
Juniper SRX110 H2 DMZ Configuration

Posted on 2014-04-16
Last Modified: 2014-10-10
Hi

I'm currently using a Juniper SRX 110 (H2), firmware 12.1R4.8, with my home VDSL connection.
Problem is I can't forward port ranges with this modem (can't seem to find a way) and need to open ports for the PS4.

I would like to set up a DMZ to the PS4 at 192.168.1.199.
Or is it possible to enable UPnP?

ports needed:
UDP: 3074, 3478-3479, 3659, 6000
TCP: 80, 443, 1935, 3478-3480, 3659, 10000-10099, 42127

Current Configuration

/* Junos 12.1R4.8 configuration as posted; the author redacted secrets with "xxx". */
version 12.1R4.8;
system {
    host-name Tixsta;
    /* NOTE(review): "pacific/aucklanpset" reads like a paste garble; confirm the intended zone (Pacific/Auckland?). */
    time-zone pacific/aucklanpset;
    root-authentication {
        encrypted-password "xxxxxxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    login {
        /* Single super-user account, password-based (no ssh key is configured here). */
        user xxxxxxx {
            uid 2001;
            class super-user;
            authentication {
                encrypted-password "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; ##ET-DATA
            }
        }
    }
    services {
        ssh;
        /* telnet and xnm-clear-text carry logins in cleartext; ssh and https already cover management, so both can be removed. */
        /* Their reach is bounded by zone host-inbound-traffic below: trust allows "all", untrust does not list them. */
        telnet;
        xnm-clear-text;
        web-management {
            /* Cleartext J-Web on the LAN interface, alongside HTTPS on the same interface. */
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface vlan.0;
            }
        }
        dhcp {
            /* LAN DHCP server; hands out 192.168.1.1 (vlan.0) as the gateway. */
            pool 192.168.1.0/24 {
                address-range low 192.168.1.2 high 192.168.1.254;
                router {
                    192.168.1.1;
                }
            }
            /* Learns DNS etc. from fe-0/0/0.0, which has no address family configured; the uplink is pp0.0. Likely a factory-default leftover. */
            propagate-settings fe-0/0/0.0;
        }
    }
    syslog {
        /* Local logging only; no remote syslog host is configured. */
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp;
}
interfaces {
    /* fe-0/0/0 has no family configured yet is still a member of the untrust zone below. */
    fe-0/0/0 {
        unit 0;
    }
    /* fe-0/0/1 through fe-0/0/7: switched LAN ports in vlan-trust, routed via vlan.0. */
    fe-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    /* VDSL uplink; the PPPoE session runs tagged in VLAN 10. */
    pt-1/0/0 {
        vlan-tagging;
        vdsl-options {
            vdsl-profile auto;
        }
        unit 0 {
            encapsulation ppp-over-ether;
            vlan-id 10;
        }
    }
    pp0 {
        /* Debug tracing (flag all) left enabled: useful while troubleshooting the PPPoE session, noisy otherwise. */
        traceoptions {
            flag all;
        }
        no-per-unit-scheduler;
        unit 0 {
            ppp-options {
                pap {
                    local-name "xxxxxxx@snap.net.nz";
                    local-password "xxxxxxxxxxxxxxxxxxxxxx"; ## S-DATA
                    passive;
                }
            }
            pppoe-options {
                underlying-interface pt-1/0/0.0;
                auto-reconnect 10;
                client;
            }
            /* The WAN address is negotiated (dynamic), which matters for any destination-NAT rule that matches a fixed public /32. */
            family inet {
                mtu 1492;
                negotiate-address;
            }
        }
    }
    /* Routed LAN interface for vlan-trust. */
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
routing-options {
    static {
        /* Default route out the PPPoE session. */
        route 0.0.0.0/0 next-hop pp0.0;
    }
}
protocols {
    stp;
}
security {
    flow {
        /* MSS clamp for the 1492-byte PPPoE MTU (1492 minus 40 bytes of IP/TCP header). */
        tcp-mss {
            all-tcp {
                mss 1452;
            }
        }
    }
    /* Screen (IDS) profile bound to the untrust zone below. */
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        /* Interface source NAT for everything leaving trust. No destination NAT is defined yet, which is what the requested port forwarding needs. */
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        /* Outbound only. With no from-zone untrust to-zone trust policy, inbound sessions hit the implicit deny; */
        /* the PS4 forwarding needs destination NAT plus an untrust-to-trust policy scoped to 192.168.1.199 and the listed applications. */
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            /* The LAN may reach every system service and protocol on the device, including the cleartext services enabled above. */
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            /* Zone-level services apply to every untrust interface, including the Internet-facing pp0.0 (no per-interface override), */
            /* so SSH login is reachable from the Internet with the password accounts above. Limiting this to ping and managing from trust reduces exposure. */
            host-inbound-traffic {
                system-services {
                    ssh;
                    ping;
                }
            }
            interfaces {
                /* dhcp/tftp host-inbound on the two physical WAN-side ports look like factory defaults; pt-1/0/0.0 only carries the PPPoE underlay. */
                fe-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                            ssh;
                            ping;
                        }
                    }
                }
                pt-1/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                            ssh;
                            ping;
                        }
                    }
                }
                /* Inherits the zone-level ssh/ping above. */
                pp0.0;
            }
        }
        /* Empty zone "untrus" with no interfaces: apparently a typo, safe to delete. */
        security-zone untrus;
    }
}
vlans {
    /* LAN VLAN (ID 3), routed by vlan.0 at 192.168.1.1. */
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}
Question by:beltonnz

Expert Comment

by:Rafael
For starters, not all the ports are in your SRX, nor are the IPs in your address book. You need to add them into the SRX. You also need to add them as applications. Give me a day to go over your config and see where I can help. Time to spend time with the family.

