SRX

  • 1.  Basic SRX configuration

    Posted 10-14-2016 09:40

    Hello All,

    I am working on setting up a lab for learning purposes. Since I have been working with routers and switches, security platforms are new to me. The thing is that I have a connection like this:

    topology.png

    vSRX-01 and vSRX-02 are connected using ge-0/0/1, and this is the configuration. I have just added those interfaces to the trust zone, allowing all services, and I have also added a policy to allow any source, destination and application, but they still are not able to ping each other. Any advice?


  • 2.  RE: Basic SRX configuration

    Posted 10-14-2016 09:56

    Please share your config.



  • 3.  RE: Basic SRX configuration

    Posted 10-14-2016 10:12

    Here it is. It is the same on the remote end, but it uses .1.

    root@SRX-1# show interfaces ge-0/0/1
    unit 0 {
        family inet {
            address 148.22.100.2/28;
        }
    }
    
    [edit]
    root@SRX-1# show security zones security-zone trust
    tcp-rst;
    host-inbound-traffic {
        system-services {
            all;
        }
    }
    interfaces {
        ge-0/0/1.0;
    }
    
    [edit]
    root@SRX-1# show routing-options
    static {
        route 0.0.0.0/0 next-hop 148.22.100.1;
    }
    
    
    root@SRX-1# show security policies
    from-zone trust to-zone trust {
        policy default-permit {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
        policy test {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone trust to-zone untrust {
        policy default-permit {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone untrust to-zone trust {
        policy default-deny {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                deny;
            }
        }
    }
    
    [edit]
    


  • 4.  RE: Basic SRX configuration

    Posted 10-14-2016 11:11

    Hi,

    On SRX-1 (for example), try to ping SRX-02 using the 'source' statement:
    > ping 148.22.100.1 source 148.22.100.2

    If it is still not working, share the 'show route' output with us.


  • 5.  RE: Basic SRX configuration

    Posted 10-14-2016 11:55

    Thank you! Here it is:

    root@SRX-1# run show route
    
    inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    0.0.0.0/0          *[Static/5] 03:50:30
                        > to 148.22.100.1 via ge-0/0/1.0
    148.22.100.0/28    *[Direct/0] 03:50:30
                        > via ge-0/0/1.0
    148.22.100.2/32    *[Local/0] 03:50:32
                          Local via ge-0/0/1.0
    192.168.100.1/32   *[Local/0] 03:15:05
                          Reject
    
    [edit]
    root@SRX-1# run ping 148.22.100.1 source 148.22.100.2
    PING 148.22.100.1 (148.22.100.1): 56 data bytes
    ^C
    --- 148.22.100.1 ping statistics ---
    10 packets transmitted, 0 packets received, 100% packet loss
    
    [edit]
    root@SRX-1#
    
    
    Also, from SRX-2
    root@SRX-2# run show route
    
    inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    146.22.56.0/28     *[Direct/0] 03:50:27
                        > via ge-0/0/5.0
    146.22.56.1/32     *[Local/0] 03:50:28
                          Local via ge-0/0/5.0
    148.22.100.0/28    *[Direct/0] 03:50:27
                        > via ge-0/0/1.0
    148.22.100.1/32    *[Local/0] 03:50:28
                          Local via ge-0/0/1.0
    
    [edit]
    root@SRX-2# show security zones security-zone ?
    Possible completions:
      <name>               Name of the zone
      INSIDE               Name of the zone
      INTERNET             Name of the zone
      Public-Edge          Name of the zone
      trust                Name of the zone
      untrust              Name of the zone
    [edit]
    root@SRX-2# show security zones
    security-zone trust {
        tcp-rst;
        host-inbound-traffic {
            system-services {
                all;
            }
        }
        interfaces {
            ge-0/0/1.0;
        }
    }
    security-zone untrust {
        screen untrust-screen;
        interfaces {
            ge-0/0/0.0 {
                host-inbound-traffic {
                    system-services {
                        http;
                        https;
                        ssh;
                        telnet;
                        dhcp;
                    }
                }
            }
        }
    }
    security-zone Public-Edge;
    security-zone INTERNET {
        host-inbound-traffic {
            system-services {
                ssh;
                telnet;
                ping;
                all;
            }
        }
    }
    security-zone INSIDE {
        host-inbound-traffic {
            system-services {
                all;
            }
        }
    }
    
    [edit]
    root@SRX-2# show security policies
    from-zone trust to-zone trust {
        policy default-permit {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone trust to-zone untrust {
        policy default-permit {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone untrust to-zone trust {
        policy default-deny {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                deny;
            }
        }
    }
    
    [edit]
    root@SRX-2#
    
    


  • 6.  RE: Basic SRX configuration
    Best Answer

    Posted 10-15-2016 00:08

    Hi,

    Your configuration seems to be correct. I'm pretty sure it's something related to the vSRX virtual box.
    Since this is a lab in GNS, I would suggest the following:
    1. Back up all your configuration to a TXT file.

    2. Enter the following commands:
    #delete security
    #set security policies default-policy permit-all
    #commit
    3. Try to ping and see if it works after you reboot both vSRXs.

    Those commands will 'downgrade' the SRX to a router in 'packet-mode'.


    If there is still no ping between the vSRXs, try entering the following command:
    set security forwarding-options family mpls mode packet-based
    and reboot.



  • 7.  RE: Basic SRX configuration

    Posted 10-15-2016 01:58

    And just to be sure of my last answer (that it is something related to the virtual box 'vSRX'), I replicated your issue in my lab:

    Screenshot_8.png

    Screenshot_7.png

    - Tip: You don't need the static route for 0.0.0.0 (because it is directly connected) or the trust-to-trust policy (because of the host-inbound... system-services all statement). This will work without either statement.
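
The tip above is the part of this thread worth internalising: a ping between the two vSRXs terminates on the firewall itself, so it is admitted or refused by the zone's host-inbound-traffic system-services, while a from-zone/to-zone security policy only governs traffic that transits the box. As an added example that is not part of the thread or of any Juniper tool, the Python below parses the Junos curly-brace configuration posted for SRX-2 (trimmed to the zone and policy stanzas) and evaluates both decisions: whether a given system service sent to the box's own address on an interface is accepted, and which action applies to a transit flow between two zones. The zone, interface and policy names come from the posted configuration; the parser, the function names, the sample config string and the precedence of interface-level host-inbound-traffic over the zone-level statement are this example's own assumptions.

```python
"""Added example (not from the thread or from Juniper): traffic to the SRX's own
address is admitted by the zone's host-inbound-traffic system-services, while
transit traffic is matched against from-zone/to-zone policies, first match wins."""
import re


def parse_junos(text):
    """Junos curly-brace config -> nested dicts: `foo;` -> {'foo': None},
    `key value;` -> {'key': 'value'}, `name args { ... }` -> {'name args': {...}}."""
    stack, words = [{}], []
    for tok in re.findall(r'\{|\}|;|[^\s{};]+', text):
        if tok == '{':
            stack[-1][' '.join(words)] = node = {}
            stack.append(node)
            words = []
        elif tok == '}':
            stack.pop()
        elif tok == ';':
            if words:
                cur, key, val = stack[-1], words[0], ' '.join(words[1:]) or None
                # a repeated flat statement (e.g. two `security-zone X;`) collects into a list
                cur[key] = val if key not in cur else (cur[key] if isinstance(cur[key], list) else [cur[key]]) + [val]
            words = []
        else:
            words.append(tok)
    return stack[0]


def zones(cfg):
    """{zone_name: zone_stanza}, including zones declared with no body."""
    out = {}
    for key, val in cfg['security'].get('zones', {}).items():
        if key.startswith('security-zone '):
            out[key.split(' ', 1)[1]] = val or {}
        elif key == 'security-zone':  # `security-zone NAME;`
            for name in (val if isinstance(val, list) else [val]):
                out[name] = {}
    return out


def host_inbound_allowed(cfg, ifl, service):
    """Would the SRX accept `service` (ping, ssh, ...) sent to its own address on
    `ifl`?  Assumed here: interface-level host-inbound-traffic replaces the zone's."""
    for zcfg in zones(cfg).values():
        ifaces = zcfg.get('interfaces') or {}
        if ifl in ifaces:
            hib = (ifaces[ifl] or {}).get('host-inbound-traffic') or zcfg.get('host-inbound-traffic') or {}
            services = hib.get('system-services') or {}
            return 'all' in services or service in services
    return False  # an interface bound to no zone accepts nothing


def policy_action(cfg, from_zone, to_zone, src='any', dst='any', app='any'):
    """First matching policy in the zone-pair context decides; with no match the
    global default-policy applies, which is deny-all unless set to permit-all."""
    pols = cfg['security'].get('policies', {})
    ctx = pols.get(f'from-zone {from_zone} to-zone {to_zone}', {})
    fields = (('source-address', src), ('destination-address', dst), ('application', app))
    for key, pol in ctx.items():
        m = pol.get('match', {})  # single-valued match terms only, as in the posted config
        if key.startswith('policy ') and all(m.get(f, 'any') in ('any', v) for f, v in fields):
            then = pol.get('then', {})
            return next((a for a in ('permit', 'deny', 'reject') if a in then), 'deny')
    return 'permit' if pols.get('default-policy') == 'permit-all' else 'deny'


# Constructed sample: the SRX-2 zones and policies posted above, trimmed to what the checks read.
SRX2_CONFIG = """
security {
    zones {
        security-zone trust { host-inbound-traffic { system-services { all; } } interfaces { ge-0/0/1.0; } }
        security-zone untrust {
            interfaces { ge-0/0/0.0 { host-inbound-traffic { system-services { http; https; ssh; telnet; dhcp; } } } }
        }
        security-zone Public-Edge;
    }
    policies {
        from-zone trust to-zone trust {
            policy default-permit { match { source-address any; destination-address any; application any; } then { permit; } }
        }
        from-zone untrust to-zone trust {
            policy default-deny { match { source-address any; destination-address any; application any; } then { deny; } }
        }
    }
}
"""


def evaluate(config_text=SRX2_CONFIG):
    cfg = parse_junos(config_text)
    return {
        'ping to own ge-0/0/1.0 address': host_inbound_allowed(cfg, 'ge-0/0/1.0', 'ping'),
        'ping to own ge-0/0/0.0 address': host_inbound_allowed(cfg, 'ge-0/0/0.0', 'ping'),
        'ssh to own ge-0/0/0.0 address': host_inbound_allowed(cfg, 'ge-0/0/0.0', 'ssh'),
        'transit trust -> trust': policy_action(cfg, 'trust', 'trust'),
        'transit untrust -> trust': policy_action(cfg, 'untrust', 'trust'),
        'transit Public-Edge -> trust': policy_action(cfg, 'Public-Edge', 'trust'),
    }
```

Calling `evaluate()` on the constructed sample reports ping accepted on ge-0/0/1.0 (the zone-wide `all`) but refused on ge-0/0/0.0, whose interface-level list admits http, https, ssh, telnet and dhcp and nothing else, which is exactly the kind of mismatch to look for before touching policies. It also shows that a zone pair with no policy context at all (Public-Edge to trust) falls to the deny-all default, which is what the `set security policies default-policy permit-all` step in the earlier reply changes.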


  • 8.  RE: Basic SRX configuration

    Posted 10-15-2016 04:03

    I would also suggest you go through this article:

    http://brezular.com/2014/07/22/how-to-run-juniper-firefly-perimeter-vsrx-on-gns3/

    Check that this step is configured correctly:

    ===Change the default NIC type from Automatic to Paravirtualized (virtio-net) type otherwise connection will not be working===

    Screenshot_8.png



  • 9.  RE: Basic SRX configuration

    Posted 10-17-2016 19:45

    Abed, after rebooting the virtual devices, it started to work. Thank you so much for all your assistance. Since I am learning things, hopefully you will see other posts from me.