SRX


  • 1.  How to allow ping from untrusted network to SRX vlan interface/ loopback address

    Posted 07-13-2014 03:00

    How do I allow ping from the Router A loopback (source loopback) to the SRX firewall vlan interface or loopback IP address, and vice versa? Thanks in advance.



  • 2.  RE: How to allow ping from untrusted network to SRX vlan interface/ loopback address

    Posted 07-13-2014 03:12

    Hi,

     

    1- Make sure that routing is fine (each device has a valid route to the lo0 of the remote device)

    2- SRX to router: not much configuration is required; it should work if routing is fine

    3- router to SRX: you need a security policy from the untrust zone to the zone of the lo0 / vlan interface that permits ping traffic

      - ping must also be enabled as a host-inbound system service on the lo0 / vlan interface in that zone

     

    security zones security-zone untrust interfaces lo0.0 host-inbound-traffic system-services ping

     

    Regards,

    Mohamed Elhariry

    2* JNCIE (SEC # 159, SP # 1059)

     



  • 3.  RE: How to allow ping from untrusted network to SRX vlan interface/ loopback address

    Posted 07-13-2014 07:38

    Didn't manage to get it to work; I can't ping from the router to the firewall loopback address 2.2.2.2. Config below:

     

    root@G-FW# show | no-more
    ## Last changed: 2014-07-13 21:48:43 UTC
    version 10.4R4.5;
    groups {
        global {
            interfaces {
                lo0 {
                    unit 0 {
                        family inet;
                    }
                }
            }
        }
    }
    system {
        host-name G-FW;
        root-authentication {
            encrypted-password "$1$cuRaBuU9$irjLForpUn3A4n75MkqI.."; ## SECRET-DATA
        }
        name-server {
            208.67.222.222;
            208.67.220.220;
        }
        login {
            user admin {
                uid 2001;
                class super-user;
                authentication {
                        encrypted-password "$1$v0dV3J.3$c8Wg8OT7k4BvH1oZC6EPX0"; ## SECRET-DATA
                }
            }
        }
        services {
            ssh;
            telnet;
            xnm-clear-text;
            web-management {
                http {
                    interface vlan.0;
                }
                https {
                    system-generated-certificate;
                    interface vlan.0;
                }
            }
            dhcp {
                router {
                    192.168.1.1;
                }
                pool 192.168.1.0/24 {
                    address-range low 192.168.1.2 high 192.168.1.254;
                }
                propagate-settings fe-0/0/0.0;
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    chassis {
        aggregated-devices {
            ethernet {
                device-count 2;
            }
        }
    }
    interfaces {
        interface-range CONNECTION-TO-FIREWALL {
            member fe-0/0/6;
            member fe-0/0/7;
            fastether-options {
                802.3ad ae0;
            }
        }
        fe-0/0/0 {
            vlan-tagging;
            unit 0 {
                vlan-id 0;
            }
            unit 1154 {
                description "G SG Private P2P";
                vlan-id 1154;
                family inet {
                    address 10.147.64.2/30;
                }
            }
            unit 2154 {
                description "G SG Private P2P";
                vlan-id 2154;
                family inet {
                    address 103.8.120.226/29;
                }
            }
        }
        fe-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/5 {
            description "Connection to Router G Network";
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members G-Network;
                    }
                }
            }
        }
        ae0 {
            aggregated-ether-options {
                lacp {
                    active;
                }
            }
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                    vlan {
                        members [ vlan-trust vlan-management vlan-wireless ];
                    }
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 2.2.2.2/32;
                }
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
            unit 4 {
                description "GRMS - Guest Wireless";
                family inet {
                    address 10.147.32.1/24;
                }
            }
            unit 20 {
                description "GRMS Management Network";
                family inet {
                    address 10.147.24.1/24;
                }
            }
            unit 95 {
                description "GRMS Trust Network";
                family inet {
                    address 10.147.0.1/20;
                }
            }
            unit 666 {
                description G-Network;
                family inet {
                    address 192.168.253.14/30;
                }
            }
        }
    }
    protocols {
        stp;
    }
    security {
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        zones {
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    fe-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                            }
                        }
                    }
                    lo0.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                            }
                        }
                    }
                }
            }
            security-zone GENERAL-MANAGEMENT {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.20;
                }
            }
            security-zone TRUST {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.95;
                    lo0.0;
                }
            }
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
            }
            security-zone G-Network {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.666 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone GENERAL-MANAGEMENT to-zone trust {
                policy ALLOW-ALL {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone GENERAL-MANAGEMENT {
                policy ALLOW-ALL {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone trust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone TRUST {
                policy untrust-to-TRUST {
                    match {
                        source-address any;
                        destination-address any;
                        application [ junos-icmp-all junos-ping ];
                    }
                    then {
                        permit;
                    }
                }
            }
        }
    }
    routing-instances {
        TRUST {
            instance-type virtual-router;
            interface fe-0/0/0.1154;
            interface lo0.0;
            interface vlan.20;
            interface vlan.95;
            interface vlan.666;
            routing-options {
                static {
                    route 0.0.0.0/0 next-table inet.0;
                    route 10.65.6.27/32 next-hop 192.168.253.13;
                    route 1.1.1.0/30 next-hop 192.168.253.13;
                }
                aggregate {
                    route 10.147.0.0/16;
                }
                autonomous-system 64915;
            }
        }
    }
    vlans {
        G-Network {
            vlan-id 666;
            l3-interface vlan.666;
        }
        vlan-management {
            vlan-id 20;
            l3-interface vlan.20;
        }
        vlan-trust {
            vlan-id 95;
            l3-interface vlan.95;
        }
        vlan-wireless {
            vlan-id 4;
            l3-interface vlan.4;
        }
    }

