SRX

Hi Guys,

a Customer wants to allow IP Protocol 97 through his SRX.

So I created an application like this:

set applications application ip97 protocol 97

The Rule looks like this:

from-zone Zone1 to-zone Zone2 {

            policy Anchor_Controler {

                match {

                    source-address Controller1;

                    destination-address [ Controller2 Controller3 ];

                    application ip97;

                }

                then {

                    permit;

                         }

However the Customer reports, that this is not working.

Since I have never had to allow a Protocol by Number - before i search myself crazy on the SRX - is this correct and the error is elsewhere or do I need more Parameters?

Regards

Chris

Hi there,

Can you see any denied traffic? Do you have a default deny policy to capture this?

Also, these controllers, do they use any ports? Might be worth configuring a destination port of ANY in your application for a test too.

Did you have one with traffic in the reverse?

from-zone Zone2 to-zone Zone1 {

            policy Anchor_Controler {

                match {

                    source-address [ Controller2 Controller3 ];

                    destination-address Controller1;

                    application ip97;

                }

                then {

                    permit;

Thank you very much for your help.

The Rules I created were enough to get it done.

I could see the traffic passing the SRX - the Problem was a routing issue at the Customers site.