
Juniper SRX110 H2 DMZ Configuration

Hi

I'm currently using a Juniper SRX 110 (H2) on firmware 12.1R4.8 with my home VDSL connection.
The problem is I can't forward port ranges with this modem (can't seem to find a way), and I need to open ports for the PS4.

I would like to set up a DMZ for the PS4 at 192.168.1.199.
Or is it possible to enable UPnP?

ports needed:
UDP: 3074, 3478-3479, 3659, 6000
TCP: 80, 443, 1935, 3478-3480, 3659, 10000-10099, 42127

Current Configuration

/* Configuration as posted: Junos 12.1R4.8 on an SRX110 H2. */
version 12.1R4.8;
/* System-level settings: identity, DNS, management services, LAN DHCP server, logging, licensing. */
system {
    host-name Tixsta;
    /* The time-zone value looks garbled in the paste (presumably Pacific/Auckland); confirm before reusing. */
    time-zone pacific/aucklanpset;
    root-authentication {
        encrypted-password "xxxxxxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-
    }
    /* DNS resolvers used by the device itself. */
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    login {
        /* Local super-user account; the hash is redacted by the poster and the trailing
           "##" marker is Junos's SECRET-DATA tag truncated in the paste. */
        user xxxxxxx {
            uid 2001;
            class super-user;
            authentication {
                encrypted-password "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; ##ET-DATA
            }
        }
    }
    services {
        /* Management services the device listens for. Which zones may reach them is decided by
           host-inbound-traffic under security zones: the trust zone permits all system-services,
           the untrust zone only ssh and ping at zone level. */
        ssh;
        /* telnet and xnm-clear-text carry credentials and session data unencrypted; ssh already
           covers remote CLI access, so these two are candidates for removal. */
        telnet;
        xnm-clear-text;
        /* J-Web is bound to vlan.0 only, i.e. reachable from the LAN side, not from the PPPoE side. */
        web-management {
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface vlan.0;
            }
        }
        /* DHCP server for the LAN. The pool spans the whole /24, which includes the PS4 address
           192.168.1.199 mentioned in the question; a host that receives port forwards should have
           a fixed address rather than a lease that may move. */
        dhcp {
            pool 192.168.1.0/24 {
                address-range low 192.168.1.2 high 192.168.1.254;
                router {
                    192.168.1.1;
                }
            }
            /* Looks like a factory-default leftover: fe-0/0/0.0 has no address family configured
               (see interfaces) and the actual WAN interface is pp0.0. */
            propagate-settings fe-0/0/0.0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        /* The messages file gets critical events from any facility plus authorization at info,
           so logins and authentication failures are recorded. */
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    /* ntp is enabled but no server is listed, so no time source is actually configured. */
    ntp;
}
/* Interfaces: fe-0/0/0 is unused here (no family), fe-0/0/1..7 are LAN switch ports in
   vlan-trust, pt-1/0/0 is the VDSL line carrying PPPoE on VLAN 10, pp0 is the PPPoE session. */
interfaces {
    /* Bare unit with no address family; still referenced by the untrust zone and by
       dhcp propagate-settings, presumably a factory-default leftover. */
    fe-0/0/0 {
        unit 0;
    }
    /* LAN access ports, all members of vlan-trust (vlan-id 3, routed via vlan.0). */
    fe-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    /* VDSL line; unit 0 only carries the PPPoE session, it has no IP family of its own. */
    pt-1/0/0 {
        vlan-tagging;
        vdsl-options {
            vdsl-profile auto;
        }
        unit 0 {
            /* PPPoE tagged on VLAN 10 (ISP-specific). */
            encapsulation ppp-over-ether;
            vlan-id 10;
        }
    }
    pp0 {
        /* Debug tracing of everything on pp0: useful while bringing the link up, noisy afterwards. */
        traceoptions {
            flag all;
        }
        no-per-unit-scheduler;
        unit 0 {
            ppp-options {
                /* PAP login to the ISP; the password is a SECRET-DATA value (tag truncated in the paste). */
                pap {
                    local-name "xxxxxxx@snap.net.nz";
                    local-password "xxxxxxxxxxxxxxxxxxxxxx"; ## S-DATA
                    passive;