    [edit]
    root@grmsjufw01#
    root@grmsjufw01# show | no-more
    ## Last changed: 2014-07-13 21:48:43 UTC
    version 10.4R4.5;
    groups {
        global {
            interfaces {
                lo0 {
                    unit 0 {
                        family inet;
                    }
                }
            }
        }
    }
    system {
        host-name G-FW;
        root-authentication {
            encrypted-password "$1$cuRaBuU9$irjLForpUn3A4n75MkqI.."; ## SECRET-DATA
        }
        name-server {
            208.67.222.222;
            208.67.220.220;
        }
        login {
            user admin {
                uid 2001;
                class super-user;
                authentication {
                        encrypted-password "$1$v0dV3J.3$c8Wg8OT7k4BvH1oZC6EPX0"; ## SECRET-DATA
                }
            }
        }
        services {
            ssh;
            telnet;
            xnm-clear-text;
            web-management {
                http {
                    interface vlan.0;
                }
                https {
                    system-generated-certificate;
                    interface vlan.0;
                }
            }
            dhcp {
                router {
                    192.168.1.1;
                }
                pool 192.168.1.0/24 {
                    address-range low 192.168.1.2 high 192.168.1.254;
                }
                propagate-settings fe-0/0/0.0;
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    chassis {
        aggregated-devices {
            ethernet {
                device-count 2;
            }
        }
    }
    interfaces {
        interface-range CONNECTION-TO-FIREWALL {
            member fe-0/0/6;
            member fe-0/0/7;
            fastether-options {
                802.3ad ae0;
            }
        }
        fe-0/0/0 {
            vlan-tagging;
            unit 0 {
                vlan-id 0;
            }
            unit 1154 {
                description "G SG Private P2P";
                vlan-id 1154;
                family inet {
                    address 10.147.64.2/30;
                }
            }
            unit 2154 {
                description "G SG Private P2P";
                vlan-id 2154;
                family inet {
                    address 103.8.120.226/29;
                }
            }
        }
        fe-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/5 {
            description "Connection to Router G Network";
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members G-Network;
                    }
                }
            }
        }
        ae0 {
            aggregated-ether-options {
                lacp {
                    active;
                }
            }
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                    vlan {
                        members [ vlan-trust vlan-management vlan-wireless ];
                    }
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 2.2.2.2/32;
                }
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
            unit 4 {
                description "GRMS - Guest Wireless";
                family inet {
                    address 10.147.32.1/24;
                }
            }
            unit 20 {
                description "GRMS Management Network";
                family inet {
                    address 10.147.24.1/24;
                }
            }
            unit 95 {
                description "GRMS Trust Network";
                family inet {
                    address 10.147.0.1/20;
                }
            }
            unit 666 {
                description G-Network;
                family inet {
                    address 192.168.253.14/30;
                }
            }
        }
    }
    protocols {
        stp;
    }
    security {
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        zones {
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    fe-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                            }
                        }
                    }
                    lo0.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                            }
                        }
                    }
                }
            }
            security-zone GENERAL-MANAGEMENT {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.20;
                }
            }
            security-zone TRUST {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.95;
                    lo0.0;
                }
            }
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
            }
            security-zone G-Network {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.666 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone GENERAL-MANAGEMENT to-zone trust {
                policy ALLOW-ALL {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone GENERAL-MANAGEMENT {
                policy ALLOW-ALL {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone trust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone TRUST {
                policy untrust-to-TRUST {
                    match {
                        source-address any;
                        destination-address any;
                        application [ junos-icmp-all junos-ping ];
                    }
                    then {
                        permit;
                    }
                }
            }
        }
    }
    routing-instances {
        TRUST {
            instance-type virtual-router;
            interface fe-0/0/0.1154;
            interface lo0.0;
            interface vlan.20;
            interface vlan.95;
            interface vlan.666;
            routing-options {
                static {
                    route 0.0.0.0/0 next-table inet.0;
                    route 10.65.6.27/32 next-hop 192.168.253.13;
                    route 1.1.1.0/30 next-hop 192.168.253.13;
                }
                aggregate {
                    route 10.147.0.0/16;
                }
                autonomous-system 64915;
            }
        }
    }
    vlans {
        G-Network {
            vlan-id 666;
            l3-interface vlan.666;
        }
        vlan-management {
            vlan-id 20;
            l3-interface vlan.20;
        }
        vlan-trust {
            vlan-id 95;
            l3-interface vlan.95;
        }
        vlan-wireless {
            vlan-id 4;
            l3-interface vlan.4;
        }
    }

