[AusNOG] security policies on a juniper srx110

Brian O'Kelly brianokelly at gmail.com
Tue Oct 16 13:33:05 EST 2012


What version of Junos? If it's version 9.2 or later, it performs NATing
before checking policy. See diagram attached.

Do you have a route to the NATed destination address? Do you have an ALG
enabled?

On Tue, Oct 16, 2012 at 1:26 PM, Luca Salvatore <Luca at ninefold.com> wrote:

> Have you set up some traceoptions?  They will show you what's going on.
>  Something like:
>
> set security flow traceoptions file flow-trace
> set security flow traceoptions flag basic-datapath
> set security flow traceoptions packet-filter 1 source-prefix x.x.x.x
> set security flow traceoptions packet-filter 1 destination-prefix y.y.y.y
>
> Make sure the address in the security policy matches the NATed address
> also....
>
>
> Luca
>
>
> -----Original Message-----
> From: ausnog-bounces at lists.ausnog.net [mailto:
> ausnog-bounces at lists.ausnog.net] On Behalf Of Peter Brown
> Sent: Tuesday, 16 October 2012 1:14 PM
> To: ausnog at lists.ausnog.net
> Subject: [AusNOG] security policies on a juniper srx110
>
> Hi everyone,
>
> I am still having trouble getting destination nat and security policies
> working on my srx110.
> I am reasonably sure the nat is working because I am seeing translation
> hits in the monitoring section of the web interface.
> I am not seeing anything in the security policies however.
> From all the documentation I have read I have the nat and policies setup
> correctly but I am obviously missing something.
>
> Is there something else that sits between destination nat and policies
> that would stop the traffic from even hitting the security policies?
>
> Thanks in advance.
>
> Pete.
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screen Shot 2012-10-16 at 1.31.13 PM.png
Type: image/png
Size: 41435 bytes
Desc: not available
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20121016/e124c4bf/attachment.png>
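The point made twice in the thread (destination NAT runs before policy lookup, so the policy must match the post-NAT address and there must be a route to it) is easiest to see as a complete set-style configuration. The following is an added example, not configuration posted by anyone in the thread: it assumes a public address 203.0.113.10 on the untrust zone, an internal web server at 192.168.1.10 on the trust zone, zone names "trust" and "untrust", and pool/rule/policy names chosen here for illustration. The commented-out policy shows the mistake the thread is circling around, the line after it the form that actually matches.

```junos
## Added example, not from the AusNOG thread. Assumed addresses and names:
##   public  203.0.113.10  (untrust)   ->   server 192.168.1.10 (trust)

## Destination NAT: rewrite untrust traffic for 203.0.113.10:443 to 192.168.1.10:443
set security nat destination pool web-server address 192.168.1.10/32
set security nat destination pool web-server address port 443
set security nat destination rule-set from-untrust from zone untrust
set security nat destination rule-set from-untrust rule web match destination-address 203.0.113.10/32
set security nat destination rule-set from-untrust rule web match destination-port 443
set security nat destination rule-set from-untrust rule web then destination-nat pool web-server

## Address-book entries; the policy below must reference the INTERNAL one.
## The destination address must live in the to-zone (trust) address book.
set security zones security-zone untrust address-book address web-server-public 203.0.113.10/32
set security zones security-zone trust address-book address web-server-internal 192.168.1.10/32

## WRONG (never matches on Junos 9.2+): by the time the policy lookup runs,
## destination NAT has already rewritten the packet to 192.168.1.10, and the
## to-zone is chosen by a route lookup on that NATed address, not the public one.
#set security policies from-zone untrust to-zone trust policy allow-web match destination-address web-server-public

## CORRECT: match the post-NAT (internal) address
set security policies from-zone untrust to-zone trust policy allow-web match source-address any
set security policies from-zone untrust to-zone trust policy allow-web match destination-address web-server-internal
set security policies from-zone untrust to-zone trust policy allow-web match application junos-https
set security policies from-zone untrust to-zone trust policy allow-web then permit
set security policies from-zone untrust to-zone trust policy allow-web then log session-init

## Flow trace restricted to the flows of interest (filter name is arbitrary)
set security flow traceoptions file flow-trace
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter dnat-debug destination-prefix 203.0.113.10/32
set security flow traceoptions packet-filter dnat-debug protocol tcp
```

To check the result after commit: `show security nat destination summary` confirms the pool and rule are in place, `show security flow session destination-prefix 192.168.1.10` shows sessions only if both NAT and policy matched, and `show log flow-trace` prints the per-packet decisions (including the route lookup on the NATed address that determines the to-zone; if there is no route to 192.168.1.10 the packet is dropped before any policy is consulted). Remove the traceoptions once finished, since basic-datapath tracing on an SRX110 is expensive under real load.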
