SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  first time SRX user - initial config help

    Posted 11-09-2015 06:42

    I am attempting to set up security and routing policies to allow traffic to flow from a control system console to a plc through the SRX240H, but I have had no luck getting traffic to pass through the router. This is what I have set up so far:

    PLC IP address: 192.168.1.10/24 -> ge-0/0/2.0 IP address 192.168.1.2/24

    Console IP address: 192.168.1.30/24 -> ge-0/0/3.0 IP address 192.168.1.3/24

    my security zones are as follows:

    security-zone plc {
        interfaces {
            ge-0/0/2.0;
        }
    }
    security-zone console {
        interfaces {
            ge-0/0/3.0;
        }
    }

    my security policies are as follows:

    from-zone plc to-zone console {
        policy plc-to-console {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone console to-zone plc {
        policy console-to-plc {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }

    How do I configure the SRX to allow all traffic to route between ge-0/0/2.0 and ge-0/0/3.0?



  • 2.  RE: first time SRX user - initial config help

    Posted 11-09-2015 09:12

    Hi,

    I think you are missing some important points.

    Could you share the output of show interfaces and show route?
    Or simply the output of show configuration.



  • 3.  RE: first time SRX user - initial config help

    Posted 11-09-2015 09:35

    Here is the device configuration. Some of the default configuration remains in my configuration, but is unneeded.


    ## Last changed: 2015-11-10 01:03:27 GMT
    version 12.1X44-D30.4;
    system {
        host-name KGCSFW;
        time-zone GMT;
        root-authentication {
            encrypted-password "$1$jwiS5ZWX$ToXHwppTzql/EazhHlAkD0";
        }
        name-server {
            208.67.222.222;
            208.67.220.220;
        }
        name-resolution {
            no-resolve-on-input;
        }
        services {
            ssh;
            telnet;
            web-management {
                http {
                    interface vlan.1;
                }
                https {
                    system-generated-certificate;
                    interface vlan.1;
                }
                session {
                    idle-timeout 60;
                }
            }
            dhcp {
                pool 192.168.1.0/24 {
                    address-range low 192.168.1.2 high 192.168.1.254;
                    router {
                        192.168.1.1;
                    }
                }
                propagate-settings ge-0/0/0;
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ntp {
            server us.ntp.pool.org;
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    dhcp;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family inet {
                    address 192.168.1.2/24;
                }
            }
        }
        ge-0/0/3 {
            unit 0 {
                family inet {
                    address 192.168.1.3/24;
                }
            }
        }
        vlan {
            unit 1 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
        }
    }
    protocols {
        stp;
    }
    security {
        address-book {
            global {
                address console {
                    wildcard-address 192.168.1.30/24;
                }
                address plc {
                    wildcard-address 192.168.1.10/24;
                }
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set nsw_srcnat {
                    from zone Internal;
                    to zone Internet;
                    rule nsw-src-interface {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone Internal to-zone Internet {
                policy All_Internal_Internet {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone plc to-zone console {
                policy plc-to-console {
                    match {
                        source-address plc;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone console to-zone plc {
                policy console-to-plc {
                    match {
                        source-address console;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone Internal {
                interfaces {
                    vlan.1 {
                        host-inbound-traffic {
                            system-services {
                                all;
                                http;
                                https;
                                ssh;
                                telnet;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone Internet {
                screen untrust-screen;
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                tftp;
                                dhcp;
                            }
                        }
                    }
                }
            }
            security-zone plc {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/2.0;
                }
            }
            security-zone console {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/3.0;
                }
            }
        }
    }
    vlans {
        vlan1 {
            vlan-id 3;
            l3-interface vlan.1;
        }
    }



  • 4.  RE: first time SRX user - initial config help

    Posted 11-09-2015 11:57

    Hi,

    Configure both interfaces 2 and 3 to belong to vlan 1. You don't need to configure the same IP subnet on each interface.



  • 5.  RE: first time SRX user - initial config help

    Posted 11-10-2015 05:24

    Traffic is now flowing between the plc and the console, but when I run show security policies hit-count, there are 0 hits on either policy. How is network traffic getting across the switch without using a policy?

    I've attached my updated config. I removed the default security zones.



  • 6.  RE: first time SRX user - initial config help

    Posted 11-10-2015 05:49

    Hi,

    Because you don't need a policy permitting traffic between hosts in the same VLAN.



  • 7.  RE: first time SRX user - initial config help

    Posted 11-10-2015 05:50

    I am hoping to use IDP in this configuration. Will that be possible without the use of security zones?



  • 8.  RE: first time SRX user - initial config help
    Best Answer

    Posted 11-10-2015 06:01

    Hi,

    No, IDP needs to be permitted in a specific policy.
    Usually, an IDP policy will be used between the trust zone and the untrust zone, and not between hosts. If you are willing to use IDP between hosts, then they need to be in separate VLANs and IP subnets as well.

    Hope that helps.
    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
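    To illustrate replies 6 and 8 (intra-VLAN traffic never touches a policy, so IDP needs the console and PLC in separate subnets and zones), here is an added example in Junos set-command form, written relative to the configuration posted in reply 3; it is not from the thread or from Juniper. It assumes new subnets 192.168.10.0/24 (plc side) and 192.168.20.0/24 (console side) that do not overlap vlan.1's 192.168.1.0/24, hosts re-addressed to 192.168.10.10 and 192.168.20.30 with the SRX interfaces as their gateways, a hypothetical IDP policy name plc-idp, a placeholder attack group, and the 12.1-era `application-services idp` syntax.

```junos
# Added example (not from the thread). Assumptions: 192.168.10.0/24 for the PLC side,
# 192.168.20.0/24 for the console side, hypothetical IDP policy "plc-idp", and
# <ATTACK-GROUP> as a placeholder for a real predefined attack group on the device.

# One subnet per Layer-3 interface, neither overlapping vlan.1 (192.168.1.0/24)
delete interfaces ge-0/0/2 unit 0 family inet address 192.168.1.2/24
delete interfaces ge-0/0/3 unit 0 family inet address 192.168.1.3/24
set interfaces ge-0/0/2 unit 0 family inet address 192.168.10.1/24
set interfaces ge-0/0/3 unit 0 family inet address 192.168.20.1/24

# Zone membership stays as posted; allow only ping to the SRX itself instead of "all"
delete security zones security-zone plc host-inbound-traffic system-services all
delete security zones security-zone console host-inbound-traffic system-services all
set security zones security-zone plc host-inbound-traffic system-services ping
set security zones security-zone console host-inbound-traffic system-services ping

# /32 host objects replace the /24 wildcard entries posted in reply 3
delete security address-book global address plc
delete security address-book global address console
set security address-book global address plc-host 192.168.10.10/32
set security address-book global address console-host 192.168.20.30/32

# Only the console may open sessions to the PLC; replies ride the existing session,
# so the plc-to-console "any" policy is not needed. Everything else hits the default deny.
delete security policies from-zone plc to-zone console
delete security policies from-zone console to-zone plc
set security policies from-zone console to-zone plc policy console-to-plc match source-address console-host
set security policies from-zone console to-zone plc policy console-to-plc match destination-address plc-host
set security policies from-zone console to-zone plc policy console-to-plc match application any
set security policies from-zone console to-zone plc policy console-to-plc then permit application-services idp
set security policies from-zone console to-zone plc policy console-to-plc then log session-init session-close

# IDP policy applied by that permit: drop and log attacks seen console -> plc
set security idp idp-policy plc-idp rulebase-ips rule protect-plc match from-zone console to-zone plc
set security idp idp-policy plc-idp rulebase-ips rule protect-plc match application default
set security idp idp-policy plc-idp rulebase-ips rule protect-plc match attacks predefined-attack-groups "<ATTACK-GROUP>"
set security idp idp-policy plc-idp rulebase-ips rule protect-plc then action drop-connection
set security idp idp-policy plc-idp rulebase-ips rule protect-plc then notification log-attacks
set security idp active-policy plc-idp
```

    Once committed and the hosts re-addressed, show security policies hit-count should start counting console-to-plc sessions, and show security flow session should list them with the policy name, which is the check that traffic is really crossing the zones rather than being switched inside one VLAN.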