    [edit]
    root@grmsjufw01#
    root@grmsjufw01# show | no-more
    ## Last changed: 2014-07-13 21:48:43 UTC
    version 10.4R4.5;
    groups {
        global {
            interfaces {
                lo0 {
                    unit 0 {
                        family inet;
                    }
                }
            }
        }
    }
    system {
        host-name G-FW;
        root-authentication {
            encrypted-password "$1$cuRaBuU9$irjLForpUn3A4n75MkqI.."; ## SECRET-DATA
        }
        name-server {
            208.67.222.222;
            208.67.220.220;
        }
        login {
            user admin {
                uid 2001;
                class super-user;
                authentication {
                        encrypted-password "$1$v0dV3J.3$c8Wg8OT7k4BvH1oZC6EPX0"; ## SECRET-DATA
                }
            }
        }
        services {
            ssh;
            telnet;
            xnm-clear-text;
            web-management {
                http {
                    interface vlan.0;
                }
                https {
                    system-generated-certificate;
                    interface vlan.0;
                }
            }
            dhcp {
                router {
                    192.168.1.1;
                }
                pool 192.168.1.0/24 {
                    address-range low 192.168.1.2 high 192.168.1.254;
                }
                propagate-settings fe-0/0/0.0;
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    chassis {
        aggregated-devices {
            ethernet {
                device-count 2;
            }
        }
    }
    interfaces {
        interface-range CONNECTION-TO-FIREWALL {
            member fe-0/0/6;
            member fe-0/0/7;
            fastether-options {
                802.3ad ae0;
            }
        }
        fe-0/0/0 {
            vlan-tagging;
            unit 0 {
                vlan-id 0;
            }
            unit 1154 {
                description "G SG Private P2P";
                vlan-id 1154;
                family inet {
                    address 10.147.64.2/30;
                }
            }
            unit 2154 {
                description "G SG Private P2P";
                vlan-id 2154;
                family inet {
                    address 103.8.120.226/29;
                }
            }
        }
        fe-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/5 {
            description "Connection to Router G Network";
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members G-Network;
                    }
                }
            }
        }
        ae0 {
            aggregated-ether-options {
                lacp {
                    active;
                }
            }
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                    vlan {
                        members [ vlan-trust vlan-management vlan-wireless ];
                    }
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 2.2.2.2/32;
                }
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
            unit 4 {
                description "GRMS - Guest Wireless";
                family inet {
                    address 10.147.32.1/24;
                }
            }
            unit 20 {
                description "GRMS Management Network";
                family inet {
                    address 10.147.24.1/24;
                }
            }
            unit 95 {
                description "GRMS Trust Network";
                family inet {
                    address 10.147.0.1/20;
                }
            }
            unit 666 {
                description G-Network;
                family inet {
                    address 192.168.253.14/30;
                }
            }
        }
    }
    protocols {
        stp;
    }
    security {
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        zones {
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    fe-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                            }
                        }
                    }
                    lo0.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                            }
                        }
                    }
                }
            }
            security-zone GENERAL-MANAGEMENT {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.20;
                }
            }
            security-zone TRUST {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.95;
                    lo0.0;
                }
            }
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
            }
            security-zone G-Network {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.666 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone GENERAL-MANAGEMENT to-zone trust {
                policy ALLOW-ALL {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone GENERAL-MANAGEMENT {
                policy ALLOW-ALL {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone trust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone TRUST {
                policy untrust-to-TRUST {
                    match {
                        source-address any;
                        destination-address any;
                        application [ junos-icmp-all junos-ping ];
                    }
                    then {
                        permit;
                    }
                }
            }
        }
    }
    routing-instances {
        TRUST {
            instance-type virtual-router;
            interface fe-0/0/0.1154;
            interface lo0.0;
            interface vlan.20;
            interface vlan.95;
            interface vlan.666;
            routing-options {
                static {
                    route 0.0.0.0/0 next-table inet.0;
                    route 10.65.6.27/32 next-hop 192.168.253.13;
                    route 1.1.1.0/30 next-hop 192.168.253.13;
                }
                aggregate {
                    route 10.147.0.0/16;
                }
                autonomous-system 64915;
            }
        }
    }
    vlans {
        G-Network {
            vlan-id 666;
            l3-interface vlan.666;
        }
        vlan-management {
            vlan-id 20;
            l3-interface vlan.20;
        }
        vlan-trust {
            vlan-id 95;
            l3-interface vlan.95;
        }
        vlan-wireless {
            vlan-id 4;
            l3-interface vlan.4;
        }
    }

