SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  could not limit ssh access to internal interface only

    Posted 07-04-2014 04:24

    Hello, I wanted to limit SSH access to users from the internal network (vlan.0 interface) only.

    I had the following configuration for ssh and the security zone:

    services {
        ssh;
    }

    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                vlan.0;
                st0.0;
            }
        }
    }

    Then I deactivated the services ssh statement:

    services {
        inactive: ssh;
    }

    and lost the ssh connection (I'm on the internal network). What did I do wrong?



  • 2.  RE: could not limit ssh access to internal interface only

    Posted 07-04-2014 04:33

    Hi jnsvano,

    System services ssh needs to be there always.

    It should not be removed.

    For ssh, ftp, telnet, http and https connections to the SRX interface IP address, the set system services ssh, ftp, telnet, http and https configuration needs to be there along with the zone system services.

    So when you disabled system services ssh, you lost access to the device.

    Please enable system services ssh for ssh login to work.

    Regards
    rparthi

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too



  • 3.  RE: could not limit ssh access to internal interface only

    Posted 07-04-2014 04:47

    Hello,

    You need the following configuration:

    1. ssh on the system services hierarchy:

    services {
        ssh;
    }

    2. SSH enabled on the trust zone at the interface level:

    security-zone trust {
        interfaces {
            vlan.0 {
                host-inbound-traffic {
                    system-services {
                        /* all includes ssh as well */
                        all;
                    }
                }
            }
            st0.0 {
                host-inbound-traffic {
                    system-services {
                        /* only ping will work */
                        ping;
                    }
                }
            }
        }
    }

    Regards
    rparthi

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too



  • 4.  RE: could not limit ssh access to internal interface only

    Posted 07-04-2014 07:04

    Hello rparthi and thanks for the help.

    I probably understand what is wrong; I have the following:

    security-zone untrust {
        screen untrust-screen;
        host-inbound-traffic {
            system-services {
                ike;
                ssh;
                https;
            }
        }
        interfaces {
            fe-0/0/2.0;
        }
    }

    I probably must delete 'ssh' from 'screen', but how do I do this? When I try to edit 'edit security zones security-zone untrust...' it doesn't show anything about screen options?



  • 5.  RE: could not limit ssh access to internal interface only
    Best Answer

    Posted 07-04-2014 20:56

    Hi jnsvano,

    Run this config line from configuration mode:

    delete security zones security-zone untrust host-inbound-traffic system-services ssh

    This will delete the ssh service for the untrust zone.

    Regards
    rparthi

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too
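    The end state the thread arrives at, written out as an added example that is not from any of the posts above: system services ssh stays enabled (removing it stops the SSH daemon on every interface), SSH is admitted only on vlan.0 inside the trust zone, and the untrust zone no longer lists ssh. Zone, interface and screen names are the ones quoted in the thread; listing only ssh on vlan.0 instead of all is an assumption that tightens what post 3 shows.

```junos
system {
    services {
        /* must stay: this enables the SSH daemon itself, not where it listens */
        ssh;
    }
}
security {
    zones {
        security-zone trust {
            interfaces {
                vlan.0 {
                    host-inbound-traffic {
                        system-services {
                            /* assumption: admit only ssh here rather than all */
                            ssh;
                        }
                    }
                }
                st0.0 {
                    host-inbound-traffic {
                        system-services {
                            /* tunnel interface: ping only, no management */
                            ping;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    /* ike stays for the VPN terminating on fe-0/0/2.0 */
                    ike;
                    /* https was in the original untrust list; ssh is deleted */
                    https;
                }
            }
            interfaces {
                fe-0/0/2.0;
            }
        }
    }
}
```

    Where host-inbound-traffic is set per interface, as above, no zone-level system-services list is needed for that zone.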