  1. Currently, our client has a Juniper SRX firewall that is replacing a Cisco unit. The Cisco is just a small single-NAT-IP firewall device that works well, but they need to publish their mail server and related hosts on separate addresses within their public static range. The Cisco unit was actually brought in to replace a faulty SonicWall that had no issues performing the required translations. The goal is to restore that previous NAT configuration as follows:
  2.  
  3. - 205.127.45.68 – NAT’ed to inside IP 192.168.0.10 (groupwise-mail)
  4. o policy restriction to allow only SMTP, POP3, and GWAVA Digest (49285)
  5. - 205.127.45.69 – outside IP of the firewall
  6. - 205.127.45.70 – NAT’ed to inside IP 192.168.0.15 (groupwise-web)
  7. o Policy restriction to allow only HTTP/HTTPS
  8. - 205.127.45.72 – NAT’ed to inside IP 192.168.0.250
  9.  
  10. Currently I have configured static NAT for each of the IP addresses listed above. I also created a policy to allow connections using HTTP/HTTPS/SMTP/POP3 and GWAVA from the zone ‘untrust’ to the zone ‘trust’ when the destination is either of the above servers. With this configuration, none of the above services or IPs can be reached from anywhere inside their network. Also, because of the way the GWAVA digest releases their spam mail, it connects to itself via this external IP, which therefore prevents the release of the digest both internally and externally. I’ve tried source/destination NAT for the individual ports on the IPs listed above, which doesn’t work; I also tried setting the static NAT as indicated above and still no go. Even following the Juniper SRX NAT guides online, I have everything set as indicated in their guides, but it refuses to work.
  11.  
  12. Currently the customer has the firewall connected and manageable from the .69 address above, but the internal side is not connected. They are operating using the Cisco small-business router with port translation on the 205.127.45.68 address listed above, and everything works perfectly. Once the Juniper is swapped into production, however, the NAT for these servers stops working and only general internet traffic is reachable.
  13.  
  14.  
  15. ## Last changed: 2011-10-28 13:08:32 PDT
  16. version 10.3R1.9;
  17. system {
  18. host-name srx220;
  19. time-zone America/Los_Angeles;
  20. root-authentication {
  21. encrypted-password "$1$6dUl5GiR$.vJkqFwJ21";
  22. }
  23. name-server {
  24. 205.127.0.50;
  25. 152.78.182.30;
  26. }
  27. login {
  28. user atglogin {
  29. uid 2005;
  30. class super-user;
  31. authentication {
  32. encrypted-password "$1$q0etf4YS$H/ /";
  33. }
  34. }
  35. user lgadmin {
  36. uid 2015;
  37. class super-user;
  38. authentication {
  39. encrypted-password "$1$mqzr/z1i$ / /yn1oIEsdO.";
  40. }
  41. }
  42. user michael {
  43. uid 2010;
  44. class super-user;
  45. authentication {
  46. encrypted-password "$1$ $qkgB8a7eJfBmRN/PxjyM40";
  47. }
  48. }
  49. }
  50. services {
  51. ssh;
  52. web-management {
  53. https {
  54. system-generated-certificate;
  55. }
  56. }
  57. }
  58. syslog {
  59. file messages {
  60. any any;
  61. authorization info;
  62. }
  63. file inactive-commands {
  64. interactive-commands any;
  65. }
  66. }
  67. }
  68. interfaces {
  69. ge-0/0/0 {
  70. unit 0 {
  71. family inet {
  72. address 192.168.0.11/24;
  73. }
  74. }
  75. }
  76. ge-0/0/1 {
  77. unit 0 {
  78. family inet {
  79. address 205.127.45.69/28;
  80. }
  81. }
  82. }
  83. lo0 {
  84. unit 0 {
  85. family inet {
  86. address 192.168.1.1/32;
  87. }
  88. }
  89. }
  90. }
  91. routing-options {
  92. static {