                }
            }
            pppoe-options {
                underlying-interface pt-1/0/0.0;
                auto-reconnect 10;
                client;
            }
            family inet {
                /* 1492 = 1500 minus the 8-byte PPPoE header; the tcp-mss 1452 under security flow
                   is this value minus 40 bytes of IP+TCP headers. */
                mtu 1492;
                /* The public address is assigned by the ISP and may change between sessions; any
                   destination-NAT rule that matches a fixed public address must be kept in step with it. */
                negotiate-address;
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                /* LAN gateway; matches the DHCP router option and is the trust zone's only interface. */
                address 192.168.1.1/24;
            }
        }
    }
}
/* Single default route over the PPPoE session; all non-LAN traffic leaves via pp0.0. */
routing-options {
    static {
        route 0.0.0.0/0 next-hop pp0.0;
    }
}
/* Spanning tree on the switched LAN ports. */
protocols {
    stp;
}
/* Security stanza: flow tuning, screen profile, source NAT, one outbound policy, and the zones. */
security {
    flow {
        /* Clamp TCP MSS to fit the 1492-byte PPPoE MTU on pp0.0 (1492 - 40 = 1452). */
        tcp-mss {
            all-tcp {
                mss 1452;
            }
        }
    }
    /* Screen profile; it only takes effect where it is bound, which below is the untrust zone only. */
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        /* Only source NAT is defined: everything leaving trust towards untrust is hidden behind the
           pp0.0 address. There is no destination NAT yet, which is what forwarding the PS4 ports
           needs (a destination pool, a rule-set from zone untrust, and an untrust-to-trust policy). */
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        /* A single permit-any from trust to untrust. No from-zone untrust to-zone trust policy exists,
           so nothing inbound reaches the LAN until one is added alongside the destination NAT. */
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            /* The LAN may reach every system service and protocol on the SRX itself, including the
               cleartext telnet and xnm-clear-text services enabled under system services. */
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            /* Zone-level list: ssh and ping to the SRX are accepted on every untrust interface that
               has no host-inbound-traffic block of its own, which includes pp0.0 below. That exposes
               management SSH to the Internet; remove ssh here unless inbound management is really
               needed, and if it is, restrict the sources that may reach it. */
            host-inbound-traffic {
                system-services {
                    ssh;
                    ping;
                }
            }
            interfaces {
                /* Per-interface lists replace the zone-level list for that interface. dhcp and tftp
                   on WAN-facing ports look like factory-default leftovers; fe-0/0/0.0 has no family
                   and pt-1/0/0.0 only carries PPPoE, so these entries should be inert but are worth
                   cleaning up. */
                fe-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                            ssh;
                            ping;
                        }
                    }
                }
                pt-1/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                            ssh;
                            ping;
                        }
                    }
                }
                /* No interface-level override, so the zone-level ssh/ping list applies here. */
                pp0.0;
            }
        }
        /* Empty zone "untrus": looks like a mistyped "untrust" that was never removed; harmless but confusing. */
        security-zone untrus;
    }
}
/* LAN VLAN: fe-0/0/1..7 are members and vlan.0 is its routed (layer-3) interface. */
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}
Thomas NZ
RafaelCommented:
For starters, not all the ports are in your SRX, nor are the IPs in your address book. You need to add them to the SRX. You also need to add them as applications. Give me a day to go over your config and see where I can help. Time to spend time with the family.
Thomas NZSystems EngineerAuthor Commented:
Great thank you!

It would be great to forward ranges! Is a DMZ or UPnP possible with the SRX?

I can forward individual ports like below, e.g.

