I have an SRX220H2 that is allowing some connections inbound such as 3389 but not 9081,908210001,10002. I have confirmed I can access the devices on the ports detailed and can ping from the SRX to devices. The devices I can get to and the ones I cannot are all on the same subnet. I have published the configuration below. Input would be appreciated
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2016.06.20 19:47:09 =~=~=~=~=~=~=~=~=~=~=~=
version 12.3X48-D30.7;
system {
host-name XXXXXX
domain-name XXXXXXXXXXXXXX
domain-search XXXXXXXXXXXXXX
time-zone GMT-8;
no-redirects;
no-ping-record-route;
no-ping-time-stamp;
internet-options {
tcp-drop-synfin-set;
no-tcp-reset drop-all-tcp;
}
authentication-order [ radius password ];
ports {
console log-out-on-disconnect;
}
root-authentication {
encrypted-password "XXXXXXXXXXXXXXXXXXXXXXXXX; ## SECRET-DATA
}
name-server {
4.2.2.3;
8.8.8.8;
209.18.47.61;
209.18.47.62;
208.67.222.222;
208.67.220.220;
}
radius-server {
172.16.1.200 {
port 1645;
secret "XXXXXXXXXXXXXXXXXXX SECRET-DATA
timeout 2;
retry 2;
source-address 192.168.1.1;
}
}
radius-options {
---(more)---
password-protocol mschap-v2;
}
login {
announcement "\n\tUNAUTHORIZED USE OF THIS SYSTEM\n\tIS STRICTLY PROHIBITED!\n\n\tLEAVE NOW IF YOU DO NOT BELONG HERE!\n\n\n";
message "This is a private system which may be accessed and used for authorized purposes only.\n\All information on this computer system may be intercepted, recorded, read, copied, and\n\disclosed to authorized personnel for business and investigation purposes.\n\nUnauthorized access or use of this system may result in information relating to possible\ncriminal or malicious activity being provided to law enforcement officials.\n\n\tTHERE IS NO RIGHT OF PRIVACY FOR ANY PERSON ACCESSING OR USING THIS SYSTEM.\n\n\tAccess or use of this information system constitutes consent to these terms\n";
retry-options {
tries-before-disconnect 3;
backoff-threshold 3;
backoff-factor 6;
minimum-time 30;
}
user admin {
uid 2006;
class super-user;
authentication {
encrypted-password "$XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"; ## SECRET-DATA
}
}
user remote {
full-name "all remote users";
uid 2007;
class super-user;
authentication {
encrypted-password "XXXXXXXXXXXXXXXXXXXXXXXXXXL"; ## SECRET-DATA
}
}
password {
format sha1;
}
}
services {
ssh {
root-login deny;
protocol-version v2;
connection-limit 3;
---(more 7%)---
rate-limit 2;
}
dns {
forwarders {
8.8.8.8;
216.52.254.1;
216.116.96.2;
209.18.47.62;
209.18.47.61;
}
dns-proxy {
interface {
ge-0/0/1.0;
ge-0/0/2.0;
ae0.0;
ae1.0;
}
}
}
web-management {
https {
system-generated-certificate;
interface ae1.0;
}
session {
idle-timeout 60;
}
}
dhcp {
pool 192.168.3.0/29 {
address-range low 192.168.3.2 high 192.168.3.4;
default-lease-time 3600;
domain-name consulteron.local;
name-server {
192.168.3.1;
}
router {
192.168.3.1;
}
---(more 10%)---
}
pool 192.168.4.0/29 {
address-range low 192.168.4.2 high 192.168.4.6;
default-lease-time 3600;
name-server {
192.168.4.1;
8.8.8.8;
}
router {
192.168.4.1;
}
}
static-binding 00:07:80:06:d2:73 {
fixed-address {
192.168.3.3;
}
host-name XXXXXXXXXXXX
domain-name XXXXXXXXXXXXXXXXx
name-server {
192.168.3.1;
}
router {
192.168.3.1;
}
}
static-binding 00:1e:c0:18:5a:98 {
fixed-address {
192.168.3.2;
}
host-name XXXXXXXXx;
domain-name XXXXXXXXXXX
name-server {
