SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Icmp redirect

    Posted 02-24-2014 05:08

     

    I have an SRX100h running Junos 11.4R8.4. On the SRX some networks are routed to a gateway on the same interface that the packets arrive on.

     

    I was hoping that the SRX would send an icmp-redirect to the source machine, giving it the correct route, but I can't see any sign of this happening.

     

    I tried googling this, and it looks like it should work, but I can't get it working.

     

    Help on this would be very welcome! Reconfiguring would require other parties, so the best thing would be to get it working via an icmp-redirect.



  • 2.  RE: Icmp redirect

    Posted 02-24-2014 05:44

    Hi,

     

    Do you have the set system no-redirects option set?

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB28400



  • 3.  RE: Icmp redirect

    Posted 02-24-2014 05:50

    No, the no-redirects option is not set. 

     

    Is there any special config (policies etc.) that is needed? I was under the impression that it should work if you don't set the no-redirects.



  • 4.  RE: Icmp redirect

    Posted 02-24-2014 06:01

    It shouldn't be set, I should've been clearer. So what policies do you have in place for this zone to the same zone?



  • 5.  RE: Icmp redirect

    Posted 02-24-2014 06:12

    No, that was fine, understood it.

    I don't have any particular policies for the icmp-redirect, just a static route routing some nets to a router on the same subnet.



  • 6.  RE: Icmp redirect
    Best Answer

    Posted 02-24-2014 06:21

    It should happen by default as you say.

     

    So you have no policies in place for intrazone traffic? Try the below, replacing the trust zone with whatever your zone is. The SRX by default will block traffic between the same zones.

     

    set security policies from-zone trust to-zone trust policy TRUST-TRAFFIC match source-address any
    set security policies from-zone trust to-zone trust policy TRUST-TRAFFIC match destination-address any
    set security policies from-zone trust to-zone trust policy TRUST-TRAFFIC match application any
    set security policies from-zone trust to-zone trust policy TRUST-TRAFFIC then permit
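
A narrower variant of the policy in the reply above, as an added example that is not part of the original thread: it permits only a named LAN prefix to reach the networks behind the on-link gateway, instead of any-to-any within the zone, and logs the sessions it permits. The prefixes, address-book entry names and policy name are constructed placeholders, and the zone-attached address-book form is an assumption about the configuration in use.

```junos
# Constructed placeholders: 192.0.2.0/24 stands in for the local LAN and
# 198.51.100.0/24 for a network reached via the gateway on the same subnet.
# Replace the zone name and prefixes with your own.
set security zones security-zone trust address-book address LAN-HOSTS 192.0.2.0/24
set security zones security-zone trust address-book address VIA-GW-NET 198.51.100.0/24

# Permit only LAN hosts to the networks behind the on-link gateway.
set security policies from-zone trust to-zone trust policy TRUST-TO-GW-NETS match source-address LAN-HOSTS
set security policies from-zone trust to-zone trust policy TRUST-TO-GW-NETS match destination-address VIA-GW-NET
set security policies from-zone trust to-zone trust policy TRUST-TO-GW-NETS match application any
set security policies from-zone trust to-zone trust policy TRUST-TO-GW-NETS then permit

# Log session creation so traffic hairpinning through the SRX is visible.
set security policies from-zone trust to-zone trust policy TRUST-TO-GW-NETS then log session-init

# After commit, from operational mode: confirm the policy is present and
# check whether sessions to the remote prefix are still being created.
show security policies from-zone trust to-zone trust
show security flow session destination-prefix 198.51.100.0/24
```

All other trust-to-trust traffic that crosses the SRX continues to fall through to the default behaviour described in the reply.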

     



  • 7.  RE: Icmp redirect

    Posted 02-24-2014 07:10

    Thanks a lot. Worked like a charm.