SRX

I'm sure it's something that I'm unfamiliar with but I've created a new vlan following the instructions at http://kb.juniper.net/index?page=content&id=KB16667&pmv=print and added ports ge-0/0/8-11 to the vlan. I have a laptop on port 8 with the firewall disabled and I'm still on the default vlan with my personal laptop and I can't ping across the vlans. I've attached the config below.  Both laptops can ping their respective gateways.

**Update**

From the CLI attaching through 192.168.1.1, I can ping the laptop on vlan-100 @ 192.168.37.40. I just can't ping from laptop to laptop.

Attachment(s)

srx240config.txt   4 KB 1 version

From the laptop , can you ping the ip of the other vlan  layer3 interface ?

no, I can ping my own gateway but I can't hit the other interface from my laptop.

You are connetced to port 8 & which port ?

can you ping  :  ping ip-of-vlan-100  source  ip-of-vlan-3

My main laptop (#1) is plugged into port 4 which is still part of the default vlan. It's IP address is 192.168.1.2/24 with a gateway of 192.168.1.1. The other laptop (#2) is plugged into port 8 which is part of the new vlan I created. It's IP address is 192.168.37.40/24 with a gateway of 192.168.37.1.  

From the CLI I ran the following and received responses from both of them.

ping 192.168.37.1

& 

ping 192.168.37.1 source 192.168.1.1 

we can check what is the debug output saying , follow the below configuration :

SRX1#show security flow
traceoptions {
    file Flow-Of-Packet;
    flag basic-datapath;
    packet-filter filter1 {
        source-prefix   X.X.X.X/32 destination-prefix Y.Y.Y.Y/32;  ~~~~~~~~  ips of laptops

SRX1# run clear log Flow-Of-Packet

now , initiate the ping  for few seconds   then stop it  

SRX1#run show log Flow-Of-Packet  ~~~~~~~~~~  get that output  

ok, I'm assuming you want me to run the ping from laptop 1 and ping laptop 2 right?

Also before the debug , try ping at the reverse direction & make sure that antivirus is disabled on the PC

I've got a persistent ping going from both. antivirus and firewall are disabled on both.

ok, I'm enough of a newb to JUNOS that I apparently have no idea how to run this debug. Could you spell it out for the kindergarten student please.

SRX1#edit security flow
           #set traceoptions file Flow-Of-Packet;    
                                            flag basic-datapath;
                                             packet-filter filter1 source-prefix   X.X.X.X/32 destination-prefix Y.Y.Y.Y/32; 
        

SRX1# run clear log Flow-Of-Packet

now , initiate the ping  for few seconds   then stop it  

SRX1#run show log Flow-Of-Packet  ~~~~~~~~~~  get that output  

Thanks for not making fun of the special ed. student. Here is the log file.

Attachment(s)

FOP.txt   39 KB 1 version

It looks like clients off vlan-trust are getting dhcp addresses for 192.168.1.0/24 but you have no dhcp setup for vlan-100 192.168.37.0/24 so I wonder how is the PC off port 8 setup? Does it have a default gateway set?

yes, dhcp is still setup to the default config for vlan.0 and I've hard set laptop #2 on vlan.100 with the 37.40 address and the default gateway of 37.1

At the debug , you will find the below line :

packet dropped, denied by policy

that happens after searching policies  from zone trsut to zone trsut

try configuring a policy from trust to trust  allowing any

That did it. I think default config in screenOS was trust to trust was already allowed and you only needed to configure from one zone to another.  Thanks for the help.

hmmm, according to http://kb.juniper.net/KB16553 there should be a default factory policy of trust to trust - permit. I restored to factory default and verified it's not there. I wonder if something's changed since the article has been written. Thanks for your help again.

I'm reading this and trying to remember why I set up a virtual router for each vlan. I thought it was because I couldn't route between vlans, but I don't remember.  This post makes it sound as though I didn't need to.

yeah, you probably had the same thing I did. The documentation says there should be a default trust to trust allow all policy but there wasn't one on my box. I had to create it and traffic started flowing between vlans.

Well, on mine I put the vlans in separate zones. So perhaps I needed the virtual router to traverse zones

I don't think so. I'm pretty sure your security policies restrict the flow of traffic. Unless you have some  ACLs between the routers.

Hmm, that's probably it. I didn't create any policies until I created virtual routers, as it's a part of the virtual router how-to. Basically it has you create routing instances on interfaces in your vlans (e.g. dmz-router,internal-router), create policy-options such as 'from instance internal-router then accept' and then apply those policy-options to the other router, and then finally create a policy that allows selected traffic between the zones.

If my l3-interface on each vlan automatically knows how to get to IPs on other vlans simply by applying a policy, then that would simplify things, I'll have to save my config and try that.  Thanks.