192.168.3.1;
}
router {
192.168.3.1;
}
}
propagate-settings ge-0/0/0;
---(more 14%)---
}
dynamic-dns {
client XXXXXXXXXXX{
server XXXXXXXXXX
username XXXXXXXXXXX
password "$XXXXXXXXXXXXXXXX## SECRET-DATA
interface ge-0/0/0.0;
}
}
}
syslog {
archive size 1m files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
file policy_session {
user info;
match RT_FLOW;
archive size 1000k world-readable;
structured-data;
}
file message {
any critical;
authorization info;
}
file blocked-traffic {
any any;
match RT_FLOW_SESSION_DENY;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
---(more 18%)---
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
ntp {
boot-server 172.16.1.4;
server 172.16.1.4;
}
}
chassis {
aggregated-devices {
ethernet {
device-count 2;
}
}
}
security {
log {
mode stream;
format sd-syslog;
}
pki {
ca-profile ms-ca {
ca-identity consulteron-SERVER;
enrollment {
url http://172.16.1.200/certsrv/mscep/mscep.dll;
retry 20;
retry-interval 1800;
}
}
}
alg {
h323 disable;
mgcp disable;
sccp disable;
sip {
disable;
application-screen {
---(more 22%)---
protect {
deny {
all;
}
}
}
}
ike-esp-nat {
enable;
}
}
application-tracking {
disable;
first-update;
}
utm {
feature-profile {
anti-virus {
kaspersky-lab-engine {
profile junos-av-defaults {
scan-options {
intelligent-prescreening;
}
}
}
juniper-express-engine {
profile junos-eav-defaults {
scan-options {
intelligent-prescreening;
}
}
}
}
anti-spam {
sbl {
profile junos-as-defaults {
sbl-default-server;
}
}
---(more 25%)---
}
}
}
flow {
syn-flood-protection-mode syn-proxy;
aging {
early-ageout 30;
low-watermark 70;
high-watermark 90;
}
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
spoofing;
source-route-option;
tear-drop;
}
tcp {
syn-fin;
tcp-no-flag;
syn-frag;
port-scan threshold 1000000;
syn-ack-ack-proxy threshold 500;
syn-flood {
alarm-threshold 1024;
attack-threshold 1500;
source-threshold 200;
destination-threshold 2048;
timeout 10;
}
land;
winnuke;
}
udp {
flood threshold 50000;
---(more 29%)---
}
limit-session {
source-ip-based 1000;
destination-ip-based 1000;
}
}
}
nat {
source {
port-randomization disable;
interface {
port-overloading off;
}
rule-set nsw_srcnat {
from zone Internal;
to zone Internet;
rule nsw-src-interface {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
destination {
pool DVR_Server {
description "Camera DVR server";
routing-instance {
default;
}
address 172.16.1.200/32;
}
pool Garage_Opener {
description "Arduino ";
---(more 33%)---
routing-instance {
default;
}
address 192.168.128.254/32;
}
pool 2nd_Flr_HVAC {
description "Thermostat on the 2nd floor";
routing-instance {
default;
}
address 172.16.1.198/32;
}
pool Win_8_PC {
description "Windows 8 PC";
routing-instance {
default;
}
address 172.16.1.201/32 port 3389;
}
pool 1st_Flr_HVAC {
description "Thermostat on the 1st floor";
routing-instance {
default;
}
address 172.16.1.199/32;
}
rule-set NatRule {
from zone Internet;
rule Rule3Garage {
match {
destination-address 0.0.0.0/0;
destination-port {
9090;
}
}
then {
destination-nat {
pool {
Garage_Opener;
---(more 37%)---
}
}
}
}
rule Rule1DVR {
match {
destination-address 0.0.0.0/0;
destination-port {
9999;
}
}
then {
destination-nat {
pool {
DVR_Server;
}
}
}
}
rule Rule2RDP {
description "RDP access to the win 2012 r2 server";
match {
destination-address 0.0.0.0/0;
destination-port {
3389;
}
}
then {
