SRX Services Gateway
Visitor
modi
Posts: 2
Registered: ‎08-20-2010

Cannot telnet to Internet from SRX

Hello,

I have configured an SRX series device for Internet connection. I configured zones [trust and untrust] and put the respective interfaces in them.

I am able to ping an IP address on the interface, but I cannot traceroute to an Internet IP address from the SRX. I can ping/traceroute from the trust-zone machine, though.


Here is the config:


security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        security-zone trust {
            tcp-rst;
            host-inbound-traffic {
                system-services {
                    ssh;
                    ping;
                    traceroute;
                }
            }
            interfaces {
                fe-0/0/2.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    ssh;
                    ping;
                    snmp;
                    traceroute;
                    telnet;
                }
            }
            interfaces {
                t1-1/0/0.0;
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy default-deny {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
    }
}


What am I missing here, so that it's not working?

The version is 10.0R3.10.


Thanks,

Modi


Visitor
modi
Posts: 2
Registered: ‎08-20-2010

Re: Cannot telnet to Internet from SRX

Hi,


I found out the problem.


As traceroute replies go to the CPU for processing if the traceroute is generated from the router, we have to enable them. As we have a firewall filter on lo0 which only allows ping but not traceroute, it was not working.


term allow-ping {
    from {
        icmp-type [ echo-request echo-reply time-exceeded ];
    }
    then accept;
}


Thanks,

Modi
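A complete lo0 filter that permits both the ping and the traceroute replies described in the answer above, added here as an illustration; it is not part of the original post and not a Juniper-supplied configuration. The filter name protect-re, the counter names and the management prefix 192.0.2.0/24 are assumptions chosen for the example. It goes one step beyond the posted term: a traceroute started from the Junos CLI sends UDP probes, so besides the per-hop time-exceeded messages the final destination answers with ICMP destination-unreachable (port-unreachable), and that message also has to reach the Routing Engine for the trace to finish.

```junos
firewall {
    family inet {
        filter protect-re {
            /* Management access only from the example prefix 192.0.2.0/24 (assumption) */
            term allow-ssh-mgmt {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* echo-request lets others ping the box; echo-reply is the answer to pings the SRX sends */
            term allow-ping {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply ];
                }
                then {
                    count ping;
                    accept;
                }
            }
            /* Replies to a traceroute started on the SRX itself: every intermediate hop returns
               time-exceeded, and the final destination returns destination-unreachable (port
               unreachable) because the Junos traceroute command probes with UDP. No icmp-code
               match is used here: time-exceeded replies carry code 0 and a port-unreachable
               code match would exclude them. */
            term allow-traceroute-replies {
                from {
                    protocol icmp;
                    icmp-type [ time-exceeded destination-unreachable ];
                }
                then {
                    count traceroute-replies;
                    accept;
                }
            }
            /* Everything else destined to the Routing Engine is counted, logged and dropped */
            term discard-rest {
                then {
                    count protect-re-discards;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

Apply it with commit confirmed first: the closing discard-rest term drops every other packet addressed to the Routing Engine, so any routing protocol, DNS, NTP or DHCP traffic the box itself relies on needs its own accept term above it. show firewall filter protect-re displays the traceroute-replies and protect-re-discards counters, so a discard counter that climbs while a traceroute hangs points at a missing term. Unlike the untrust zone in the question, which admits ssh, telnet and snmp from the Internet, the example accepts ssh only from the management prefix and has no telnet term; on an SRX a service has to be allowed both by the zone's host-inbound-traffic and by the lo0 filter before it reaches the Routing Engine.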

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.