SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Can't ping from host in one zone to SRX address in another, even with permissive policy

    Posted 06-19-2012 14:09

    Greetings,

    I'm trying to configure an SRX210 such that management functions such as SSH are only enabled on a single interface, specifically vlan.1. However, I want to allow users on vlan.2 to reach this management address.

    Consider the following configuration:

    set interfaces vlan unit 1 family inet address 192.168.1.1/24
    set interfaces vlan unit 2 family inet address 192.168.2.1/24

    set security zones security-zone home interfaces vlan.2 host-inbound-traffic system-services dhcp
    set security zones security-zone home interfaces vlan.2 host-inbound-traffic system-services ping
    set security zones security-zone home interfaces vlan.2 host-inbound-traffic system-services traceroute

    set security zones security-zone management interfaces vlan.1 host-inbound-traffic system-services dhcp

    set security zones security-zone management interfaces vlan.1 host-inbound-traffic system-services ping
    set security zones security-zone management interfaces vlan.1 host-inbound-traffic system-services traceroute
    set security zones security-zone management interfaces vlan.1 host-inbound-traffic system-services telnet
    set security zones security-zone management interfaces vlan.1 host-inbound-traffic system-services ssh
    set security zones security-zone management interfaces vlan.1 host-inbound-traffic system-services http
    set security zones security-zone management interfaces vlan.1 host-inbound-traffic system-services https
    set security zones security-zone management interfaces vlan.1 host-inbound-traffic system-services snmp

    set security policies from-zone home to-zone management policy test match source-address any
    set security policies from-zone home to-zone management policy test match destination-address any
    set security policies from-zone home to-zone management policy test match application any
    set security policies from-zone home to-zone management policy test then permit

    No matter what, I cannot seem to ping from a host on 192.168.2.0/24 to 192.168.1.1, and the SRX reports it due to a policy deny.

    show log sectrace.log | trim 41 | except "^ *$"

    <192.168.2.2/0->192.168.1.1/8248;1> matched filter home-to-mgmt:
    packet [84] ipid = 65215, @423db19e
    ---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x423daf80, rtbl_idx = 0
    flow process pak fast ifl 70 in_ifp vlan.2
    vlan.2:192.168.2.2->192.168.1.1, icmp, (8/0)
    find flow: table 0x48924978, hash 33398(0xffff), sa 192.168.2.2, da 192.168.1.1, sp 0, dp 8248, proto 1, tok 7
    no session found, start first path. in_tunnel - 0, from_cp_flag - 0
    flow_first_create_session
    flow_first_in_dst_nat: in <vlan.2>, out <N/A> dst_adr 192.168.1.1, sp 0, dp 8248
    chose interface vlan.2 as incoming nat if.
    flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 192.168.1.1(8248)
    flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 192.168.2.2, x_dst_ip 192.168.1.1, in ifp vlan.2, out ifp N/A sp 0, dp 8248, ip_proto 1, tos 0
    Doing DESTINATION addr route-lookup
    Changing out-ifp from .local..0 to vlan.1 for dst: 192.168.1.1 in vr_id:0
    routed (x_dst_ip 192.168.1.1) from home (vlan.2 in 0) to vlan.1, Next-hop: 192.168.1.1
    policy search from zone home-> zone management (0x0,0x2038,0x2038)
    app 0, timeout 60s, curr ageout 60s
    packet dropped, denied by policy
    packet dropped, policy deny.
    flow find session returns error.
    ----- flow_process_pkt rc 0x7 (fp rc -1)

    Thoughts?

    Regards,

    Phil



  • 2.  RE: Can't ping from host in one zone to SRX address in another, even with permissive policy

    Posted 06-19-2012 14:21

    One interesting follow-up: I can create an lo0.0, put it in a "loopback" zone, with host-inbound-traffic system-services ping, etc., and then a policy from-zone home to-zone loopback to permit the traffic, and that works.

    It is seemingly only between the vlan l3-interfaces.

    --phil



  • 3.  RE: Can't ping from host in one zone to SRX address in another, even with permissive policy
    Best Answer

    Posted 06-19-2012 19:18
    Hi,

    Can you try renaming your security zone from 'management' to something else, because that is a predefined functional zone in SRX. They might be conflicting. If not, could you share your complete configuration as well?


  • 4.  RE: Can't ping from host in one zone to SRX address in another, even with permissive policy

    Posted 06-19-2012 20:07

    Aha, that was it. Page 119 of the O'Reilly Junos Security book explains it pretty well.

    Thanks much for the pointer!

    --phil
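The thread's root cause is a security-zone name that collides with the predefined functional zone "management", and the original goal was to expose SSH and friends on a single interface only. The script below is an added example, not code from the thread or from Juniper: it lints Junos set-style configuration for that name collision, reports which zone/interface pairs accept which host-inbound system-services (flagging cleartext telnet and http), and applies the fix the thread settled on by rewriting every security-zone, from-zone and to-zone reference. Assumptions: RESERVED_ZONE_NAMES contains only the name from this thread, the regular expressions cover only the set-command forms the poster showed, the sample config is the poster's zone and policy lines embedded inline, and "mgmt" is an arbitrary replacement name.

```python
import re

# Added example (not from the thread or from Juniper). Assumption: only the
# functional-zone name from this thread is listed; Junos may reserve others.
RESERVED_ZONE_NAMES = {"management"}
CLEARTEXT_SERVICES = {"telnet", "http"}   # credentials cross the wire in clear

ZONE_RE = re.compile(r"^set security zones security-zone (\S+)")
SERVICE_RE = re.compile(
    r"^set security zones security-zone (\S+) interfaces (\S+) "
    r"host-inbound-traffic system-services (\S+)$"
)
POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+)\b"
)

# Constructed sample: the poster's zone and policy lines, embedded inline.
SAMPLE_CONFIG = """\
set security zones security-zone home interfaces vlan.2 host-inbound-traffic system-services dhcp
set security zones security-zone home interfaces vlan.2 host-inbound-traffic system-services ping
set security zones security-zone home interfaces vlan.2 host-inbound-traffic system-services traceroute
set security zones security-zone management interfaces vlan.1 host-inbound-traffic system-services dhcp
set security zones security-zone management interfaces vlan.1 host-inbound-traffic system-services ping
set security zones security-zone management interfaces vlan.1 host-inbound-traffic system-services traceroute
set security zones security-zone management interfaces vlan.1 host-inbound-traffic system-services telnet
set security zones security-zone management interfaces vlan.1 host-inbound-traffic system-services ssh
set security zones security-zone management interfaces vlan.1 host-inbound-traffic system-services http
set security zones security-zone management interfaces vlan.1 host-inbound-traffic system-services https
set security zones security-zone management interfaces vlan.1 host-inbound-traffic system-services snmp
set security policies from-zone home to-zone management policy test match source-address any
set security policies from-zone home to-zone management policy test match destination-address any
set security policies from-zone home to-zone management policy test match application any
set security policies from-zone home to-zone management policy test then permit
"""


def lint(config_text):
    """Parse set-style config lines and return a dict of findings."""
    zones = set()
    services = {}      # (zone, iface) -> set of system-services accepted
    policies = set()   # (from_zone, to_zone, policy_name)
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := ZONE_RE.match(line):
            zones.add(m.group(1))
        if m := SERVICE_RE.match(line):
            zone, iface, svc = m.groups()
            services.setdefault((zone, iface), set()).add(svc)
        if m := POLICY_RE.match(line):
            policies.add(m.groups())
    return {
        "zones": sorted(zones),
        "services": services,
        # The name collision that broke the poster's policy.
        "reserved_zones": sorted(z for z in zones if z in RESERVED_ZONE_NAMES),
        # Policies naming the colliding zone; these need re-pointing too.
        "policies_on_reserved": sorted(
            p for p in policies if RESERVED_ZONE_NAMES & {p[0], p[1]}
        ),
        "cleartext": sorted(
            (zone, iface, svc)
            for (zone, iface), svcs in services.items()
            for svc in svcs if svc in CLEARTEXT_SERVICES
        ),
    }


def exposing(report, service):
    """Sorted (zone, iface) pairs on which `service` is accepted inbound."""
    return sorted(k for k, svcs in report["services"].items() if service in svcs)


def rename_zone(config_text, old, new):
    """Apply the thread's fix: rewrite every security-zone, from-zone and
    to-zone reference to `old` as `new`, leaving everything else untouched."""
    pattern = re.compile(r"\b(security-zone|from-zone|to-zone) " + re.escape(old) + r"\b")
    return pattern.sub(lambda m: f"{m.group(1)} {new}", config_text)


if __name__ == "__main__":
    report = lint(SAMPLE_CONFIG)
    for z in report["reserved_zones"]:
        print(f"security-zone '{z}' collides with a predefined functional zone")
    for frm, to, name in report["policies_on_reserved"]:
        print(f"policy {name} ({frm} -> {to}) references that zone name")
    for zone, iface, svc in report["cleartext"]:
        print(f"cleartext management service {svc} accepted on {iface} ({zone})")
    print("ssh accepted on:", exposing(report, "ssh"))
    print(rename_zone(SAMPLE_CONFIG, "management", "mgmt"))  # "mgmt" is arbitrary
```

The lint is a pure text check: it tells you that a security-zone reuses the functional-zone name and which policies reference it, and exposing() confirms that ssh appears only on vlan.1, but it cannot tell you what the device will do at commit time. Run rename_zone() and then lint() again on the result before pasting the output into the CLI, and keep the telnet/http findings in mind even on a dedicated management interface.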