SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX default-deny

    Posted 10-15-2013 16:32

    Hello

    I am initiating a source ping from an interface configured on the SRX and am still able to ping a network on the other firewall, although there is no policy configured and default-deny is also there:

    SRXA# run ping 192.168.6.1 interface fe-0/0/1.0
    PING 192.168.6.1 (192.168.6.1): 56 data bytes
    64 bytes from 192.168.6.1: icmp_seq=0 ttl=64 time=3.553 ms
    64 bytes from 192.168.6.1: icmp_seq=1 ttl=64 time=2.923 ms
    64 bytes from 192.168.6.1: icmp_seq=2 ttl=64 time=2.854 ms

    SRXA# run show security policies
    Default policy: deny-all

    SRXA# run show route

    inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0 *[Static/5] 1d 00:23:37
    > to 192.168.10.101 via fe-0/0/0.0

    SRXA# run show security zones detail

    Security zone: lab
    Send reset for non-SYN session TCP packets: Off
    Policy configurable: Yes
    Interfaces bound: 1
    Interfaces:
    fe-0/0/1.0

    Security zone: untrust

    Send reset for non-SYN session TCP packets: Off
    Policy configurable: Yes
    Interfaces bound: 1
    Interfaces:
    fe-0/0/0.0

    Hostname: SRXA
    Model: srx110h-va
    JUNOS Software Release [11.4R7.5]

    How is the SRX allowing interzone traffic on the same firewall without any policy? I don't have physical access to the firewalls now, that's why I'm doing an interface ping.

    Regards

    Kashif


  • 2.  RE: SRX default-deny

    Posted 10-15-2013 16:46

    You're not showing all 8 routes, only the default. You don't show what IP addresses are configured, or where. If you're pinging out fe-0/0/1.0, I'd guess it's direct, so you're not crossing zones.



  • 3.  RE: SRX default-deny

    Posted 10-15-2013 16:47

    If you loaded the factory default for the SRX, it will allow all outgoing and block all incoming initiated from outside. You should get the ping response, because it was initiated from inside and a session was created. But without seeing your configuration, that sounds about right.



  • 4.  RE: SRX default-deny

    Posted 10-15-2013 17:07

    Thanks for the reply guys. Pasting my configs. These are lab units, so you will find other stuff in them as well. Sorry about that.

    SRXA:

    cash@SRXA# run ping 192.168.6.1 interface fe-0/0/1.0
    PING 192.168.6.1 (192.168.6.1): 56 data bytes
    64 bytes from 192.168.6.1: icmp_seq=0 ttl=64 time=3.555 ms
    64 bytes from 192.168.6.1: icmp_seq=1 ttl=64 time=2.953 ms
    64 bytes from 192.168.6.1: icmp_seq=2 ttl=64 time=3.167 ms
    64 bytes from 192.168.6.1: icmp_seq=3 ttl=64 time=3.015 ms
    64 bytes from 192.168.6.1: icmp_seq=4 ttl=64 time=3.059 ms
    ^C
    --- 192.168.6.1 ping statistics ---
    5 packets transmitted, 5 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 2.953/3.150/3.555/0.214 ms

    [edit]
    cash@SRXA# run show configuration | no-more
    ## Last commit: 2013-10-16 10:56:15 EST by cash
    version 11.4R7.5;
    system {
        host-name SRXA;
        domain-name home;
        time-zone Australia/Sydney;
        authentication-order password;
        root-authentication {
            encrypted-password "$1$hWOIb5sU$kwUOemox9pp1OV/LWOUCN."; ## SECRET-DATA
        }
        name-server {
            208.67.222.222;
            208.67.220.220;
        }
        radius-server {
            192.168.1.110 {
                secret "$9$pcaRuBRhclXNbEc7Vbwg45QznCu"; ## SECRET-DATA
                source-address 192.168.1.100;
            }
        }
        login {
            retry-options {
                tries-before-disconnect 6;
                lockout-period 15;
            }
            class admin {
                permissions [ configure security security-control ];
                allow-configuration-regexps [ "security nat" "security utm" "security ike" "security idp" ];
            }
            class super-user-local {
                idle-timeout 5;
            }
            class support {
                access-start "17:30:00 +1100";
                access-end "02:30:00 +1100";
                permissions view;
                allow-commands "(show interfaces terse)|(show system uptime)|(exit)";
                deny-commands .*;
            }
            user admin {
                uid 2002;
                class admin;
                authentication {
                    encrypted-password "$1$xNSBs.fE$UBYwa/qlE1rG6vzo9ItgR."; ## SECRET-DATA
                }
            }
            user cash {
                uid 2000;
                class super-user;
                authentication {
                    encrypted-password "$1$R.r2Y14E$BGjO7C0Qhdh6KCHrxiHMB0"; ## SECRET-DATA
                }
            }
            user noc {
                uid 2001;
                class support;
                authentication {
                    encrypted-password "$1$NrPoV3qz$zpXRFchj0hehF1gAZYkAk1"; ## SECRET-DATA
                }
            }
            user remote {
                uid 2003;
                class read-only;
            }
            user remote-template-2 {
                uid 2004;
                class super-user;
            }
        }
        services {
            ssh {
                root-login deny;
            }
            xnm-clear-text;
            web-management {
                http {
                    interface [ vlan.0 fe-0/0/0.0 ];
                }
                https {
                    system-generated-certificate;
                    interface [ vlan.0 fe-0/0/0.0 ];
                }
            }
        }
        syslog {
            file traffic {
                user info;
                match RT_FLOW;
                archive size 1000k world-readable;
                structured-data;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ntp {
            boot-server 216.234.161.11;
            server 78.46.194.186 version 4;
            server 216.234.161.11 prefer;
            server 204.2.134.164;
        }
    }
    interfaces {
        fe-0/0/0 {
            unit 0 {
                family inet {
                    address 192.168.10.100/24;
                }
            }
        }
        fe-0/0/1 {
            unit 0 {
                family inet {
                    address 192.168.5.1/24;
                }
            }
        }
        fe-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        pt-1/0/0 {
            unit 0;
        }
        lo0 {
            unit 0;
        }
        vlan {
            unit 0 {
                family inet {
                    address 192.168.1.100/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 192.168.10.101;
        }
    }
    security {
        log {
            mode event;
        }
        policies {
            default-policy {
                deny-all;
            }
        }
        zones {
            security-zone trust {
                address-book {
                }
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone untrust {
                host-inbound-traffic {
                    system-services {
                        ssh;
                    }
                }
                interfaces {
                    fe-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                tftp;
                            }
                        }
                    }
                }
            }
            security-zone lab {
                address-book {
                }
                interfaces {
                    fe-0/0/1.0;
                }
            }
            security-zone vpn;
        }
    }
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
    }

    _________________________________________

    SRXB

    cash@SRXB> show configuration | no-more
    ## Last commit: 2013-10-16 10:12:58 EST by cash
    version 11.4R7.5;
    system {
        host-name SRXB;
        time-zone Australia/Sydney;
        root-authentication {
            encrypted-password "$1$ky7yZwbR$YQxz2ift4sxOP9PbDwxkD0"; ## SECRET-DATA
        }
        name-server {
            208.67.222.222;
            208.67.220.220;
        }
        login {
            user cash {
                uid 2000;
                class super-user;
                authentication {
                    encrypted-password "$1$kfl.chBM$/CAZzMEI12bEQ1yzVlpF0/"; ## SECRET-DATA
                }
            }
        }
        services {
            ssh {
                root-login deny;
            }
            xnm-clear-text;
            web-management {
                http {
                    interface vlan.0;
                }
                https {
                    system-generated-certificate;
                    interface vlan.0;
                }
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
            file traffic {
                user info;
                match RT_FLOW;
                archive size 1000k world-readable;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ntp {
            boot-server 216.234.161.11;
            server 216.234.161.11 prefer;
            server 78.46.194.186 version 4;
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 192.168.10.101/24;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family inet {
                    address 192.168.6.1/24;
                }
            }
        }
        fe-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        lo0 {
            unit 0;
        }
        vlan {
            unit 0 {
                family inet {
                    address 192.168.1.101/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 192.168.1.1;
            route 192.168.5.0/24 next-hop 192.168.10.100;
        }
    }
    security {
        log {
            mode event;
        }
        nat {
            source {
                rule-set srxAnat {
                    from zone untrust;
                    to zone trust;
                    rule r1 {
                        match {
                            source-address [ 1.1.1.1/32 192.168.10.100/32 ];
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone untrust to-zone lab {
                policy untrustotlab {
                    match {
                        source-address srxa;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
            }
        }
        zones {
            security-zone trust {
                address-book {
                }
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0;
                }
            }
            security-zone untrust {
                address-book {
                    address srxa 192.168.5.0/24;
                }
                host-inbound-traffic {
                    system-services {
                        ping;
                    }
                }
                interfaces {
                    ge-0/0/0.0;
                }
            }
            security-zone lab {
                host-inbound-traffic {
                    system-services {
                        ping;
                    }
                }
                interfaces {
                    ge-0/0/1.0;
                }
            }
            security-zone vpn;
        }
    }
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
    }

    Thanks



  • 5.  RE: SRX default-deny

    Posted 10-15-2013 17:21

    "ge-0/0/1 {
    unit 0 {
    family inet {
     address 192.168.6.1/24;"

    You seem to be doing something unnatural. You're pinging yourself, and expecting it to be blocked? I'd be worried about why it's taking milliseconds to ping yourself. 🙂

    (Protip: when pasting a config, switch to the HTML tab, and surround it with <pre> and </pre> tags. That will maintain the indentation and make it much easier to read.)



  • 6.  RE: SRX default-deny

    Posted 10-15-2013 17:27

    Hi Mike

    Thanks for the reply.

    You read 192.168.6.1 from the SRXB config... I am doing the ping from SRXA 🙂

    There are two configs in the post.

    Cheers



  • 7.  RE: SRX default-deny
    Best Answer

    Posted 10-15-2013 17:57

    On SRXB you are allowing ping on the ge-0/0/1 interface under the security zone untrust hierarchy. If pinging from SRXA to the SRXB ge-0/0/1 interface, SRXA will allow outbound traffic by default if initiated from the device's interface. It creates the session and allows the response. If SRXB were to ping SRXA it should not work based on the lab zone config on SRXA.


  • 8.  RE: SRX default-deny

    Posted 10-15-2013 18:20

    Yes, it seems that the SRX allows outbound traffic if initiated from the interface. I was expecting a deny behaviour since ScreenOS denies interface-initiated traffic as well if an appropriate policy is not configured.



  • 9.  RE: SRX default-deny

    Posted 11-04-2013 16:49

    Update to this:

    You are supposed to use the junos-host zone to control traffic initiated from or destined to interfaces present on the firewall.

    Cheers
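The accepted answer and the update above say that traffic the SRX itself originates is permitted without a zone policy, and that the junos-host zone is where such self-traffic is controlled. As an added example that is not from the thread, here is how SRXA could get the ScreenOS-style behaviour the original poster expected: self-originated traffic into the lab zone is denied and logged, and only ping is accepted from lab towards the box. The zone names are the thread's; the policy names are made up.

```junos
## Added example (not from the thread): junos-host zone policies for SRXA.
## Zone names (lab) come from the posted config; policy names are made up.
security {
    policies {
        ## Traffic the SRX itself originates towards the lab zone, such as
        ## "run ping 192.168.6.1 interface fe-0/0/1.0" from the CLI.
        ## Without a junos-host policy this is permitted regardless of
        ## default-policy deny-all; with one, the policy decides.
        from-zone junos-host to-zone lab {
            policy deny-self-to-lab {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                    }
                }
            }
        }
        ## Traffic from the lab zone destined to the SRX's own interfaces.
        ## The zone's host-inbound-traffic settings are still evaluated,
        ## so ping must also be listed there for this to be reachable.
        from-zone lab to-zone junos-host {
            policy allow-ping-to-self {
                match {
                    source-address any;
                    destination-address any;
                    application junos-ping;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

After commit, `run show security policies from-zone junos-host to-zone lab` lists the policy, and repeating the source ping from fe-0/0/1.0 should now fail, with the denied session logged to the RT_FLOW traffic file already configured on SRXA.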