    [edit]
    root@G-FW#





  • 4.  RE: How to allow ping from untrusted network to SRX vlan interface/ loopback address

     
    Posted 07-13-2014 20:20

    Hi kennethgoh,

     

    I was trying to load your configuration on one of my devices, and I get the error below, which is expected.

     

    root@SRX# commit
    [edit security zones security-zone untrust]
      'interfaces lo0.0'
        Interface lo0.0 must be in the same routing instance as other interfaces in the zone
    error: configuration check-out failed

     

    It looks like the configuration was not committed. Can you provide the configuration output from operational mode:

     

    "root>show configuration|no-more"

     

    Interfaces that belong to different routing instances cannot be members of the same security zone.

     

    In your case lo0 is part of routing instance TRUST, but it is placed under zone TRUST, which also contains interface fe-0/0/0, and that interface is not part of routing instance TRUST.

     

     

    Thanks,

    Suraj

     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too



  • 5.  RE: How to allow ping from untrusted network to SRX vlan interface/ loopback address

    Posted 07-14-2014 05:38

    Hi Suraj,

     

    Here you go. My aim is to ensure that the router is able to ping the SRX lo0 address 2.2.2.2.

     

    root@G-FW> show configuration | no-more
    ## Last commit: 2014-07-14 20:32:09 UTC by root
    version 10.4R4.5;
    groups {
        global {
            interfaces {
                lo0 {
                    unit 0 {
                        family inet;
                    }
                }
            }
        }
    }
    system {
        host-name G-FW;
        root-authentication {
            encrypted-password "$1$cuRaBuU9$irjLForpUn3A4n75MkqI.."; ## SECRET-DATA
        }
        name-server {
            208.67.222.222;
            208.67.220.220;
        }
        login {
            user admin {
                uid 2001;
                class super-user;
                authentication {
                    encrypted-password "$1$v0dV3J.3$c8Wg8OT7k4BvH1oZC6EPX0"; ## SECRET-DATA
                }
            }
        }
        services {
            ssh;
            telnet;
            xnm-clear-text;
            web-management {
                http {
                    interface vlan.0;
                }
                https {
                    system-generated-certificate;
                    interface vlan.0;
                }
            }
            dhcp {
                router {
                    192.168.1.1;
                }
                pool 192.168.1.0/24 {
                    address-range low 192.168.1.2 high 192.168.1.254;
                }
                propagate-settings fe-0/0/0.0;
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    chassis {
        aggregated-devices {
            ethernet {
                device-count 2;
            }
        }
    }
    interfaces {
        interface-range CONNECTION-TO-FIREWALL {
            member fe-0/0/6;
            member fe-0/0/7;
            fastether-options {
                802.3ad ae0;
            }
        }
        fe-0/0/0 {
            vlan-tagging;
            unit 0 {
                vlan-id 0;
            }
            unit 1154 {
                description "G SG Private P2P";
                vlan-id 1154;
                family inet {
                    address 10.147.64.2/30;
                }
            }
            unit 2154 {
                description "G SG Private P2P";
                vlan-id 2154;
                family inet {
                    address 103.8.120.226/29;
                }
            }
        }
        fe-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/5 {
            description "Connection to Router G Network";
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members G-Network;
                    }
                }
            }
        }
        ae0 {
            aggregated-ether-options {
                lacp {
                    active;
