SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Networks

    Posted 03-03-2012 15:56

    We are installing a new SRX240H and I am having some issues with the programming. I am a long-time Netscreen user and am having some issues figuring out JUNOS. My question is the following:

     

    We are setting up a new office and are segmenting our networks into separate IP ranges. We want the SRX to do the routing between the networks. I have set up an interface for each network and a zone for each network, and I am now trying to pass traffic between the networks and also externally to our cloud connection. I think I have the cloud connection figured out, but I am having trouble passing traffic between the zones/networks. I have set up a policy, but no traffic is getting past the gateway address to the other networks.

     

    Any help would be appreciated.

     

    Lew Pollock



  • 2.  RE: Networks

    Posted 03-03-2012 16:22

    Hi,

     

    Ideally you need a policy between the 2 zones.

    e.g. you have a network in zone A and another in zone B.

    All you need is a policy from zone A to zone B and from zone B to zone A matching the interesting traffic.

    But if it is not working, can you paste your configuration and highlight exactly which are the incoming and the outgoing zones?

    Also, let us know exactly what traffic you are trying to pass.

     

    Hope this helps.

     

    Regards,
    Visitor

    -------------------------------------------------------------------------------------------------------
    If this post was helpful, please mark this post as an "Accepted Solution". Kudos are always appreciated.



  • 3.  RE: Networks

    Posted 03-04-2012 05:44

    I am trying to get the Backbone zone and the WH zone communicating. Here is the config:

    Any help would be appreciated.

     

    Lew

     
    ## Last changed: 2012-03-04 16:23:14 EST
    version 11.4R1.6;

    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 208.34.243.193/24;
                }
            }
        }

        ge-0/0/3 {
            unit 0 {
                family inet {
                    address 192.168.152.254/24;
                }
            }
        }
        ge-0/0/12 {
            unit 0 {
                family inet {
                    address 192.168.170.254/24;
                }
            }
        }

        st0 {
            unit 1 {
                family inet;
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 208.34.243.192;
            route 192.168.210.0/24 next-hop st0.1;
        }
    }



  • 4.  RE: Networks

    Posted 03-04-2012 05:46

    protocols {
        stp;
    }
    security {
        ike {
            policy ike_pol_Norton_To_Avon {
                mode aggressive;
                proposal-set compatible;
                pre-shared-key ascii-text "$9$6V0B9uOIEclvWREwY4aUD";
            }
            gateway gw_Norton_To_Avon {
                ike-policy ike_pol_Norton_To_Avon;
                address 206.61.xxx.xxx;
                external-interface ge-0/0/0.0;
            }
        }
        ipsec {
            policy ipsec_pol_Norton_To_Avon {
                proposal-set compatible;
            }
            vpn Norton_To_Avon {
                bind-interface st0.1;
                vpn-monitor;
                ike {
                    gateway gw_Norton_To_Avon;
                    ipsec-policy ipsec_pol_Norton_To_Avon;
                }
                establish-tunnels immediately;
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }



  • 5.  RE: Networks

    Posted 03-04-2012 05:47

                rule-set BB2WH {
                    from zone BackBone;
                    to zone WH;
                    rule BB2WH {
                        match {
                            source-address 192.168.170.0/24;
                            destination-address 192.168.152.0/24;
                        }
                        then {
                            source-nat {
                                off;
                            }
                        }
                    }
                }
            }
            static {
                rule-set HJSQL {
                    from zone untrust;
                    rule HJSQL {
                        match {
                            destination-address 208.34.XXX.XXX/32;
                        }
                        then {
                            static-nat prefix 192.168.152.10/32;
                        }
                    }
                }
            }
            proxy-arp {
                interface ge-0/0/0.0 {
                    address {
                        208.34.XXX.XXX/32 to 208.34.XXX.XXX/32;
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone BackBone to-zone untrust {
                policy policy_out_Norton_To_Avon {
                    match {
                        source-address addr_192_168_170_0_24;
                        destination-address addr_192_168_210_0_24;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone BackBone {
                policy policy_in_Norton_To_Avon {
                    match {
                        source-address addr_192_168_210_0_24;
                        destination-address addr_192_168_170_0_24;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0;
                }
            }
            security-zone untrust {
                address-book {
                    address addr_192_168_210_0_24 192.168.210.0/24;
                }
                screen untrust-screen;
                host-inbound-traffic {
                    system-services {
                        ike;
                    }
                }
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                            }
                        }
                    }
                    st0.1;
                }
            }
            security-zone WH {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/3.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone BackBone {
                address-book {
                    address addr_192_168_170_0_24 192.168.170.0/24;
                }
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/12.0;
                }
            }



  • 6.  RE: Networks
    Best Answer

    Posted 03-04-2012 08:03

    Hi,

     

    For communication between the Backbone zone and the WH zone you need security policies from the Backbone zone to the WH zone and vice versa. Currently you do not have any policies permitting this. You have only these 3 policies configured.

     

    a)  from-zone trust to-zone untrust

    b)  from-zone BackBone to-zone untrust

    c) from-zone untrust to-zone BackBone

     

    Create 2 more policies: from the Backbone zone to the WH zone, and from the WH zone to the Backbone zone.

     

    Hope this helps.

     

    Regards,
    Visitor


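    The two missing policies described in the accepted answer (and in reply 2), written out against the zone and address names in the posted config. This is an added example, not part of the thread: the policy names BB_to_WH and WH_to_BB, the WH address-book entry addr_192_168_152_0_24 and the log statements are my choices, not the poster's. The BackBone zone already carries addr_192_168_170_0_24; the WH zone has no address book yet, so one is added there, because with zone-attached address books a policy's source-address must be defined in the from-zone and its destination-address in the to-zone.

```junos
security {
    zones {
        security-zone WH {
            address-book {
                /* added: WH zone had no address book; name is an assumption */
                address addr_192_168_152_0_24 192.168.152.0/24;
            }
        }
    }
    policies {
        /* BackBone (ge-0/0/12.0, 192.168.170.0/24) -> WH (ge-0/0/3.0, 192.168.152.0/24) */
        from-zone BackBone to-zone WH {
            policy BB_to_WH {
                match {
                    source-address addr_192_168_170_0_24;
                    destination-address addr_192_168_152_0_24;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
        /* return direction: sessions opened from WH toward BackBone need their own policy */
        from-zone WH to-zone BackBone {
            policy WH_to_BB {
                match {
                    source-address addr_192_168_152_0_24;
                    destination-address addr_192_168_170_0_24;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
    }
}
```

    Paste it with `load merge terminal` (or the equivalent `set` commands), `commit`, then confirm the lookup hits the new rule with `show security match-policies from-zone BackBone to-zone WH source-ip 192.168.170.10 destination-ip 192.168.152.10 source-port 1024 destination-port 445 protocol tcp` (hosts and ports are placeholders) and watch live sessions with `show security flow session source-prefix 192.168.170.0/24`. Source NAT is not what was blocking this traffic: the only source-NAT rule-set that translates anything is trust-to-untrust, so BackBone-to-WH packets are routed untranslated with or without the BB2WH rule. `application any` mirrors the rest of the posted config; once the warehouse-to-backbone traffic is known, narrow each policy to the applications actually needed.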


  • 7.  RE: Networks

    Posted 03-04-2012 10:22

    I cannot believe I missed that.  Thank you.  This project has me overtired and second guessing myself.