Re: ASA to SRX golden configuration

keithr · ‎09-10-2009

Try moving your host-inbound-traffic configuration to the actual interface, rather than the zone.

I haven't gotten deep into this, but I just ran a real quick experiment, and I noticed that when I have this:

security-zone untrust {
  host-inbound-traffic {
    system-services {
      ping;
    }
  }
  interfaces {
    ge-0/0/0.420 {
      host-inbound-traffic {
        system-services {
          traceroute;
          ssh;
          http;
          https;
        }
        protocols {
          ospf;
        }
      }
    }
  }
}

I am unable to ping the address of my ge-0/0/0.420 interface. However, if I change it to this:

security-zone untrust {
  interfaces {
    ge-0/0/0.420 {
      host-inbound-traffic {
        system-services {
          ping;
          traceroute;
          ssh;
          http;
          https;
        }
        protocols {
          ospf;
        }
      }
    }
  }
}

I am then able to ping the interface.

I'm sure there's probably some blurb buried deep somehwere in a "You passed the JNCIS-SEC test, so you should know this!" document, but honestly, I've always attached my host-inbound-traffic directly to my interfaces, not to the zones, and I've never run into this issue before.

Try it, see if it works.

-kr

---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.

dfex · ‎04-17-2008

Host-inbound-traffic under a specific interface always overrides the zone configuration, but having it just configured in a zone Should Just Work™ just as well.

On an unrelated side note, there are extra services that are ONLY available when you configure under an interface - such as dhcp, bootp etc.

As for the original problem - I would disable "establish-tunnels immediately" on the SRX650. Cisco defaults to something equivalant to "establish tunnels on-traffic" (eg: something has to match the crypto-map before it will trigger IKE) and this can cause a synchronisation issue where both gateways are trying to initiate a tunnel to each other, and this WILL fail repeatedly. As a rule of thumb, I always set up SPOKES to connect back to the hub, with "establish-tunnels immediately" on the spoke side and no configuration on the hub.

Also I notice in your IKE Gateway configuration you specify a local-identity. This shouldn't be required in Main mode, so remove it from the configuration just in case it is interfering with anything.

Ben Dale
JNCIP-ENT, JNCIP-SP, JNCIE-SEC #64
Juniper Ambassador
Follow me @labelswitcher

keithr · ‎09-10-2009

dfex wrote:
Host-inbound-traffic under a specific interface always overrides the zone configuration, but having it just configured in a zone Should Just Work™ just as well.

Agreed, and it's great when things really do just work, but even in my simple test, "Should Just Work", as we can see, didn't.

I was merely suggesting a couple simple tests to see if it had an effect, maybe it'll help, maybe it won't.

-kr

---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.

GustavO · ‎04-29-2009

I took another look at this (tried your suggestion as well keithr - same result thou...) I have several interfaces on the srx and found out that traffic isn't entering the .455 interface but rather .15 (same physical interface though, ge-0/0/0) and they belong to the same security zone, untrust. When that became clear to me, I added a policy for untrust to untrust which permits ping, and voilà, the pings are suddenly answered... This might explain a lot I guess. I've just added "application any" to the untrust to untrust rule and will se if the VPN's act more stable than before.

Thanks for your suggestions!