[AusNOG] security policies on a juniper srx110

Peter Brown rendhalver at gmail.com
Tue Oct 16 13:43:35 EST 2012


Yeah sorry forgot to mention the version, it's 11.2R3.3.

On 16 October 2012 12:33, Brian O'Kelly <brianokelly at gmail.com> wrote:
> What version of Junos? If it's version 9.2 or later, it performs NATing
> before checking policy. See diagram attached.
>
> Do you have a route to the NATed destination address? Do you have an ALG
> enabled?

Ah. I was wondering if it was routing.
There appears to be a route for the range my servers are on pointing
to the default vlan I am using.
I am pretty new to routing so I may be completely mistaken.

192.168.178.0/24 (1 entry, 1 announced)
        *Direct Preference: 0
                Next hop type: Interface
                Address: 0x156c438
                Next-hop reference count: 2
                Next hop: via vlan.0, selected
                State: <Active Int>
                Age: 2w6d 5:11:37
                Task: IF
                Announcement bits (1): 2-Resolve tree 1
                AS path: I


No ALG setup.

>
>
> On Tue, Oct 16, 2012 at 1:26 PM, Luca Salvatore <Luca at ninefold.com> wrote:
>>
>> Have you set up some traceoptions?  They will show you what's going on.
>> Something like:
>>
>> set security flow traceoptions file flow-trace
>> set security flow traceoptions flag basic-datapath
>> set security flow traceoptions packet-filter 1 source-prefix x.x.x.x
>> set security flow traceoptions packet-filter 1 destination-prefix y.y.y.y
>>
>> Make sure the address in the security policy matches the NATed address
>> also....
>>
>>
>> Luca
>>
>>
>> -----Original Message-----
>> From: ausnog-bounces at lists.ausnog.net
>> [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Peter Brown
>> Sent: Tuesday, 16 October 2012 1:14 PM
>> To: ausnog at lists.ausnog.net
>> Subject: [AusNOG] security policies on a juniper srx110
>>
>> Hi everyone,
>>
>> I am still having trouble getting destination nat and security policies
>> working on my srx110.
>> I am reasonably sure the NAT is working because I am seeing translation
>> hits in the monitoring section of the web interface.
>> I am not seeing anything in the security policies however.
>> From all the documentation I have read I have the NAT and policies set up
>> correctly but I am obviously missing something.
>>
>> Is there something else that sits between destination NAT and policies
>> that would stop the traffic from even hitting the security policies?
>>
>> Thanks in advance.
>>
>> Pete.
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at lists.ausnog.net
>> http://lists.ausnog.net/mailman/listinfo/ausnog
>
>

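The point made in the thread (the SRX translates the destination before the policy lookup, so the policy has to match the post-NAT address) is easiest to see in a complete set-format configuration. This is an added example, not configuration from anyone in the thread; the public address x.x.x.x, the internal server 192.168.178.10, the zone names untrust/trust and the object names (web-pool, dnat-untrust, web-server, allow-web) are all placeholders chosen for the example. The `#` lines are explanatory and should be dropped before pasting into `load set terminal`.

```junos
# Destination NAT: inbound x.x.x.x:80 from the untrust zone -> 192.168.178.10:80
set security nat destination pool web-pool address 192.168.178.10/32 port 80
set security nat destination rule-set dnat-untrust from zone untrust
set security nat destination rule-set dnat-untrust rule web match destination-address x.x.x.x/32
set security nat destination rule-set dnat-untrust rule web match destination-port 80
set security nat destination rule-set dnat-untrust rule web then destination-nat pool web-pool

# Address-book entry for the POST-NAT address. The policy lookup runs after
# destination NAT, so a policy written against x.x.x.x never matches and
# the policy hit counters stay at zero even though NAT shows translation hits.
set security zones security-zone trust address-book address web-server 192.168.178.10/32

# Policy from the ingress zone to the zone that holds the translated address.
# Keep it narrow: one destination, one application, logging on session close.
set security policies from-zone untrust to-zone trust policy allow-web match source-address any
set security policies from-zone untrust to-zone trust policy allow-web match destination-address web-server
set security policies from-zone untrust to-zone trust policy allow-web match application junos-http
set security policies from-zone untrust to-zone trust policy allow-web then permit
set security policies from-zone untrust to-zone trust policy allow-web then log session-close

# Flow trace as suggested in the thread, filtered to the traffic of interest
# (a.a.a.a is a placeholder for the test client's source address)
set security flow traceoptions file flow-trace
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter 1 source-prefix a.a.a.a/32
set security flow traceoptions packet-filter 1 destination-prefix x.x.x.x/32
```

After `commit`, `show security flow session destination-prefix 192.168.178.10` lists sessions the policy actually created, and `show log flow-trace` shows, per packet, the NAT translation followed by the policy search; if the trace shows the translation but then a deny or "policy not found", the policy destination still refers to the pre-NAT address. The flow trace is expensive on an SRX110, so deactivate the traceoptions once the problem is understood.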

