SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  ping through the SRX650

    Posted 07-11-2011 10:07

    Hi there,

    I've an SRX650 in place now with the trust interface participating in OSPF on my local LAN. I've a static route to the subnet on my untrust zone set up which is being redistributed into OSPF on the trust side.

     

    My problem is that I cannot ping from my untrust subnet to the trust LAN even though I have a policy untrust to trust allow any any any.

     

    I can however ping from the trust to the untrust.

     

    I'm obviously missing something simple here but I'm at the banging head against the wall stage.

     

    Any suggestions?

     

    Thanks,

     

    Paul


    #basics


  • 2.  RE: ping through the SRX650

    Posted 07-11-2011 10:58

    Hi,

     

    Are you permitting the "ping" system service?  I would try adding it on the zone.

     

    set security zones security-zone untrust host-inbound-traffic system-services ping

     

    John



  • 3.  RE: ping through the SRX650

    Posted 07-11-2011 13:17

    Hi,

    thanks for the reply. No traffic at all is passing from untrust to trust, ping was being used as the primary test method.

     

    My policy is as follows:

     

    inactive: from-zone untrust to-zone trust {
        policy untrust-to-LAN {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }

     

     

    Any ideas?



  • 4.  RE: ping through the SRX650
    Best Answer

    Posted 07-11-2011 14:33

    Hi Paul,

     

    The policy seems inactive. Can you check?

     

    Regards,

    Visitor



  • 5.  RE: ping through the SRX650

    Posted 07-11-2011 20:52

    @paulkil wrote:

     

    inactive: from-zone untrust to-zone trust {
        policy untrust-to-LAN {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }

     

     

    Any ideas?


    Try "activate security policies from-zone untrust to-zone trust" and commit.

     

    Your policy is inactive, so the traffic is going to hit the default system "deny all" policy.
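
The check described in this thread, as an added example that is not part of any poster's reply: a small Python script that reads text in the style of `show configuration security policies` and lists zone pairs with no policy in effect, treating an `inactive:` prefix on a policy or on any enclosing stanza as disabling it. The sample configuration and the function names are constructed for illustration.

```python
import re

# Constructed sample shaped like "show configuration security policies" output
# (match blocks omitted for brevity; policy names are made up).
SAMPLE = """\
from-zone trust to-zone untrust {
    policy trust-to-untrust {
        then {
            permit;
        }
    }
}
inactive: from-zone untrust to-zone trust {
    policy untrust-to-LAN {
        then {
            permit;
        }
    }
}
"""

def policy_states(config_text):
    """Map (from_zone, to_zone, policy_name) -> True if the policy is in effect."""
    stack, states = [], {}
    for raw in config_text.splitlines():
        line = raw.strip()
        opened = re.match(r"(inactive:\s*)?(.+?)\s*\{$", line)
        if opened:
            stack.append((opened.group(2), bool(opened.group(1))))
            zone = next((n for n, _ in stack if n.startswith("from-zone ")), None)
            if opened.group(2).startswith("policy ") and zone:
                _, src, _, dst = zone.split()
                # "inactive:" on the policy or on any enclosing stanza disables it
                active = not any(flag for _, flag in stack)
                states[(src, dst, opened.group(2).split()[1])] = active
        elif line == "}" and stack:
            stack.pop()
    return states

def pairs_without_active_policy(states):
    """Zone pairs whose traffic can only hit the default policy."""
    pairs = {}
    for (src, dst, _), active in states.items():
        pairs[(src, dst)] = pairs.get((src, dst), False) or active
    return sorted(pair for pair, active in pairs.items() if not active)

if __name__ == "__main__":
    for src, dst in pairs_without_active_policy(policy_states(SAMPLE)):
        print(f"{src} -> {dst}: no active policy configured")
```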



  • 6.  RE: ping through the SRX650

    Posted 07-12-2011 01:56

    Hi Guys,

    yes it had been deactivated, hadn't noticed that.

     

    All working now, thanks to ye.

     

    Many thanks,

     

    Paul 🙂