SRX Services Gateway

cs2 (Visitor, Posts: 3, Registered: 08-23-2012)

SRX240 - Security Zones don't seem to work...

Hi all,

I have a lab environment with an SRX240 connected to an EX switch as in the following table:

SRX:                EX:
ge-0/0/6 <-> ge-0/0/6
ge-0/0/7 <-> ge-0/0/7
ge-0/0/8 <-> ge-0/0/8

On the SRX I configured the 3 interfaces as routed interfaces and assigned each to a security zone:

- Inside -> ge-0/0/6 - IP 10.6.0.254/24
- DMZ -> ge-0/0/7 - IP 10.7.0.254/24
- Outside -> ge-0/0/8 - IP 10.8.0.254/24

On the EX switch I configured 3 routing-instances, one for each, with the following IPs:

- Inside-router -> ge-0/0/6 - IP 10.6.0.1/24
- DMZ-router -> ge-0/0/7 - IP 10.7.0.1/24
- Outside-router -> ge-0/0/8 - IP 10.8.0.1/24

and each instance has a default route to the .254 SRX IP.

I'm expecting that by default the deny-all policy blocks any kind of traffic from outside/dmz toward the inside, but I can ping or telnet from the Outside-router EX instance to the Inside-router EX interface.

Attached is the configuration of both devices. Any ideas?

Thanks


mhariry (Recognized Expert, Posts: 287, Registered: 06-01-2011)

Re: SRX240 - Security Zones don't seem to work...

Hi,

Actually, your attached config doesn't show anything: no routing-options on the EX or security policy on the SRX.

You are correct, the default action is deny between zones.

First, make sure communication between the two zones is done through the SRX, not the EX (>show route 10.6.0.1/24 table OUTSIDE-Router at the EX), and make sure it goes through the default route to the SRX.

One more point: are you trying to ping/telnet 10.6.0.1 or 10.6.0.254? If you are trying to ping the SRX itself, you may need host-inbound-traffic under the security zone:

security-zone inside {
    host-inbound-traffic {
        system-services {
            /* every system service is accepted on this zone's interfaces... */
            all;
            /* ...except ping */
            ping {
                except;
            }
            /* ...and telnet */
            telnet {
                except;
            }
        }
    }
}

Regards,

Mohamed

cs2 (Visitor)

Re: SRX240 - Security Zones don't seem to work...

Hi Mohamed, thank you for your reply.

I didn't make any modification to the configuration, but the SRX seems to behave as a router, not as a firewall.

Here are some shows from the EX switch:


lab@SW-EX# run show route

inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.210.14.128/27   *[Direct/0] 1w3d 02:20:51
                    > via me0.0
10.210.14.141/32   *[Local/0] 1w3d 02:20:51
                      Local via me0.0

DMZ-Router.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:00:04
                    > to 10.7.0.254 via ge-0/0/7.0
10.7.0.0/24        *[Direct/0] 00:00:04
                    > via ge-0/0/7.0
10.7.0.1/32        *[Local/0] 00:00:04
                      Local via ge-0/0/7.0

INSIDE-Router.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:00:04
                    > to 10.6.0.254 via ge-0/0/6.0
10.6.0.0/24        *[Direct/0] 00:00:04
                    > via ge-0/0/6.0
10.6.0.1/32        *[Local/0] 00:00:04
                      Local via ge-0/0/6.0

OUTSIDE-Router.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:00:04
                    > to 10.8.0.254 via ge-0/0/8.0
10.8.0.0/24        *[Direct/0] 00:00:04
                    > via ge-0/0/8.0
10.8.0.1/32        *[Local/0] 00:00:04
                      Local via ge-0/0/8.0

{master:0}[edit]
lab@SW-EX#

lab@SW-EX# run traceroute 10.6.0.1 routing-instance OUTSIDE-Router
traceroute to 10.6.0.1 (10.6.0.1), 30 hops max, 40 byte packets
 1  10.8.0.254 (10.8.0.254)  28.599 ms  9.334 ms  9.302 ms
 2  10.6.0.1 (10.6.0.1)  188.147 ms  1.094 ms  1.026 ms

{master:0}[edit]
lab@SW-EX# run traceroute 10.6.0.1 routing-instance DMZ-Router        
traceroute to 10.6.0.1 (10.6.0.1), 30 hops max, 40 byte packets
 1  10.7.0.254 (10.7.0.254)  12.414 ms  11.119 ms  9.927 ms
 2  10.6.0.1 (10.6.0.1)  4.133 ms  1.456 ms  0.899 ms

{master:0}[edit]
lab@SW-EX# run show lldp neighbors
Local Interface    Parent Interface    Chassis Id          Port info          System Name
ge-0/0/6.0         -                   00:26:88:fb:b3:80   ge-0/0/6.0         srx240              
ge-0/0/7.0         -                   00:26:88:fb:b3:80   ge-0/0/7.0         srx240              
ge-0/0/8.0         -                   00:26:88:fb:b3:80   ge-0/0/8.0         srx240              

{master:0}[edit]
lab@SW-EX#

 

As you can see from the traceroute from the routing-instance OUTSIDE-Router, the .254 (SRX) routes without blocking any traffic to the 10.6.0.1 network.

Here are some shows from the SRX side of the default security policy and the security zones assigned:

lab@srx240# run show security policies
Default policy: deny-all

[edit]
lab@srx240# run show security zones       

Functional zone: management
  Policy configurable: No  
  Interfaces bound: 1
  Interfaces:
    ge-0/0/0.0

Security zone: dmz
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes  
  Interfaces bound: 1
  Interfaces:
    ge-0/0/7.0

Security zone: inside
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes  
  Interfaces bound: 1
  Interfaces:
    ge-0/0/6.0

Security zone: outside
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes              
  Interfaces bound: 1
  Interfaces:
    ge-0/0/8.0

Security zone: junos-host
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes  
  Interfaces bound: 0
  Interfaces:

[edit]
lab@srx240#

mhariry (Recognized Expert)

Re: SRX240 - Security Zones don't seem to work...

Hi,

The only thing that makes the SRX work as a router is converting the SRX to packet mode instead of flow mode. Could you please advise if your SRX has this configuration?

SRX1# show security forwarding-options                       
family {
    inet6 {
        mode packet-based;
    }
    iso {
        mode packet-based;
    }
}

Regards,

Mohamed Elhariry

cs2 (Visitor)

Re: SRX240 - Security Zones don't seem to work...

Hi Mohamed,

I checked with the following command:

lab@SXR240# run show security flow status
  Flow forwarding mode:
    Inet forwarding mode: packet based
    Inet6 forwarding mode: drop
    MPLS forwarding mode: packet based
    ISO forwarding mode: drop
  Flow trace status
    Flow tracing status: off

[edit]
lab@SXR240#

I've also checked the initial lab pre-configuration (this is a remote lab) and I see:

lab@SXR240# show security forwarding-options
forwarding-options {
    family {
        mpls {
            mode packet-based;
        }
    }
}

which I suppose changes the mode to packet-based.

I removed the security forwarding-options and then:

lab@SXR240# run show security flow status         
  Flow forwarding mode:
    Inet forwarding mode: packet based (reboot needed to change to flow based)
    Inet6 forwarding mode: drop
    MPLS forwarding mode: packet based (reboot needed to change to drop)
    ISO forwarding mode: drop
  Flow trace status
    Flow tracing status: off

[edit]
lab@SXR240# run request system reboot

lab@SXR240> show security flow status    
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: drop
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
  Flow trace status
    Flow tracing status: off

lab@SXR240>

 

When I create a simple policy from the inside zone to the outside zone with permit all, the ping works as expected. From the outside zone to the inside zone packets are dropped.

I didn't know that removing the forwarding-options under the security config requires a reboot (I started studying SRX a few days ago...).

Thank you very much for your great support
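The end state the thread arrives at, written out as one configuration: flow mode (no packet-based forwarding-options, the root cause found above), ping accepted on the inside and dmz zone interfaces as Mohamed's host-inbound-traffic hint requires for reaching the SRX's own addresses, and the single inside-to-outside permit policy from the last post, with everything else falling through to deny-all. This is an added example, not configuration from either poster or from the attached lab files; the interface names, addresses and zone names are the ones used in the thread, while the policy name, the session-close logging and the choice to expose only ping (not telnet) on the zones are assumptions. Packets addressed to the SRX itself (10.x.0.254) are governed by host-inbound-traffic; transit packets between the EX routing-instances are governed by policies, which is why a deny-all default can coexist with a reachable SRX address.

```junos
interfaces {
    ge-0/0/6 {
        unit 0 {
            family inet {
                address 10.6.0.254/24;
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family inet {
                address 10.7.0.254/24;
            }
        }
    }
    ge-0/0/8 {
        unit 0 {
            family inet {
                address 10.8.0.254/24;
            }
        }
    }
}
security {
    /* deliberately no "forwarding-options family ... mode packet-based": with it the SRX forwards as a plain router and never consults zones or policies */
    /* removing such a statement only takes effect after "request system reboot" (see "show security flow status") */
    zones {
        /* host-inbound-traffic applies to packets addressed to the SRX itself, e.g. ping to 10.6.0.254 */
        security-zone inside {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                ge-0/0/6.0;
            }
        }
        security-zone dmz {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                ge-0/0/7.0;
            }
        }
        /* no host-inbound-traffic here: the SRX does not answer anything on 10.8.0.254 */
        security-zone outside {
            interfaces {
                ge-0/0/8.0;
            }
        }
    }
    policies {
        from-zone inside to-zone outside {
            /* policy name is assumed; the thread only says "permit all" from inside to outside */
            policy inside-to-outside {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
        /* no from-zone outside/dmz to-zone inside context exists, so that direction hits the default */
        default-policy {
            deny-all;
        }
    }
}
```

After committing, `show security flow status` must report `Inet forwarding mode: flow based`; if it still shows `packet based` with a "reboot needed" note, the change to forwarding-options is pending until the reboot and the policies are still bypassed. Once in flow mode, a ping from the OUTSIDE-Router instance to 10.6.0.1 should fail, a ping from INSIDE-Router to 10.8.0.1 should succeed, and the permitted session is visible in `show security flow session`.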

 

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.