Author Comment

by:beltonnz
Great thank you!

Would be great to forward ranges! Is the DMZ or UPnP possible with the SRX?

I can forward ports as in the example below:

Create a destination pool for each server/INTERNAL port:
# Example copied from another network: 192.168.3.2 is that server, not this LAN (192.168.1.0/24).
# "port" is the INTERNAL port the pool translates to.
set security nat destination pool dnat_SBSSERVER_SMTP address 192.168.3.2/32 port 25
set security nat destination pool dnat_SBSSERVER_HTTP address 192.168.3.2/32 port 80
set security nat destination pool dnat_SBSSERVER_HTTPS address 192.168.3.2/32 port 443

Create a DNAT rule-set:

# Inbound NAT rule-set, evaluated for sessions arriving from the untrust zone.
set security nat destination rule-set DEST-NAT from zone untrust

For each port, add a DNAT rule to define the EXTERNAL port – using 0.0.0.0/0 as the destination address will also catch VPN traffic in the DNAT rule:

[edit security nat destination rule-set DEST-NAT]
# <public ip> is a placeholder. The posted config negotiates the pp0.0 address (negotiate-address),
# so a fixed /32 here would stop matching when the ISP assigns a new address; the 0.0.0.0/0 form
# mentioned above avoids that, at the cost of also catching VPN traffic.
set rule SBSSERVER_SMTP match destination-address <public ip>/32
set rule SBSSERVER_SMTP match destination-port 25
set rule SBSSERVER_SMTP then destination-nat pool dnat_SBSSERVER_SMTP

set rule SBSSERVER_HTTP match destination-address <public ip>/32
set rule SBSSERVER_HTTP match destination-port 80
set rule SBSSERVER_HTTP then destination-nat pool dnat_SBSSERVER_HTTP

set rule SBSSERVER_HTTPS match destination-address <public ip>/32
set rule SBSSERVER_HTTPS match destination-port 443
set rule SBSSERVER_HTTPS then destination-nat pool dnat_SBSSERVER_HTTPS

Create a security policy to allow the ports to the destination server:
[edit security policies from-zone untrust to-zone trust policy untrust-to-trust-DNAT_SBSSERVER]
# Match statements only: the policy still needs "set then permit", and SBSSERVER must exist as an
# address-book entry holding the server's internal (post-NAT) address before this will commit.

set match source-address any
set match destination-address SBSSERVER
# Set single
set match application junos-smtp
# Or multiple
set match application [ junos-http junos-https ]

Author Comment

by:beltonnz
Anyone?

Expert Comment

by:pergr
You have outlined the solution yourself in the comment above.

Accepted Solution

by:
Rafael earned 500 total points
DMZ is possible on the SRX.
First, make sure you configure address book entries.
Then set up your pre-translated ports configuration.
Then set up your NAT pool configuration, and then create your policy.

I would recommend setting up a PS4 application set so that you can drop the required ports into the set. That would make it easier for security policies and configuration of the DMZ and NAT pool.

So something such as:

# Sketch rather than a literal commit: each application-set member must name an application defined
# under "applications" with a protocol and destination-port, e.g. one for TCP 3478-3480 and a separate
# one for UDP 3478-3479, since the question lists those ports under both protocols. 3659 and the 3478
# range appear twice below, and 52028-52030 is not in the requested list.
set application-set PS4
                {
                application 3478-3480;
                application 3659;
                application 52028-52030;
                application 10000-10099;
                application 1935;
                application 42127;
                                       
                application 3074;
                application 3478-3479;
                application 3659;
                application 6000;
                }

Outside of that you would be on the right track. Make the configuration changes and re-post the updated config so we can take a look at it once the changes have been made.

-Rafael

Author Comment

by:beltonnz
Thanks rcaballerojr

Will make some changes tomorrow and post the configuration.

Author Comment

by:beltonnz
I have made some changes - let me just grab that config.

Author Comment

by:beltonnz
Thanks Rafael

I managed to get everything working with your help. I haven't had time to post the final config, but I will.

Expert Comment

by:Rafael
You're welcome. I look forward to seeing the final config. I'm sure it will help others as well when they search for something similar here on EE.

Expert Comment

by:Aaron Brown
beltonnz,

Any chance you can post your final configuration? I have this same question and problem and would rather not open another thread.

Thanks,
Aaron