SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX240 (HA) issue (RETH interface)

    Posted 11-21-2012 01:34

    Hi,

    I'd appreciate it if anyone could point me in the right direction :). I have configured HA based on article KB15504. My problem/question right now: I could not ping the assigned IP address on the reth interface for my trust zone. Is that normal?

    Note: I have also created a policy to allow everything (application/traffic) for this zone.

    Thanks and best regards,

    Dennis



  • 2.  RE: SRX240 (HA) issue (RETH interface)

    Posted 11-21-2012 01:51

    Hi,

    No, you should be able to ping your SRX reth interface in the trust zone as long as the system service allows it. It would be better to paste your configuration so we can have a look at it.

    Regards,

    Mohamed



  • 3.  RE: SRX240 (HA) issue (RETH interface)

    Posted 11-21-2012 01:53

    Hi,

    It is not normal. You should be able to ping the reth interface IP. Just check that you have associated the reth interface with a zone correctly and, most importantly, that you have ping in the host-inbound-traffic system-services setting at either the zone level or the reth interface level.



  • 4.  RE: SRX240 (HA) issue (RETH interface)

    Posted 11-21-2012 22:57

    Hi Pradeep,

    Below is the config I have for the interface, zone and policy for the reth0 interface:


    reth0 {
        description "Trusted Zone Link";
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                filter {
                    input FILTER_ISPs;
                }
                address 90.1.1.137/11;
            }
        }                                   
    }
    
    -------------------------------------------------------
    security-zone trust {
        host-inbound-traffic {
            system-services {
                all;
            }
        }
        interfaces {
            reth0.0;
        }
    }
    
    -------------------------------------------------------
    from-zone trust to-zone trust {
        policy allow-trust-to-trust {
            match {
                source-address any;
                destination-address any;
                application any;
            }                               
            then {
                permit;
            }
        }
    }

    Based on the above config, I am not quite sure if this is correct in order to ping my reth0 interface. As you can see, I just permitted everything.

    Best regards,

    Dennis



  • 5.  RE: SRX240 (HA) issue (RETH interface)

    Posted 11-22-2012 00:01

    Hi Dennis,

    Yes, your configuration seems to be fine, just two comments.

    1- Are you trying to ping from the LAN subnet (90.1.1.137/11) or from another subnet / zone?

    2- Check that this firewall filter is not blocking ping traffic, and also whether there is a firewall filter on the lo0 interface, if it exists. Most probably it is because of the firewall filter.

    Regards,

    Mohamed



  • 6.  RE: SRX240 (HA) issue (RETH interface)

    Posted 11-22-2012 22:13

    Hi Mohamed,

    Yes, I'm trying to ping from the same LAN subnet. What do you mean by "probably my firewall filter"? Is there any way that I can ping this kind of interface? Do you have any article I can read so I can re-test my configuration for this matter?

    Thank you Mohamed.

    Cheers,

    Dennis



  • 7.  RE: SRX240 (HA) issue (RETH interface)

    Posted 11-23-2012 03:32

    Hi,

    I can see a firewall filter applied on the interface. Could you paste the output of # show firewall?

    Regards,

    Mohamed



  • 8.  RE: SRX240 (HA) issue (RETH interface)

    Posted 11-30-2012 02:09

    Hi Mohamed,

    Please see below the firewall filter I have for this matter:


    root@240CC-DC01# show firewall 
    filter FILTER_ISPs {
        term T1 {
            from {
                source-address {
                    90.1.0.0/16;
                }
            }
            then {
                routing-instance routing-table-ISP1;
            }
        }
        term T3 {
            from {
                source-address {
                    192.168.1.0/24;
                }
            }
            then {
                routing-instance routing-table-ISP1;
            }
        }
        term default {
            then {
                routing-instance routing-table-ISP2;
            }
        }
    }




  • 9.  RE: SRX240 (HA) issue (RETH interface)
    Best Answer

    Posted 11-30-2012 02:38

    Hi,

    Can you add a term to your filter to allow ping traffic on the interface:

    set firewall filter FILTER_ISPs term permit_ping from destination-address 90.1.1.137/32
    set firewall filter FILTER_ISPs term permit_ping then accept

    insert firewall filter FILTER_ISPs term permit_ping before term T1

    commit


    Mohamed Elhariry


    JNCIE-M/T # 1059, CCNP & CCIP

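The accepted fix works because Junos evaluates filter terms in order and the first match wins: term T1 catches anything sourced from 90.1.0.0/16 and hands it to routing-table-ISP1, so an echo request aimed at the reth0 address never reaches a plain accept. The Python below is an added model of that ordering written for this thread (not Juniper code); the packet addresses are constructed, and the implicit discard at the end of the term list mirrors Junos filter behaviour.

```python
"""Model of Junos firewall-filter term evaluation (first match wins),
added to illustrate the thread's fix. Not Juniper code; packet
addresses below are constructed for the example."""
from ipaddress import ip_address, ip_network

# FILTER_ISPs as posted in the thread: (term name, 'from' match, 'then' action).
# A match of None means the term has no 'from' clause and matches everything.
FILTER_ISPS = [
    ("T1", {"source-address": "90.1.0.0/16"}, ("routing-instance", "routing-table-ISP1")),
    ("T3", {"source-address": "192.168.1.0/24"}, ("routing-instance", "routing-table-ISP1")),
    ("default", None, ("routing-instance", "routing-table-ISP2")),
]

RETH0_IP = "90.1.1.137"  # address on reth0.0 from the posted config


def term_matches(match, pkt):
    """Every listed 'from' condition must hold for the term to match."""
    if match is None:
        return True
    for key, prefix in match.items():
        field = "src" if key == "source-address" else "dst"
        if ip_address(pkt[field]) not in ip_network(prefix):
            return False
    return True


def evaluate(filter_terms, pkt):
    """Return (term name, action) of the first matching term, or the
    implicit discard a Junos filter applies when no term matches."""
    for name, match, action in filter_terms:
        if term_matches(match, pkt):
            return name, action
    return "implicit", ("discard", None)


def insert_before(filter_terms, new_term, before_name):
    """Equivalent of 'insert firewall filter ... term X before term Y'."""
    idx = [t[0] for t in filter_terms].index(before_name)
    return filter_terms[:idx] + [new_term] + filter_terms[idx:]


# The accepted answer: accept traffic to the reth0 address, placed before T1.
PERMIT_PING = ("permit_ping", {"destination-address": RETH0_IP + "/32"}, ("accept", None))
FIXED_FILTER = insert_before(FILTER_ISPS, PERMIT_PING, "T1")

# Constructed echo request from a LAN host to the reth0 address.
PING_TO_RETH0 = {"src": "90.1.1.10", "dst": RETH0_IP}

if __name__ == "__main__":
    print("before:", evaluate(FILTER_ISPS, PING_TO_RETH0))   # T1 -> routing-table-ISP1
    print("after: ", evaluate(FIXED_FILTER, PING_TO_RETH0))  # permit_ping -> accept
```

Appending permit_ping at the end of the filter instead of inserting it before T1 would change nothing, which is why the `insert ... before term T1` step is essential.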



  • 10.  RE: SRX240 (HA) issue (RETH interface)

    Posted 12-18-2012 19:38

    Hi Mohamed,

    Sorry for the late reply. The solution you suggested works :)

    Thank you very much for your help Mohamed! I really appreciate it.

    Thanks again.



  • 11.  RE: SRX240 (HA) issue (RETH interface)

    Posted 12-04-2012 12:53

    @dennis.ramos wrote:

    Hi Pradeep,

    Below is the config I have for the interface, zone and policy for the reth0 interface:


    reth0 {
        description "Trusted Zone Link";
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                filter {
                    input FILTER_ISPs;
                }
                address 90.1.1.137/11;
            }
        }                                   
    }
    
    -------------------------------------------------------
    security-zone trust {
        host-inbound-traffic {
            system-services {
                all;
            }
        }
        interfaces {
            reth0.0;
        }
    }
    
    -------------------------------------------------------
    from-zone trust to-zone trust {
        policy allow-trust-to-trust {
            match {
                source-address any;
                destination-address any;
                application any;
            }                               
            then {
                permit;
            }
        }
    }


    Based on the above config, I am not quite sure if this is correct in order to ping my reth0 interface. As you can see, I just permitted everything.

    Best regards,

    Dennis


    Are you sure you wanted to configure a /11 on your interface? That seems awfully large for one subnet.