SRX


Firewall policy is not working

  • 1.  Firewall policy is not working

    Posted 10-22-2015 09:32

    Hi
    I am quite new to the Juniper SRX100. I am trying to create a firewall policy (policy name: p) and I found that it is not working well.

    The following is my setup environment:
    1) Security zone Z5, which contains two interfaces: fe-0/0/2 and fe-0/0/3
    2) a firewall policy p which denies traffic sent from zone Z5 to Z5

    The issue is that the policy does not deny the traffic sent from zone Z5 to zone Z5. Can you advise me what is wrong with my configuration? I have attached the CLI configuration that I copied from J-Web to this case.

    Attachment(s): New Text Document.txt (6 KB), New Text Document (2).txt (6 KB)


  • 2.  RE: Firewall policy is not working

    Posted 10-22-2015 12:36
    Hey,

    Can you post the "show security flow session" of a working ICMP in both directions?


  • 3.  RE: Firewall policy is not working

    Posted 10-22-2015 16:35

    Thank you for replying to my post. I am using J-Web. I am not sure how to enter the command in J-Web. Can you show me where I can enter it in J-Web?



  • 4.  RE: Firewall policy is not working

    Posted 10-22-2015 22:33

    Hi,

    What I'm seeing is that you are using the interfaces in the Z5 zone as family ethernet-switching (layer-2 switching ports). If you apply a policy to a switching port, you have to be aware that you need to use firewall filters to deny layer-2 packets.

    Security policies can only be applied to zones and layer-3 interfaces.



  • 5.  RE: Firewall policy is not working

    Posted 10-23-2015 00:03
    Thank you for your answer. I will try the firewall filter. I really appreciate your help.

    I have another issue.

    Firstly, let me explain my setup environment:
    1) PC A (IP address: 169.254.0.201, subnet mask: 255.255.0.0) is connected to Zone A
    2) PC B (IP address: 169.254.0.5, subnet mask: 255.255.0.0) is connected to Zone B
    3) a UDP program is sending UDP packets to IP address 169.254.0.5 from PC A (169.254.0.201) to PC B (169.254.0.5)

    But policy All_zoneA_zoneB is not working, in that it does not allow traffic to be sent from Zone A to Zone B.

    I have attached my CLI configuration to this topic.



  • 6.  RE: Firewall policy is not working

    Posted 10-23-2015 00:37

    Hi,

    You are using the same /16 within both zones, 169.254.0/16. The problem is that when you do this, the router will think that the /16 is locally behind the interface in Zone A (this is the case if you send a packet from the PC behind Zone A). On the other hand, when you send a packet from the PC behind Zone B, the system will think that the whole /16 is behind that interface. Traffic will stay local.

    What you need to do is split the /16 into smaller subnets, let's say into two /15's. I would suggest, if you only need some IPs, using two /24's, one for every zone.

    Zone A 169.254.0.0/24

    Zone B 169.254.1.0/24

    If you now configure your policies to allow traffic from both zones to each other, traffic will start to be allowed.



  • 7.  RE: Firewall policy is not working

    Posted 10-23-2015 01:49

    Hi

    I really appreciate your help. Thank you very much.

    After reading your reply, I changed my setup environment to:
    1) PC A (IP address: 169.254.0.201, subnet mask: 255.255.0.0, default gateway: 169.254.0.21) is connected to Zone A
    2) PC B (IP address: 192.254.0.5, subnet mask: 255.255.0.0, default gateway: 192.254.0.6) is connected to Zone B
    3) a UDP program is sending UDP packets to IP address 192.254.0.5 from PC A (169.254.0.201) to PC B (192.254.0.5)

    The policy is still not working. I have attached three files. PC A.txt and PC B.txt are outputs from traceroute; new configuration.txt is the new CLI configuration.

    Attachment(s): new configuration.txt (4 KB), PC b.txt (148 B), PC A.txt (1 KB)


  • 8.  RE: Firewall policy is not working

    Posted 10-23-2015 01:57

    You have a problem in the policy allowing traffic from Zone-B to Zone-A:

        from-zone zoneB to-zone zoneA {
            policy All_zoneB_zoneA {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }

    You are denying all the traffic from zoneB to zoneA, so the packets will never get from that zone to the other zone.



  • 9.  RE: Firewall policy is not working

    Posted 10-23-2015 05:12

    Hello,

    gohcc83@gmail.com wrote:

    Hi

    I really appreciate your help. Thank you very much.

    After reading your reply, I changed my setup environment to:
    1) PC A (IP address: 169.254.0.201, subnet mask: 255.255.0.0, default gateway: 169.254.0.21) is connected to Zone A
    2) PC B (IP address: 192.254.0.5, subnet mask: 255.255.0.0, default gateway: 192.254.0.6) is connected to Zone B
    3) a UDP program is sending UDP packets to IP address 192.254.0.5 from PC A (169.254.0.201) to PC B (192.254.0.5)

    The routing won't work properly until You change the subnets and fix errors with Your addressing. Trust me.

    Please do the following changes:

    1) PC A (IP address: 169.254.0.201, subnet mask: 255.255.255.0, default gateway: 169.254.0.21) is connected to Zone A
    2) PC B (IP address: 192.254.1.5, subnet mask: 255.255.255.0, default gateway: 169.254.1.6) is connected to Zone B
    3) a UDP program is sending UDP packets to IP address 192.254.1.5 from PC A (169.254.0.201) to PC B (169.254.1.5)

    HTH

    Thanks

    Alex



  • 10.  RE: Firewall policy is not working

    Posted 10-23-2015 07:55
    Hi

    Thank you for your reply. Do I need to change the configuration in J-Web such that the vlan unit 3 IP address is as below?

        vlan {
            unit 2 {
                family inet {
                    address 169.254.0.21/16;
                }
            }
            unit 3 {
                family inet {
                    address 169.254.1.6/16;
                }
            }
        }

    Attachment(s): new configuration.txt (4 KB)


  • 11.  RE: Firewall policy is not working

    Posted 10-23-2015 08:01

     

    1) PC A (IP address: 169.254.0.201, subnet mask: 255.255.255.0, default gateway: 169.254.0.21) is connected to Zone A
    2) PC B (IP address: 192.254.1.5, subnet mask: 255.255.255.0, default gateway: 169.254.1.6) is connected to Zone B
    3) a UDP program is sending UDP packets to IP address 192.254.1.5 from PC A (169.254.0.201) to PC B (169.254.1.5)

    Based on your reply, I just changed the UDP address to 169.254.1.5 in the config file that the UDP program (at PC A) is pointing to. Do I need to change the IP address for PC B from 192.254.1.5 to 169.254.1.5?



  • 12.  RE: Firewall policy is not working

    Posted 10-23-2015 11:50

    Hello,

    No, You need to change a lot more:

        vlan {
            unit 2 {
                family inet {
                    address 169.254.0.21/24;
                }
            }
            unit 3 {
                family inet {
                    address 169.254.1.6/24;
                }
            }
        }

    Also:

    - netmask for interface IPs on Your PCs
    - default GW on Your PCs,

    and finally:

    - Your "UDP program" target IP

    HTH

    Thanks
    Alex



  • 13.  RE: Firewall policy is not working

    Posted 10-23-2015 23:27

    gohcc83@gmail.com wrote:

    Hi

    I really appreciate your help. Thank you very much.

    After reading your reply, I changed my setup environment to:
    1) PC A (IP address: 169.254.0.201, subnet mask: 255.255.0.0, default gateway: 169.254.0.21) is connected to Zone A
    2) PC B (IP address: 192.254.0.5, subnet mask: 255.255.0.0, default gateway: 192.254.0.6) is connected to Zone B
    3) a UDP program is sending UDP packets to IP address 192.254.0.5 from PC A (169.254.0.201) to PC B (192.254.0.5)

    The policy is still not working. I have attached three files. PC A.txt and PC B.txt are outputs from traceroute; new configuration.txt is the new CLI configuration.

    Hi @aarseniev

    I think your configuration is the same as mine (quoted above), just that my subnet mask is 255.255.x.x, my Zone A IP address starts at 169.254.x.x and my Zone B IP address starts at 192.254.x.x, whereas your subnet mask starts from 255.255.255.x, your Zone A IP address starts at 169.254.0.x and your Zone B IP address starts at 169.254.1.x.

    Anyway, I will try it to see whether your configuration is working. Thank you very much.



  • 14.  RE: Firewall policy is not working

    Posted 10-27-2015 00:58

    Hi
    I tried it with another subnet but it is still not working.

    Firstly, let me explain my new setup environment:
    1) PC A (IP address: 172.16.0.22, subnet mask: 255.255.240.0, gateway: 172.16.0.21) is connected to Zone A
    2) PC B (IP address: 172.16.1.5, subnet mask: 255.255.240.0, gateway: 172.16.1.6) is connected to Zone B
    3) a UDP program is sending UDP packets to IP address 172.16.1.5 from PC A (172.16.0.22) to PC B (172.16.1.5)

    But policy All_zoneA_zoneB is not working, in that it does not allow traffic to be sent from Zone A to Zone B.

    I have attached "ipconfig /all" for PC A and PC B (please refer to newPCA(172.16).txt and newPCB(172.16).txt).
    I have attached my new CLI configuration (please refer to new CLI configuration(172.16).txt).

    I did two tests.

    Test 1: Plug both PC B's network cable and PC A's network cable into Zone A and perform tracert at PC A and PC B.
    At PC A, I am able to perform a traceroute to PC B successfully (please refer to tracertFromPCAToPCB(ZoneA To Zone A).txt).
    At PC B, I am able to perform a traceroute to PC A successfully (please refer to tracertFromPCBToPCA(ZoneA To Zone A).txt).

    Test 2: Plug PC B's network cable into Zone B and PC A's network cable into Zone A and perform tracert at PC A and PC B.
    At PC A, I am not able to perform a traceroute to PC B successfully (please refer to tracertFromPCAToPCB(ZoneA To Zone B).txt).
    At PC B, I am not able to perform a traceroute to PC A successfully (please refer to tracertFromPCBToPCA(ZoneB To Zone A).txt).



  • 15.  RE: Firewall policy is not working

    Posted 10-27-2015 00:58
    I added one more attachment.



  • 16.  RE: Firewall policy is not working

    Posted 10-23-2015 02:22
    Hi
    The policy should be all_zoneA_zoneB, not all_zoneB_zoneA.


  • 17.  RE: Firewall policy is not working

    Posted 10-27-2015 03:56
    Hi guys
    I already solved the issue. Thank you, everyone, for your help.


  • 18.  RE: Firewall policy is not working

     
    Posted 10-27-2015 04:21

    Nice to see that you have fixed your problem! 🙂 Can you tell us how you fixed it?



  • 19.  RE: Firewall policy is not working
    Best Answer

    Posted 10-28-2015 07:11

    Hi

    I will explain how I solved the firewall policy issue (related to the second issue).

    I mentioned that I have two issues:

    1) For the first issue, I have not solved it yet, but you guys mentioned using a firewall filter. I have not tried it yet. Can anyone show me an example (CLI configuration)?

    First issue

    ----------------------------------------------------------------------------

    The following is my setup environment for the first issue:
    1) Security zone Z5, which contains two interfaces: fe-0/0/2 and fe-0/0/3
    2) a firewall policy p which denies traffic sent from zone Z5 to Z5

    The issue is that the policy does not deny the traffic sent from zone Z5 to zone Z5.

    -----------------------------------------------------------------------------

    2) For the second issue, I have solved it.

    Second issue:

    ----------------------------------------------------------------------------

    The following is my setup environment for the second issue:

    1) PC A (IP address: 169.254.0.201, subnet mask: 255.255.0.0) is connected to Zone A
    2) PC B (IP address: 169.254.0.5, subnet mask: 255.255.0.0) is connected to Zone B
    3) a UDP program is sending UDP packets to IP address 169.254.0.5 from PC A (169.254.0.201) to PC B (169.254.0.5)

    But policy All_zoneA_zoneB is not working, in that it does not allow traffic to be sent from Zone A to Zone B.

    So I changed to a new setup environment.

    New setup

    1) PC A (IP address: 169.254.0.21, subnet mask: 255.255.255.0) is connected to Zone A
    2) PC B (IP address: 169.254.1.5, subnet mask: 255.255.255.0) is connected to Zone B
    3) a UDP program is sending UDP packets to IP address 169.254.1.5 from PC A (169.254.0.21) to PC B (169.254.1.5)
    4) VLAN 1 for Zone A: 169.254.0.22/24
    5) VLAN 2 for Zone B: 169.254.1.6/24

    But it is still not working.

    ----------------------------------------------------------------------------

    Solution for second issue

    1) Any IP address starting with 169.254.x.x at Zone A will not send traffic to Zone B even if the subnet mask is 255.255.255.0 (refer to https://en.wikipedia.org/wiki/Link-local_address), although the link I posted here mentions only that IP addresses within 169.254.x.x/16 will not cause the router to route the traffic from Zone A to Zone B. I tried with different IP addresses (172.16.0.x/24 for Zone A and 172.16.100.x/24 for Zone B) and the firewall policy is working.

    2) Zone A and Zone B must be in different subnets (172.16.0.x/24 for Zone A and 172.16.100.x/24 for Zone B).
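    The diagnosis that posts 6, 14 and 19 arrive at can be checked from the PCs' addressing alone, before touching any zone policy: a host only hands a packet to its gateway when the destination lies outside its own subnet, the SRX cannot route between two overlapping connected subnets, and RFC 3927 forbids routers from forwarding 169.254/16. The script below is an added example (not from the thread or from Juniper) that runs those checks over the setups tried in this thread; the 172.16.0.22 and 172.16.100.5 hosts for the post 19 setup are constructed, since that post gives only the two /24s.

```python
import ipaddress

# Constructed hosts mirroring the addressing tried in the thread, as
# (ip, netmask, default gateway) for the PC in Zone A and the PC in Zone B.
# The "post 19" hosts are constructed; the post only gives the two /24s.
SETUPS = {
    "post 5":  (("169.254.0.201", "255.255.0.0", None),
                ("169.254.0.5", "255.255.0.0", None)),
    "post 7":  (("169.254.0.201", "255.255.0.0", "169.254.0.21"),
                ("192.254.0.5", "255.255.0.0", "192.254.0.6")),
    "post 14": (("172.16.0.22", "255.255.240.0", "172.16.0.21"),
                ("172.16.1.5", "255.255.240.0", "172.16.1.6")),
    "post 19": (("172.16.0.22", "255.255.255.0", "172.16.0.21"),
                ("172.16.100.5", "255.255.255.0", "172.16.100.6")),
}


def diagnose(pc_a, pc_b):
    """Return the addressing problems that keep a PC A -> PC B packet from
    ever being routed by the SRX; an empty list means the zone policy is
    what decides, so the policy can be tested meaningfully."""
    problems = []
    a = ipaddress.ip_interface(f"{pc_a[0]}/{pc_a[1]}")
    b = ipaddress.ip_interface(f"{pc_b[0]}/{pc_b[1]}")
    # A host ARPs for any destination inside its own subnet instead of
    # sending it to the gateway, so the firewall never sees the packet.
    # This is why the /20 mask in post 14 still failed: both PCs sit in
    # 172.16.0.0/20 from their own point of view.
    if b.ip in a.network:
        problems.append(f"PC A treats {b.ip} as on-link in {a.network}")
    if a.ip in b.network:
        problems.append(f"PC B treats {a.ip} as on-link in {b.network}")
    # Even with correct host masks, the SRX cannot hold two overlapping
    # connected routes and route between them (post 6).
    if a.network.overlaps(b.network):
        problems.append(f"zone subnets {a.network} and {b.network} overlap")
    for name, iface, gw in (("PC A", a, pc_a[2]), ("PC B", b, pc_b[2])):
        # RFC 3927: 169.254/16 packets must not be sent to or forwarded
        # by a router, which is what post 19 ran into.
        if iface.ip.is_link_local:
            problems.append(f"{name} address {iface.ip} is link-local")
        if gw is None:
            problems.append(f"{name} has no default gateway")
        elif ipaddress.ip_address(gw) not in iface.network:
            problems.append(f"{name} gateway {gw} is outside {iface.network}")
    return problems


if __name__ == "__main__":
    for label, (pc_a, pc_b) in SETUPS.items():
        print(label, diagnose(pc_a, pc_b) or ["addressing OK; test the policy"])
```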

     

     



  • 20.  RE: Firewall policy is not working

    Posted 10-28-2015 07:13

    Hi guys

    I really appreciate your help. Thank you very much.