
Juniper SRX110 H2 DMZ Configuration

Posted on 2014-04-16
Last Modified: 2014-10-10
Hi

I'm currently using a Juniper SRX 110 (H2) firmware 12.1R4.8 with my home VDSL Connection.
Problem is I can't forward port ranges with this modem (can't seem to find a way) and need to open ports for the PS4.

I would like to set up a DMZ for the PS4 at 192.168.1.199
Or is it possible to enable UPNP?

ports needed:
UDP: 3074, 3478-3479, 3659, 6000
TCP: 80, 443, 1935, 3478-3480, 3659, 10000-10099, 42127

Current Configuration

/* Junos 12.1R4.8 configuration of an SRX110 (H2) used as a home VDSL/PPPoE router: trust = vlan.0 LAN, untrust = pp0.0 uplink */
version 12.1R4.8;
system {
    host-name Tixsta;
    /* NOTE(review): this value looks garbled in the paste; time-zone expects an IANA name such as Pacific/Auckland — confirm on the device */
    time-zone pacific/aucklanpset;
    root-authentication {
        encrypted-password "xxxxxxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    login {
        user xxxxxxx {
            uid 2001;
            class super-user;
            authentication {
                encrypted-password "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
            }
        }
    }
    services {
        ssh;
        /* telnet and xnm-clear-text carry logins unencrypted; ssh (above) and https (below) already cover management, so both can be removed */
        telnet;
        xnm-clear-text;
        /* web UI is bound to vlan.0 only, i.e. reachable from the LAN side and not from the uplink */
        web-management {
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface vlan.0;
            }
        }
        /* LAN DHCP server; 192.168.1.199 (the PS4) sits inside this dynamic range, so give it a static binding or move it outside the range, otherwise a forwarding rule may stop pointing at the console */
        dhcp {
            pool 192.168.1.0/24 {
                address-range low 192.168.1.2 high 192.168.1.254;
                router {
                    192.168.1.1;
                }
            }
            /* propagates DHCP-learned settings from fe-0/0/0.0, which has no address family configured below — presumably a factory-default leftover */
            propagate-settings fe-0/0/0.0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp;
}
interfaces {
    /* fe-0/0/0 has a unit but no family, so it carries no traffic; it is still listed in the untrust zone below */
    fe-0/0/0 {
        unit 0;
    }
    /* fe-0/0/1 .. fe-0/0/7: LAN switch ports, all members of vlan-trust */
    fe-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    /* VDSL port; PPPoE runs on unit 0 tagged with VLAN 10 */
    pt-1/0/0 {
        vlan-tagging;
        vdsl-options {
            vdsl-profile auto;
        }
        unit 0 {
            encapsulation ppp-over-ether;
            vlan-id 10;
        }
    }
    /* PPPoE client session to the ISP; the public address is negotiated, so it may change between sessions */
    pp0 {
        /* "flag all" is verbose PPP tracing — keep it only while troubleshooting the PPPoE session */
        traceoptions {
            flag all;
        }
        no-per-unit-scheduler;
        unit 0 {
            ppp-options {
                pap {
                    local-name "xxxxxxx@snap.net.nz";
                    local-password "xxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
                    passive;
                }
            }
            pppoe-options {
                underlying-interface pt-1/0/0.0;
                auto-reconnect 10;
                client;
            }
            family inet {
                /* 1492 leaves room for the 8-byte PPPoE header; the tcp-mss 1452 under security flow matches it */
                mtu 1492;
                negotiate-address;
            }
        }
    }
    /* LAN gateway address */
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop pp0.0;
    }
}
protocols {
    stp;
}
security {
    flow {
        tcp-mss {
            all-tcp {
                mss 1452;
            }
        }
    }
    screen {
        /* basic screen profile, applied to the untrust zone below */
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    /* only source NAT is configured: LAN hosts are hidden behind the pp0.0 address. The inbound forwarding asked for in the question (destination NAT plus an untrust-to-trust policy) is not present yet */
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        /* the only policy is permit-all from trust to untrust; with no from-zone untrust to-zone trust policy, inbound sessions to the PS4 fall to the default deny */
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        /* LAN zone: the firewall itself accepts all services and protocols from the LAN side */
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            /* zone-level host-inbound-traffic also applies to pp0.0, the internet-facing uplink, so ssh to the firewall itself appears reachable from the internet (no firewall filter is visible here). Drop ssh at this level unless remote management is intended */
            host-inbound-traffic {
                system-services {
                    ssh;
                    ping;
                }
            }
            interfaces {
                /* dhcp/tftp/ssh/ping on fe-0/0/0.0 and pt-1/0/0.0 look like factory defaults; neither interface has an inet address, so they are presumably inert — still worth removing */
                fe-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                            ssh;
                            ping;
                        }
                    }
                }
                pt-1/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                            ssh;
                            ping;
                        }
                    }
                }
                pp0.0;
            }
        }
        /* NOTE(review): empty zone "untrus" with no interfaces — almost certainly a typo of untrust left behind while editing; it can be deleted */
        security-zone untrus;
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}
Question by:beltonnz
11 Comments
 
LVL 10

Expert Comment

by:Rafael
ID: 40005487
For starters, not all the ports are in your SRX, nor are the IPs in your address book. You need to add them into the SRX. You also need to add them as applications. Give me a day to go over your config and see where I can help. Time to spend time with the family.

