ScreenOS Firewalls (NOT SRX)
Trusted Contributor
Stac Polaidh
Posts: 90
Registered: 01-24-2012

intra-subnet and intra-zone blocking not working

Hi

I have set up a new interface 10.77.0.1/18 and have "block intra-subnet traffic" set.

I have also created a custom zone and have "block intra-zone traffic" set.

I have created 3 different policies for 3 different groups:

X 10.77.10.0/24

Y 10.77.20.0/24

Z 10.77.30.0/24

I want them to be unable to reach each other and thought with that blocking set up that would be the case, but if I use subnet /18 on the hosts they can ping each other.

The hosts are connected to the Juniper interface via a 3500 Catalyst switch.

Are they able to reach each other via the switch even though block intra-subnet traffic and block intra-zone traffic are set up on the SSG?

If I am unable to hide them from each other this way, how can I do this? Via VLANs and subinterfaces?

Pier
Network and telephony support engineer
JNCIA-FWV, CCNP Voice, CCNA
Super Contributor
nikolay.semov
Posts: 170
Registered: 03-15-2012

Re: intra-subnet and intra-zone blocking not working

If all hosts are in one big subnet, then traffic between them never needs to go to your firewall, therefore the firewall's zone configuration and policies are irrelevant. VLANs and subinterfaces are indeed what you'd need here.
Trusted Contributor
Stac Polaidh
Posts: 90
Registered: 01-24-2012

Re: intra-subnet and intra-zone blocking not working

I tried with VLANs and subinterfaces for a couple of hours this afternoon but seemed to be unable to get anywhere; I could not even ping the IP of the subinterfaces, let alone get out to the internet, and this was even when connected straight to the interface with a client.

I believe using secondary IPs on the interface should be able to get me to hide the different networks from each other, but I would still like to have a go at VLANs and subinterfaces. If anyone can give a step-by-step at all, that would be most helpful.

Thanks in advance

Pier
Network and telephony support engineer
JNCIA-FWV, CCNP Voice, CCNA
Super Contributor
nikolay.semov
Posts: 170
Registered: 03-15-2012

Re: intra-subnet and intra-zone blocking not working

Connecting a client machine directly to the firewall won't work, and isn't supposed to work.

Please advise what switch(es) you are using.

Trusted Contributor
Stac Polaidh
Posts: 90
Registered: 01-24-2012

Re: intra-subnet and intra-zone blocking not working

It is an SSG-320 and a Cisco Catalyst 3550 I was using. I had created 3 subinterfaces on the firewall with 3 VLAN tags: 100, 200 and 300. Did I need to create these same VLANs with identical tags on the switch as well? Was that where I was going wrong?

Pier
Network and telephony support engineer
JNCIA-FWV, CCNP Voice, CCNA
Super Contributor
nikolay.semov
Posts: 170
Registered: 03-15-2012

Re: intra-subnet and intra-zone blocking not working

Yes, you need to configure VLANs with the same tags on the switch, and configure the switch port connecting to the firewall in trunk mode. Then you need to set aside switch ports for each of the three networks, put them in access mode and assign them to the appropriate VLAN.
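The layout described in this reply, written out as an added example (this is not configuration from the original thread or from either poster): three ScreenOS subinterfaces on the SSG, one per VLAN tag, placed in a custom zone with intra-zone blocking, and the matching Catalyst 3550 trunk and access ports. The VLAN tags 100/200/300 and the three /24 subnets come from the thread; the physical interface ethernet0/2, the zone name "groups", the address-book names, the switch port numbers and the "Untrust" destination zone are assumptions. Lines beginning with `#` are annotations, not commands.

```text
# --- SSG-320, ScreenOS CLI (added example; ethernet0/2 and zone "groups" assumed) ---
set zone name "groups"
# intra-zone blocking: traffic between subinterfaces of this zone needs an explicit policy
set zone "groups" block
set interface ethernet0/2.1 tag 100 zone "groups"
set interface ethernet0/2.1 ip 10.77.10.1/24
set interface ethernet0/2.2 tag 200 zone "groups"
set interface ethernet0/2.2 ip 10.77.20.1/24
set interface ethernet0/2.3 tag 300 zone "groups"
set interface ethernet0/2.3 ip 10.77.30.1/24
set address "groups" "X" 10.77.10.0 255.255.255.0
set address "groups" "Y" 10.77.20.0 255.255.255.0
set address "groups" "Z" 10.77.30.0 255.255.255.0
# one outbound policy per group; with the zone blocked and no groups-to-groups
# policy defined, X, Y and Z cannot reach each other through the firewall
set policy from "groups" to "Untrust" "X" "Any" "ANY" permit
set policy from "groups" to "Untrust" "Y" "Any" "ANY" permit
set policy from "groups" to "Untrust" "Z" "Any" "ANY" permit

# --- Catalyst 3550, IOS (added example; port numbers assumed) ---
vlan 100
 name X
vlan 200
 name Y
vlan 300
 name Z
!
# uplink to SSG ethernet0/2: carries all three tags (3550 needs the encapsulation line)
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100,200,300
!
# host ports: access mode, one VLAN each; hosts use a /24 mask and the
# subinterface address (10.77.10.1, 10.77.20.1, 10.77.30.1) as their gateway
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 100
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 200
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 300
```

Two points worth checking after applying something like this: the interface-level "block intra-subnet traffic" setting only acts on frames the SSG actually receives, so it adds nothing while hosts share one VLAN and one /18; the separation comes from the VLAN boundaries forcing every cross-group packet through a subinterface, where the zone block and the policy list apply. Hosts inside the same VLAN still reach each other directly through the switch, exactly as in the original problem, so a group is the smallest unit the firewall can isolate with this design.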
Trusted Contributor
Stac Polaidh
Posts: 90
Registered: 01-24-2012

Re: intra-subnet and intra-zone blocking not working

Great, thank you Nikolay. I followed your instructions for setting up the switch and that worked fine.

Thanks again for your help.

Pier
Network and telephony support engineer
JNCIA-FWV, CCNP Voice, CCNA
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.