destination-nat {
pool {
DVR_Server;
}
}
}
}
rule Win8PC {
description "RDP access to the win8 PC";
match {
destination-address 0.0.0.0/0;
---(more 41%)---
destination-port {
3390;
}
}
then {
destination-nat {
pool {
Win_8_PC;
}
}
}
}
rule 9081 {
description "port 9081 for remote access to first floor thermostat";
match {
destination-address 0.0.0.0/0;
destination-port {
9081;
}
}
then {
destination-nat {
pool {
1st_Flr_HVAC;
}
}
}
}
rule 10001 {
description "port 10001 for thermost";
match {
destination-address 0.0.0.0/0;
destination-port {
10001;
}
}
then {
destination-nat {
pool {
---(more 44%)---
1st_Flr_HVAC;
}
}
}
}
rule 9082 {
description "port 9082 for remote access to the 2nd floor thermostat";
match {
destination-address 0.0.0.0/0;
destination-port {
9082;
}
}
then {
destination-nat {
pool {
2nd_Flr_HVAC;
}
}
}
}
rule 10002 {
description "port 10002 for the 2nd floor thermostat";
match {
destination-address 0.0.0.0/0;
destination-port {
10002;
}
}
then {
destination-nat {
pool {
2nd_Flr_HVAC;
}
}
}
}
}
}
---(more 48%)---
}
policies {
from-zone Internal to-zone Internet {
policy Block_Skyjacking {
description "Blocks the LWAPs from registering and downloading from rogue controller on the Internet";
match {
source-address Wireless_Mgmt_Network;
destination-address any;
application LWAP_ports;
}
then {
deny;
}
}
policy All_Internal_Internet {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone Internal to-zone Internal {
policy Wired_to_Camera {
description "Allows traffic from the Wired LAN to the Camera LAN";
match {
source-address Private_Wired;
destination-address Camera_Network;
application any;
}
then {
permit;
}
}
policy Wireless_to_Camera {
description "Allows traffic from the Wiress LAN to the Camera LAN";
---(more 52%)---
match {
source-address Private_Wireless;
destination-address Camera_Network;
application any;
}
then {
permit;
}
}
policy Wired_to_Proxy {
description "Allows traffic from the Wired LAN to the Proxy DMZ to manage the Nomadix";
match {
source-address Private_Wired;
destination-address Nomadix_Proxy_Network;
application any;
}
then {
permit;
}
}
policy NTP {
description "Allows Devices access to NTP time source";
match {
source-address any;
destination-address Private_Wired;
application junos-ntp;
}
then {
permit;
}
}
policy Wireless_to_Proxy {
description "Allows traffic for proxy management from the Private Wireless network";
match {
source-address Private_Wireless;
destination-address Nomadix_Proxy_Network;
application any;
}
then {
---(more 56%)---
permit;
}
}
policy Wired_and_Wireless_to_Pool {
description "Allows traffic from the Wired and Wireless networks into the Pool Network";
match {
source-address [ Private_Wireless Private_Wired ];
destination-address Pool_Network;
application any;
}
then {
permit;
}
}
policy Nomadix_Radius {
description "allows radius authentication from Nomadix";
match {
source-address Nomadix_Proxy_Network;
destination-address Private_Wired;
application [ Radius_Accounting Radius_Auth ];
}
then {
permit;
}
}
}
from-zone Internet to-zone Internal {
policy Garage_Policy {
description "Allows remote control of garage doors";
match {
source-address any;
destination-address Camera_Network;
application Garage_Opener;
}
then {
permit;
}
}
policy INBOUND_FROM_INTERNET {
---(more 59%)---
description "Allows access to camers server and services NAT\'d out to the Internet";
