SRX for beginners #2
After my SRX for beginners post became the most popular article on this blog, I decided to improve it a bit, as it was missing some vital information. Without talking too much, let's summarize what we will do in this post:
- What is a flow session?
- How can we interpret a flow session entry?
- How can we open a standard port/application on SRX and do destination NAT?
- How can we open a non-standard port and do destination NAT?
- How can we do proxy-arp?
In this post we will use the same topology as in the previous post, but I have added three new devices to it so that I can show source/destination NAT and proxy ARP.
Let’s get started:
What is a flow session?
Juniper SRX is a stateful firewall, hence the box doesn't just forward an IP packet and forget about it. It has to remember which IP packets it has received and which packets it is expecting. It isn't exactly like this, but for the sake of simplicity let's assume so for now. So what does a session look like on an SRX firewall? To show this, from the PC1 device I telnet to TCP port 80 of the www.example.com host, which is outside my test network, and look at how the flow session appears on our SRX firewall.
A TCP connection to port 80 is established towards the host 93.184.216.34:
pc1>telnet www.example.com 80
Trying 93.184.216.34...
Connected to www.example.com.
Escape character is '^]'.
Now let's see how this session looks on our firewall:
root@srx220> show security flow session destination-port 80
Session ID: 109, Policy name: allow-internal-clients/4, Timeout: 294, Valid
  In: 192.168.239.3/47715 --> 93.184.216.34/80;tcp, If: ge-0/0/1.0, Pkts: 2, Bytes: 112
  Out: 93.184.216.34/80 --> 192.168.100.38/20201;tcp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
Total sessions: 1
As you can see, we can display sessions with the "show security flow session" command, and by giving more options, e.g. destination-port, you can filter the session table.
How can we interpret a flow session entry?
Now let's drill down into this single flow session entry line by line.
Line 1
- 109 : Each session is given a session identifier by the firewall, here 109
- allow-internal-clients/4 : The security policy that matches this specific traffic; the number 4 is the policy index
- 294 : When a session is created it starts with the default timeout and counts down to zero as long as no packet is seen. If it reaches 0, the session is removed
Line 2
- 192.168.239.3/47715 : Source IP address/port of the host which created the session
- 93.184.216.34/80;tcp : Destination IP address/port of the destination host and the transport layer protocol, which is TCP here
- ge-0/0/1.0 : The ingress interface of the packet
- Pkts: 2, Bytes: 112 : Number of packets and bytes received in this direction
Line 3
A flow session has two wings, and this one is the wing in the reverse direction.
- 93.184.216.34/80 : This is the same as our destination address
- 192.168.100.38/20201 : This is the address to which 93.184.216.34 replies, but it is different from our source IP address 192.168.239.3 because we are doing source NAT and port translation
- ge-0/0/0.0 : Ingress interface of the return packets
- Pkts: 1, Bytes: 60 : IP packets and bytes received from the destination
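To make the two-wing reading above concrete, here is an added example (not from the original post) that parses "show security flow session" output into Python objects and decides from the two wings whether source or destination NAT was applied: the Out wing's destination differing from the In wing's source means source NAT, the Out wing's source differing from the In wing's destination means destination NAT. The sample texts are the post's own session outputs, re-flowed onto the lines the SRX prints them on; the regular expressions are my own and assume this output layout.

```python
import re
from dataclasses import dataclass, field

# The post's source-NAT session (PC1 to www.example.com), as the SRX prints it.
SAMPLE_SOURCE_NAT = """\
Session ID: 109, Policy name: allow-internal-clients/4, Timeout: 294, Valid
  In: 192.168.239.3/47715 --> 93.184.216.34/80;tcp, If: ge-0/0/1.0, Pkts: 2, Bytes: 112
  Out: 93.184.216.34/80 --> 192.168.100.38/20201;tcp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
Total sessions: 1
"""

# The post's destination-NAT session (Internet host to the SMTP server on 2025).
SAMPLE_DEST_NAT = """\
Session ID: 151, Policy name: allow-smtp-service/6, Timeout: 1784, Valid
  In: 10.100.100.10/56967 --> 192.168.100.38/2025;tcp, If: ge-0/0/0.0, Pkts: 3, Bytes: 164
  Out: 192.168.239.11/25 --> 10.100.100.10/56967;tcp, If: ge-0/0/1.0, Pkts: 2, Bytes: 151
Total sessions: 1
"""

HEADER_RE = re.compile(
    r"Session ID:\s*(?P<sid>\d+),\s*Policy name:\s*(?P<policy>[^/,]+)/(?P<index>\d+),"
    r"\s*Timeout:\s*(?P<timeout>\d+)")
WING_RE = re.compile(
    r"\b(?P<dir>In|Out):\s*(?P<src>[\d.]+)/(?P<sport>\d+)\s*-->\s*"
    r"(?P<dst>[\d.]+)/(?P<dport>\d+);(?P<proto>\w+),\s*If:\s*(?P<ifname>[^,\s]+),"
    r"\s*Pkts:\s*(?P<pkts>\d+),\s*Bytes:\s*(?P<bytes>\d+)")


@dataclass
class Wing:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    ifname: str
    pkts: int
    bytes: int


@dataclass
class Session:
    sid: int
    policy: str
    index: int
    timeout: int
    wings: dict = field(default_factory=dict)  # keyed "In" / "Out"


def parse_flow_sessions(text):
    """Turn 'show security flow session' output into a list of Session objects."""
    sessions = []
    for line in text.splitlines():
        if h := HEADER_RE.search(line):
            sessions.append(Session(int(h["sid"]), h["policy"], int(h["index"]),
                                    int(h["timeout"])))
        elif (w := WING_RE.search(line)) and sessions:
            sessions[-1].wings[w["dir"]] = Wing(
                w["src"], int(w["sport"]), w["dst"], int(w["dport"]), w["proto"],
                w["ifname"], int(w["pkts"]), int(w["bytes"]))
    return sessions


def nat_applied(session):
    """Compare the two wings and report which translations the SRX applied.
    The Out wing is the reverse flow, so its destination should equal the In
    wing's source unless source NAT changed it, and its source should equal the
    In wing's destination unless destination NAT changed it (port-only changes
    such as 2025 -> 25 count as well)."""
    i, o = session.wings["In"], session.wings["Out"]
    kinds = set()
    if (o.dst, o.dport) != (i.src, i.sport):
        kinds.add("source-nat")
    if (o.src, o.sport) != (i.dst, i.dport):
        kinds.add("destination-nat")
    return kinds


if __name__ == "__main__":
    for sample in (SAMPLE_SOURCE_NAT, SAMPLE_DEST_NAT):
        for s in parse_flow_sessions(sample):
            print(s.sid, s.policy, s.index, s.timeout, sorted(nat_applied(s)))
```

Run against the first sample it reports source NAT only, against the second destination NAT only; a session with neither set is plain routed traffic, which is a quick way to spot a NAT rule that is not being hit.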
How can we open a default/standard port/application on SRX and do destination NAT?
In the topology we have a web server, and we would like to allow public HTTP service, i.e. anyone who types http://192.168.100.38 in their browser from the Internet will be redirected to our internal web server. In other words, we will create a destination NAT rule and a security policy allowing this HTTP traffic.
First we go to configuration mode:
root@srx220> configure
Entering configuration mode
Then we can paste the following commands to configure destination NAT:
Destination NAT
set security nat destination pool webserver-internal address 192.168.239.10/32
set security nat destination rule-set internal-servers from zone internet
set security nat destination rule-set internal-servers rule webserver match destination-address 192.168.100.38/32
set security nat destination rule-set internal-servers rule webserver match destination-port 80
set security nat destination rule-set internal-servers rule webserver then destination-nat pool webserver-internal
Note: In order to forward traffic to the internal server, a pool is required.
Security Policy
If you don't permit the HTTP traffic in a security policy, destination NAT is of no use.
In this setup I am moving from zone-specific address books to the global address book, so I am moving my old address entry to the global level and adding a new address entry for the web server.
delete security zones security-zone internal address-book address network_239
set security address-book global address network_239 192.168.239.0/24
set security address-book global address webserver 192.168.239.10/32
Now we can create the security policy:
set security policies from-zone internet to-zone internal policy allow-web-service match source-address any
set security policies from-zone internet to-zone internal policy allow-web-service match destination-address webserver
set security policies from-zone internet to-zone internal policy allow-web-service match application junos-http
set security policies from-zone internet to-zone internal policy allow-web-service then permit
Note: On SRX, predefined applications are prefixed with junos-, as you can see for the junos-http application.
Finally, commit your changes. Now we telnet to the IP 192.168.100.38 from the outside network (10.100.100.10) and check the session table:
root@srx220> show security flow session destination-port 80
Session ID: 147, Policy name: allow-web-service/5, Timeout: 286, Valid
  In: 10.100.100.10/36120 --> 192.168.100.38/80;tcp, If: ge-0/0/0.0, Pkts: 3, Bytes: 164
  Out: 192.168.239.10/80 --> 10.100.100.10/36120;tcp, If: ge-0/0/1.0, Pkts: 2, Bytes: 120
Total sessions: 1
As you can see, the request for 192.168.100.38:80 is translated to 192.168.239.10:80 by the SRX.
How can we open a non-standard port and do destination NAT?
Now we have a different requirement. There is an SMTP server listening on the default port 25, but we want everyone to access this host on port 2025 instead of the default port. Let's configure this scenario.
First, the address book entry:
set security address-book global address smtpserver 192.168.239.11
Then the destination NAT pool and rule:
set security nat destination pool smtpserver-internal address 192.168.239.11/32
set security nat destination pool smtpserver-internal address port 25
set security nat destination rule-set internal-servers rule smtpserver match destination-address 192.168.100.38/32
set security nat destination rule-set internal-servers rule smtpserver match destination-port 2025
set security nat destination rule-set internal-servers rule smtpserver then destination-nat pool smtpserver-internal
Note: Pay attention that the pool we created is for port 25, but the actual port match is for 2025.
Now the security policy:
set security policies from-zone internet to-zone internal policy allow-smtp-service match source-address any
set security policies from-zone internet to-zone internal policy allow-smtp-service match destination-address smtpserver
set security policies from-zone internet to-zone internal policy allow-smtp-service match application junos-smtp
set security policies from-zone internet to-zone internal policy allow-smtp-service then permit
Note: You may be asking why we use the junos-smtp application, which has port 25, instead of an application with destination port 2025. The reason is that security policy processing is done after destination NAT is processed, hence when the security policy does its match the port has already been translated from 2025 to 25.
For example, if you were to redirect (port NAT) port 2025 to another non-standard port, e.g. 2000, on this SMTP server, then you would have to create an application, e.g. named custom-smtp, matching the translated port 2000 and permit this application in the policy:
set applications application custom-smtp protocol tcp
set applications application custom-smtp destination-port 2000
But this isn't what we are configuring now. We just redirect the outside port 2025 to the internal port 25.
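The ordering point in the note above (destination NAT first, then the policy lookup on the translated packet) is easy to get wrong, so here is an added example, not code from the original post, that models the first-packet path with the post's own rules and policies and shows both the 2025 -> 25 case and the 2025 -> 2000 variation. The Packet class, the rule/policy tuples and the custom-smtp application on port 2000 are my constructed model of the configuration, not an SRX API.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


# Global address book entries from the post (name -> host address).
ADDRESS_BOOK = {
    "webserver": "192.168.239.10",
    "smtpserver": "192.168.239.11",
}

# Applications: name -> (protocol, destination port). junos-http and junos-smtp
# are predefined on the SRX; custom-smtp is the one you would need if the
# translated port were itself non-standard (2000), so it matches 2000.
APPLICATIONS = {
    "junos-http": ("tcp", 80),
    "junos-smtp": ("tcp", 25),
    "custom-smtp": ("tcp", 2000),
}

# Destination NAT rules in rule-set order:
# (match destination address, match destination port) -> (pool address, pool port).
# A pool configured without a port (None) keeps the original destination port.
DNAT_RULES = [
    (("192.168.100.38", 80), ("192.168.239.10", None)),   # rule webserver
    (("192.168.100.38", 2025), ("192.168.239.11", 25)),   # rule smtpserver
]

# Security policies from-zone internet to-zone internal, in order:
# (policy name, destination address-book name, application).
POLICIES = [
    ("allow-web-service", "webserver", "junos-http"),
    ("allow-smtp-service", "smtpserver", "junos-smtp"),
]


def apply_destination_nat(pkt, rules=DNAT_RULES):
    """Return the packet after the first matching destination NAT rule
    (unchanged when no rule matches)."""
    for (m_addr, m_port), (p_addr, p_port) in rules:
        if pkt.dst == m_addr and pkt.dport == m_port:
            return replace(pkt, dst=p_addr, dport=pkt.dport if p_port is None else p_port)
    return pkt


def match_policy(pkt, policies=POLICIES, apps=APPLICATIONS, book=ADDRESS_BOOK):
    """Return the first policy whose destination address and application match,
    or None (which on a real SRX means the default deny)."""
    for name, dst_name, app in policies:
        proto, port = apps[app]
        if pkt.dst == book[dst_name] and pkt.proto == proto and pkt.dport == port:
            return name
    return None


def first_packet(pkt, rules=DNAT_RULES, policies=POLICIES, apps=APPLICATIONS):
    """Model the order the post describes: destination NAT first, then the
    policy lookup on the already translated packet."""
    translated = apply_destination_nat(pkt, rules)
    return translated, match_policy(translated, policies, apps)


if __name__ == "__main__":
    pkt = Packet("10.100.100.10", "192.168.100.38", 2025)
    # 2025 -> 25: junos-smtp matches because the policy sees port 25.
    print(first_packet(pkt))
    # Variation from the post: 2025 -> 2000. junos-smtp no longer matches ...
    alt_rules = [(("192.168.100.38", 2025), ("192.168.239.11", 2000))]
    print(first_packet(pkt, alt_rules))
    # ... so a custom application is needed, and it must match the translated
    # port 2000; one written for 2025 never matches.
    custom = [("allow-smtp-service", "smtpserver", "custom-smtp")]
    print(first_packet(pkt, alt_rules, custom))
    wrong_apps = {**APPLICATIONS, "custom-smtp": ("tcp", 2025)}
    print(first_packet(pkt, alt_rules, custom, wrong_apps))
```

The last two calls are the edge case worth remembering: a custom application written for the pre-NAT port 2025 silently matches nothing, and the session is dropped by the default deny, which looks like a NAT problem when it is really a policy problem.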
Now we telnet from our Internet host:
root@vHost2:~# vhost INTERNET1
INTERNET1>telnet 192.168.100.38 2025
Trying 192.168.100.38...
Connected to 192.168.100.38.
Escape character is '^]'.
220 vHost2 ESMTP Postfix (Debian/GNU)
Heyyy, we have got the SMTP response on the non-standard port 2025. Let's check the flow session:
root@srx220> show security flow session destination-port 25
Session ID: 151, Policy name: allow-smtp-service/6, Timeout: 1784, Valid
  In: 10.100.100.10/56967 --> 192.168.100.38/2025;tcp, If: ge-0/0/0.0, Pkts: 3, Bytes: 164
  Out: 192.168.239.11/25 --> 10.100.100.10/56967;tcp, If: ge-0/0/1.0, Pkts: 2, Bytes: 151
Total sessions: 1
Yes, port 2025 is translated to 25, as can be seen in the flow session too.
You can also check the translation hits with the following command to see whether the NAT rule is really being hit:
root@srx220> show security nat destination rule smtpserver
Destination NAT rule: smtpserver            Rule-set: internal-servers
  Rule-Id                    : 2
  Rule position              : 2
  From zone                  : internet
  Destination addresses      : 192.168.100.38  - 192.168.100.38
  Destination port           : 2025 - 2025
  Action                     : smtpserver-internal
  Translation hits           : 1    <--- Here we can see the translation hits.
  Successful sessions        : 1
  Failed sessions            : 0
  Number of sessions         : 1
How can we do proxy-arp?
According to our topology, we have only one WAN IP assigned to the external interface, which is 192.168.100.38, but our ISP has given us a /24 block from which we now also want to use the IP address 192.168.100.100 for some services. However, we don't want to assign this IP address to the external interface. The problem is that if you don't assign an IP to an interface, the SRX doesn't respond to ARP requests for that IP. To solve this we need to configure proxy ARP. To demonstrate it, we have a scenario: there is an application server in the internal network with IP 192.168.239.12, and the application is running on TCP port 8080. We would like everyone on the Internet to access this application via TCP port 80, i.e. we will redirect TCP 80 requests coming to 192.168.100.100 to the internal 192.168.239.12 TCP 8080.
#Configure proxy-arp so that we can respond to ARP requests for this address
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.100.100/32
#Configure the TCP8080 custom application
set applications application TCP8080 protocol tcp
set applications application TCP8080 destination-port 8080
#We also need an address book entry for our policy
set security address-book global address appserver 192.168.239.12/32
#Here we configure our pool for NAT
set security nat destination pool appserver-internal address 192.168.239.12/32
set security nat destination pool appserver-internal address port 8080
#Destination NAT rule
set security nat destination rule-set internal-servers rule appserver match destination-address 192.168.100.100/32
set security nat destination rule-set internal-servers rule appserver match destination-port 80
set security nat destination rule-set internal-servers rule appserver then destination-nat pool appserver-internal
#And finally the security policy allowing TCP8080
set security policies from-zone internet to-zone internal policy allow-appserver match source-address any
set security policies from-zone internet to-zone internal policy allow-appserver match destination-address appserver
set security policies from-zone internet to-zone internal policy allow-appserver match application TCP8080
set security policies from-zone internet to-zone internal policy allow-appserver then permit
Now we connect to TCP port 80 of 192.168.100.100 from the 10.100.100.10 Internet host and check the session table:
root@srx220> show security flow session destination-port 80
Session ID: 7, Policy name: allow-appserver/7, Timeout: 1792, Valid
  In: 10.100.100.10/45550 --> 192.168.100.100/80;tcp, If: ge-0/0/0.0, Pkts: 3, Bytes: 164
  Out: 192.168.239.12/8080 --> 10.100.100.10/45550;tcp, If: ge-0/0/1.0, Pkts: 2, Bytes: 120
Total sessions: 1
Yes, it works! We redirect port 80 to the internal port 8080.
Now I hope that I have completed the SRX for beginners posts!
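Forgetting the proxy-arp line is the classic way a destination NAT for an extra public address silently fails, so here is an added example (not from the original post) that reads Junos "set" commands and flags every destination NAT match address that the SRX would not answer ARP for on the rule-set's zone interface, i.e. an address that is neither configured on the interface nor covered by "set security nat proxy-arp". The NAT and proxy-arp lines are the post's own; the interface address line and the zone-to-interface line are my assumptions for the example (the post never shows them). It also goes slightly beyond the post by understanding the "address A to B" range form of the proxy-arp statement.

```python
import ipaddress
import re

# Constructed configuration: the post's NAT rules plus the two assumed lines
# (interface address on ge-0/0/0 and the internet zone binding).
SAMPLE_CONFIG = """\
set interfaces ge-0/0/0 unit 0 family inet address 192.168.100.38/24
set security zones security-zone internet interfaces ge-0/0/0.0
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.100.100/32
set security nat destination rule-set internal-servers from zone internet
set security nat destination rule-set internal-servers rule webserver match destination-address 192.168.100.38/32
set security nat destination rule-set internal-servers rule smtpserver match destination-address 192.168.100.38/32
set security nat destination rule-set internal-servers rule appserver match destination-address 192.168.100.100/32
"""

IFACE_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+)$")
ZONE_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)$")
PARP_RE = re.compile(r"^set security nat proxy-arp interface (\S+) address (\S+)(?: to (\S+))?$")
RS_ZONE_RE = re.compile(r"^set security nat destination rule-set (\S+) from zone (\S+)$")
RULE_RE = re.compile(
    r"^set security nat destination rule-set (\S+) rule (\S+) match destination-address (\S+)$")


def parse(config):
    """Collect interface addresses, zone interfaces, proxy-arp ranges,
    rule-set zones and destination NAT match addresses from set commands."""
    iface_addrs, zone_ifs, proxy, rs_zone, rules = {}, {}, {}, {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := IFACE_RE.match(line):
            iface_addrs.setdefault(f"{m[1]}.{m[2]}", []).append(ipaddress.ip_interface(m[3]).ip)
        elif m := ZONE_RE.match(line):
            zone_ifs.setdefault(m[1], []).append(m[2])
        elif m := PARP_RE.match(line):
            start = ipaddress.ip_interface(m[2]).ip
            end = ipaddress.ip_interface(m[3]).ip if m[3] else start
            proxy.setdefault(m[1], []).append((int(start), int(end)))
        elif m := RS_ZONE_RE.match(line):
            rs_zone[m[1]] = m[2]
        elif m := RULE_RE.match(line):
            rules.append((m[1], m[2], ipaddress.ip_network(m[3])))
    return iface_addrs, zone_ifs, proxy, rs_zone, rules


def answerable(ip, ifname, iface_addrs, proxy):
    """True if the SRX would answer ARP for ip on ifname: either the address is
    configured on the interface or a proxy-arp range on that interface covers it."""
    if ip in iface_addrs.get(ifname, []):
        return True
    return any(lo <= int(ip) <= hi for lo, hi in proxy.get(ifname, []))


def check_proxy_arp(config):
    """Return (rule name, address, interface) for every destination NAT match
    address that nobody would answer ARP for. Rule-sets bound by interface or
    routing-instance rather than 'from zone' are not examined by this checker."""
    iface_addrs, zone_ifs, proxy, rs_zone, rules = parse(config)
    findings = []
    for rs, rule, net in rules:
        for ifname in zone_ifs.get(rs_zone.get(rs), []):
            for ip in net:  # the post's rules are /32, so this is one address each
                if not answerable(ip, ifname, iface_addrs, proxy):
                    findings.append((rule, str(ip), ifname))
    return findings


if __name__ == "__main__":
    print("with proxy-arp:", check_proxy_arp(SAMPLE_CONFIG))
    stripped = "\n".join(l for l in SAMPLE_CONFIG.splitlines() if "proxy-arp" not in l)
    print("without proxy-arp:", check_proxy_arp(stripped))
```

The second run reports the appserver rule for 192.168.100.100 on ge-0/0/0.0, while 192.168.100.38 is never reported because it is the interface's own address, which is exactly the distinction the post makes.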
If you have a public IP subnet and are going to use destination or static NAT, don't forget to set security > nat > proxy-arp for your addresses on the respective outgoing interface, as long as you do not use the address of the SRX itself.
Thanks for the feedback. Very good point actually. Hence, I have updated the post and added the proxy-arp scenario.
Genco.
Hello Mr Author. I really appreciate you posting very valuable information on this blog. I follow your posts a lot and they have really helped me learn SRX.
I have a few items that I would like your suggestions on. I would really appreciate it if you could help me compile a list of all tasks that can be automated on an SRX5800:
- health checks that can be automated with some external tool
- configurations that can be deployed with automation tools.
Hello,
I am completely new to Juniper products and I got an opportunity to get to know the srx220 because my Cisco PIX has been malfunctioning for the last 2 weeks, and it is going to be replaced by an srx220. Will you please help me configure that box? I am sending you the network diagram and config file of my PIX-525. I think there is no option to upload a jpg file here, so I am describing my network.
We are using 7 to 8 VLANs in our network, created on a Cisco 4510R Catalyst switch which is connected to the Cisco PIX through VLAN 500, and the default route configured on the 4510R is the PIX inside IP, which is 172.16.0.250 255.255.255.248. The PIX is between the 4510R and a Cisco router, and I have no access to that router. That router is under the ISP, so I can't change anything on it. The outside IP of the PIX, 172.20.1.2/24, is directly connected to the router. The config of the PIX-525 is as follows:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface gb-ethernet0 1000auto shutdown
interface gb-ethernet1 1000auto shutdown
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif gb-ethernet0 inside1 security99
nameif gb-ethernet1 inside2 security90
nameif ethernet2 intf4 security8
nameif ethernet3 radio-phy security10
nameif ethernet4 intf6 security12
nameif ethernet5 intf7 security14
enable password ################# encrypted
passwd ################ encrypted
hostname cupix
domain-name cupix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit icmp any any
access-list acl_out permit udp any any eq domain
access-list acl_out permit ip any any
access-list acl_out permit tcp any any
access-list acl_in permit icmp any any
access-list acl_in permit udp any any eq domain
access-list acl_in permit tcp any any
access-list RADIO-PHY permit ip host 10.0.3.2 any
access-list RADIO-PHY permit ip host 10.0.3.3 any
access-list RADIO-PHY permit tcp 10.0.3.0 255.255.255.0 any
access-list RJABZR_CASH permit ip host 10.0.2.2 any
access-list RJABZR_CASH permit ip host 10.0.2.3 any
access-list RJABZR_CASH permit ip host 10.0.2.4 any
access-list RJABZR_CASH permit ip host 10.0.2.5 any
access-list RJABZR_CASH permit ip host 10.0.2.6 any
access-list RJABZR_CASH permit ip host 10.0.2.10 any
access-list RJABZR_CASH permit ip host 10.0.2.11 any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu inside1 1500
mtu inside2 1500
mtu intf4 1500
mtu radio-phy 1500
mtu intf6 1500
mtu intf7 1500
ip address outside 172.20.1.2 255.255.255.0
ip address inside 172.16.0.250 255.255.255.248
no ip address inside1
no ip address inside2
no ip address intf4
ip address radio-phy 192.110.1.1 255.255.255.0
no ip address intf6
no ip address intf7
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address inside1
no failover ip address inside2
no failover ip address intf4
no failover ip address radio-phy
no failover ip address intf6
no failover ip address intf7
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list RJABZR_CASH
nat (inside) 1 10.3.64.74 255.255.255.255 0 0
nat (inside) 1 172.16.1.11 255.255.255.255 0
nat (inside) 1 172.16.110.2 255.255.255.255 0 0
nat (inside) 1 172.16.0.248 255.255.255.248 0 0
nat (inside) 1 172.16.11.248 255.255.255.248 0 0
nat (inside) 1 10.0.2.0 255.255.255.0 0 0
nat (inside) 1 172.10.1.0 255.255.255.0 0 0
nat (inside) 1 172.16.11.0 255.255.255.0 0 0
nat (inside) 1 172.16.100.0 255.255.255.0 0 0
nat (inside) 1 192.110.1.0 255.255.255.0 0 0
nat (inside) 1 192.168.50.0 255.255.255.0 0 0
nat (inside) 1 172.16.0.0 255.255.0.0 0 0
access-group acl_out in interface outside
access-group acl_in i
route outside 0.0.0.0 0.0.0.0 172.20.1.1 1
route inside 10.0.2.0 255.255.255.0 172.16.0.249 1
route inside 10.0.3.0 255.255.255.0 172.16.0.249 1
route inside 10.3.64.0 255.255.224.0 172.16.0.249 1
route inside 172.10.0.0 255.255.0.0 172.16.0.249 1
route inside 172.10.1.0 255.255.255.0 172.16.0.249 1
route inside 172.16.0.0 255.255.0.0 172.16.0.249 1
route inside 192.168.50.0 255.255.255.0 172.16.0.249 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 172.16.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
So will you please send me the configuration of that box which will be installed here? And I request you to make a post on this problem like your other posts, which are very clearly understandable.
Thanks:
Anand Chourasia
Hi ,
This article is really helpful for me. Can you please include VPN configuration also?
Thanks
Amol
Amol,
Actually I have a fair amount of IPsec articles under the ipsec category http://rtoodtoo.net/category/ipsec
I hope they are useful.
How many ISPs can we configure on a Juniper SRX 210 HE2 firewall?
Hi,
Just read it for the accessing-the-web-server-from-outside case. I have one query: how can a private IP address be telnetted to or accessed from outside? Only public IP addresses are routable and accessible over the Internet. I think something is wrong in the typing or I missed something. Please clarify for me. Thanks
Hi,
I need to open some ports from 192.168.1.15 to 0.0.0.0/0; the ports are UDP 5060 and 4000 to 4012. Network map: http://i67.tinypic.com/2r6l6vd.jpg
Can you help me?
SRX is in flow mode:
admin@SRX210> show security flow status
Flow forwarding mode:
Inet forwarding mode: flow based
Inet6 forwarding mode: flow based (reboot needed to change to drop)
MPLS forwarding mode: drop
ISO forwarding mode: drop
Advanced services data-plane memory mode: Default
Flow trace status
Flow tracing status: off
Flow session distribution
Distribution mode: RR-based
admin@SRX210>
Thanks!
Thanks for the great pages. Your reminder to add the dhcp to the host allowed services seems so obvious now, but during troubleshooting was kicking my butt. Very good information. Drinks are on me if you are ever in the Washington DC area.
Thanks Gregory. Not sure if I can visit DC anytime but your offer is nice:)
Great article. I've been working with SRX sporadically and these articles are really helpful.
Any article showing how to use an application server (on a private IP), as mentioned in the above diagram, running Tomcat, with the SRX connected to the Internet? I defined static NAT and destination NAT but it's not working. My Linux server is running with a public IP on eth0, from where I can access it easily; if I make the default route the private IP of eth1 connected to the firewall and try to access the firewall IP, it's not working.
Great posts. They are very helpful. Thanks.
Hansen B.Kannie
Sr.network Engineer LS technologies, LLC Washington DC USA.
Thanks for the feedback Hansen.
Excellent! What about a port range?
This was very helpful for me. I will look forward to seeing next post on SRX.
Really explained in easy way…
Thanks….