Robin Human (South Africa) asked:
Need help with Juniper SRX configuration please!

Hi,
We have two SRX series firewalls (100H) in an HA configuration running software version 11.4.R7.5; I need to allow stunnel through from a specific IP (external) and port through to a specific local machine and port on our internal LAN, and I can't find any information on how to do this. I'm not that familiar with Juniper firewalls, so am unsure of what to do.
Please help!
Thank you
Robin Human
Robin Human (ASKER):

OK, it appears that Experts Exchange has slowly slipped into the commercial cesspit. I guess people no longer help each other out for the sake of being helpful... such a shame...
Reply from Fred:

I use the SRX but not with all the features that you refer to.
So, to strip down the situation:
First, I would address the tunnel:
- It can only address the public IP of one of the SRXs.
- It has to reach a particular machine on the inside / the LAN or one of the LANs.
So far this sounds fairly normal as a general case.
Does that work by itself without HA?

Then, if you have HA and NOT load balancing, how can you assure that the path with the tunnel is even enabled at any point in time?
This suggests that there is a contradiction in your specification.
Usually with HA, one path is active and the other path is dormant.  But, I'm sure there are variations.

One approach with load balancing is to "bind" certain traffic to one path or the other.  That would assure the public IP address that you need.
etc.
Robin Human (ASKER):

Hi Fred,
Thank you for your reply;
the two SRXs are in an HA configuration (2 physical firewalls, with 1 virtual active one presenting an external IP).
A NAT rule is set to route traffic from a specific external IP arriving at our external IP to a specific internal IP and port.
After digging further, I think that the problem is with policy not allowing this traffic through (default-deny), but I'm not sure how to set up a policy so that it is specific to the IP addresses. I think that's where the problem lies.
Cheers
Robin
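An added example (not from the thread and not Juniper documentation) of the destination NAT rule and the IP- and port-specific security policy it needs on an SRX chassis cluster. The addresses, port, zone names and object names are placeholders; the `#` lines are explanatory comments, not commands.

```junos
# Placeholders (replace with real values):
#   203.0.113.10  = the external peer that initiates the stunnel connection
#   198.51.100.5  = the cluster's public IP on the reth interface (untrust zone)
#   192.168.1.20  = the internal stunnel server (trust zone)
#   8443          = the TCP port stunnel listens on (same outside and inside here)

# 1. Address and application objects, so the policy matches only this peer,
#    this server and this port instead of "any".
set security zones security-zone untrust address-book address stunnel-peer 203.0.113.10/32
set security zones security-zone trust address-book address stunnel-server 192.168.1.20/32
set applications application stunnel-tcp protocol tcp destination-port 8443

# 2. Destination NAT: public-IP:8443 from that one peer -> internal-server:8443.
#    Matching on source-address keeps the translation from applying to anyone else.
set security nat destination pool stunnel-server-pool address 192.168.1.20/32 port 8443
set security nat destination rule-set from-untrust from zone untrust
set security nat destination rule-set from-untrust rule stunnel-dnat match source-address 203.0.113.10/32
set security nat destination rule-set from-untrust rule stunnel-dnat match destination-address 198.51.100.5/32
set security nat destination rule-set from-untrust rule stunnel-dnat match destination-port 8443
set security nat destination rule-set from-untrust rule stunnel-dnat then destination-nat pool stunnel-server-pool

# 3. Security policy. Junos evaluates policy AFTER destination NAT, so the
#    destination-address here is the INTERNAL server address, not the public IP.
#    A DNAT rule that translates correctly but a policy written against the
#    public IP is a common reason the session still ends in default-deny.
set security policies from-zone untrust to-zone trust policy allow-stunnel match source-address stunnel-peer
set security policies from-zone untrust to-zone trust policy allow-stunnel match destination-address stunnel-server
set security policies from-zone untrust to-zone trust policy allow-stunnel match application stunnel-tcp
set security policies from-zone untrust to-zone trust policy allow-stunnel then permit
set security policies from-zone untrust to-zone trust policy allow-stunnel then log session-init session-close

# 4. Policies are evaluated top-down. If an explicit catch-all deny already exists
#    for untrust->trust, move the new policy above it, e.g.:
#    insert security policies from-zone untrust to-zone trust policy allow-stunnel before policy <deny-policy-name>
#    In a chassis cluster a single commit on the primary node is replicated to both nodes.
commit check
commit

# Verification once the peer connects (operational mode):
#   show security nat destination rule all
#   show security policies policy-name allow-stunnel detail
#   show security flow session source-prefix 203.0.113.10/32
```

Because the policy is scoped to one source, one destination and one TCP port, anything else arriving at the public IP still falls through to the default deny, and the session logging gives a per-connection record for the SIEM.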