Hello,
I have an SRX210b running 11.2R3.3 on which I'm having a policy issue between 2 VLANs.
In this case it's my DMZ and Internal VLANs, and the default rule is that the DMZ can't talk to anything Internal. There are two exceptions to this (specific ports on specific hosts); one is working as expected, but the newer one is still blocked even though (as far as I can tell) it is set up identically. I know the target host and service are working, as I can hit them fine from other hosts on the Internal VLAN.
Relevant zones:
security-zone dmz {
    tcp-rst;
    address-book {
        address server X.X.X.2/32;
    }
    interfaces {
        vlan.2 {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
        }
    }
}
security-zone internal {
    tcp-rst;
    address-book {
        address dvr X.X.Y.30/32;
        address camera1 X.X.Y.40/32;
    }
    interfaces {
        lo0.0 {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
        }
        vlan.4 {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
        }
    }
}
Relevant policy:
from-zone dmz to-zone internal {
    policy dvr-fetch {
        match {
            source-address server;
            destination-address dvr;
            application my-web;
        }
        then {
            permit;
        }
    }
    policy camera-fetch {
        match {
            source-address server;
            destination-address camera1;
            application my-web;
        }
        then {
            permit;
        }
    }
    policy default-deny {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            deny;
        }
    }
}
Note that 'my-web' contains the TCP ports 80 and 443.
The 'dvr-fetch' rule is working fine as the server continues to talk to the DVR as expected. The 'camera-fetch' rule is the one that is not working.
Anyone see what I've done wrong?
Thanks,
-dave
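To check on paper what the policy order in the post should do, here is an added Python example (not part of the post or of Junos): it parses the address-book entries and the from-zone dmz to-zone internal policies into a first-match evaluator, using RFC 5737 documentation addresses in place of the masked X.X.* octets and assuming my-web is exactly TCP 80 and 443 as stated.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed from the post's address books and policies; the masked
# X.X.* octets are replaced with RFC 5737 documentation addresses.
CONFIG = """
security-zone dmz { address-book { address server 192.0.2.2/32; } }
security-zone internal { address-book {
    address dvr 198.51.100.30/32; address camera1 198.51.100.40/32; } }
from-zone dmz to-zone internal {
    policy dvr-fetch { match { source-address server; destination-address dvr;
        application my-web; } then { permit; } }
    policy camera-fetch { match { source-address server; destination-address camera1;
        application my-web; } then { permit; } }
    policy default-deny { match { source-address any; destination-address any;
        application any; } then { deny; } }
}
"""
# Assumed application definition: the post says my-web is TCP 80 and 443.
APPLICATIONS = {"my-web": {("tcp", 80), ("tcp", 443)}}

# 'address <name> <prefix>;' but not 'source-address'/'destination-address'
ADDRESS = re.compile(r"(?<![\w-])address (\S+) ([\d./]+);")
POLICY = re.compile(
    r"policy (\S+) \{\s*match \{\s*source-address (\S+);\s*destination-address (\S+);"
    r"\s*application (\S+);\s*\}\s*then \{\s*(\w+);", re.S)

def parse_address_book(cfg):
    """Map address-book names to networks (both zones share one flat map here)."""
    return {name: ip_network(prefix) for name, prefix in ADDRESS.findall(cfg)}

def parse_policies(cfg):
    """Return (name, src, dst, app, action) tuples in configured order."""
    return [m.groups() for m in POLICY.finditer(cfg)]

def addr_matches(term, ip, book):
    return term == "any" or ip_address(ip) in book[term]

def app_matches(app, proto, port):
    return app == "any" or (proto, port) in APPLICATIONS[app]

def lookup(cfg, src, dst, proto, port):
    """First-match evaluation, as the SRX walks the policy list top to bottom."""
    book = parse_address_book(cfg)
    for name, s, d, app, action in parse_policies(cfg):
        if addr_matches(s, src, book) and addr_matches(d, dst, book) and app_matches(app, proto, port):
            return name, action
    return None, "deny"  # nothing matched: implicit default deny

if __name__ == "__main__":
    for flow in [("192.0.2.2", "198.51.100.40", "tcp", 80),
                 ("192.0.2.2", "198.51.100.40", "tcp", 22),
                 ("192.0.2.9", "198.51.100.30", "tcp", 443)]:
        print(flow, "->", lookup(CONFIG, *flow))
```

If the evaluator permits the camera flow but the box still drops it, the policy text as pasted is not the problem; compare what is actually committed with `show security policies from-zone dmz to-zone internal detail` and watch for the session with `show security flow session destination-prefix <camera1 address>`.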