SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  From zone Inside to zone Inside

    Posted 08-31-2011 05:01

    Hi

    I created a simple policy "Permit ALL" from zone Outside to zone Inside, and from zone Inside to zone Outside.

    Permit any traffic on all interfaces.

    But I can not ping Loopback!!!

    If I add "Permit ALL" from Inside zone to Inside zone I can ping lo0.0. (I think it is a wrong policy)

    Where is my mistake?

     

    policies {
        from-zone Outside to-zone Inside {
            policy OutsideToInside {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Inside to-zone Outside {
            policy InsideToOutside {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Inside to-zone Inside {
            policy InsideToInside {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone Outside {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone Inside {
            interfaces {
                ge-0/0/1 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                ge-0/0/2 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                ge-0/0/3 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                lo0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }


  • 2.  RE: From zone Inside to zone Inside

    Posted 08-31-2011 05:10

    I fixed my bug 😃 Loopback must be situated in a functional-zone!!!

    Is it correct?



  • 3.  RE: From zone Inside to zone Inside

    Posted 08-31-2011 05:17

    Hi

     

    lo0.0 must be placed in some security zone, right. And you need policies to access it from other zones (intrazone policy to access it from the same zone).

    Also the host-inbound-traffic setting on the zone still applies to it if you want management or dynamic routing via lo0.



  • 4.  RE: From zone Inside to zone Inside

    Posted 08-31-2011 07:11

    Separate security zone only for lo0.0 ?



  • 5.  RE: From zone Inside to zone Inside

    Posted 08-31-2011 07:17

    Not necessarily, lo0.0 can be for example in "Inside" zone. Just treat it as a usual network interface.



  • 6.  RE: From zone Inside to zone Inside

    Posted 08-31-2011 07:43

    English:

    It does not work properly. If lo0.0 is situated in security-zone Inside, everything is fine, but I can't ping lo0.0.

    If I add a policy "from-zone Inside to-zone Inside", I can ping lo0.0, but this policy is pointless. Maybe I don't understand policy properly?

    Russian (translated):

    No way, it doesn't work like that. If lo0.0 is in security-zone Inside, everything is fine, but I can't ping lo0.0.

    If I add a policy like from-zone Inside to-zone Inside, it starts to ping. Although, as far as I know, that kind of policy makes no sense. Maybe I'm missing something?



  • 7.  RE: From zone Inside to zone Inside
    Best Answer

    Posted 08-31-2011 08:05

    This is working as designed. Policy from Inside to Inside is 100% legitimate.

    If you have 2 interfaces on SRX (ge and ge, OR lo0.0 and ge - does not matter) the traffic is not allowed between interfaces in the same zone without policy.

    This is kind of weird and it was different in Netscreen, but it is working that way.
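    A worked configuration for the behaviour described in this answer and in reply 3, added here as an example; it is not taken from any post in the thread. lo0.0 sits in the Inside zone like any other logical interface, the Inside-to-Inside policy is narrowed to the loopback address and the applications actually needed instead of permit-any, and host-inbound-traffic on lo0.0 is scoped to those services rather than "all". The addresses, interface units, address-book names and policy names are assumptions.

```junos
## Added example, not the thread's configuration. Assumed values:
##   lo0.0 = 10.0.0.1/32, LAN behind ge-0/0/1.0 = 192.168.1.0/24,
##   management host = 192.168.1.10.
set interfaces lo0 unit 0 family inet address 10.0.0.1/32
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24

## lo0.0 is an ordinary logical interface and belongs in a security zone.
## host-inbound-traffic is set per interface and limited to what the loopback
## actually has to accept (ping for reachability tests, ssh for management),
## instead of "system-services all" on every interface.
set security zones security-zone Inside interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone Inside interfaces lo0.0 host-inbound-traffic system-services ping
set security zones security-zone Inside interfaces lo0.0 host-inbound-traffic system-services ssh

## Zone address book, so the policies can name the loopback rather than use "any".
set security zones security-zone Inside address-book address LAN 192.168.1.0/24
set security zones security-zone Inside address-book address LOOPBACK 10.0.0.1/32
set security zones security-zone Inside address-book address MGMT-HOST 192.168.1.10/32

## Intrazone policy. A packet entering on ge-0/0/1.0 (zone Inside) and destined
## for lo0.0 (also zone Inside) is still a from-zone Inside to-zone Inside
## lookup; with no matching policy it falls through to the default deny, which
## is why the ping in the thread failed. Permit only ICMP to the loopback from the LAN.
set security policies from-zone Inside to-zone Inside policy LAN-to-lo0-ping match source-address LAN
set security policies from-zone Inside to-zone Inside policy LAN-to-lo0-ping match destination-address LOOPBACK
set security policies from-zone Inside to-zone Inside policy LAN-to-lo0-ping match application junos-ping
set security policies from-zone Inside to-zone Inside policy LAN-to-lo0-ping then permit
set security policies from-zone Inside to-zone Inside policy LAN-to-lo0-ping then log session-close

## SSH to the loopback only from the management host.
set security policies from-zone Inside to-zone Inside policy MGMT-to-lo0-ssh match source-address MGMT-HOST
set security policies from-zone Inside to-zone Inside policy MGMT-to-lo0-ssh match destination-address LOOPBACK
set security policies from-zone Inside to-zone Inside policy MGMT-to-lo0-ssh match application junos-ssh
set security policies from-zone Inside to-zone Inside policy MGMT-to-lo0-ssh then permit
set security policies from-zone Inside to-zone Inside policy MGMT-to-lo0-ssh then log session-close

## Explicit final deny with logging, so any other Inside-to-Inside traffic
## (for example ge-0/0/2.0 to ge-0/0/3.0) is dropped visibly rather than silently.
set security policies from-zone Inside to-zone Inside policy Inside-deny-rest match source-address any
set security policies from-zone Inside to-zone Inside policy Inside-deny-rest match destination-address any
set security policies from-zone Inside to-zone Inside policy Inside-deny-rest match application any
set security policies from-zone Inside to-zone Inside policy Inside-deny-rest then deny
set security policies from-zone Inside to-zone Inside policy Inside-deny-rest then log session-init

## Verification after commit (operational mode), while a LAN host pings 10.0.0.1:
##   show security zones Inside
##   show security policies from-zone Inside to-zone Inside
##   show security flow session destination-prefix 10.0.0.1
## The session listed for the ping should reference policy LAN-to-lo0-ping.
```

    Two points follow from the same rule. The Outside-to-Inside permit in the original post did not help because the ping entered on an Inside interface, so the lookup was Inside to Inside, not Outside to Inside; a host in the Outside zone would likewise need the Outside-to-Inside policy to permit traffic to LOOPBACK, plus the host-inbound-traffic entry on lo0.0. And the reason the poster's permit-any Inside-to-Inside policy "worked" is that it also permitted every other interface pair in the zone, which is why the example keeps the intrazone policy specific and ends with a logged deny.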



  • 8.  RE: From zone Inside to zone Inside

    Posted 09-01-2011 01:25

    Tnx.

     

    Which is more correct? lo0.0 in a security-zone or in a functional-zone?



  • 9.  RE: From zone Inside to zone Inside

    Posted 09-01-2011 01:40

    Preved!

     

    Lo0.0 in security-zone!!!!