ethernet0/0>
      existing vector list 3-34f96f0.
      Session (id:3354) created for first pak 3
      flow_first_install_session======>
      route to 9.9.9.9
      arp entry found for 9.9.9.9
      nsp2 wing prepared, ready
      cache mac in the session
      make_nsp_ready_no_resolve()
      search route to (ethernet0/0, 5.5.5.5->1.1.1.1) in vr trust-vr for vs
    d-0/flag-3000/ifp-bgroup0
      [ Dest] 5.route 1.1.1.1->1.1.1.1, to bgroup0
      route to 1.1.1.1
      flow got session.
      flow session id 3354
      post addr xlation: 1.1.1.1->5.5.5.5.
     flow_send_vector_, vid = 0, is_layer2_if=0
      send packet to traffic shaping queue.
      flow_ip_send: 6f7c:1.1.1.1->5.5.5.5,6 => ethernet0/0(48) flag 0x20000
    , vlan 0
     pak has mac
      Send to ethernet0/0 (62)
    ****** 7038966.0: <Trust/bgroup0> packet received [48]******
      ipid = 28556(6f8c), @02ccd410
      packet passed sanity check.
      bgroup0:1.1.1.1/36551->5.5.5.5/25,6<Root>
      existing session found. sess token 4
      flow got session.
      flow session id 3354
      post addr xlation: 1.1.1.1->5.5.5.5.
     flow_send_vector_, vid = 0, is_layer2_if=0
      send packet to traffic shaping queue.
      flow_ip_send: 6f8c:1.1.1.1->5.5.5.5,6 => ethernet0/0(48) flag 0x20000
    , vlan 0
     pak has mac
      Send to ethernet0/0 (62)
    JUNIPER->
    -------------------------------------------------------------------------------------------------------

    I attempted to send three emails from MAIL2, none of them were allowed through.

    Ray.



  • 7.  RE: Restricting outbound smtp traffic on SSG5

    Posted 06-30-2009 06:58

    Set nat on policy 92 under the advanced options.

    At least according to your debug, that seems to be the problem:

      Permitted by policy 92
      No src xlate   choose interface ethernet0/0 as outgoing phy if



  • 8.  RE: Restricting outbound smtp traffic on SSG5

    Posted 06-30-2009 08:39

    Advanced settings for policy 92 has the 'Source Translation' box checked, and further over it states (DIP on) None (use Egress Interface IP).

    The 'Destination Translation' checkbox is not checked.


    Ray.



  • 9.  RE: Restricting outbound smtp traffic on SSG5
    Best Answer

    Posted 07-02-2009 09:13

    According to your config, nat is not enabled for that policy.

    set policy id 92 from "Trust" to "Untrust"  "MAIL2" "Any" "SMTP" permit log
    set policy id 92
    set src-address "SMTP1"
    set src-address "SQL1"
    exit

    I would create a new policy for smtp1 and remove it from policy 92. Since smtp1 already has a mip defined, it does not need to have nat enabled.
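The condition the thread converges on (a Trust-to-Untrust permit policy whose private sources have neither "nat src" on the policy nor a MIP, so the packet leaves with its private address and no reply can come back) can be checked mechanically. The script below is an added example written for this page, not Juniper code or anything posted in the thread. It parses a trimmed, constructed copy of the "set address", "set interface ... mip" and "set policy" lines from the config above, reports every permitted private source that would leave untranslated, and separately reads the decisive lines of a "debug flow basic" trace ("Permitted by policy N", the pre-NAT flow tuple and "post addr xlation") to confirm whether source translation happened. The regexes assume the single-line policy syntax shown in this thread; other ScreenOS policy forms are not handled.

```python
"""Lint a ScreenOS config and a 'debug flow basic' trace for outbound permit
policies whose private sources leave without source NAT."""
import ipaddress
import re

# Constructed sample: a trimmed copy of the config posted earlier in this thread.
SAMPLE_CONFIG = """
set interface "ethernet0/0" mip 2.2.2.69 host 192.168.100.18 netmask 255.255.255.255 vr "trust-vr"
set address "Trust" "MAIL2" 192.168.100.12 255.255.255.255
set address "Trust" "SMTP1" 192.168.100.18 255.255.255.255
set address "Trust" "SQL1" 192.168.100.4 255.255.255.255
set policy id 92 from "Trust" to "Untrust"  "MAIL2" "Any" "SMTP" permit log
set policy id 92
set src-address "SMTP1"
set src-address "SQL1"
exit
set policy id 94 name "block all other smtp" from "Trust" to "Untrust"  "Any" "Any" "SMTP" deny log
set policy id 94
exit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" nat src permit log count traffic
set policy id 1
exit
"""

# Constructed sample: the decisive lines of the debug trace posted in this thread.
SAMPLE_TRACE = """
  bgroup0:1.1.1.1/36551->5.5.5.5/25,6<Root>
  Permitted by policy 92
  No src xlate   choose interface ethernet0/0 as outgoing phy if
  post addr xlation: 1.1.1.1->5.5.5.5.
"""

POLICY_RE = re.compile(
    r'^set policy id (\d+)(?: name "[^"]*")? from "([^"]+)" to "([^"]+)"\s+'
    r'"([^"]+)" "([^"]+)" "([^"]+)" (.*)$')
POLICY_EDIT_RE = re.compile(r'^set policy id (\d+)$')
SRC_ADDR_RE = re.compile(r'^set src-address "([^"]+)"$')
ADDRESS_RE = re.compile(r'^set address "[^"]+" "([^"]+)" (\S+) \S+$')
MIP_RE = re.compile(r'^set interface "[^"]+" mip \S+ host (\S+) ')


def parse_config(text):
    """Return (policies by id, address name -> IP, set of hosts that have a MIP)."""
    policies, addresses, mip_hosts = {}, {}, set()
    editing = None  # policy id while inside a 'set policy id N' ... 'exit' block
    for raw in text.splitlines():
        line = raw.strip()
        if (m := POLICY_RE.match(line)):
            opts = m.group(7).split()  # e.g. ['nat', 'src', 'permit', 'log']
            policies[int(m.group(1))] = {
                "from": m.group(2), "to": m.group(3), "src": [m.group(4)],
                "dst": m.group(5), "service": m.group(6),
                "action": "permit" if "permit" in opts else "deny",
                "nat_src": "nat" in opts and "src" in opts}
        elif (m := POLICY_EDIT_RE.match(line)):
            editing = int(m.group(1))
        elif line == "exit":
            editing = None
        elif (m := SRC_ADDR_RE.match(line)) and editing in policies:
            policies[editing]["src"].append(m.group(1))  # extra source objects
        elif (m := ADDRESS_RE.match(line)):
            addresses[m.group(1)] = m.group(2)
        elif (m := MIP_RE.match(line)):
            mip_hosts.add(m.group(1))
    return policies, addresses, mip_hosts


def unnatted_sources(policies, addresses, mip_hosts, from_zone="Trust", to_zone="Untrust"):
    """(policy id, address name, ip) for every permitted private source that
    would reach the untrusted zone untranslated: no 'nat src' and no MIP."""
    findings = []
    for pid, pol in sorted(policies.items()):
        if (pol["from"], pol["to"], pol["action"]) != (from_zone, to_zone, "permit"):
            continue
        if pol["nat_src"]:
            continue  # policy-level source NAT covers every source object
        for name in pol["src"]:
            ip = addresses.get(name)
            if ip is None or ip in mip_hosts:
                continue  # "Any" (no single IP) or host already mapped by a MIP
            if ipaddress.ip_address(ip).is_private:
                findings.append((pid, name, ip))
    return findings


def analyze_flow_trace(trace):
    """Extract the matched policy and compare the source address before and
    after translation; equal addresses mean no source NAT took place."""
    result = {"policy": None, "src_before": None, "src_after": None, "src_translated": None}
    for line in trace.splitlines():
        line = line.strip()
        if (m := re.match(r'^\S+:([\d.]+)/\d+->', line)):       # ifp:src/port->dst/port
            result["src_before"] = m.group(1)
        elif (m := re.match(r'^Permitted by policy (\d+)$', line)):
            result["policy"] = int(m.group(1))
        elif (m := re.match(r'^post addr xlation: ([\d.]+)->', line)):
            result["src_after"] = m.group(1)
    if result["src_before"] and result["src_after"]:
        result["src_translated"] = result["src_before"] != result["src_after"]
    return result


if __name__ == "__main__":
    for pid, name, ip in unnatted_sources(*parse_config(SAMPLE_CONFIG)):
        print(f"policy {pid}: source {name} ({ip}) leaves untranslated; enable nat src or add a MIP")
    print(analyze_flow_trace(SAMPLE_TRACE))
```

Run against the sample, the config check flags MAIL2 and SQL1 under policy 92 and leaves SMTP1 alone because its host has a MIP, which matches the poster's observation that only SMTP1 could send; the trace check reports policy 92 with src_translated False, the same fact the "No src xlate" line states. Policy 1 is skipped because "nat src" is present and policy 94 because it is a deny.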



  • 10.  RE: Restricting outbound smtp traffic on SSG5

    Posted 07-10-2009 07:25

    OK, recreated the policy, the source translation box is checked, and it is working. Thanks for your help.

    Ray.