SRX Services Gateway
Reply
Distinguished Expert
keithr
Posts: 979
Registered: ‎09-10-2009
0

Re: ASA to SRX golden configuration

Try moving your host-inbound-traffic configuration to the actual interface, rather than the zone.

 

I haven't gotten deep into this, but I just ran a real quick experiment, and I noticed that when I have this:

 

security-zone untrust {
  host-inbound-traffic {
    system-services {
      ping;
    }
  }
  interfaces {
    ge-0/0/0.420 {
      host-inbound-traffic {
        system-services {
          traceroute;
          ssh;
          http;
          https;
        }
        protocols {
          ospf;
        }
      }
    }
  }
}

I am unable to ping the address of my ge-0/0/0.420 interface.  However, if I change it to this:

 

security-zone untrust {
  interfaces {
    ge-0/0/0.420 {
      host-inbound-traffic {
        system-services {
          ping;
          traceroute;
          ssh;
          http;
          https;
        }
        protocols {
          ospf;
        }
      }
    }
  }
}

I am then able to ping the interface.

 

I'm sure there's probably some blurb buried deep somehwere in a "You passed the JNCIS-SEC test, so you should know this!" document, but honestly, I've always attached my host-inbound-traffic directly to my interfaces, not to the zones, and I've never run into this issue before.

 

Try it, see if it works.  :smileywink:

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
Distinguished Expert
dfex
Posts: 783
Registered: ‎04-17-2008
0

Re: ASA to SRX golden configuration

Host-inbound-traffic under a specific interface always overrides the zone configuration, but having it just configured in a zone Should Just Work™ just as well.

 

On an unrelated side note, there are extra services that are ONLY available when you configure under an interface - such as dhcp, bootp etc.

 

As for the original problem - I would disable "establish-tunnels immediately" on the SRX650.   Cisco defaults to something equivalant to "establish tunnels on-traffic" (eg: something has to match the crypto-map before it will trigger IKE) and this can cause a synchronisation issue where both gateways are trying to initiate a tunnel to each other, and this WILL fail repeatedly.  As a rule of thumb, I always set up SPOKES to connect back to the hub, with "establish-tunnels immediately" on the spoke side and no configuration on the hub.

 

Also I notice in your IKE Gateway configuration you specify a local-identity.  This shouldn't be required in Main mode, so remove it from the configuration just in case it is interfering with anything.

Ben Dale
JNCIP-ENT, JNCIS-SP, JNCIE-SEC #63
Juniper Ambassador
Follow me @labelswitcher
Distinguished Expert
keithr
Posts: 979
Registered: ‎09-10-2009
0

Re: ASA to SRX golden configuration


dfex wrote:

Host-inbound-traffic under a specific interface always overrides the zone configuration, but having it just configured in a zone Should Just Work™ just as well.


Agreed, and it's great when things really do just work, but even in my simple test, "Should Just Work", as we can see, didn't.

 

I was merely suggesting a couple simple tests to see if it had an effect, maybe it'll help, maybe it won't.

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
Contributor
GustavO
Posts: 73
Registered: ‎04-29-2009
0

Re: ASA to SRX golden configuration

I took another look at this (tried your suggestion as well keithr - same result thou...) I have several interfaces on the srx and found out that traffic isn't entering the .455 interface but rather .15 (same physical interface though, ge-0/0/0) and they belong to the same security zone, untrust. When that became clear to me, I added a policy for untrust to untrust which permits ping, and voilà, the pings are suddenly answered... This might explain a lot I guess. I've just added "application any" to the untrust to untrust rule and will se if the VPN's act more stable than before.

 

Thanks for your suggestions!

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.