  93. route 0.0.0.0/0 next-hop 205.127.45.65;
  94. }
  95. }
  96. security {
  97. nat {
  98. source {
  99. pool groupwise-public {
  100. address {
  101. 205.127.45.68/32 to 205.127.45.68/32;
  102. }
  103. }
  104. pool groupwise-web {
  105. address {
  106. 205.127.45.70/32 to 205.127.45.70/32;
  107. }
  108. }
  109. rule-set internet-bound {
  110. from zone trust;
  111. to zone untrust;
  112. rule 2 {
  113. match {
  114. destination-address 0.0.0.0/0;
  115. }
  116. then {
  117. source-nat {
  118. interface;
  119. }
  120. }
  121. }
  122. }
  123. }
  124. destination {
  125. pool groupwise-web {
  126. address 192.168.0.15/32;
  127. }
  128. pool groupwise-mail {
  129. address 192.168.0.10/32;
  130. }
  131. }
  132. static {
  133. rule-set 1 {
  134. from zone untrust;
  135. rule r1 {
  136. match {
  137. destination-address 201.127.45.72/32;
  138. }
  139. then {
  140. static-nat prefix 192.168.0.250/32;
  141. }
  142. }
  143. rule groupwise-mail {
  144. match {
  145. destination-address 205.127.45.68/32;
  146. }
  147. then {
  148. static-nat prefix 192.168.0.10/32;
  149. }
  150. }
  151. rule gorupwise-web {
  152. match {
  153. destination-address 205.127.45.70/32;
  154. }
  155. then {
  156. static-nat prefix 192.168.0.15/32;
  157. }
  158. }
  159. }
  160. }
  161. proxy-arp {
  162. interface ge-0/0/1.0 {
  163. address {
  164. 205.127.45.68/32;
  165. 205.127.45.70/32;
  166. 205.127.45.72/32;
  167. }
  168. }
  169. }
  170. }
  171. zones {
  172. security-zone untrust {
  173. host-inbound-traffic {
  174. system-services {
  175. ssh;
  176. https;
  177. }
  178. }
  179. interfaces {
  180. ge-0/0/1.0;
  181. }
  182. }
  183. security-zone trust {
  184. address-book {
  185. address groupwise-web 192.168.0.15/32;
  186. address groupwise-mail 192.168.0.10/32;
  187. address SA-700 192.168.0.250/32;
  188. address-set groupwise {
  189. address groupwise-web;
  190. address groupwise-mail;
  191. }
  192. }
  193. host-inbound-traffic {
  194. system-services {
  195. ssh;
  196. http;
  197. https;
  198. }
  199. }
  200. interfaces {
  201. ge-0/0/0.0;
  202. }
  203. }
  204. }
  205. policies {
  206. from-zone trust to-zone untrust {
  207. policy groupwise {
  208. match {
  209. source-address [ groupwise-web groupwise-mail ];
  210. destination-address any;
  211. application any;
  212. }
  213. then {
  214. permit;
  215. }
  216. }
  217. policy outbound-internet {
  218. match {
  219. source-address any;
  220. destination-address any;
  221. application any;
  222. }
  223. then {
  224. permit;
  225. }
  226. }
  227. }
  228. from-zone trust to-zone trust {
  229. policy intrazone-policy {
  230. match {
  231. source-address any;
  232. destination-address any;
  233. application any;
  234. }
  235. then {
  236. permit;
  237. }
  238. }
  239. }
  240. from-zone untrust to-zone trust {
  241. policy access-groupwise {
  242. match {
  243. source-address any;
  244. destination-address [ groupwise-mail groupwise-web ];
  245. application [ junos-http junos-https junos-mail junos-pop3 GWAVA_digest junos-smtp ];
  246. }
  247. then {
  248. permit;
  249. }
  250. }
  251. policy access_SA-700 {
  252. match {
  253. source-address any;
  254. destination-address SA-700;
  255. application junos-https;
  256. }
  257. then {
  258. permit;
  259. }
  260. }
  261. }
  262. }
  263. }
  264. applications {
  265. application GWAVA_digest {
  266. protocol tcp;
  267. destination-port 49285;
  268. }
  269. application SA-700_HTTPS {
  270. protocol tcp;
  271. destination-port 10443;
  272. }
  273. }