match {
source-address any;
destination-address Private_Wired;
application [ Camera_DVR Camera_PC_RPC Thermostats ];
}
then {
permit;
}
}
}
from-zone junos-host to-zone Internet {
policy DNS-Queries {
description "Allows DNS Proxy Queries";
match {
source-address any;
destination-address any;
application [ junos-dns-udp junos-dns-tcp ];
}
then {
permit;
}
}
}
from-zone Internal to-zone junos-host {
policy Internal_DNS_Queries {
description "Allows DNS queries via internal server";
match {
source-address any;
destination-address internal_server;
application [ junos-dns-udp junos-dns-tcp ];
}
then {
permit;
}
}
}
}
zones {
---(more 63%)---
security-zone Internal {
tcp-rst;
address-book {
address Nomadix_Proxy_Network 192.168.2.0/30;
address Private_Wireless 172.16.2.0/24;
address Private_Wired 172.16.1.0/24;
address Private_DMZ 192.168.1.0/30;
address Pool_Network 192.168.3.0/29;
address Camera_Network 192.168.128.0/24;
address Guest_Network 10.10.10.0/24;
address VOIP_Network 172.16.5.0/24;
address Wireless_Mgmt_Network 172.16.4.0/29;
}
screen untrust-screen;
interfaces {
ae0.0 {
host-inbound-traffic {
system-services {
ping;
}
}
}
ae1.0 {
host-inbound-traffic {
system-services {
ping;
https;
ssh;
dns;
ntp;
}
}
}
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
ping;
dns;
ntp;
---(more 67%)---
}
}
}
ge-0/0/2.0 {
host-inbound-traffic {
system-services {
ntp;
ping;
dns;
dhcp;
}
}
}
}
application-tracking;
}
security-zone Internet {
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
ike;
}
}
}
}
application-tracking;
}
security-zone junos-host {
address-book {
address internal_server 172.16.1.200/32;
address nomadix_gateway 192.168.2.2/32;
}
}
}
}
interfaces {
ge-0/0/0 {
---(more 71%)---
description "TW Cable Modem";
gigether-options {
auto-negotiation;
}
unit 0 {
description "Connected to TW Cable Modem";
family inet {
filter {
input blocked.IP;
output blocked.IP;
}
dhcp {
update-server;
}
}
}
}
ge-0/0/1 {
description "Nomadix Guest Proxy";
gigether-options {
auto-negotiation;
}
unit 0 {
description "Guest Network (Nomadix WAN port)";
family inet {
no-redirects;
address 192.168.2.1/30;
}
}
}
ge-0/0/2 {
description "Pool Controls";
gigether-options {
no-auto-negotiation;
}
unit 0 {
description "Pool & Sprinkler Controllers";
family inet {
no-redirects;
---(more 74%)---
address 192.168.3.1/29;
}
}
}
ge-0/0/3 {
description "To Switchport GI1/0/40";
gigether-options {
auto-negotiation;
802.3ad ae0;
}
}
ge-0/0/4 {
description "To Switchport GI1/0/42";
gigether-options {
auto-negotiation;
802.3ad ae0;
}
}
ge-0/0/5 {
description "Test port";
gigether-options {
auto-negotiation;
}
unit 0 {
description "Test Port";
family inet {
address 192.168.4.1/29;
}
}
}
ge-0/0/6 {
description "To Switchport GI1/0/44";
gigether-options {
auto-negotiation;
802.3ad ae1;
}
}
ge-0/0/7 {
description "To Switchport GI1/0/45";
---(more 78%)---
gigether-options {
auto-negotiation;
802.3ad ae1;
}
}
ae0 {
description "Camera Network";
aggregated-ether-options {
lacp {
active;
}
}
unit 0 {
family inet {
address 192.168.128.1/24;
}
}
}
ae1 {
description "DMZ Uplink";
aggregated-ether-options {
lacp {
active;
}
}
unit 0 {
family inet {
address 192.168.1.1/29;
}
}
}
vlan {
unit 1 {
family inet {
address 192.168.1.1/24;
}
}
}
}
---(more 82%)---
snmp {
description "Juniper SRX220H2";
location XXXXXXXXX;
