Greetings,
I'm trying to configure an SRX210 such that management functions such as SSH are only enabled on a single interface, specifically vlan.1. However, I want to allow users on vlan.2 to reach this management address.
Consider the following configuration:
set interfaces vlan unit 1 family inet address 192.168.1.1/24
set interfaces vlan unit 2 family inet address 192.168.2.1/24
set security zones security-zone home interfaces vlan.2 host-inbound-traffic system-services dhcp
set security zones security-zone home interfaces vlan.2 host-inbound-traffic system-services ping
set security zones security-zone home interfaces vlan.2 host-inbound-traffic system-services traceroute
set security zones security-zone management interfaces vlan.1 host-inbound-traffic system-services dhcp
set security zones security-zone management interfaces vlan.1 host-inbound-traffic system-services ping
set security zones security-zone management interfaces vlan.1 host-inbound-traffic system-services traceroute
set security zones security-zone management interfaces vlan.1 host-inbound-traffic system-services telnet
set security zones security-zone management interfaces vlan.1 host-inbound-traffic system-services ssh
set security zones security-zone management interfaces vlan.1 host-inbound-traffic system-services http
set security zones security-zone management interfaces vlan.1 host-inbound-traffic system-services https
set security zones security-zone management interfaces vlan.1 host-inbound-traffic system-services snmp
set security policies from-zone home to-zone management policy test match source-address any
set security policies from-zone home to-zone management policy test match destination-address any
set security policies from-zone home to-zone management policy test match application any
set security policies from-zone home to-zone management policy test then permit
No matter what, I cannot seem to ping from a host on 192.168.2.0/24 to 192.168.1.1, and the SRX reports that the packet is dropped due to a policy deny.
show log sectrace.log | trim 41 | except "^ *$"
<192.168.2.2/0->192.168.1.1/8248;1> matched filter home-to-mgmt:
packet [84] ipid = 65215, @423db19e
---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x423daf80, rtbl_idx = 0
flow process pak fast ifl 70 in_ifp vlan.2
vlan.2:192.168.2.2->192.168.1.1, icmp, (8/0)
find flow: table 0x48924978, hash 33398(0xffff), sa 192.168.2.2, da 192.168.1.1, sp 0, dp 8248, proto 1, tok 7
no session found, start first path. in_tunnel - 0, from_cp_flag - 0
flow_first_create_session
flow_first_in_dst_nat: in <vlan.2>, out <N/A> dst_adr 192.168.1.1, sp 0, dp 8248
chose interface vlan.2 as incoming nat if.
flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 192.168.1.1(8248)
flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 192.168.2.2, x_dst_ip 192.168.1.1, in ifp vlan.2, out ifp N/A sp 0, dp 8248, ip_proto 1, tos 0
Doing DESTINATION addr route-lookup
Changing out-ifp from .local..0 to vlan.1 for dst: 192.168.1.1 in vr_id:0
routed (x_dst_ip 192.168.1.1) from home (vlan.2 in 0) to vlan.1, Next-hop: 192.168.1.1
policy search from zone home-> zone management (0x0,0x2038,0x2038)
app 0, timeout 60s, curr ageout 60s
packet dropped, denied by policy
packet dropped, policy deny.
flow find session returns error.
----- flow_process_pkt rc 0x7 (fp rc -1)
Thoughts?
Regards,
Phil
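The trace quoted in the post is the usual place to establish which zone pair and which verdict the SRX actually applied to a packet aimed at a management address. The following script is an added example (not part of the original post, and not Juniper's tooling) that parses a first-path flow trace of the shape shown above and reduces each packet to one line: ingress interface, source and destination, whether the destination was a local address that got re-zoned to the interface owning it (the "Changing out-ifp from .local..0" line), the from/to zones used for the policy search, and the verdict. The regular expressions assume the exact line formats visible in the post; the sample trace is a constructed copy of those lines, and the "permitted by policy" match is an assumption taken from the corresponding permit-path wording rather than from this post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: one ICMP packet's first-path trace, modelled on the
# sectrace.log excerpt quoted in the post above.
SAMPLE_TRACE = """\
<192.168.2.2/0->192.168.1.1/8248;1> matched filter home-to-mgmt:
packet [84] ipid = 65215, @423db19e
---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x423daf80, rtbl_idx = 0
flow process pak fast ifl 70 in_ifp vlan.2
vlan.2:192.168.2.2->192.168.1.1, icmp, (8/0)
find flow: table 0x48924978, hash 33398(0xffff), sa 192.168.2.2, da 192.168.1.1, sp 0, dp 8248, proto 1, tok 7
no session found, start first path. in_tunnel - 0, from_cp_flag - 0
flow_first_create_session
flow_first_in_dst_nat: in <vlan.2>, out <N/A> dst_adr 192.168.1.1, sp 0, dp 8248
chose interface vlan.2 as incoming nat if.
flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 192.168.1.1(8248)
Doing DESTINATION addr route-lookup
Changing out-ifp from .local..0 to vlan.1 for dst: 192.168.1.1 in vr_id:0
routed (x_dst_ip 192.168.1.1) from home (vlan.2 in 0) to vlan.1, Next-hop: 192.168.1.1
policy search from zone home-> zone management (0x0,0x2038,0x2038)
app 0, timeout 60s, curr ageout 60s
packet dropped, denied by policy
packet dropped, policy deny.
flow find session returns error.
----- flow_process_pkt rc 0x7 (fp rc -1)
"""


@dataclass
class FlowDecision:
    in_ifp: Optional[str] = None
    out_ifp: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[int] = None
    from_zone: Optional[str] = None
    to_zone: Optional[str] = None
    local_destination: bool = False  # out-ifp started as .local..0 (a device address)
    verdict: str = "unknown"         # "permit", "deny" or "unknown"
    rc: Optional[str] = None         # return code from the closing trace line


def parse_trace(text: str) -> List[FlowDecision]:
    """Split a flow trace into per-packet records and extract the decision data."""
    records: List[FlowDecision] = []
    cur: Optional[FlowDecision] = None
    for raw in text.splitlines():
        line = raw.strip()
        # A packet record opens with four dashes and closes with five.
        if re.match(r"^-{4} flow_process_pkt:", line):
            cur = FlowDecision()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = re.search(r"\bin_ifp (\S+)", line)
        if m and cur.in_ifp is None:
            cur.in_ifp = m.group(1)
        m = re.search(r"find flow: .*sa (\S+), da (\S+), sp \d+, dp \d+, proto (\d+)", line)
        if m:
            cur.src, cur.dst, cur.proto = m.group(1), m.group(2), int(m.group(3))
        m = re.search(r"Changing out-ifp from (\S+) to (\S+) for dst", line)
        if m:
            # .local..0 means the destination is one of the SRX's own addresses;
            # the zone pair is then taken from the interface that owns it.
            cur.local_destination = m.group(1) == ".local..0"
            cur.out_ifp = m.group(2)
        m = re.search(r"policy search from zone (\S+?)->\s*zone (\S+)", line)
        if m:
            cur.from_zone, cur.to_zone = m.group(1), m.group(2)
        if re.search(r"denied by policy", line, re.I):
            cur.verdict = "deny"
        elif re.search(r"permitted by policy", line, re.I):  # assumed permit-path wording
            cur.verdict = "permit"
        m = re.match(r"^-{5} flow_process_pkt rc (\S+)", line)
        if m:
            cur.rc = m.group(1)
            cur = None
    return records


def summarize(d: FlowDecision) -> str:
    """One-line audit summary of a single packet decision."""
    kind = (f"self-traffic (local address, re-zoned via {d.out_ifp})"
            if d.local_destination else "transit")
    return (f"{d.src} -> {d.dst} proto {d.proto} in {d.in_ifp}: {kind}; "
            f"policy {d.from_zone}->{d.to_zone}: {d.verdict} (rc {d.rc})")


if __name__ == "__main__":
    for rec in parse_trace(SAMPLE_TRACE):
        print(summarize(rec))
```

Feeding it the real file (`show log sectrace.log` output saved locally) gives one summary line per packet, which makes it straightforward to confirm that management traffic from another zone is being evaluated as a home-to-management policy lookup rather than against the ingress interface's host-inbound-traffic list alone.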