Author Comment

by:beltonnz
ID: 40005715
Great thank you!

Would be great to forward ranges! Is a DMZ or UPnP possible with the SRX?

 I can forward ports like below e.g.

Create a destination pool for each server/INTERNAL port:
# example taken from another setup (server 192.168.3.2): one destination pool per internal host/port; the pool port is the port the host listens on, the external port is chosen by the rule
# for the PS4 in this thread the pool address would be 192.168.1.199/32
set security nat destination pool dnat_SBSSERVER_SMTP address 192.168.3.2/32 port 25
set security nat destination pool dnat_SBSSERVER_HTTP address 192.168.3.2/32 port 80
set security nat destination pool dnat_SBSSERVER_HTTPS address 192.168.3.2/32 port 443

Create a DNAT rule-set:

# rule-set keyed on the source zone; the individual rules below match destination address/port
set security nat destination rule-set DEST-NAT from zone untrust

For each port, add a DNAT rule to define the EXTERNAL port – using 0.0.0.0/0 will catch VPN traffic in the DNAT rule:

# NOTE(review): the posted config negotiates the pp0.0 address (negotiate-address), so a fixed <public ip>/32 match breaks whenever the ISP hands out a new address; matching destination-address 0.0.0.0/0, as the text above mentions, avoids that
[edit security nat destination rule-set DEST-NAT]
set rule SBSSERVER_SMTP match destination-address <public ip>/32
set rule SBSSERVER_SMTP match destination-port 25
set rule SBSSERVER_SMTP then destination-nat pool dnat_SBSSERVER_SMTP

set rule SBSSERVER_HTTP match destination-address <public ip>/32
set rule SBSSERVER_HTTP match destination-port 80
set rule SBSSERVER_HTTP then destination-nat pool dnat_SBSSERVER_HTTP

set rule SBSSERVER_HTTPS match destination-address <public ip>/32
set rule SBSSERVER_HTTPS match destination-port 443
set rule SBSSERVER_HTTPS then destination-nat pool dnat_SBSSERVER_HTTPS

Create a security policy to allow the ports to the destination server:
# NOTE(review): the example stops at the match clause — the policy also needs an action (set then permit), and SBSSERVER must exist as an address-book entry, as the first reply points out
[edit security policies from-zone untrust to-zone trust policy untrust-to-trust-DNAT_SBSSERVER]

set match source-address any
set match destination-address SBSSERVER
# Set single
set match application junos-smtp
# Or multiple
set match application [ junos-http junos-https ]

Author Comment

by:beltonnz
ID: 40021768
Anyone?

Expert Comment

by:pergr
ID: 40041414
You have outlined the solution yourself, in the comment above.

Accepted Solution

by:
Rafael earned 500 total points
ID: 40042240
DMZ is possible in the SRX.
First you have to make sure you configure address book entries.
Then you have to set up your Pre-translated ports configuration
Then set up your NAT Pool configuration and then create your policy.

I would recommend setting up a PS4 application set so that you can drop the required ports into the set. That would make it easier for security policies and configuration of the DMZ and NAT pool.

So something such as:

# NOTE(review): illustrative only — a Junos application-set lists named entries defined under [edit applications], each with a protocol (tcp or udp) and a destination-port range; bare port numbers are not valid members, and the TCP and UDP ranges from the question (3478-3479 vs 3478-3480, 3659 on both) would need separate entries per protocol
# 52028-52030 does not appear in the question's port list — confirm before adding it
set application-set PS4
                {
                application 3478-3480;
                application 3659;
                application 52028-52030;
                application 10000-10099;
                application 1935;
                application 42127;
                                       
                application 3074;
                application 3478-3479;
                application 3659;
                application 6000;
                }

Outside of that you would be on the right track. Make the configuration changes and re-post the updated config so we can take a look at it once the changes have been made.

-Rafael

Author Comment

by:beltonnz
ID: 40045513
Thanks rcaballerojr

Will make some changes tomorrow and post the configuration.

Author Comment

by:beltonnz
ID: 40048701
I have made some changes - let me just grab that config.

Author Comment

by:beltonnz
ID: 40063428
Thanks Rafael

I managed to get everything working with your help. I haven't had time to post the final config, but I will.

Expert Comment

by:Rafael
ID: 40063549
You're welcome. I look forward to seeing the final config. I'm sure it will help others as well when they search for something similar here on EE.
Expert Comment

by:Aaron Brown
ID: 40373835
beltonnz,

Any chance you can post your final configuration? I have this same question and problem and would rather not open another thread.

Thanks,
Aaron