Create a destination pool for each server/INTERNAL port:
# One destination pool per internal host/port; the pool holds the translated (inside) address
# and port that matching packets are rewritten to.
set security nat destination pool dnat_SBSSERVER_SMTP address 192.168.3.2/32 port 25
set security nat destination pool dnat_SBSSERVER_HTTP address 192.168.3.2/32 port 80
set security nat destination pool dnat_SBSSERVER_HTTPS address 192.168.3.2/32 port 443

Create a DNAT rule-set:

set security nat destination rule-set DEST-NAT from zone untrust

For each port, add a DNAT rule to define the EXTERNAL port – using 0.0.0.0/0 will catch VPN traffic in the DNAT rule:

[edit security nat destination rule-set DEST-NAT]
# Each rule keys on the public address plus the external port and hands the packet to the matching pool.
# NOTE(review): on a PPPoE link using negotiate-address the public IP is not fixed; a rule that
# matches <public ip>/32 silently stops forwarding if the address changes after a reconnect, so
# re-check it (or match the rule-set on the interface instead of a fixed address) when that happens.
set rule SBSSERVER_SMTP match destination-address <public ip>/32
set rule SBSSERVER_SMTP match destination-port 25
set rule SBSSERVER_SMTP then destination-nat pool dnat_SBSSERVER_SMTP

set rule SBSSERVER_HTTP match destination-address <public ip>/32
set rule SBSSERVER_HTTP match destination-port 80
set rule SBSSERVER_HTTP then destination-nat pool dnat_SBSSERVER_HTTP

set rule SBSSERVER_HTTPS match destination-address <public ip>/32
set rule SBSSERVER_HTTPS match destination-port 443
set rule SBSSERVER_HTTPS then destination-nat pool dnat_SBSSERVER_HTTPS

Create a security policy to allow the ports to the destination server:
[edit security policies from-zone untrust to-zone trust policy untrust-to-trust-DNAT_SBSSERVER]
# SBSSERVER must exist as an address-book entry holding the internal (post-NAT) address:
# destination NAT is applied before policy lookup, so the policy sees the translated destination.
set match source-address any
set match destination-address SBSSERVER
# Set single
set match application junos-smtp
# Or multiple
set match application [ junos-http junos-https ]
# As quoted the policy has no action; it needs `set then permit` to let the traffic through.
Thomas NZSystems EngineerAuthor Commented:
Anyone?
pergrCommented:
You have outlined the solution yourself in the comment above.
RafaelCommented:
DMZ is possible in the SRX.
First you have to make sure you configure address book entries.
Then you have to set up your Pre-translated ports configuration
Then set up your NAT Pool configuration and then create your policy.

I would recommend setting up a PS4 application set so that you can drop the required ports into the set. That would make it easier for security policies and configuration of the DMZ and NAT pool.

So something such as:

# Sketch only: the members of an application-set must be applications defined under
# [edit applications] (protocol plus destination-port, e.g. one entry per TCP or UDP range);
# bare port numbers are not valid application names, so each line below stands for one such entry.
set application-set PS4
                {
                # TCP ports from the question. 80 and 443 from the TCP list are not included here,
                # and 52028-52030 does not appear in the requested list at all.
                application 3478-3480;
                application 3659;
                application 52028-52030;
                application 10000-10099;
                application 1935;
                application 42127;
                                       
                # UDP ports from the question; 3659 and 3478-3479 also appear in the TCP group above,
                # so they need separate tcp and udp application definitions rather than being duplicates.
                application 3074;
                application 3478-3479;
                application 3659;
                application 6000;
                }

Outside of that you would be on the right track. Make the configuration changes and re-post the updated config so we can take a look at it once the changes have been made.

-Rafael
Thomas NZSystems EngineerAuthor Commented:
Thanks rcaballerojr

Will make some changes tomorrow and post the configuration.
Thomas NZSystems EngineerAuthor Commented:
I have made some changes - let me just grab that config.
Thomas NZSystems EngineerAuthor Commented:
Thanks Rafael

I managed to get everything working with your help. I haven't had time to post the final config, but I will.
RafaelCommented:
You're welcome. I look forward to seeing the final config. I'm sure it will help others as well when they search for something similar here on EE.
Aaron BrownCommented:
beltonnz,

Any chance you can post your final configuration? I have this same question and problem and would rather not open another thread.

Thanks,
Aaron