vSRX

Help with Firewall and Nat Rules

07-31-2019 03:23 PM

Sorry, I'm having a harder time than I should with rules. I have too many types of firewalls I use, and for some reason I'm having a hard time getting these to work.

Wan IP 62.210.7.160

Lan : 10.0.8.0/24

fxp0.0 : 10.0.9.1 

Address object in firewall 

Starblue_Edge 10.0.8.9

Unifi 10.0.8.9 

Applications 

SMTP ( 25 ) 

Custom Unifi ( 8443 ) 

I've been trying rules a couple of different ways without much luck. Here is my current config:

## Last changed: 2019-07-30 22:04:11 UTC
version 20190606.224121_builder.r1033375;
system {
    host-name SiptologyFrance;
    root-authentication {
        encrypted-password "Wouldnt you like to know";
    }
    services {
        ssh;
        web-management {
            http {
                interface [ fxp0.0 ge-0/0/0.0  ];
            }
            https {
                port 1030;
                system-generated-certificate;
                interface [ ge-0/0/0.0 ge-0/0/1.0 ];
            }
        }
    }
    time-zone UTC;
    name-server {
        1.1.1.1;
        9.9.9.9;
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
security {
    log {
        utc-timestamp;
        mode stream;
        format syslog;
        report;
    }
    ike {
        proposal RobPolicy {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 28800;
        }
        policy ike_pol_Siptology {
            mode main;
            proposals RobPolicy;
            pre-shared-key ascii-text "SuperSecretPasswordPhrase totally not password";
        }
        gateway gw_Siptology {
            ike-policy ike_pol_Siptology;
            address 174.58.110.192;
            dead-peer-detection;
            external-interface ge-0/0/1.0;
        }
    }
    ipsec {
        proposal robpolicyphase2 {
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 28800;
        }
        policy ipsec_pol_Siptology {
            proposals robpolicyphase2;
        }
        vpn Siptology {
            bind-interface st0.0;
            vpn-monitor;
            ike {
                gateway gw_Siptology;
                ipsec-policy ipsec_pol_Siptology;
            }
            establish-tunnels immediately;
        }
    }
    address-book {
        global {
            address addr_10_0_8_0_24 10.0.8.0/24;
            address addr_10_3_1_0_24 10.3.1.0/24;
            address Unifi 10.0.8.11/32;
            address StarBlue_Edge 10.0.8.9/32;
            address WAN 62.210.7.160/32;
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    queue-size 2000;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set DefaultOut {
                from zone trust;
                to zone untrust;
                rule DefaultOut {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool Unifi_8443_nat {
                routing-instance {
                    default;
                }
                address 10.0.8.11/32 port 8443;
            }
            pool SMTP {
                address 10.0.8.9/32 port 25;
            }
            rule-set Unifi_8443_nat {
                from zone untrust;
                rule Unifi_8443_nat {
                    match {
                        source-address-name WAN;
                        destination-address-name Unifi;
                        destination-port {
                            8443;
                        }
                        protocol [ tcp udp ];
                    }
                    then {
                        destination-nat {
                            off;
                        }
                    }
                }
            }
            rule-set SMTP {
                from interface ge-0/0/1.0;
                rule SMTP {
                    match {
                        source-address-name WAN;
                        destination-address-name StarBlue_Edge;
                        destination-port {
                            25;
                        }
                        protocol [ tcp udp ];
                    }
                    then {
                        destination-nat {
                            pool {
                                SMTP;
                            }
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy policy_out_Siptology {
                match {
                    source-address addr_10_0_8_0_24;
                    destination-address addr_10_3_1_0_24;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy policy_in_Siptology {
                match {
                    source-address addr_10_3_1_0_24;
                    destination-address addr_10_0_8_0_24;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy 8443_Inbound {
                description "Allow 8443 Inbound for Unifi";
                match {
                    source-address any;
                    destination-address any;
                    application Unifi_8443;
                    dynamic-application any;
                }
                then {
                    permit;
                    count;
                }
            }
        }
        from-zone untrust to-zone untrust {
            policy StarBlueSMTP {
                match {
                    source-address any-ipv4;
                    destination-address WAN;
                    application [ junos-smtp junos-smtps ];
                    dynamic-application any;
                }
                then {
                    permit;
                    count;
                }
            }
        }
    }
    zones {
        security-zone trust {
            tcp-rst;
            host-inbound-traffic {
                system-services {
                    all;
                    ike;
                }
            }
            interfaces {
                ge-0/0/0.0;
                st0.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.0.8.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 62.210.7.160/16;
            }
        }
    }
    fxp0 {
        unit 0 {
            family inet {
                address 10.0.9.1/24;
            }
        }
    }
    st0 {
        unit 0 {
            family inet;
        }
    }
}
access {
    address-assignment {
        pool Production {
            family inet {
                network 10.0.8.0/24;
                range Default {
                    low 10.0.8.100;
                    high 10.0.8.254;
                }
                dhcp-attributes {
                    name-server {
                        1.1.1.1;
                    }
                    propagate-settings ge-0/0/0.0;
                }
            }
        }
    }
}
applications {
    application Unifi_8443 {
        description "Unifi Portal access";
        protocol tcp;
        destination-port 8443;
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 62.210.0.1;
        route 10.3.1.0/24 next-hop st0.0;
    }
}

Any guidance is appreciated! 


Re: Help with Firewall and Nat Rules

07-31-2019 07:14 PM

Please let us know what you want to achieve and what is not working. A couple of suggestions based on your current config are given below:

1. Remove "dynamic-application any" from the untrust to trust security policies

2. Use the original LAN IP as the destination in the untrust to trust security policies.

3. The source address of the traffic and the untrust interface IP are the same. I think they should be different.

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
Re: Help with Firewall and Nat Rules

08-01-2019 02:53 AM

Sorry I forgot to state my intentions. 

I need to figure out what I am doing wrong. The end goal is the following:

Create a firewall rule to allow 8443/TCP open on the address object named WAN (62.210.7.160).

Create the correct destination NAT policy to redirect requests from 62.210.7.160:8443 to (Unifi address object) 10.0.8.11:8443.

The other rule / NAT policy I was attempting and failing at:

Create a firewall rule to allow SMTP 25/TCP open on WAN.

Destination NAT redirect to the address object named Starblue-Edge 10.0.8.9:25.

Thank you for your help.

Re: Help with Firewall and Nat Rules

08-01-2019 03:26 AM

I cleaned up my config to hopefully make it make more sense.

## Last changed: 2019-08-01 06:19:42 UTC
version 20190606.224121_builder.r1033375;
system {
    host-name SiptologyFrance;
    root-authentication {
        encrypted-password "So totally admin123";
    }
    login {
        user rob {
            full-name rob;
            uid 316;
            class super-user;
            authentication {
                encrypted-password "clearly just password";
            }
        }
    }
    services {
        ssh;
        web-management {
            http {
                interface [ fxp0.0 ge-0/0/0.0 ];
            }
            https {
                port 1030;
                system-generated-certificate;
                interface [ ge-0/0/0.0 ge-0/0/1.0 ];
            }
        }
    }
    time-zone UTC;
    authentication-order password;
    name-server {
        1.1.1.1;
        9.9.9.9;
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
security {
    log {
        utc-timestamp;
        mode stream;
        format syslog;
        report;
    }
    ike {
        proposal RobPolicy {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 28800;
        }
        policy ike_pol_Siptology {
            mode main;
            proposals RobPolicy;
            pre-shared-key ascii-text "MerakiMerakiMeraki";
        }
        gateway gw_Siptology {
            ike-policy ike_pol_Siptology;
            address 174.58.110.192;
            dead-peer-detection;
            external-interface ge-0/0/1.0;
        }
    }
    ipsec {
        proposal robpolicyphase2 {
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 28800;
        }
        policy ipsec_pol_Siptology {
            proposals robpolicyphase2;
        }
        vpn Siptology {
            bind-interface st0.0;
            vpn-monitor;
            ike {
                gateway gw_Siptology;
                ipsec-policy ipsec_pol_Siptology;
            }
            establish-tunnels immediately;
        }
    }
    address-book {
        global {
            address addr_10_0_8_0_24 10.0.8.0/24;
            address addr_10_3_1_0_24 10.3.1.0/24;
            address Unifi 10.0.8.11/32;
            address StarBlue_Edge 10.0.8.9/32;
            address WAN 62.210.7.160/32;
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    queue-size 2000;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set DefaultOut {
                from zone trust;
                to zone untrust;
                rule DefaultOut {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool SMTP {
                address 10.0.8.9/32 port 25;
            }
            pool Unifi_8443 {
                routing-instance {
                    default;
                }
                address 10.0.8.11/32 port 8443;
            }
            rule-set Wan2Lan {
                description Wan_to_LAN;
                from zone untrust;
                rule SMTP {
                    description "SMTP to Starblue_Edge";
                    match {
                        source-address-name WAN;
                        destination-address-name StarBlue_Edge;
                        destination-port {
                            25;
                        }
                        protocol tcp;
                    }
                    then {
                        destination-nat {
                            pool {
                                SMTP;
                            }
                        }
                    }
                }
                rule Unifi_8443 {
                    description "Unifi Portal ";
                    match {
                        source-address-name WAN;
                        destination-address-name Unifi;
                        destination-port {
                            8443;
                        }
                        protocol tcp;
                    }
                    then {
                        destination-nat {
                            pool {
                                Unifi_8443;
                            }
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy policy_out_Siptology {
                match {
                    source-address addr_10_0_8_0_24;
                    destination-address addr_10_3_1_0_24;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy policy_in_Siptology {
                match {
                    source-address addr_10_3_1_0_24;
                    destination-address addr_10_0_8_0_24;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy UnifiPortal {
                description "Inbound access to Unifi Portal";
                match {
                    source-address any;
                    destination-address Unifi;
                    application Unifi_8443;
                    source-identity any;
                    dynamic-application any;
                }
                then {
                    permit;
                    count;
                }
            }
            policy StarblueTestRule {
                description "Allow SMTP in to Edge server";
                match {
                    source-address any;
                    destination-address StarBlue_Edge;
                    application junos-smtp;
                    dynamic-application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            tcp-rst;
            host-inbound-traffic {
                system-services {
                    all;
                    ike;
                }
            }
            interfaces {
                ge-0/0/0.0;
                st0.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.0.8.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 62.210.7.160/16;
            }
        }
    }
    fxp0 {
        unit 0 {
            family inet {
                address 10.0.9.1/24;
            }
        }
    }
    st0 {
        unit 0 {
            family inet;
        }
    }
}
access {
    address-assignment {
        pool Production {
            family inet {
                network 10.0.8.0/24;
                range Default {
                    low 10.0.8.100;
                    high 10.0.8.254;
                }
                dhcp-attributes {
                    name-server {
                        1.1.1.1;
                    }
                    propagate-settings ge-0/0/0.0;
                }
            }
        }
    }
}
applications {
    application Unifi_8443 {
        description "Unifi Portal access";
        protocol tcp;
        destination-port 8443;
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 62.210.0.1;
        route 10.3.1.0/24 next-hop st0.0;
    }
}
Solution
Accepted by topic author rsnyder
08-01-2019 06:37 AM

Re: Help with Firewall and Nat Rules

08-01-2019 04:20 AM

Please try this config and update the status:

delete security nat destination rule-set Wan2Lan rule SMTP match source-address-name WAN
delete security nat destination rule-set Wan2Lan rule SMTP match destination-address-name StarBlue_Edge
delete security nat destination rule-set Wan2Lan rule Unifi_8443 match source-address-name WAN
delete security nat destination rule-set Wan2Lan rule Unifi_8443 match destination-address-name Unifi
delete security policies from-zone untrust to-zone trust policy UnifiPortal match dynamic-application any
delete security policies from-zone untrust to-zone trust policy StarblueTestRule match dynamic-application any

set security nat destination rule-set Wan2Lan rule SMTP match source-address 0.0.0.0/0
set security nat destination rule-set Wan2Lan rule SMTP match destination-address 62.210.7.160/32
set security nat destination rule-set Wan2Lan rule Unifi_8443 match source-address 0.0.0.0/0
set security nat destination rule-set Wan2Lan rule Unifi_8443 match destination-address 62.210.7.160/32

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
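Added illustration, not part of the thread or any Juniper code: a small Python model of the SRX first-packet path (destination NAT is applied before the security policy lookup, so the untrust-to-trust policy is matched against the translated LAN address). It walks a constructed Internet client packet through the original rule (source = WAN, destination = LAN host) and through the corrected rule from the accepted answer, showing why only the second one ever translates and permits. The client IP 198.51.100.7 and the rule/policy objects are constructed from the addresses posted in the thread.

```python
"""Model of destination NAT followed by policy lookup, as on an SRX."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class DnatRule:
    name: str
    src_net: str      # match source-address (pre-NAT, as seen on the wire)
    dst_net: str      # match destination-address (pre-NAT, i.e. the public IP)
    dport: int
    proto: str
    pool_addr: str    # destination pool address (the LAN host)
    pool_port: int


@dataclass(frozen=True)
class Policy:
    name: str
    dst_net: str      # destination-address is matched AFTER destination NAT
    dport: int


def apply_dnat(pkt, rules):
    """First matching destination-NAT rule wins; otherwise packet is unchanged."""
    for r in rules:
        if (ip_address(pkt.src) in ip_network(r.src_net)
                and ip_address(pkt.dst) in ip_network(r.dst_net)
                and pkt.dport == r.dport and pkt.proto == r.proto):
            return Packet(pkt.src, r.pool_addr, r.pool_port, pkt.proto), r.name
    return pkt, None


def policy_lookup(pkt, policies):
    """untrust -> trust has an implicit deny, so no match means the packet is dropped."""
    for p in policies:
        if ip_address(pkt.dst) in ip_network(p.dst_net) and pkt.dport == p.dport:
            return p.name
    return None


def evaluate(pkt, rules, policies):
    """Returns (matched NAT rule, matched policy, destination after NAT)."""
    nat_pkt, rule = apply_dnat(pkt, rules)
    return rule, policy_lookup(nat_pkt, policies), nat_pkt.dst


# Constructed sample client on the Internet hitting the WAN address.
CLIENT_8443 = Packet("198.51.100.7", "62.210.7.160", 8443)
CLIENT_25 = Packet("198.51.100.7", "62.210.7.160", 25)
CLIENT_22 = Packet("198.51.100.7", "62.210.7.160", 22)

# Original match from the thread: source WAN, destination the LAN host itself.
ORIGINAL = [DnatRule("Unifi_8443", "62.210.7.160/32", "10.0.8.11/32", 8443, "tcp", "10.0.8.11", 8443)]
# Corrected per the accepted answer: any source, destination the public WAN IP.
CORRECTED = [
    DnatRule("SMTP", "0.0.0.0/0", "62.210.7.160/32", 25, "tcp", "10.0.8.9", 25),
    DnatRule("Unifi_8443", "0.0.0.0/0", "62.210.7.160/32", 8443, "tcp", "10.0.8.11", 8443),
]
# Policies use the original (post-NAT) LAN addresses, as suggestion 2 says.
POLICIES = [Policy("UnifiPortal", "10.0.8.11/32", 8443),
            Policy("StarblueTestRule", "10.0.8.9/32", 25)]

if __name__ == "__main__":
    print(evaluate(CLIENT_8443, ORIGINAL, POLICIES))   # no NAT, no policy: dropped
    print(evaluate(CLIENT_8443, CORRECTED, POLICIES))  # translated to 10.0.8.11, permitted
    print(evaluate(CLIENT_22, CORRECTED, POLICIES))    # port 22 still dropped
```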
Re: Help with Firewall and Nat Rules

08-01-2019 06:40 AM

Thank you for your assistance.

I think the problem I was having was that I am trying to use the GUI, as the helpdesk staff who would ultimately be using it would most likely not feel comfortable around the command line. So a lot of the mistakes were me having made rules via the J-Web wizards.

Now that I saw how the CLI made the rules, it made a lot more sense when looking back at the J-Web GUI.

Thank you again.