                }
            }
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                    vlan {
                        members [ vlan-trust vlan-management vlan-wireless ];
                    }
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 2.2.2.2/32;
                }
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
            unit 4 {
                description "GRMS - Guest Wireless";
                family inet {
                    address 10.147.32.1/24;
                }
            }
            unit 20 {
                description "GRMS Management Network";
                family inet {
                    address 10.147.24.1/24;
                }
            }
            unit 95 {
                description "GRMS Trust Network";
                family inet {
                    address 10.147.0.1/20;
                }
            }
            unit 666 {
                description G-Network;
                family inet {
                    address 192.168.253.14/30;
                }
            }
        }
    }
    protocols {
        stp;
    }
    security {
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        zones {
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    fe-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                            }
                        }
                    }
                }
            }
            security-zone GENERAL-MANAGEMENT {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.20;
                }
            }
            security-zone TRUST {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.95;
                    lo0.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                            }
                        }
                    }
                }
            }
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
            }
            security-zone G-Network {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.666 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone GENERAL-MANAGEMENT to-zone trust {
                policy ALLOW-ALL {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone GENERAL-MANAGEMENT {
                policy ALLOW-ALL {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone trust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone TRUST {
                policy untrust-to-TRUST {
                    match {
                        source-address any;
                        destination-address any;
                        application [ junos-icmp-all junos-ping ];
                    }
                    then {
                        permit;
                    }
                }
            }
        }
    }
    routing-instances {
        TRUST {
            instance-type virtual-router;
            interface fe-0/0/0.1154;
            interface lo0.0;
            interface vlan.20;
            interface vlan.95;
            interface vlan.666;
            routing-options {
                static {
                    route 0.0.0.0/0 next-table inet.0;
                    route 10.65.6.27/32 next-hop 192.168.253.13;
                    route 1.1.1.0/30 next-hop 192.168.253.13;
                }
                aggregate {
                    route 10.147.0.0/16;
                }
                autonomous-system 64915;
            }
        }
    }
    vlans {
        G-Network {
            vlan-id 666;
            l3-interface vlan.666;
        }
        vlan-management {
            vlan-id 20;
            l3-interface vlan.20;
        }
        vlan-trust {
            vlan-id 95;
            l3-interface vlan.95;
        }
        vlan-wireless {
            vlan-id 4;
            l3-interface vlan.4;
        }
    }

    root@G-FW>

     



  • 6.  RE: How to allow ping from untrusted network to SRX vlan interface/ loopback address

    Posted 07-14-2014 06:04

    Can you show me how you configure the following:

     

    3- router to SRX you need to allow security policy from untrust zone to (the lo0 / vlan interface zone) to allow ping traffic