contact "XXXXXXXXXX";
community home {
authorization read-only;
}
}
routing-options {
static {
route 172.16.2.0/24 next-hop 192.168.1.2;
route 172.16.6.0/28 next-hop 192.168.1.2;
route 10.10.10.0/24 next-hop 192.168.2.2;
route 172.16.5.0/24 next-hop 192.168.1.2;
route 172.16.1.0/24 next-hop 192.168.1.2;
}
}
protocols {
router-discovery {
disable;
}
lldp {
interface ge-0/0/0.0 {
disable;
}
}
stp;
}
firewall {
family inet {
filter blocked.IP {
term 1 {
from {
source-address {
115.68.2.0/24;
89.248.0.0/16;
93.174.0.0/16;
222.186.0.0/16;
94.102.0.0/16;
---(more 86%)---
46.0.0.0/8;
5.0.0.0/8;
46.229.171.27/32 except;
82.199.87.205/32 except;
216.150.79.138/32;
117.0.0.0/8;
213.120.215.123/32;
80.82.0.0/16;
205.209.128.0/24;
91.0.0.0/8;
98.126.52.0/22;
217.71.50.2/32;
61.152.108.67/32;
121.10.142.184/32;
81.82.209.193/32;
85.115.170.186/32;
194.63.0.0/16;
193.0.0.0/8;
122.0.0.0/8;
78.138.106.0/24;
37.0.0.0/8;
195.175.64.0/24;
146.185.0.0/16;
185.0.0.0/8;
190.0.0.0/8;
176.103.0.0/16;
185.26.230.129/32 except;
185.11.125.19/32 except;
208.100.42.216/32 except;
77.0.0.0/8;
}
}
then {
count blocked-traffic;
log;
discard;
}
}
term 2 {
---(more 89%)---
then accept;
}
}
}
}
applications {
application Camera_DVR {
protocol tcp;
source-port 1-65535;
destination-port 9999;
inactivity-timeout 30;
description "Blue Iris DVR Software";
}
application Camera_PC_RPC {
protocol tcp;
source-port 1-65535;
destination-port 3389;
inactivity-timeout 30;
description "Remote Access to DVR Computer";
}
application Garage_Opener {
protocol tcp;
source-port 1-65535;
destination-port 9090;
inactivity-timeout 30;
description "Arduino Garage Door Controller";
}
application Win8_PC_RPC {
protocol tcp;
source-port 3389;
destination-port 3390;
description "Remote Access to Win8 Computer";
}
application Radius_Auth {
protocol udp;
source-port 1-65535;
destination-port 1645;
description "radius authentication port";
}
---(more 93%)---
application Radius_Accounting {
protocol udp;
source-port 1-65535;
destination-port 1646;
description "Radius Accounting port";
}
application LWAP_port_12222 {
protocol udp;
source-port 12222;
destination-port 0-65535;
description "LWAP UDP boot port 12222";
}
application LWAP_port_12223 {
protocol udp;
source-port 12223;
destination-port 0-65535;
description "LWAP UDP boot port 12223";
}
application Thermostat_10001 {
protocol tcp;
source-port 1-65535;
destination-port 10001;
description "Thermostat port 10001 for iphone app";
}
application Thermostat_10002 {
protocol tcp;
source-port 1-65535;
destination-port 10002;
description "Thermostat port 10002 for iphone app";
}
application Thermostat_9081 {
protocol tcp;
source-port 1-65535;
destination-port 9081;
description "remote thermostat access on port 9081";
}
application Thermostat_9082 {
protocol tcp;
source-port 1-65535;
---(more 97%)---
destination-port 9082;
description "remote thermostat access on port 9082";
}
application-set LWAP_ports {
description "UDP ports 12222 12223";
application LWAP_port_12223;
application LWAP_port_12222;
}
application-set Thermostats {
description "Ports associated with remote control of thermostats";
application Thermostat_10001;
application Thermostat_10002;
application Thermostat_9081;
application Thermostat_9082;
}
}
ethernet-switching-options {
voip;
}
vlans {
default;
vlan1 {
vlan-id 3;
l3-interface vlan.1;
}
}