SRX Services Gateway

strange traffic filtering/routing

Contributor chobbs (Posts: 18, Registered: 07-01-2009)

I've been working on this issue for a few days now and I can't seem to figure out what's happening. Maybe a fresh set of eyes will help.

Here's the setup:

I've got an SRX240H with 3 active interfaces. Each in a separate zone:

ge-0/0/0.0 - trust zone, the internal network
ge-0/0/1.0 - untrust zone, ISP
ge-0/0/2.0 - "dmz" zone, our "dmz" (for lack of better words)

All three of those use a different address scheme and I've got static routes pointing to each hop.

I've got several security policies set up to torque down control of traffic and the default policy is to deny all. If I'm on the firewall itself via console cable or ssh, I can ping all interfaces, ping sites outside our network, and ping hosts in both the dmz and our internal network.

From a host in the DMZ, I can ping the 'dmz' interface (ge-0/0/2.0), hosts within the subnet, hosts within the internal network, the external interface of the firewall (ge-0/0/1.0), and hosts in the internal subnet ("trust" zone). I can't, however, ping the interface for the "trust" zone (ge-0/0/0.0) or pass any traffic to/from the Internet. The rules existing between dmz and untrust are set up to allow all traffic.

I have a similar situation from hosts on the internal ("trust") subnet. I can hit trust hosts, dmz hosts, the dmz interface, and the external interface, but not the trust interface or any traffic to/from the internet.

Static NAT works great from our external interface to the dmz interface as well.

I hope that made some kind of sense. I can post configs or the output of any commands if necessary. I've run a few traceroutes and watched security flow sessions. I plan to try the SRX troubleshooting flow as well. It's probably something ridiculously simple at this point, but I think I've been staring at the problem too long.

Any input is greatly appreciated.

Trusted Contributor Optimist (Posts: 60, Registered: 09-09-2009)

Re: strange traffic filtering/routing

Regarding pinging ge-0/0/0:

Is host-inbound-traffic system-service ping allowed for ge-0/0/0.0?

`set security zones security-zone trust interface ge-0/0/0.0 host-inbound-traffic system-services ping`

should solve it. If not, please send the output of

`show security zones security-zone trust`

For the other issue,

`show security policy`

and

`show security nat`

would be helpful.

If this worked for you please flag my post as an "Accepted Solution" so others can benefit.
A kudo would be cool if you think I earned it.
Contributor chobbs (Posts: 18, Registered: 07-01-2009)

Re: strange traffic filtering/routing

Ping is allowed, as is icmp-echo, icmp-echo-all, and ping-ipv6 (not that it would matter much). That's the first thing I checked.

I'll get the security policy output posted ASAP.

Thanks

Contributor chobbs (Posts: 18, Registered: 07-01-2009)

Re: strange traffic filtering/routing


As mentioned earlier, NAT is working just fine. `show security zones security-zone trust` threw an error, so here is the output of `show security zones`:

```
Security zone: dmz
  Send reset for non-SYN session TCP packets: On
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/2.0

Security zone: junos-global
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces:

Security zone: trust
  Send reset for non-SYN session TCP packets: On
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/0.0

Security zone: untrust
  Send reset for non-SYN session TCP packets: On
  Policy configurable: Yes
  Screen: untrust-screen
  Interfaces bound: 1
  Interfaces:
    ge-0/0/1.0
```

And the output of `show security policies`:

```
Default policy: deny-all
From zone: trust, To zone: trust
  Policy: tust_to_trust_permit, State: enabled, Index: 4, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
From zone: trust, To zone: untrust
  Policy: trust_to_untrust_permit, State: enabled, Index: 5, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
From zone: trust, To zone: dmz
  Policy: trust_to_dmz_permit, State: enabled, Index: 6, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
From zone: untrust, To zone: dmz
  Policy: untrust_to_dmz_permit, State: enabled, Index: 7, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
From zone: untrust, To zone: trust
  Policy: untrust_to_trust_big_pack, State: enabled, Index: 11, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: cad_rambler, gw_client_tcp, gw_client_udp, gwproxy, jabber, junos-aol,
      junos-cvspserver, junos-dns-tcp, junos-dns-udp, junos-echo, junos-finger, junos-ftp,
      junos-http, junos-http-ext, junos-https, junos-icmp-all, junos-icmp-ping, junos-ident,
      junos-imap, junos-imaps, junos-internet-locator-service, junos-irc, junos-msn, junos-nntp,
      junos-ntp, junos-ping, junos-pingv6, junos-realaudio, junos-smtp, junos-snmp-agentx,
      junos-ssh, junos-telnet, junos-tftp, junos-vnc, junos-who, junos-whois, junos-ymsg,
      web_payments, webaccess
    Action: permit
From zone: untrust, To zone: untrust
  Policy: untrust_to_untrust_permit, State: enabled, Index: 12, Sequence number: 1
    Destination addresses: any
    Applications: any
    Action: permit
From zone: dmz, To zone: untrust
  Policy: dmz_to_untrust_permit, State: enabled, Index: 8, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
From zone: dmz, To zone: dmz
  Policy: dmz_to_dmz_permit, State: enabled, Index: 9, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
From zone: dmz, To zone: trust
  Policy: dmz_to_trust_big_pack, State: enabled, Index: 10, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: cad_rambler, gw_client_tcp, gw_client_udp, gwproxy, jabber, junos-aol,
      junos-dhcp-client, junos-dhcp-relay, junos-dhcp-server, junos-dns-tcp, junos-dns-udp,
      junos-echo, junos-finger, junos-ftp, junos-http, junos-http-ext, junos-https,
      junos-icmp-all, junos-icmp-ping, junos-ident, junos-ike, junos-ike-nat, junos-imap,
      junos-imaps, junos-internet-locator-service, junos-irc, junos-ldap, junos-ldp-tcp,
      junos-ldp-udp, junos-lpr, junos-mail, junos-nfs, junos-nfsd-tcp, junos-nfsd-udp,
      junos-nntp, junos-ns-global, junos-ns-global-pro, junos-ntp, junos-ospf, junos-ping,
      junos-pingv6, junos-rsh, junos-rtsp, junos-sccp, junos-sctp-any, junos-sip, junos-smb,
      junos-smtp, junos-snmp-agentx, junos-snpp, junos-ssh, junos-sun-rpc, junos-sun-rpc-mountd,
      junos-sun-rpc-mountd-tcp, junos-sun-rpc-mountd-udp, junos-sun-rpc-nfs,
      junos-sun-rpc-nfs-access, junos-sun-rpc-nfs-tcp, junos-sun-rpc-nfs-udp,
      junos-sun-rpc-portmap, junos-sun-rpc-portmap-tcp, junos-sun-rpc-portmap-udp,
      junos-sun-rpc-status, junos-sun-rpc-status-tcp, junos-sun-rpc-status-udp,
      junos-sun-rpc-tcp, junos-sun-rpc-udp, junos-sun-rpc-ypbind, junos-sun-rpc-ypbind-tcp,
      junos-sun-rpc-ypbind-udp, junos-syslog, junos-tftp, junos-vnc, junos-who, junos-whois,
      junos-ymsg, ldaps, web_payments, webaccess
    Action: permit
```

I believe I copied everything properly. `show security nat` threw errors as well, but NAT isn't an issue currently.

Thanks!

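The policy listing above is the kind of output a reviewer audits for over-broad rules. As an added example that is not part of the thread and not Junos code, the following Python parses text in that `show security policies` layout (a constructed two-policy sample is embedded, including one wrapped application list) and reports enabled permit policies from the untrust zone that match any source, any destination and any application, such as untrust_to_dmz_permit above.

```python
import re

# Constructed sample in the layout of the thread's `show security policies` output.
SAMPLE = """\
Default policy: deny-all
From zone: untrust, To zone: dmz
  Policy: untrust_to_dmz_permit, State: enabled, Index: 7, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
From zone: untrust, To zone: trust
  Policy: untrust_to_trust_big_pack, State: enabled, Index: 11, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: junos-http, junos-https,
    junos-ssh
    Action: permit
"""

ZONE_RE = re.compile(r"^From zone: (\S+), To zone: (\S+)$")
POLICY_RE = re.compile(r"^Policy: (\S+), State: (\w+), Index: (\d+)")
FIELD_RE = re.compile(r"^(Source addresses|Destination addresses|Applications|Action): *(.*)$")

def parse_policies(text):
    """One dict per policy; wrapped application lines are joined onto the last field."""
    policies, zones, cur, last = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := ZONE_RE.match(line):
            zones, last = (m.group(1), m.group(2)), None
        elif m := POLICY_RE.match(line):
            cur = {"from": zones[0], "to": zones[1], "name": m.group(1), "state": m.group(2)}
            policies.append(cur)
        elif cur is not None and (m := FIELD_RE.match(line)):
            last = m.group(1)
            cur[last] = m.group(2)
        elif cur is not None and last and line:
            cur[last] += " " + line          # continuation of a wrapped application list
    return policies

def applications(policy):
    return [a.strip() for a in policy.get("Applications", "").split(",") if a.strip()]

def wide_open_from(policies, zone="untrust"):
    """Enabled permit policies from `zone` into another zone with any/any/any match terms."""
    return [p["name"] for p in policies
            if p["from"] == zone and p["to"] != zone and p["state"] == "enabled"
            and p.get("Action") == "permit" and applications(p) == ["any"]
            and p.get("Source addresses") == p.get("Destination addresses") == "any"]
```

Run it against a saved copy of the real listing to get the names of inbound rules that rely on nothing but the default deny behind them.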
Contributor chobbs (Posts: 18, Registered: 07-01-2009)

Re: strange traffic filtering/routing

Additionally, I suppose my only real issue at this point is I can't seem to pass any traffic to/from the outside world (via the untrust interface ge-0/0/1).

Ping now functions on ge-0/0/0 and all internal traffic is just fine.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.