[AusNOG] security policies on a juniper srx110

Martyn Lomax me at martynlomax.com
Tue Oct 16 19:10:52 EST 2012


Peter,

I think the direction on your NAT policy is wrong. Currently you're checking for a destination of 150.101.179.5 "from" the trust zone, however that address would be inbound on the untrust zone (on at-1/0/0).

You do have the correct security policy in place to match the translated destination IP.

You can use the "show security flow session" command to help you find out what is happening with sessions being created, including more clues about the effects of NAT on them. E.g. "show security flow session destination-port 443" or "show security flow session destination-prefix 192.168.178.11"

Cheers, Martyn


On 16/10/2012, at 1:57 PM, Peter Brown <rendhalver at gmail.com> wrote:

> On 16 October 2012 12:40, Dale Shaw <dale.shaw+ausnog at gmail.com> wrote:
>> G'day Peter,
>> 
>> On Tue, Oct 16, 2012 at 1:13 PM, Peter Brown <rendhalver at gmail.com> wrote:
>>> 
>>> I am still having trouble getting destination nat and security
>>> policies working on my srx110.
>> 
>> I've seen your posts on this topic both here on AusNOG and on the SAGE-AU lists.
> 
> I did notice some of you lads are in SAGE-AU as well. :)
> 
>> It's time to post your full configuration. Sanitise it if you need to,
>> but this dribs-and-drabs approach clearly isn't getting you the result
>> you're looking for.
> 
> I guess I was worried about spamming the list too much and sending attachments.
> I have attached my current config.
> Please forgive me if that's not cool.
> 
>> 
>> cheers,
>> Dale
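
As an added example (not part of Martyn's or Peter's messages, and not Peter's attached config), here is what the corrected pieces look like in Junos set syntax on an SRX. The pool, rule-set, policy and address-book names, the port (443, taken from the diagnostic hint above), and the zone names trust/untrust are assumptions; the public and private addresses are the ones quoted in the thread.

```junos
## Destination NAT: the rule-set must be evaluated on the zone the packet
## ARRIVES on. The public address 150.101.179.5 is reached via at-1/0/0,
## which sits in the untrust zone, so "from zone trust" never matches.

## wrong (what the thread describes):
# set security nat destination rule-set dnat-web from zone trust

## corrected:
set security nat destination pool web-dnat-pool address 192.168.178.11/32 port 443
set security nat destination rule-set dnat-web from zone untrust
set security nat destination rule-set dnat-web rule web-443 match destination-address 150.101.179.5/32
set security nat destination rule-set dnat-web rule web-443 match destination-port 443
set security nat destination rule-set dnat-web rule web-443 then destination-nat pool web-dnat-pool

## Security policy: destination NAT is applied before policy lookup, so the
## policy matches the TRANSLATED (inside) address, not the public one.
## The address-book entry name "web-server" is an assumption.
set security zones security-zone trust address-book address web-server 192.168.178.11/32
set security policies from-zone untrust to-zone trust policy allow-web-dnat match source-address any
set security policies from-zone untrust to-zone trust policy allow-web-dnat match destination-address web-server
set security policies from-zone untrust to-zone trust policy allow-web-dnat match application junos-https
set security policies from-zone untrust to-zone trust policy allow-web-dnat then permit

## Verification (operational mode), after commit:
## - rule hit counters confirm the NAT rule is actually being selected
## - the flow session should show the untrust ingress wing with the public
##   address and the trust egress wing with the translated 192.168.178.11
# show security nat destination rule all
# show security flow session destination-port 443
# show security flow session destination-prefix 192.168.178.11
```

If the rule hit counter stays at zero while a session with destination 150.101.179.5 still appears (or no session appears at all), the packet is not entering the rule-set's zone, which is the symptom of the "from zone" mistake above; if the rule is hit but the session is dropped, look at the policy match against the translated address.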


