Quantcast
Channel: SRX Services Gateway topics
Viewing all articles
Browse latest Browse all 3959

Filter at lo0 for SSH and NTP

$
0
0

I'm sure this is easy and something simple is being missed. Heck, if I had a test environment (or tested better before installation) this would be solved. 

 

The below configuration is a active/passive HA pair of SRX340s. Everything is functioning except for my access to the management ports. Wanting to lock this down to only allow access from a specific segment I have a filter in place on the loopback; it is also setup to permit NTP with a specific host. At this time I cannot access either fxp0 interface yet NTP is working without issue. 

 

Any assistance would be greatly appreciated. 

 

version 15.1X49-D75.5;
/* Groups are used for node specific settings */
groups {
    node0 {
        system {
            host-name vwSrx340-node0;
            backup-router 10.x.y.1 destination 0.0.0.0/0;
        }
        interfaces {
            fxp0 {
                description Management;
                unit 0 {
                    family inet {
                        address 10.x.y.41/24;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name vwSrx340-node1;
            backup-router 10.x.y.1 destination 0.0.0.0/0;
        }
        interfaces {
            fxp0 {
                description Management;
                unit 0 {
                    family inet {
                        address 10.x.y.42/24;
                    }
                }
            }
        }
    }
}
apply-groups "${node}";
system {
    host-name vwSrx340-cluster1;
    }
    services {
        ssh {
            root-login deny;
        }
        web-management {
            https {
                system-generated-certificate;
                interface fxp0.0;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    ntp {
        boot-server 10.x.y.1;
        server 10.x.y.1;
    }
}
chassis {
    cluster {
        control-link-recovery;
        reth-count 2;
        redundancy-group 0 {
            node 0 priority 200;
            node 1 priority 100;
        }
        redundancy-group 1 {
            node 0 priority 200;
            node 1 priority 100;
        }
    }
}
security {
    forwarding-options {
        family {
            mpls {
                mode packet-based;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        description “Outside via ISP PP?”;
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-0/0/4 {
        description “Inside via FEX123/1/3”;
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-5/0/0 {
        description “Outside via ISP PP?”;
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-5/0/4 {
        description “Inside via FEX124/1/3”;
        gigether-options {
            redundant-parent reth1;
        }
    }
    /* Both fab0 & fab1 are used for data & session sharing between nodes */
    fab0 {
        fabric-options {
            member-interfaces {
                ge-0/0/2;
                ge-0/0/3;
            }
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                ge-5/0/2;
                ge-5/0/3;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input fil-local_acl;
                }
            }
        }
    }
    /* This is the virtual interface for ge-0/0/0 & ge-5/0/0 for our outside connection */
    reth0 {
        description “ISP Internet”;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address a.b.c.132/29;
            }
        }
    }
    /* This is the virtual interface for ge-0/0/4 & ge-5/0/4 for our outside connection */
    reth1 {
        description “Inside”;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 172.x.y.1/24;
            }
        }
    }
}
routing-options {
    static {
        route d.e.f.0/24 next-hop 172.x.y.254;
        route 0.0.0.0/0 next-hop a.b.c.129;
    }
}
firewall {
    family inet {
        filter fil-local_acl {
            term term-ntp_allow {
                from {
                    source-address {
                        10.x.y.1/32;
                    }
                    destination-port 123;
                }
                then accept;
            }
            term term-ntp_block {
                from {
                    destination-port 123;
                }
                then {
                    discard;
                }
            }
            term term-mgmt_allow {
                from {
                    source-address {
                        10.x.y.0/16;
                    }
                    protocol tcp;
                    destination-port [ https ssh ];
                }
                then accept;
            }
            term term-mgmt_block {
                from {
                    protocol tcp;
                    destination-port [ https ssh ];
                }
                then {
                    discard;
                }
            }
            term term-else {
                then accept;
            }
        }
    }
}

Viewing all articles
Browse latest Browse all 3959

Trending Articles



<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>