SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Understanding SRX Traffic Policy - Policy name: self-traffic-policy/1, Timeout: 4, Valid

    Posted 09-22-2015 06:27

    Gents,

    My apologies if this sounds really silly.

    I have a very basic question. On my SRX I have denied ICMP and I am trying to ping the other device, which is directly connected. Why is ICMP from and to another device allowed?

    I understand that there is a global deny for everything, but still the traffic goes through fine. Am I missing something?

     

    Session ID: 1450, Policy name: self-traffic-policy/1, Timeout: 4, Valid
      In: 12.12.100.3/3 --> 13.13.13.2/41993;icmp, If: .local..0, Pkts: 1, Bytes: 84
      Out: 13.13.13.2/41993 --> 12.12.100.3/3;icmp, If: st0.0, Pkts: 1, Bytes: 84

     

    Regards

    Rakesh M

    https://r2079.wordpress.com

     



  • 2.  RE: Understanding SRX Traffic Policy - Policy name: self-traffic-policy/1, Timeout: 4, Valid

     
    Posted 09-22-2015 06:50

    Hello,

     

    Traffic through the box is governed by security policies.

    Traffic destined to the box is governed by 'host inbound traffic' under security zone.

     

    So if you are pinging to SRX device, host inbound traffic under security zone needs to be configured appropriately to block inbound traffic destined to the box.

     

    Regards,

     

    Rushi



  • 3.  RE: Understanding SRX Traffic Policy - Policy name: self-traffic-policy/1, Timeout: 4, Valid

    Posted 09-22-2015 07:38

    Hi Tilak,

     


    [edit]
    root@srx3# show security zones security-zone vpn
    host-inbound-traffic {
        system-services {
            inactive: ping;
        }
        protocols {
            ospf;
        }
    }
    interfaces {
        st0.0;
        lo0.0;
    }

    [edit]
    root@srx3# show security policies

    [edit]
    root@srx3# run ping 13.13.13.2 rapid
    PING 13.13.13.2 (13.13.13.2): 56 data bytes
    !!!!!
    --- 13.13.13.2 ping statistics ---
    5 packets transmitted, 5 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 9.492/13.165/14.498/1.895 ms

    [edit]
    root@srx3#

     

    ---

     

    My query is: why is the system allowing icmp-echo-reply from the other box, and why is the system allowing me to ping the other box?

     

    Regards

    Rakesh M

    https://r2079.wordpress.com



  • 4.  RE: Understanding SRX Traffic Policy - Policy name: self-traffic-policy/1, Timeout: 4, Valid

     
    Posted 09-22-2015 07:54

    Hello Rakesh,

     

    Can you share the following outputs?

     

    show interface terse

     

    Regards,

     

    Rushi



  • 5.  RE: Understanding SRX Traffic Policy - Policy name: self-traffic-policy/1, Timeout: 4, Valid

    Posted 09-22-2015 08:05
    [edit]
    root@srx3# run show interfaces terse 
    Interface               Admin Link Proto    Local                 Remote
    ge-0/0/0                up    up  
    ge-0/0/0.0              up    up   inet     192.168.3.1/24  
    gr-0/0/0                up    up  
    ip-0/0/0                up    up  
    lsq-0/0/0               up    up  
    lt-0/0/0                up    up  
    mt-0/0/0                up    up  
    sp-0/0/0                up    up  
    sp-0/0/0.0              up    up   inet    
                                       inet6   
    sp-0/0/0.16383          up    up   inet     10.0.0.1            --> 10.0.0.16
                                                10.0.0.6            --> 0/0
                                                128.0.0.1           --> 128.0.1.16
                                                128.0.0.6           --> 0/0
    ge-0/0/1                up    up  
    ge-0/0/1.0              up    up   inet     9.9.103.1/24    
    ge-0/0/2                up    up  
    ge-0/0/3                up    up  
    dsc                     up    up  
    gre                     up    up  
    ipip                    up    up  
    irb                     up    up  
    lo0                     up    up        
    lo0.0                   up    up   inet     13.13.13.3          --> 0/0
    lo0.16384               up    up   inet     127.0.0.1           --> 0/0
    lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                                10.0.0.16           --> 0/0
                                                128.0.0.1           --> 0/0
                                                128.0.0.4           --> 0/0
                                                128.0.1.16          --> 0/0
    lo0.32768               up    up  
    lsi                     up    up  
    mtun                    up    up  
    pimd                    up    up  
    pime                    up    up  
    pp0                     up    up  
    ppd0                    up    up  
    ppe0                    up    up  
    st0                     up    up  
    st0.0                   up    up   inet     12.12.100.3/24  
    tap                     up    up  
    vlan                    up    down
    
    

    Regards

    Rakesh M

    https://r2079.wordpress.com



  • 6.  RE: Understanding SRX Traffic Policy - Policy name: self-traffic-policy/1, Timeout: 4, Valid

     
    Posted 09-22-2015 08:29

    Hello Rakesh,

     

    I think that although there is an implicit deny policy on Juniper SRX for pass-through traffic, there is an implicit allow policy for self traffic.

    When ICMP packets are sent from the SRX, a session is created and the reply packet (echo-reply) matches it.

     

    Can you create a specific policy from zone junos-host to VPN allowing everything except ping & check if it blocks what you want?

     

    Regards,

     

    Rushi



  • 7.  RE: Understanding SRX Traffic Policy - Policy name: self-traffic-policy/1, Timeout: 4, Valid

    Posted 09-22-2015 08:39

    Thanks Rushi, it worked.

     

    root@srx3# show security policies  
    from-zone vpn to-zone vpn {
        policy system_services {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone junos-host to-zone vpn {
        policy block_ping {
            match {
                source-address any;
                destination-address any;
                application junos-ping;
            }
            then {
                reject;
            }
        }
        policy allow_else {                 
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }

    One question though: with the above policy am I blocking icmp-echo-reply? So the inverse will block icmp-echo-request?

     

    Regards

    Rakesh M

    https://r2079.wordpress.com



  • 8.  RE: Understanding SRX Traffic Policy - Policy name: self-traffic-policy/1, Timeout: 4, Valid
    Best Answer

     
    Posted 09-22-2015 08:44

    Hello Rakesh,

     

    I am glad it worked.

    With the policy from junos-host to VPN, you are blocking the ICMP echo request that is trying to go out.

    The reverse policy or host-inbound-traffic under the zone can block ICMP echo requests destined to the firewall interface.

     

    Regards,

     

    Rushi
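The two control points Rushi describes in posts 6 and 8, written out as a set-format configuration. This is an added example, not configuration from the thread; it reuses the zone name vpn, the interface st0.0 and the peer address 13.13.13.2 from the posts, and the policy names block_ping and allow_else are illustrative. Lines starting with # are annotations, not Junos commands.

```junos
# Added example (not from the thread): stopping ping in both directions on an SRX.

# 1. Traffic TO the box is governed by host-inbound-traffic on the zone, not by
#    security policies. Removing "ping" from system-services drops echo-requests
#    aimed at the SRX's own addresses in the vpn zone (the thread deactivated it;
#    deleting it has the same effect). OSPF stays permitted for the neighbour.
set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn host-inbound-traffic protocols ospf
delete security zones security-zone vpn host-inbound-traffic system-services ping

# 2. Traffic FROM the box is governed by policies from the junos-host zone. With no
#    explicit policy the session lands on self-traffic-policy/1 and is permitted, as
#    the session in the first post shows. An explicit deny for junos-ping takes over
#    for outbound echo-requests; the echo-reply never needs its own rule, because it
#    matches the session the request created.
set security policies from-zone junos-host to-zone vpn policy block_ping match source-address any
set security policies from-zone junos-host to-zone vpn policy block_ping match destination-address any
set security policies from-zone junos-host to-zone vpn policy block_ping match application junos-ping
set security policies from-zone junos-host to-zone vpn policy block_ping then deny
set security policies from-zone junos-host to-zone vpn policy block_ping then log session-init

# Everything else the box originates into vpn remains allowed, matching the
# behaviour the implicit self-traffic policy gave before.
set security policies from-zone junos-host to-zone vpn policy allow_else match source-address any
set security policies from-zone junos-host to-zone vpn policy allow_else match destination-address any
set security policies from-zone junos-host to-zone vpn policy allow_else match application any
set security policies from-zone junos-host to-zone vpn policy allow_else then permit

# 3. Verify after commit: the outbound ping should fail, no session should exist for
#    the peer, and the block_ping policy counter should increment.
run ping 13.13.13.2 rapid count 5
run show security flow session destination-prefix 13.13.13.2
run show security policies from-zone junos-host to-zone vpn detail
```

Ordering matters: block_ping must sit above allow_else in the junos-host to vpn context, since policies are evaluated top down and allow_else matches any application. Post 7 already has them in that order; if you add the deny later, use `insert ... policy block_ping before policy allow_else`.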



  • 9.  RE: Understanding SRX Traffic Policy - Policy name: self-traffic-policy/1, Timeout: 4, Valid

    Posted 09-22-2015 09:07

    Thanks man!

     

    Cheers