Having an odd problem (new to Junos, so this may be obvious to everyone else). I have a WAN link, a public IP space, plus three private networks, all run over a trunk to a Cisco 2960G. The systems on the public IP space can talk out to the world no problem. NAT is set up and working great - systems on the private networks can talk to the world no problem. However, the private network systems can't talk to each other, even though they are all in the 'trust' zone and the security policy explicitly allows trust-to-trust traffic!
/* Only the stanzas relevant to the question are quoted; each "..." marks configuration that was left out. */
interfaces {
...
/* Routed (family inet) uplink carrying the BGP session. Its zone and the protocols it accepts inbound are set under security zones, not here. */
ge-0/0/2 {
description "bgp peering";
gigether-options {
auto-negotiation;
}
unit 0 {
family inet {
address <redacted>;
}
}
}
...
/* Layer-2 trunk towards the Cisco 2960G. "members all" carries every VLAN defined on the box, so a VLAN added later is trunked without touching this port; list the VLAN names explicitly if that is not intended. */
ge-0/0/5 {
gigether-options {
no-loopback;
auto-negotiation;
}
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members all;
}
}
}
}
/* Routed VLAN interfaces (RVIs), one unit per VLAN. The unit-to-VLAN-id binding lives in the "vlans" stanza, which is not shown; the .1 addresses are presumably the hosts' default gateways - TODO confirm. */
vlan {
/* 192.168.1.0/24 */
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
/* The public /25. NOTE(review): this RVI is placed in zone trust (see security zones), alongside the three private subnets. */
unit 300 {
family inet {
address publicnetwork/25;
}
}
/* The three private subnets the question is about. Traffic between them is routed between these RVIs and is therefore subject to the trust-to-trust security policy. */
unit 350 {
family inet {
address 10.30.0.1/24;
}
}
unit 351 {
family inet {
address 10.30.10.1/24;
}
}
unit 352 {
family inet {
address 10.30.20.1/24;
}
}
}
}
/* Direct (interface) routes are copied into both inet.0 and inet.2 through the rib-group below. The "lan" export policy referenced here is defined elsewhere and not shown. */
routing-options {
interface-routes {
rib-group inet populate-inet2;
family inet {
export {
lan;
}
}
}
/* inet.2 (the table Junos consults for multicast RPF by default) additionally gets a passive aggregate for the public /25, i.e. the prefix stays in that table even with no contributing route. */
rib inet.2 {
aggregate {
route publicnetwork/25 passive;
}
}
rib-groups {
populate-inet2 {
import-rib [ inet.0 inet.2 ];
}
}
}
...
security {
nat {
source {
/* Public address range used for source NAT; "blah to blah" is a placeholder for the real from/to addresses. */
pool nat-pool-1 {
address {
blah to blah;
}
}
/* Source NAT for anything leaving zone trust towards zone untrust. NOTE(review): 0.0.0.0/0 also matches the public /25 on vlan.300, which sits in zone trust; unless a no-NAT rule exists elsewhere (none is shown), those hosts are translated too. */
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
pool {
nat-pool-1;
}
}
}
}
}
}
}
/* Policies are evaluated top-down within each from-zone/to-zone pair; the first match wins, and the default-policy applies only when no pair or policy matches. */
policies {
/* Outbound: any host in trust may reach untrust with any application. */
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
/* Intra-zone: traffic routed between the trust RVIs (e.g. 10.30.0.0/24 <-> 10.30.10.0/24) needs this, since intra-zone traffic is not permitted implicitly. NOTE(review): this also lets the public /25 on vlan.300 reach every private subnet. If inter-VLAN traffic still fails with this policy in place, the cause is probably outside this excerpt (e.g. the vlans/l3-interface binding or the hosts' gateway); "show security flow session" and "show security policies hit-count" show whether flows reach and match this policy. */
from-zone trust to-zone trust {
policy trust-to-trust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
/* Inbound: only blah-network (defined in the untrust address-book) is allowed in; everything else is rejected. "reject" answers with TCP RST / ICMP unreachable rather than dropping silently, which tells a remote scanner a firewall is present - use "deny" if silent drop is preferred. */
from-zone untrust to-zone trust {
policy blah-to-trust {
match {
source-address blah-network;
destination-address any;
application any;
}
then {
permit;
}
}
policy untrust-to-trust {
match {
source-address any;
destination-address any;
application any;
}
then {
reject;
}
}
}
/* Anything not matched above, including traffic from untrust to untrust, is dropped silently. */
default-policy {
deny-all;
}
}
zones {
/* tcp-rst: send a TCP RST for non-SYN packets that match no existing session. */
security-zone trust {
tcp-rst;
/* NOTE(review): "all" here lets every interface in this zone - including the public /25 on vlan.300 and the L2 trunk - reach every service on the SRX itself (CLI, management, etc.). Narrowing this to the services the LAN actually needs (e.g. ping, ssh, dhcp) reduces the exposure of the box to its own public-addressed hosts. */
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.0;
/* The per-interface "system-services all" on vlan.300-352 repeats the zone-level setting and is redundant as written; an interface-level value only matters if the zone default above is narrowed. */
vlan.300 {
host-inbound-traffic {
system-services {
all;
}
}
}
vlan.350 {
host-inbound-traffic {
system-services {
all;
}
}
}
vlan.351 {
host-inbound-traffic {
system-services {
all;
}
}
}
vlan.352 {
host-inbound-traffic {
system-services {
all;
}
}
}
/* The ethernet-switching trunk port itself is placed in the zone. Whether the L2 port needs zone membership on this platform, or the RVIs alone suffice, is worth confirming against the platform documentation - TODO confirm. */
ge-0/0/5.0;
}
}
security-zone untrust {
tcp-rst;
/* Single address-book entry used by policy blah-to-trust; the second "blah-network" is a placeholder for the real prefix. */
address-book {
address blah-network blah-network;
}
/* Screen profile applied to this zone; its definition (security screen ids-option untrust-screen) is not shown. */
screen untrust-screen;
interfaces {
/* WAN port: accepts DHCP (presumably the WAN address is DHCP-assigned) and TFTP inbound. NOTE(review): inbound TFTP on a WAN-facing port looks like a factory-default leftover; remove it unless it is actually used. */
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
}
}
}
/* BGP peering port: only the BGP protocol is accepted towards the SRX itself; the protocols bgp stanza (peer, authentication) is not shown. */
ge-0/0/2.0 {
host-inbound-traffic {
protocols {
bgp;
}
}
}
}
}
}
}
Any ideas?